LinuxCommandLibrary

aws-iam

Manage AWS IAM resources

TLDR

List users

$ aws iam list-users

List policies
$ aws iam list-policies

List groups
$ aws iam list-groups

Get users in a group
$ aws iam get-group --group-name [group_name]

Describe an IAM policy
$ aws iam get-policy --policy-arn arn:aws:iam::aws:policy/[policy_name]

List access keys of the user whose credentials sign the request
$ aws iam list-access-keys

List access keys for a specific user
$ aws iam list-access-keys --user-name [user_name]

Display help
$ aws iam help

SYNOPSIS

The general syntax for using the aws iam subcommand is:

aws iam <subcommand> [<options>] [<parameters>]

<subcommand> refers to a specific IAM operation (e.g., create-user, list-users, attach-user-policy).
<options> are global AWS CLI options (e.g., --region, --output, --profile).
<parameters> are specific to the chosen IAM subcommand (e.g., --user-name, --policy-arn).

Examples:
aws iam list-users
aws iam create-user --user-name myNewUser
aws iam attach-user-policy --user-name myUser --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

PARAMETERS

list-users
    Lists the IAM users in the account.
Key parameters: --path-prefix <string> (optional). Output is paginated; --max-items, --page-size and --starting-token control it (see PAGINATING RESULTS).

create-user
    Creates a new IAM user. Prefer roles or federated identities for people and workloads; create users only where long-lived credentials are unavoidable.
Key parameters: --user-name <string> (required), --path <string>, --permissions-boundary <string> (ARN of a managed policy that caps the maximum permissions the user can ever have).

get-user
    Retrieves information about a specific IAM user.
Key parameter: --user-name <string> (optional, defaults to the current user).

delete-user
    Deletes an IAM user. The call fails with a DeleteConflict error while the user still has attached policies, access keys, signing certificates, MFA devices or group memberships; remove those first.
Key parameter: --user-name <string> (required).

create-role
    Creates a new IAM role.
Key parameters: --role-name <string> (required), --assume-role-policy-document <string> (required; the trust policy as JSON, usually passed as file://trust-policy.json). The trust policy decides who may assume the role, so a Principal of "*" without a Condition should not be used.

attach-user-policy
    Attaches a managed policy to an IAM user. AWS-managed policies such as arn:aws:iam::aws:policy/AdministratorAccess (used in the SYNOPSIS example) grant broad access; prefer a customer-managed policy scoped to what the user actually needs.
Key parameters: --user-name <string> (required), --policy-arn <string> (required).

list-policies
    Lists managed policies.
Key parameters: --scope All|AWS|Local (Local limits the output to customer-managed policies), --only-attached (only policies attached to at least one user, group or role).

get-policy
    Retrieves metadata about a managed policy (ARN, attachment count, DefaultVersionId, dates), not the policy document itself; fetch the document with get-policy-version --policy-arn <arn> --version-id <DefaultVersionId>.
Key parameter: --policy-arn <string> (required).
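The create-role and get-policy entries above both come down to reading a policy document and deciding whether it grants more than intended. The Python script below is an added example, not code from this page or from AWS; it lints the document shape that aws iam get-policy-version prints for an identity policy and that aws iam get-role prints as AssumeRolePolicyDocument for a trust policy (the CLI already URL-decodes the document). The policy documents and the CLI output it runs on are constructed for the example, and the set of escalation-capable actions is a short illustrative list, not an exhaustive one.

```python
"""Lint IAM policy documents for over-broad grants.

Added example (not from LinuxCommandLibrary or AWS). Works on the JSON printed by
`aws iam get-policy-version` (identity policy) and on a role's trust policy as
printed by `aws iam get-role` or passed to create-role via
--assume-role-policy-document.
"""
import json


def _as_list(value):
    """IAM lets Action, Resource and Principal.AWS be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


# Short illustrative list (assumption, not exhaustive) of actions that let a
# principal widen its own access when allowed on Resource "*".
ESCALATION_ACTIONS = {
    "iam:PassRole", "iam:AttachUserPolicy", "iam:AttachRolePolicy",
    "iam:PutUserPolicy", "iam:CreatePolicyVersion", "sts:AssumeRole",
}


def lint_identity_policy(document):
    """Return human-readable findings for an identity policy document."""
    findings = []
    for i, stmt in enumerate(_as_list(document.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            # Negated matching grants everything NOT listed; needs a human eye.
            findings.append(f"statement {i}: uses NotAction/NotResource, review manually")
            continue
        actions = _as_list(stmt.get("Action"))
        all_resources = "*" in _as_list(stmt.get("Resource"))
        if "*" in actions and all_resources:
            findings.append(f"statement {i}: Allow */* (same power as AdministratorAccess)")
            continue
        for action in actions:
            if all_resources and action.endswith(":*"):
                findings.append(f"statement {i}: service-wide wildcard {action} on all resources")
            elif all_resources and action in ESCALATION_ACTIONS:
                findings.append(f"statement {i}: escalation-capable {action} on Resource *")
    return findings


def lint_trust_policy(document):
    """Return findings for a role trust policy (AssumeRolePolicyDocument)."""
    findings = []
    for i, stmt in enumerate(_as_list(document.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        # Principal may be the string "*" or {"AWS": "*"} / {"AWS": [...]}.
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else [principal]
        if "*" in aws_principals and not stmt.get("Condition"):
            findings.append(f"statement {i}: any AWS principal may assume this role (no Condition)")
    return findings


def lint_get_policy_version_output(cli_json):
    """Lint the JSON that `aws iam get-policy-version ...` prints."""
    return lint_identity_policy(json.loads(cli_json)["PolicyVersion"]["Document"])


# --- Constructed samples: shapes match the CLI, contents invented for the example ---
ADMIN_LIKE_CLI_OUTPUT = json.dumps({
    "PolicyVersion": {
        "Document": {"Version": "2012-10-17",
                     "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
        "VersionId": "v1", "IsDefaultVersion": True,
        "CreateDate": "2024-01-15T10:23:45+00:00",
    }
})
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    ],
}
OPEN_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"}],
}
SCOPED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                   "Action": "sts:AssumeRole",
                   "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}],
}

if __name__ == "__main__":
    for name, result in [
        ("admin-like managed policy", lint_get_policy_version_output(ADMIN_LIKE_CLI_OUTPUT)),
        ("scoped managed policy", lint_identity_policy(SCOPED_POLICY)),
        ("open trust policy", lint_trust_policy(OPEN_TRUST_POLICY)),
        ("scoped trust policy", lint_trust_policy(SCOPED_TRUST_POLICY)),
    ]:
        print(f"{name}: {result or 'no findings'}")
```

To run it against a real policy, pipe the CLI output in: aws iam get-policy-version --policy-arn <arn> --version-id <id> | python3 -c 'import sys, lint; print(lint.lint_get_policy_version_output(sys.stdin.read()))' (assuming the file is saved as lint.py). The linter deliberately stops at NotAction/NotResource rather than trying to reason about negated matches, because a wrong "looks fine" there is worse than asking for a manual review.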

DESCRIPTION

The aws iam command is a crucial subcommand of the AWS Command Line Interface (CLI), enabling direct interaction with the AWS Identity and Access Management (IAM) service from your terminal. IAM is a web service that helps you securely control access to AWS resources. Using aws iam, administrators and developers can programmatically manage users, groups, roles, policies, and identity providers. This includes tasks such as creating and deleting users, assigning permissions, managing access keys, configuring multi-factor authentication (MFA) devices, and setting up trust policies for roles. It provides a powerful alternative to the AWS Management Console for automating IAM tasks, integrating with scripts, and streamlining infrastructure as code workflows.

CAVEATS

Permissions: To execute aws iam commands, the AWS credentials configured for the CLI (via environment variables, shared credentials file, or IAM role) must have the necessary IAM permissions. For example, to create a user, the principal must have iam:CreateUser permission.
Region: IAM is a global service. In the standard AWS partition the CLI sends IAM requests to the global endpoint (iam.amazonaws.com, which lives in us-east-1) regardless of the configured default region, so --region can be omitted for aws iam; it still matters for any other service used in the same script.
Rate Limits: IAM API calls are subject to throttling. The CLI already retries throttled requests with backoff (retry_mode and max_attempts in the CLI configuration tune this), but scripts that loop over many users, roles or policies should still space their calls out and handle a persistent Throttling error explicitly rather than failing silently.
JSON Output: Many IAM commands return JSON output, which can be verbose. Tools like jq are invaluable for parsing and filtering this output.
Security Best Practices: Exercise caution when creating or modifying IAM entities; a single attach-user-policy or create-role call can hand out administrative access. Adhere to the principle of least privilege, granting only the necessary permissions. Never hardcode credentials in scripts: use a named profile, environment variables or an assumed role, and prefer short-lived role credentials over long-lived user access keys, which need to be rotated and eventually deleted.
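The access-key listings from the TLDR and the best-practice caveat above meet in routine key hygiene. The Python script below is an added example, not code from this page or from AWS; it reads the JSON that aws iam list-access-keys --user-name <name> prints and flags keys that need rotation or removal, together with the aws iam command that fixes each. The listing it runs on is constructed for the example (the key IDs are AWS's documentation placeholders, the dates are invented), and the 90-day threshold and the fixed audit clock are assumptions chosen to keep the run reproducible.

```python
"""Audit IAM access keys from `aws iam list-access-keys` output.

Added example (not from LinuxCommandLibrary or AWS). Reads the JSON the CLI prints
and reports stale, inactive and duplicate active keys with a remediation command.
Real use:  aws iam list-access-keys --user-name deploy-bot > keys.json
           python3 audit_keys.py keys.json
"""
import json
import sys
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90  # rotation threshold; an assumption for the example


def audit_access_keys(cli_json, now=None, max_age_days=MAX_KEY_AGE_DAYS):
    """Return a list of findings, each a dict with key, user, issue and fix."""
    now = now or datetime.now(timezone.utc)
    keys = json.loads(cli_json)["AccessKeyMetadata"]
    findings = []
    for key in keys:
        key_id, user = key["AccessKeyId"], key["UserName"]
        # CLI v2 prints CreateDate as ISO 8601 with "+00:00"; v1 prints a trailing "Z".
        created = datetime.fromisoformat(key["CreateDate"].replace("Z", "+00:00"))
        age_days = (now - created).days
        if key["Status"] == "Inactive":
            # A deactivated key is dead weight that can be re-enabled; delete it.
            findings.append({"key": key_id, "user": user, "issue": "inactive",
                             "fix": f"aws iam delete-access-key --user-name {user} "
                                    f"--access-key-id {key_id}"})
        elif age_days > max_age_days:
            findings.append({"key": key_id, "user": user, "issue": "stale",
                             "fix": f"aws iam create-access-key --user-name {user}; move consumers "
                                    f"to the new key; then aws iam update-access-key --user-name {user} "
                                    f"--access-key-id {key_id} --status Inactive"})
    active = [k for k in keys if k["Status"] == "Active"]
    if len(active) > 1:
        # IAM allows at most two keys per user; two active keys outside a rotation
        # window usually means an old key was never retired.
        findings.append({"key": ",".join(k["AccessKeyId"] for k in active),
                         "user": active[0]["UserName"], "issue": "multiple_active",
                         "fix": "finish the rotation: deactivate, then delete, the older key"})
    return findings


# Constructed sample in the shape of `aws iam list-access-keys --user-name deploy-bot`;
# key IDs are AWS documentation placeholders, dates are invented.
SAMPLE_LIST_ACCESS_KEYS = json.dumps({"AccessKeyMetadata": [
    {"UserName": "deploy-bot", "AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
     "Status": "Active", "CreateDate": "2023-11-02T09:15:00+00:00"},
    {"UserName": "deploy-bot", "AccessKeyId": "AKIAI44QH8DHBEXAMPLE",
     "Status": "Active", "CreateDate": "2024-05-20T14:02:31+00:00"},
]})
AUDIT_CLOCK = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed so the sample run is reproducible

if __name__ == "__main__":
    if len(sys.argv) > 1:   # a saved CLI output file: audit it against the current time
        with open(sys.argv[1]) as fh:
            findings = audit_access_keys(fh.read())
    else:                   # no argument: run on the constructed sample with the fixed clock
        findings = audit_access_keys(SAMPLE_LIST_ACCESS_KEYS, now=AUDIT_CLOCK)
    for f in findings:
        print(f"{f['user']} {f['key']} {f['issue']}: {f['fix']}")
```

On the sample, the first key is 211 days old and is reported as stale, and the user is reported for having two active keys; the script never calls delete-access-key or update-access-key itself, it only prints the commands, so the remediation stays a deliberate second step.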

OUTPUT FORMATS

By default, aws iam commands output JSON. You can specify other formats using the --output global option, such as text or table, which can be more human-readable for certain commands.
Example: aws iam list-users --output table

PAGINATING RESULTS

For commands that can return a large number of items (e.g., list-users), the AWS CLI follows the service's pagination tokens for you and returns all results. --max-items caps the total number of items the CLI returns and prints a NextToken when more remain; --starting-token resumes from that token; --page-size sets how many items each underlying API call requests (useful when throttled); --no-paginate makes a single call and returns whatever that call yields.

HISTORY

The AWS Command Line Interface (CLI) was initially released in 2013, providing a unified tool to manage AWS services. Prior to the CLI, interaction with AWS APIs primarily involved SDKs or the AWS Management Console. As a core AWS service, IAM capabilities were integrated into the CLI early on. The development of aws iam as a subcommand reflects the increasing need for programmatic and automated management of AWS identities and access policies, especially with the rise of DevOps, infrastructure as code, and continuous delivery practices. It has evolved with the IAM service, incorporating new features like permission boundaries, service-linked roles, and enhanced policy management.

SEE ALSO

aws(1): The main AWS Command Line Interface command, of which iam is a subcommand.
aws configure(1): Used to set up and manage AWS CLI configuration profiles (credentials, default region, output format).
jq(1): A lightweight and flexible command-line JSON processor, commonly used to parse the output of AWS CLI commands.
less(1): A pager program often used to view extensive JSON output from AWS CLI commands.
