LinuxCommandLibrary

aws-iam

Manage AWS IAM resources

TLDR

List users
$ aws iam list-users

List policies
$ aws iam list-policies

List groups
$ aws iam list-groups

Get users in a group
$ aws iam get-group --group-name [group_name]

Describe an IAM policy
$ aws iam get-policy --policy-arn arn:aws:iam::aws:policy/[policy_name]

List access keys
$ aws iam list-access-keys

List access keys for a specific user
$ aws iam list-access-keys --user-name [user_name]

Display help
$ aws iam help

SYNOPSIS

aws [global-options] iam [options] <subcommand> [<subcommand-args>]

PARAMETERS

--cli-input-json | --cli-binary-input
    Reads arguments from JSON file or stdin for non-interactive use

--generate-cli-skeleton [version]
    Prints JSON skeleton for command input

--output json|text|table
    Desired output format (default: json)

--region region-name
    AWS region (e.g., us-east-1); overrides config

--profile profile-name
    Named profile from AWS config file

--debug
    Turn on debug logging

--endpoint-url URL
    Override default endpoint

--no-verify-ssl
    Disable SSL certificate verification (insecure)

--query expression
    JMESPath query to filter results

--dry-run
    Validate without executing (supported subcommands only)

DESCRIPTION

The aws iam command is a core component of the AWS Command Line Interface (CLI), a unified toolset for interacting with AWS services from Linux terminals. It provides full programmatic control over AWS Identity and Access Management (IAM), enabling secure management of users, groups, roles, policies, access keys, MFA devices, and more.

Key capabilities include creating/deleting resources, attaching/detaching policies, listing entities with pagination, simulating policy effects, and generating credential reports. It supports JSON as input/output format, dry-run simulations, and integration with AWS STS for temporary credentials.

Usage requires AWS CLI v2 (recommended) installed via package managers like apt or brew, with credentials configured via AWS_ACCESS_KEY_ID, profiles, or SSO. Commands follow a hierarchical structure: aws iam subcommand [options]. Output can be text, table, or JSON for scripting.

Ideal for automation in CI/CD pipelines, infrastructure-as-code with Terraform/CloudFormation, or daily admin tasks, ensuring least-privilege access across AWS accounts.
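
An added example (not part of the original page or of the AWS CLI itself): it chains the list-users and list-access-keys commands from the TLDR into a report of active access keys older than a threshold, a common key-rotation check. The function names, the 90-day threshold in the usage comment, and the sample rows are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report active IAM access keys older than MAX_DAYS.

# days_since_epoch YYYY-MM-DD -> days since 1970-01-01, by pure arithmetic
# (avoids depending on GNU-only `date -d`).
days_since_epoch() (
  y=${1%%-*}; rest=${1#*-}; m=${rest%%-*}; d=${rest#*-}
  m=${m#0}; d=${d#0}   # strip a leading zero so 08/09 are not read as octal
  if [ "$m" -le 2 ]; then y=$((y - 1)); mp=$((m + 9)); else mp=$((m - 3)); fi
  era=$((y / 400)); yoe=$((y - era * 400))
  doy=$(( (153 * mp + 2) / 5 + d - 1 ))
  echo $(( era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468 ))
)

# stale_keys MAX_DAYS [TODAY as YYYY-MM-DD, default: current UTC date]
# stdin:  tab-separated rows "UserName AccessKeyId Status CreateDate"
# stdout: "UserName AccessKeyId AgeDays" for Active keys older than MAX_DAYS
stale_keys() (
  max=$1
  today=$(days_since_epoch "${2:-$(date -u +%Y-%m-%d)}")
  tab=$(printf '\t')
  while IFS=$tab read -r user key status created; do
    [ "$status" = "Active" ] || continue      # inactive keys cannot sign requests
    age=$(( today - $(days_since_epoch "${created%%T*}") ))
    if [ "$age" -gt "$max" ]; then
      printf '%s\t%s\t%s\n' "$user" "$key" "$age"
    fi
  done
)

# list_all_keys: one row per access key for every IAM user in the account.
# Needs the AWS CLI plus iam:ListUsers and iam:ListAccessKeys permissions.
list_all_keys() {
  aws iam list-users --query 'Users[].UserName' --output text | tr '\t' '\n' |
  while read -r user; do
    [ -n "$user" ] || continue
    aws iam list-access-keys --user-name "$user" --output text \
      --query 'AccessKeyMetadata[].[UserName,AccessKeyId,Status,CreateDate]'
  done
}

# Constructed sample rows (not real users or key IDs) for offline testing.
sample_rows() {
  printf 'alice\tAKIAEXAMPLE0000000001\tActive\t2023-01-15T10:30:00+00:00\n'
  printf 'bob\tAKIAEXAMPLE0000000002\tInactive\t2022-01-01T00:00:00+00:00\n'
  printf 'carol\tAKIAEXAMPLE0000000003\tActive\t2024-05-20T08:00:00+00:00\n'
}

# Live usage against an account:  list_all_keys | stale_keys 90
```

Run `sample_rows | stale_keys 90 2024-06-01` to try the filter without credentials.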

CAVEATS

Requires AWS credentials with IAM permissions; rate limits apply (e.g., 5 req/s for create-user); subcommands vary—use aws iam help for details. Not all options apply to every subcommand.

COMMON SUBCOMMANDS

create-user, list-users, create-role, attach-role-policy, list-policies, get-policy, simulate-principal-policy, delete-user—see aws iam help <subcommand>.

CONFIGURATION

Set via ~/.aws/config and ~/.aws/credentials; use aws configure interactively.

HISTORY

Introduced in AWS CLI v1 (2013); enhanced in v2 (2020) with binary JSON support, faster performance, and SSO integration. IAM service launched 2011; CLI commands evolved with features like policy simulator (2015).

SEE ALSO

aws(1), aws sts(1), aws configure(1)
