aws-iam

Create a new IAM user

$ aws iam create-user --user-name [my-user]

$ aws iam create-access-key --user-name [my-user]

$ aws iam attach-user-policy --user-name [my-user] --policy-arn [arn:aws:iam::aws:policy/ReadOnlyAccess]

$ aws iam create-role --role-name [my-role] --assume-role-policy-document file://[trust-policy.json]

$ aws iam list-users

$ aws iam create-group --group-name [developers] && aws iam add-user-to-group --user-name [my-user] --group-name [developers]

$ aws iam generate-credential-report && aws iam get-credential-report --output text --query Content | base64 -d

aws iam command [options]

aws iam is the AWS CLI interface for AWS Identity and Access Management (IAM), the service for controlling access to AWS resources. IAM enables creating users, groups, roles, and policies to manage authentication and authorization.
IAM is global (not region-specific) and provides fine-grained access control through JSON policies. It supports identity federation with SAML 2.0 and OIDC providers, and multi-factor authentication for enhanced security.

create-user

Create a new IAM user

Remove a user

Generate access key credentials

Create a role for service or cross-account access

Attach a managed policy to a user

Attach a managed policy to a role

Create a custom managed policy

Create a user group

Add user to a group

List all IAM users

Get user details

Test policy permissions

Policy changes can take several seconds to propagate. The root account should never be used for daily operations. Access keys should be rotated regularly. IAM has a limit of 5000 users per account. Inline policies are harder to audit than managed policies.

AWS IAM launched in May 2010 as the access control system for AWS. Roles were introduced in 2012 for cross-account and service access. Policy conditions expanded significantly over the years, and IAM Identity Center (formerly SSO) was added in 2017 for centralized access management.

aws(1), aws-sts(1), aws-organizations(1)