Create IAM users and groups using AWS Command Line Interface (AWS CLI)
In this blog, I walk you through AWS CLI commands to create an AWS Identity and Access Management (IAM) group, and a new IAM user, and then add the user to the group and also attach an AWS IAM policy to the IAM group.
Note: Never use the root user for day-to-day access to your aws account, instead create an IAM user with administrator access and enable MFA(Multi-factor Authentication) to both the root and IAM user. Doing this is one of the best practices to secure your AWS account.
Prerequisites:
- IAM user with administrator access
- AWS CLI v2 installed. Here are the instructions for Installing AWS CLI
- Configure basic settings that the AWS CLI uses to interact with AWS. Follow the instructions configuration basics and enter aws configure command.
Note: Enter AWS Access Key ID, AWS Secret Access Key, AWS Region, and Output format. I’m using the default profile so please DO NOT do the steps in Profile
Tip: Change to the directory (use cd command) where your access key information is saved before running the aws configure command.
Steps:
- To create a new IAM group called Prod, use the create-group command. Enter the following command in AWS CLI:
aws iam create-group --group-name Prod
After successful execution of the command, we can see an output similar to this.
2. To create a new IAM user called Emp1, use the create-user command. Enter the following command in AWS CLI:
aws iam create-user --user-name Emp1
After successful execution of the command, we can see an output similar to this.
3. To add the user to the Prod group, enter the following command:
aws iam add-user-to-group --user-name Emp1 --group-name Prod
Successful execution results in no output and returns to the prompt.
4. To give the user access to the AWS Management Console, enter the following command:
aws iam create-login-profile --user-name Emp1 --password <pick_your_password> --nopassword-reset-required
5. To give the user programmatic access, enter the following command:
aws iam create-access-key --user-name Emp1
Successful execution results in access key information. Save access key for future use.
Use the echo command to save access key information to a file. Use the >> to append to the file.
echo “AccessKeyId=<your_info>” > <filename>
echo “SecretAccessKey=<your_info>” >> <filename>
6. To verify the user added to the group. Enter the following command:
aws iam get-group --group-name Prod
Successful execution of the command displays the following output:
7. Attach an IAM managed policy to an IAM user, enter the following command:
aws iam attach-group-policy --policy-arn arn:aws:iam::aws:policy/PowerUserAccess --group-name Prod
Successful execution results in no output return prompt.
8. To verify the policy is attached to the group use the list-attached-group-policies command.
aws iam list-attached-group-policies --group-name Prod
Successful execution of the command results in similar output as shown below.
Note: We can also check our work by logging in to the aws management console->IAM-> User groups->Users->permissions.
By this time we successfully created a group name Prod and user name Emp1 and also added Emp1 user to the Prod group and attached the PowerUserAccess policy to the group.