IAM
IAM CLI Reference
AWS CLI commands for Identity and Access Management
Complete reference for AWS IAM CLI commands with examples.
User Management
Create User
aws iam create-user --user-name developer
Options:
| Option | Description |
|---|---|
| --user-name | Name of the user (required) |
| --path | Path for the user name |
| --permissions-boundary | ARN of the policy to set as the permissions boundary |
| --tags | List of tags to attach |
List Users
# List all users
aws iam list-users
# List users with specific path prefix
aws iam list-users --path-prefix /developers/
# Output only user names
aws iam list-users --query 'Users[*].UserName' --output text
Delete User
aws iam delete-user --user-name developer
Before deleting a user, you must remove everything associated with it: attached and inline policies, access keys, group memberships, the login profile (console password), MFA devices, and any signing certificates or SSH public keys. Otherwise the call fails with a DeleteConflict error.
Get User Info
# Get current user
aws iam get-user
# Get specific user
aws iam get-user --user-name developer
Group Management
Create Group
aws iam create-group --group-name Developers
Add User to Group
aws iam add-user-to-group --user-name developer --group-name Developers
Remove User from Group
aws iam remove-user-from-group --user-name developer --group-name Developers
List Groups
# List all groups
aws iam list-groups
# List groups for a user
aws iam list-groups-for-user --user-name developer
Delete Group
aws iam delete-group --group-name Developers
Role Management
Create Role
# Create role with trust policy
aws iam create-role \
--role-name EC2S3AccessRole \
--assume-role-policy-document file://trust-policy.json
# Example trust-policy.json for EC2
# {
# "Version": "2012-10-17",
# "Statement": [
# {
# "Effect": "Allow",
# "Principal": {
# "Service": "ec2.amazonaws.com"
# },
# "Action": "sts:AssumeRole"
# }
# ]
# }
Options:
| Option | Description |
|---|---|
| --role-name | Name of the role (required) |
| --assume-role-policy-document | Trust policy (required) |
| --description | Description of the role |
| --max-session-duration | Maximum session duration in seconds (3600–43200, i.e. 1–12 hours) |
| --permissions-boundary | ARN of the policy to set as the permissions boundary |
List Roles
aws iam list-roles
# Filter by path
aws iam list-roles --path-prefix /service-role/
Delete Role
aws iam delete-role --role-name EC2S3AccessRole
Detach all managed policies, delete any inline policies, and remove the role from any instance profile before deleting it.
Assume Role
aws sts assume-role \
--role-arn arn:aws:iam::123456789012:role/MyRole \
--role-session-name MySession
Policy Management
Create Policy
aws iam create-policy \
--policy-name S3ReadOnlyAccess \
--policy-document file://policy.json
# Example policy.json
# {
# "Version": "2012-10-17",
# "Statement": [
# {
# "Effect": "Allow",
# "Action": ["s3:GetObject", "s3:ListBucket"],
# "Resource": "*"
# }
# ]
# }
In real policies, scope "Resource" to the specific bucket and object ARNs rather than "*" wherever possible.
List Policies
# List all policies
aws iam list-policies
# List only customer managed policies
aws iam list-policies --scope Local
# List AWS managed policies
aws iam list-policies --scope AWS
Get Policy Details
# Get policy metadata
aws iam get-policy --policy-arn arn:aws:iam::123456789012:policy/MyPolicy
# Get policy document
aws iam get-policy-version \
--policy-arn arn:aws:iam::123456789012:policy/MyPolicy \
--version-id v1
Attach Policy to User
aws iam attach-user-policy \
--user-name developer \
--policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
Attach Policy to Group
aws iam attach-group-policy \
--group-name Developers \
--policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
Attach Policy to Role
aws iam attach-role-policy \
--role-name EC2S3AccessRole \
--policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
Detach Policies
# Detach from user
aws iam detach-user-policy \
--user-name developer \
--policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
# Detach from role
aws iam detach-role-policy \
--role-name EC2S3AccessRole \
--policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
Delete Policy
aws iam delete-policy --policy-arn arn:aws:iam::123456789012:policy/MyPolicy
Access Keys
Create Access Key
aws iam create-access-key --user-name developer
The SecretAccessKey in the response is shown only once and cannot be retrieved later, so capture it securely at creation time. A user can hold at most two access keys at a time.
List Access Keys
aws iam list-access-keys --user-name developer
Delete Access Key
aws iam delete-access-key \
--user-name developer \
--access-key-id AKIAIOSFODNN7EXAMPLE
Rotate Access Key
# 1. Create new key
aws iam create-access-key --user-name developer
# 2. Update applications with new key
# 3. Deactivate old key
aws iam update-access-key \
--user-name developer \
--access-key-id AKIAIOSFODNN7EXAMPLE \
--status Inactive
# 4. Delete old key
aws iam delete-access-key \
--user-name developer \
--access-key-id AKIAIOSFODNN7EXAMPLE
Before step 3, confirm the old key is no longer in use with `aws iam get-access-key-last-used --access-key-id AKIAIOSFODNN7EXAMPLE`. Deactivating before deleting lets you re-enable the key if something still depends on it.
MFA Management
Enable Virtual MFA
# Create virtual MFA device
aws iam create-virtual-mfa-device \
--virtual-mfa-device-name developer-mfa \
--outfile QRCode.png \
--bootstrap-method QRCodePNG
# Enable MFA for user (requires two consecutive codes)
aws iam enable-mfa-device \
--user-name developer \
--serial-number arn:aws:iam::123456789012:mfa/developer-mfa \
--authentication-code1 123456 \
--authentication-code2 789012
List MFA Devices
aws iam list-mfa-devices --user-name developer
Deactivate MFA
aws iam deactivate-mfa-device \
--user-name developer \
--serial-number arn:aws:iam::123456789012:mfa/developer-mfa
Password Management
Set Password Policy
aws iam update-account-password-policy \
--minimum-password-length 14 \
--require-symbols \
--require-numbers \
--require-uppercase-characters \
--require-lowercase-characters \
--allow-users-to-change-password \
--max-password-age 90 \
--password-reuse-prevention 24
This operation does not support partial updates: any option you omit reverts to its default value, so always pass the full set of settings.
Create Login Profile
aws iam create-login-profile \
--user-name developer \
--password "TempPassword123!" \
--password-reset-required
Passing the password on the command line exposes it in shell history and to other users via the process list; for anything beyond a throwaway test, supply the parameters from a file with `--cli-input-json file://login-profile.json` and delete the file afterwards.
Change Password
aws iam change-password \
--old-password "OldPassword123!" \
--new-password "NewPassword456!"
This changes the password of the IAM user making the call. The same shell-history and process-list caveat as for create-login-profile applies; `--cli-input-json file://...` avoids putting passwords on the command line.
Instance Profiles
Create Instance Profile
aws iam create-instance-profile --instance-profile-name EC2S3AccessProfile
Add Role to Instance Profile
aws iam add-role-to-instance-profile \
--instance-profile-name EC2S3AccessProfile \
--role-name EC2S3AccessRole
List Instance Profiles
aws iam list-instance-profiles
Account Information
Get Account Summary
aws iam get-account-summary
Generate Credential Report
# Generate report
aws iam generate-credential-report
# Download report
aws iam get-credential-report --query 'Content' --output text | base64 -d
Report generation is asynchronous: re-run generate-credential-report until its State is COMPLETE, otherwise get-credential-report returns an error. The decoded CSV lists every user's password, access-key and MFA status, so treat it as sensitive and do not leave it in a shared location.
Get Account Authorization Details
aws iam get-account-authorization-details