Introduction

AWS Identity & Access Management provides fine-grained access control across AWS services. In this article, we will look at how to use the AWS CLI to perform common IAM operations.

Prerequisites

  • AWS CLI
  • AWS Credentials: If you haven’t set up your AWS credentials before, this resource from AWS is helpful.

How to create a new user?

We will be using the create-user subcommand to create a new IAM user. The arguments needed for this command are:

  • user-name: Name of the user you want to create

aws iam create-user --user-name learnaws-test

Output:

{
    "User": {
        "Path": "/",
        "UserName": "learnaws-test",
        "UserId": "AIDA2V2OH2EKCJX62PGX5",
        "Arn": "arn:aws:iam::XXXX:user/learnaws-test",
        "CreateDate": "2022-02-05T20:54:53+00:00"
    }
}

How to list all users?

We can use the list-users subcommand to list all IAM users in a particular AWS account.

aws iam list-users

Output:

{
    "Users": [
        {
            "Path": "/",
            "UserName": "learnaws-test",
            "UserId": "AIDA2V2OH2EKCJX62PGX5",
            "Arn": "arn:aws:iam::XXXX:user/learnaws-test",
            "CreateDate": "2022-02-05T20:54:53+00:00"
        }
    ]
}

How to update a user?

We can update the name of a user using the update-user command.

aws iam update-user --user-name learnaws-test --new-user-name learnaws-new

We can then run the list-users command as seen above to confirm that our change has been applied.

How to create an IAM policy?

We will use the create-policy command to create a new IAM policy. The arguments needed to create a new policy are:

  • policy-name: Name of the IAM policy
  • policy-document: Policy document in JSON format

We will create a new IAM policy that provides permission for certain operations within DynamoDB. The policy document looks like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:GetItem",
                "dynamodb:Scan"
            ],
            "Resource": "*"
        }
    ]
}

We can then create the policy using the following command:

aws iam create-policy --policy-name learnaws-dynamo-policy --policy-document file://iam-policy.json

Output:

{
    "Policy": {
        "PolicyName": "learnaws-dynamo-policy",
        "PolicyId": "ANPA2V2OH2EKDAS3RWBHT",
        "Arn": "arn:aws:iam::XXXX:policy/learnaws-dynamo-policy",
        "Path": "/",
        "DefaultVersionId": "v1",
        "AttachmentCount": 0,
        "PermissionsBoundaryUsageCount": 0,
        "IsAttachable": true,
        "CreateDate": "2022-02-05T21:00:21+00:00",
        "UpdateDate": "2022-02-05T21:00:21+00:00"
    }
}

How to list all IAM policies?

We can use the list-policies command to list IAM policies. Without a --scope argument the output also includes every AWS managed policy; --scope Local restricts it to the customer-managed policies in the account, which is what the output below shows.

aws iam list-policies --scope Local

Output:

{
    "Policies": [
        {
            "PolicyName": "learnaws-dynamo-policy",
            "PolicyId": "ANPA2V2OH2EKDAS3RWBHT",
            "Arn": "arn:aws:iam::xxxx:policy/learnaws-dynamo-policy",
            "Path": "/",
            "DefaultVersionId": "v1",
            "AttachmentCount": 0,
            "PermissionsBoundaryUsageCount": 0,
            "IsAttachable": true,
            "CreateDate": "2022-02-05T21:00:21+00:00",
            "UpdateDate": "2022-02-05T21:00:21+00:00"
        }
    ]
}

How to create an IAM role?

We will use the create-role subcommand to create a new IAM role. The arguments for this command are:

  • role-name: Name of the IAM role
  • assume-role-policy-document: Trust relationship policy document (in JSON) that grants an entity permission to assume this role

In this example, we will create an IAM role that grants AWS Glue permission to assume the role (as principal).

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "glue.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
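Before handing either document to create-policy or create-role, it is worth checking it for statements broader than the task needs: the DynamoDB policy above, for instance, allows GetItem and Scan on every table in every region because its Resource is "*". The following is an added example, not code from the article: it lints both documents above for wildcard actions, resources and principals, and rewrites the DynamoDB policy so that it is scoped to one table. The function names and the table ARN are assumptions made for the example.

```python
import json

# Constructed input: the DynamoDB permissions policy from the article.
DYNAMO_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["dynamodb:GetItem", "dynamodb:Scan"],
                   "Resource": "*"}],
}

# Constructed input: the trust policy for the Glue role from the article.
GLUE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "glue.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

def _as_list(value):
    """IAM accepts either a string or a list in Action, Resource and Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def policy_findings(doc):
    """Return findings for Allow statements that are broader than they need to be."""
    findings = []
    for i, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if any(a == "*" or a.endswith(":*") for a in _as_list(stmt.get("Action"))):
            findings.append(f"statement {i}: wildcard Action")
        if "*" in _as_list(stmt.get("Resource")):
            findings.append(f"statement {i}: Resource '*' (not scoped to an ARN)")
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS"))):
            findings.append(f"statement {i}: any AWS principal may assume this role")
    return findings

def scope_to_resources(doc, arns):
    """Return a deep copy of doc with every Resource '*' replaced by the given ARNs."""
    scoped = json.loads(json.dumps(doc))  # deep copy; the original document is untouched
    for stmt in _as_list(scoped.get("Statement")):
        if "*" in _as_list(stmt.get("Resource")):
            stmt["Resource"] = list(arns)
    return scoped
```

policy_findings(DYNAMO_POLICY) reports the unscoped Resource, while the Glue trust policy produces no findings; json.dump the result of scope_to_resources to a file and pass that file to create-policy instead of the wildcard version.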

After creating the policy document, we will create a new IAM role as follows:

aws iam create-role --role-name learnaws-glue-role --assume-role-policy-document file://iam-assume-policy.json

Output:

{
    "Role": {
        "Path": "/",
        "RoleName": "learnaws-glue-role",
        "RoleId": "AROA2V2OH2EKLR7MUL26T",
        "Arn": "arn:aws:iam::XXXXX:role/learnaws-glue-role",
        "CreateDate": "2022-02-05T21:06:29+00:00",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "glue.amazonaws.com"
                    },
                    "Action": "sts:AssumeRole"
                }
            ]
        }
    }
}

How to attach an IAM policy to a user?

The attach-user-policy command can be used to attach an IAM policy to a user. The arguments for the command are:

  • user-name: Name of the IAM user
  • policy-arn: ARN of the IAM policy you want to attach

In this example, we will attach the DynamoDB policy we created earlier to the user we created earlier, which has since been renamed to learnaws-new.

aws iam attach-user-policy --user-name learnaws-new --policy-arn arn:aws:iam::XXX:policy/learnaws-dynamo-policy

How to list all policies attached to a user?

We can use the list-attached-user-policies command to list all IAM policies attached to a user.

aws iam list-attached-user-policies --user-name learnaws-new

Output:

{
    "AttachedPolicies": [
        {
            "PolicyName": "learnaws-dynamo-policy",
            "PolicyArn": "arn:aws:iam::XXX:policy/learnaws-dynamo-policy"
        }
    ]
}

How to attach an IAM policy to an IAM role?

The attach-role-policy command can be used to attach an IAM policy to an IAM role. The arguments for the command are:

  • role-name: Name of the IAM role
  • policy-arn: ARN of the IAM policy you want to attach

aws iam attach-role-policy --role-name learnaws-glue-role --policy-arn arn:aws:iam::XXX:policy/learnaws-dynamo-policy

How to list all policies attached to a role?

We can use the list-attached-role-policies command to list all IAM policies attached to a role.

aws iam list-attached-role-policies --role-name learnaws-glue-role

Output:

{
    "AttachedPolicies": [
        {
            "PolicyName": "learnaws-dynamo-policy",
            "PolicyArn": "arn:aws:iam::xxxx:policy/learnaws-dynamo-policy"
        }
    ]
}