AWS CLI & IAM: Complete Guide with examples
Introduction
AWS Identity & Access Management (IAM) provides fine-grained access control across AWS services. In this article, we will look at how to use the AWS CLI to perform common IAM operations.
Table of contents
- Introduction
- How to create a new user?
- How to list all users?
- How to update a user?
- How to create an IAM policy?
- How to list all IAM policies?
- How to create an IAM role?
- How to attach an IAM policy to a user?
- How to list all policies attached to a user?
- How to attach an IAM policy to an IAM role?
- How to list all policies attached to a role?
Prerequisites
- AWS CLI
- AWS Credentials: If you haven't set up your AWS credentials before, this resource from AWS is helpful.
How to create a new user?
We will be using the create-user subcommand to create a new IAM user. The arguments needed for this command are:
user-name: Name of the user you want to create
aws iam create-user --user-name learnaws-test
Output:
{
"User": {
"Path": "/",
"UserName": "learnaws-test",
"UserId": "AIDA2V2OH2EKCJX62PGX5",
"Arn": "arn:aws:iam::XXXX:user/learnaws-test",
"CreateDate": "2022-02-05T20:54:53+00:00"
}
}
How to list all users?
We can use the list-users subcommand to list all IAM users in a particular AWS account.
aws iam list-users
Output:
{
"Users": [
{
"Path": "/",
"UserName": "learnaws-test",
"UserId": "AIDA2V2OH2EKCJX62PGX5",
"Arn": "arn:aws:iam::XXXX:user/learnaws-test",
"CreateDate": "2022-02-05T20:54:53+00:00"
}
]
}
How to update a user?
We can update the name of a user using the update-user command.
aws iam update-user --user-name learnaws-test --new-user-name learnaws-new
We can then run the list-users command as seen above to confirm that our change has been applied.
How to create an IAM policy?
We will use the create-policy command to create a new IAM policy. The arguments needed to create a new policy are:
policy-name: Name of the IAM policy
policy-document: Policy document in JSON format
We will create a new IAM policy that provides permission for certain operations within DynamoDB. The policy document looks like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:GetItem",
"dynamodb:Scan"
],
"Resource": "*"
}
]
}
We can then create the policy using the following command:
aws iam create-policy --policy-name learnaws-dynamo-policy --policy-document file://iam-policy.json
Output:
{
"Policy": {
"PolicyName": "learnaws-dynamo-policy",
"PolicyId": "ANPA2V2OH2EKDAS3RWBHT",
"Arn": "arn:aws:iam::XXXX:policy/learnaws-dynamo-policy",
"Path": "/",
"DefaultVersionId": "v1",
"AttachmentCount": 0,
"PermissionsBoundaryUsageCount": 0,
"IsAttachable": true,
"CreateDate": "2022-02-05T21:00:21+00:00",
"UpdateDate": "2022-02-05T21:00:21+00:00"
}
}
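The policy above grants GetItem and Scan on "Resource": "*", that is, on every DynamoDB table in the account. The script below is an added example, not code from the original article: it writes the same read-only policy scoped to a single table ARN, checks the document for a wildcard resource before calling create-policy, and refuses to create the policy if one is present. The table ARN, policy name and file name are constructed placeholders; the check is a plain textual grep, not a full policy parser.

```shell
#!/bin/sh
# Added example (not from the original article): build the DynamoDB read-only
# policy scoped to one table and refuse to create it if the document still
# grants on every resource. Table ARN and names below are placeholders.

# Print a policy document allowing GetItem and Scan on the table ARN in $1.
dynamo_read_policy() {
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["dynamodb:GetItem", "dynamodb:Scan"],
      "Resource": "$1"
    }
  ]
}
EOF
}

# Return 0 (true) if the document in file $1 contains "Resource": "*" or
# "Resource": ["*" ...]. This is a simple textual check, not a policy parser.
policy_has_wildcard_resource() {
    grep -Eq '"Resource"[[:space:]]*:[[:space:]]*\[?[[:space:]]*"\*"' "$1"
}

# Write the scoped document for table $3 to file $2, then create the policy
# named $1 from it, unless the document grants on a wildcard resource.
create_policy_checked() {
    policy_name="$1"; doc_file="$2"; table_arn="$3"
    dynamo_read_policy "$table_arn" > "$doc_file"
    if policy_has_wildcard_resource "$doc_file"; then
        echo "refusing to create $policy_name: document grants on every resource" >&2
        return 1
    fi
    aws iam create-policy --policy-name "$policy_name" --policy-document "file://$doc_file"
}

# Usage against a configured AWS CLI (placeholder account id and table):
#   sh this-script.sh learnaws-dynamo-policy iam-policy.json \
#       arn:aws:dynamodb:us-east-1:123456789012:table/learnaws-table
if [ "$#" -eq 3 ]; then
    create_policy_checked "$@"
fi
```

Passing "*" as the table ARN reproduces the article's original document and is rejected; passing a real table ARN produces a document that create-policy accepts as-is.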
How to list all IAM policies?
We can use the list-policies command to list IAM policies. Without a scope filter it also returns every AWS managed policy, so pass --scope Local to list only the policies created in your account, which is what the output below shows.
aws iam list-policies --scope Local
Output:
{
"Policies": [
{
"PolicyName": "learnaws-dynamo-policy",
"PolicyId": "ANPA2V2OH2EKDAS3RWBHT",
"Arn": "arn:aws:iam::xxxx:policy/learnaws-dynamo-policy",
"Path": "/",
"DefaultVersionId": "v1",
"AttachmentCount": 0,
"PermissionsBoundaryUsageCount": 0,
"IsAttachable": true,
"CreateDate": "2022-02-05T21:00:21+00:00",
"UpdateDate": "2022-02-05T21:00:21+00:00"
}
]
}
How to create an IAM role?
We will use the create-role subcommand to create a new IAM role. The arguments for this command are:
role-name: Name of the IAM role
assume-role-policy-document: Trust relationship policy document (in JSON) that grants an entity permission to assume this role
In this example, we will create an IAM role whose trust policy allows the AWS Glue service (as principal) to assume it. The trust policy document looks like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "glue.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
After saving the trust policy document to a file, we create the new IAM role as follows:
aws iam create-role --role-name learnaws-glue-role --assume-role-policy-document file://iam-assume-policy.json
Output:
{
"Role": {
"Path": "/",
"RoleName": "learnaws-glue-role",
"RoleId": "AROA2V2OH2EKLR7MUL26T",
"Arn": "arn:aws:iam::XXXXX:role/learnaws-glue-role",
"CreateDate": "2022-02-05T21:06:29+00:00",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "glue.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
}
}
How to attach an IAM policy to a user?
The attach-user-policy command can be used to attach an IAM policy to a user. The arguments for the command are:
user-name: Name of the IAM user
policy-arn: ARN of the IAM policy you want to attach
In this example, we will attach the DynamoDB IAM policy we created earlier to the IAM user we created earlier (now named learnaws-new after the rename above).
aws iam attach-user-policy --user-name learnaws-new --policy-arn arn:aws:iam::XXX:policy/learnaws-dynamo-policy
How to list all policies attached to a user?
We can use the list-attached-user-policies command to list all IAM policies attached to a user.
aws iam list-attached-user-policies --user-name learnaws-new
Output:
{
"AttachedPolicies": [
{
"PolicyName": "learnaws-dynamo-policy",
"PolicyArn": "arn:aws:iam::XXX:policy/learnaws-dynamo-policy"
}
]
}
How to attach an IAM policy to an IAM role?
The attach-role-policy command can be used to attach an IAM policy to an IAM role. The arguments for the command are:
role-name: Name of the IAM role
policy-arn: ARN of the IAM policy you want to attach
aws iam attach-role-policy --role-name learnaws-glue-role --policy-arn arn:aws:iam::XXX:policy/learnaws-dynamo-policy
How to list all policies attached to a role?
We can use the list-attached-role-policies command to list all IAM policies attached to a role.
aws iam list-attached-role-policies --role-name learnaws-glue-role
Output:
{
"AttachedPolicies": [
{
"PolicyName": "learnaws-dynamo-policy",
"PolicyArn": "arn:aws:iam::xxxx:policy/learnaws-dynamo-policy"
}
]
}
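The attach-user-policy and attach-role-policy sections above call the attach command and then list the attachments by hand. The script below is an added example, not code from the original article, that ties the two steps together for either a user or a role: it reads the current attachments back with the matching list-attached-*-policies command (using --query and --output text to get bare ARNs), skips the attach when the policy is already present, and only reports success once the attachment is visible on read-back. The user and role names and the policy ARN are placeholders; the script assumes a configured AWS CLI.

```shell
#!/bin/sh
# Added example (not from the original article): attach a managed policy to a
# user or role and confirm it by reading the attachment back. Names and the
# policy ARN in the usage comment are placeholders.

# Print the ARNs of managed policies attached to a user or role, one per line.
# $1 is "user" or "role", $2 is the user or role name. The CLI prints a text
# list query as one tab-separated line, so tabs are turned into newlines.
attached_policy_arns() {
    kind="$1"; name="$2"
    aws iam "list-attached-${kind}-policies" "--${kind}-name" "$name" \
        --query 'AttachedPolicies[].PolicyArn' --output text | tr '\t' '\n'
}

# Return 0 (true) if policy ARN $3 is attached to $1/$2.
is_attached() {
    attached_policy_arns "$1" "$2" | grep -Fxq "$3"
}

# Attach policy ARN $3 to $1/$2 unless already attached, then verify.
attach_and_verify() {
    kind="$1"; name="$2"; policy_arn="$3"
    if is_attached "$kind" "$name" "$policy_arn"; then
        echo "already attached: $policy_arn -> $kind/$name"
        return 0
    fi
    aws iam "attach-${kind}-policy" "--${kind}-name" "$name" --policy-arn "$policy_arn"
    if is_attached "$kind" "$name" "$policy_arn"; then
        echo "verified: $policy_arn -> $kind/$name"
    else
        echo "attach not visible on read-back: $policy_arn -> $kind/$name" >&2
        return 1
    fi
}

# Usage against a configured AWS CLI (placeholder account id):
#   sh this-script.sh role learnaws-glue-role \
#       arn:aws:iam::123456789012:policy/learnaws-dynamo-policy
#   sh this-script.sh user learnaws-new \
#       arn:aws:iam::123456789012:policy/learnaws-dynamo-policy
if [ "$#" -eq 3 ]; then
    attach_and_verify "$@"
fi
```

Because the verification reads the attachment list back rather than trusting the attach call's exit status, the same function doubles as a quick audit: calling attached_policy_arns on a user or role shows exactly which managed policies it carries.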