How to use/manage AWS IAM using AWS CLI

AWS IAM stands for AWS Identity and Access Management. We will see here how we can create IAM Users and IAM Groups using AWS CLI commands.

This is very important service which help us to manage and deploy AWS infrastructure securely. We can create users and groups using IAM and set them permissions to allow or deny them to specific AWS resources.

AWS IAM service provides following features:

• Secure AWS Account
• Identity Management Framework
• Centralized control over all AWS users and groups
• Fine Grained Control
• Flexibility
• In-built security policies
• Multilevel management i.e Users, Groups & Permissions
• Easy to configure and manage using AWS management console, AWS CLI, AWS Power Shell or AWS software development kit (SDK)

Lets see some examples using CLI....

List all users and create new users using CLI

>> aws iam list-users

This command will list all users present in our AWS account.

There are two type of account we can create, that are Root Account and IAM User Account

1. Root Account:
Root account is used to setup an AWS subscription when you first time create your AWS account. You can sign in to AWS account using root account username and password.

2. IAM User Account:
These are regular IAM user by which you can provide these user to sign' in to your AWS account with specific permissions and controls to access AWS resources to manage AWS account securely.

How to create new IAM user via CLI commands:

>> aws iam create-user --user-name pgtestuser

Using above command we can create a new IAM user having username 'pgtestuser'

Lets see how to create users IAM group. The IAM user group is collection of IAM users. If number of users needs similar permissions then we can create a group and assign them rather than granting these permissions to each users. Also one user can be part of multiple groups and note one thing that AWS IAM groups can not be nested.

How to create IAM group and add user to that group:

>>  aws iam create-group --group-name pggroup

Here we have just created 'pggroup' group and now lets add user to that group.

>> aws iam add-user-to-group --user-name pgtestuser --group-name pggroup

After this command executed the user 'pgtestuser' will be assigned to group 'pggroup'.

We can verify this from AWS console management from IAM Group menu.

How to get group details and it's users inside that group:

>> aws iam get-group --group-name pggroup


IAM Authentication Methods:

There are three types of authentication methods provided by AWS.

1. Username / Password
2. API Access Key 
3. Multi Factor Token

How to login IAM user using username / password authentication:

Before that first assign username and password to this user by using command below.

>> aws iam create-login-profile --user-name pgtestuser --password testpassword

This will set password to user 'pgtestuser'

How to authenticate IAM user using API Access Key:

API stands for Application programming interface. API keys allows other program or script to login within our AWS cloud programatically and interact with AWS resources. So using API Access Key other program or script can access resources.

Lets see how we can setup or create this API access key using CLI for a specific user.

>> aws iam create-access-key -user-name pgtestuser

Please make note that, it is essentials to store the key details in safe location for future usage, because the key details is only available while creation of these keys. In case if you loose the key, it is recommended to delete old key set and create new.

Lets see how to delete access keys. You can get user access key id from AWS console management.

>> aws iam delete -access-key --user-name pgtestuser -- access-key-id EnterYourAccessKeyId

Note, one user can have multiple access keys and it is not mandatory to delete old key before creating new but this is not recommended approach.

How to create access key for specific user and store that key details in a key.txt file for security purpose:

>> aws iam create-access-key --user-name pgtestuser >> key.txt

Lets verify key details by opening key.txt file using any editor.

>> sudo vim key.txt

Once you enter this command, it will display key details. Also you can verify it from AWS management console.


Happy Learning AWS Services!!!! :) Still Doubts? lets put your questions in below comment box! Thanks!

Watch Practical Video: