In this short guide, I’ll guide you through creation of an AWS IAM users and groups on an AWS Account from the command line interface using AWS CLI. AWS Identity and Access Management (IAM) enables you to manage access to AWS services and resources securely. There are two common ways of creating an AWS IAM User.

One method is from the web console, and the other one that we’ll be exploring is API call to AWS with AWS CLI. AWS CLI is a unified tool to manage your AWS services. We have a guide on how to install AWS CLI. See the link below.

Install and Use AWS CLI on Linux

After the installation and configuration of AWS CLI as detailed in the link, confirm it is working well.

$ aws s3 ls
2020-04-04 22:49:47 ami-image-bucket
2019-11-20 18:27:47 mydemo-bucket

These are the actions that we’ll perform in this guide.

  1. Create an IAM Group
  2. Attach Policy to the group
  3. Create an AWS IAM User
  4. Set initial password for the user and force password change on first login
  5. Add User to IAM Group
  6. Give a user additional IAM policy that grants access to services

Step 1: Create an AWS IAM Group

An IAM group is a collection of IAM users. Groups let you specify permissions for multiple users, which can make it easier to manage the permissions for those users.

I’ll create a group called DB-Admins:

$ aws iam create-group --group-name DB-Admins
{
    "Group": {
        "Path": "/",
        "GroupName": "DB-Admins",
        "GroupId": "AGPARX4Y6JA3GYFUH5RA3",
        "Arn": "arn:aws:iam::120942965047:group/DB-Admins",
        "CreateDate": "2020-05-28T16:59:03Z"
    }
}

You can confirm creation by listing available groups:

$ aws iam list-groups

Step 2: Attach Policy to the group

You can choose to create a new IAM policy which grants or deny access to services or use pre-defined policy that works for your needs.

I’ll use the Database Administrator Policy that already exists in IAM policies list. Before you can attach an existing policy, you’ll need the Amazon Resource Name (ARN) of the IAM policy you want to attach.

You can easily get the ARN of a policy by clicking on the policy name and viewing the Summary.

<img alt="" data-ezsrc="https://kirelos.com/wp-content/uploads/2020/05/echo/aws-create-user-group-cli-01-1024×255.png" data-ez ezimgfmt="rs rscb8 src ng ngcb8 srcset" src="data:image/svg xml,”>

Copy the ARN and use it to attach the policy to IAM user group.

aws iam attach-group-policy --policy-arn arn:aws:iam::aws:policy/IAMUserChangePassword --group-name DB-Admins

aws iam attach-group-policy --policy-arn arn:aws:iam::aws:policy/job-function/DatabaseAdministrator --group-name DB-Admins

More details on Amazon Resource Names (ARNs)

Confirm the changes by listing all the policies attached to the IAM group:

$ aws iam  list-attached-group-policies --group-name DB-Admins
{
    "AttachedPolicies": [
        {
            "PolicyName": "DatabaseAdministrator",
            "PolicyArn": "arn:aws:iam::aws:policy/job-function/DatabaseAdministrator"
        },
        {
            "PolicyName": "IAMUserChangePassword",
            "PolicyArn": "arn:aws:iam::aws:policy/IAMUserChangePassword"
        }
    ]
}

Step 3: Create an AWS IAM User

Now that we have an IAM group with attached policy, we can create an IAM user.

aws iam create-user --user-name Alice --tags '{"Key": "Name", "Value": "Alice Karanja"}'

Set password if user needs to login to AWS Console.

aws iam create-login-profile 
  --user-name Alice 
  --password '3}~L=LMN]KeV3}qZ' 
  --password-reset-required

You can generate complex user passwords with Strong Random Password Generator.

Step 4: Add User to IAM Group

Let’s add the user to the group for it to inherit permissions added to the group.

aws iam add-user-to-group --user-name Alice --group-name  DB-Admins

Step 5: Add additional IAM policy to user

If you want a user to have specific access to resources, you can attach a policy directly to the user. The policy can be pre-defined or the one you’re creating.

Syntax:

aws iam attach-user-policy 
  --policy-arn  
  --user-name Alice

References:

Related guides:

How To Rename IAM User name on AWS

Recommended books: Best Rated AWS Cloud Certifications Preparation Books