In the last article, we learned to manage IAM users with Python. Today we are going to perform the same operations using the AWS CLI. Let’s get started.

Creating IAM User in CLI

We can create an IAM user using the “create-user” command. We can get information about any AWS CLI command using its help option. When you run the “aws iam create-user help” command you will see the following output.

[Screenshot: output of aws iam create-user help]

To create a user we only need to give the user name, which is required; all other parameters are optional.

mahesh@mahesh:~$ aws iam create-user \
> --user-name 'cli_first_user'
{
    "User": {
        "Path": "/",
        "UserName": "cli_first_user",
        "UserId": "AIDAS3CARBCBUS63MIFZT",
        "Arn": "arn:aws:iam::195556345987:user/cli_first_user",
        "CreateDate": "2019-08-18T09:14:38Z"
    }
}

We can also add tags to a new user while creating it.

mahesh@mahesh:~$ aws iam create-user \
> --user-name 'cli_second_user' \
> --tags Key="Env",Value="Dev"
{
    "User": {
        "Path": "/",
        "UserName": "cli_second_user",
        "UserId": "AIDAS3CARBCB4CSIWUMHE",
        "Arn": "arn:aws:iam::195556345987:user/cli_second_user",
        "CreateDate": "2019-08-18T09:19:51Z",
        "Tags": [
            {
                "Key": "Env",
                "Value": "Dev"
            }
        ]
    }
}

Attaching Policy to IAM user

When we create a new user, it does not have any permission to access AWS resources. We have to grant the required permissions to each user, which we do by attaching IAM policies to the user. Let us attach the S3 read-only policy to a user using the AWS CLI.

mahesh@mahesh:~$ aws iam attach-user-policy \
> --user-name 'cli_first_user' \
> --policy-arn 'arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess'

We can validate in the AWS console that this user now has the S3 read-only policy.

Adding user to a group using AWS CLI

Attaching policies to individual users is not feasible when you have hundreds of users. It is considered a best practice to create IAM groups and attach policies to the group; this way, we can manage user permissions at the group level easily. We need to make sure that the group already exists before we add a user to it. Let us see how we create an IAM group and then add a user to that group.

# command creating IAM Group
mahesh@mahesh:~$ aws iam create-group \
> --group-name 'HR'
{
    "Group": {
        "Path": "/",
        "GroupName": "HR",
        "GroupId": "AGPAS3CARBCB7H4NRBUHW",
        "Arn": "arn:aws:iam::195556345987:group/HR",
        "CreateDate": "2019-08-18T09:34:55Z"
    }
}

# adding user to IAM Group
mahesh@mahesh:~$ aws iam add-user-to-group \
> --group-name 'HR' \
> --user-name 'cli_second_user'

We can validate in the console that the user has been added to the HR group.
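One way to check that permissions really are being managed at the group level is to report every user that still carries policies directly, either attached with attach-user-policy or embedded inline. The script below is added here as an example and is not part of the original article; it assumes a configured AWS CLI whose identity is allowed to call iam:ListUsers, iam:ListAttachedUserPolicies and iam:ListUserPolicies.

```shell
#!/bin/sh
# Added example (not code from the original article): report IAM users that hold
# policies directly instead of inheriting them through groups.
# Assumes a configured AWS CLI with the three list permissions used below.
set -e

# Print "<user> attached=<n> inline=<n>" for every user with a direct policy.
users_with_direct_policies() {
    for u in $(aws iam list-users --query 'Users[].UserName' --output text); do
        # Managed policies attached with attach-user-policy
        a=$(aws iam list-attached-user-policies --user-name "$u" \
                --query 'length(AttachedPolicies)' --output text)
        # Inline policies embedded with put-user-policy
        i=$(aws iam list-user-policies --user-name "$u" \
                --query 'length(PolicyNames)' --output text)
        if [ "$a" -gt 0 ] || [ "$i" -gt 0 ]; then
            printf '%s\tattached=%s\tinline=%s\n' "$u" "$a" "$i"
        fi
    done
}

# Usage: sh audit_direct_policies.sh run
# A non-empty report means permissions are drifting away from group management.
if [ "$#" -eq 1 ] && [ "$1" = run ]; then users_with_direct_policies; fi
```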

Listing all users in AWS account in CLI

Listing all users in IAM is very easy. We can use the following command.

mahesh@mahesh:~$ aws iam list-users
{
    "Users": [
        {
            "Path": "/",
            "UserName": "cli_first_user",
            "UserId": "AIDAS3CARBCBUS63MIFZT",
            "Arn": "arn:aws:iam::195556345987:user/cli_first_user",
            "CreateDate": "2019-08-18T09:14:38Z"
        },
        {
            "Path": "/",
            "UserName": "cli_second_user",
            "UserId": "AIDAS3CARBCB4CSIWUMHE",
            "Arn": "arn:aws:iam::195556345987:user/cli_second_user",
            "CreateDate": "2019-08-18T09:19:51Z"
        }
    ]
}

If there are hundreds of users, we can limit the number of users returned by this command using the --max-items option.

Get user Details

We can get details about a specific user using the ‘get-user’ command.

mahesh@mahesh:~$ aws iam get-user \
> --user-name 'cli_first_user'
{
    "User": {
        "Path": "/",
        "UserName": "cli_first_user",
        "UserId": "AIDAS3CARBCBUS63MIFZT",
        "Arn": "arn:aws:iam::195556345987:user/cli_first_user",
        "CreateDate": "2019-08-18T09:14:38Z"
    }
}

Delete user

There are often cases where we need to delete an IAM user. But before deleting the user we need to remove it from all groups that the user is part of. We also need to detach the individual policies attached to that user. Only then can we delete the user. Let us write CLI commands to achieve this.

#removing user from group
mahesh@mahesh:~$ aws iam remove-user-from-group \
> --user-name 'cli_second_user' \
> --group-name 'HR'

#deleting user
mahesh@mahesh:~$ aws iam delete-user \
> --user-name 'cli_second_user'

#detaching policy from user
mahesh@mahesh:~$ aws iam detach-user-policy \
> --user-name 'cli_first_user' \
> --policy-arn 'arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess'

#deleting user
mahesh@mahesh:~$ aws iam delete-user \
> --user-name 'cli_first_user'
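The two users above each had exactly one dependency, but delete-user is refused with an error whenever anything is still attached to the user. The following offboarding script is added here as an example, not code from the article: it generalises the remove-user-from-group and detach-user-policy steps to any number of groups and policies, and also clears the inline policies, access keys, MFA devices and console password that delete-user likewise refuses to leave behind. It assumes a configured AWS CLI whose identity is allowed to perform these IAM actions.

```shell
#!/bin/sh
# Added example, not code from the original article. DeleteUser is refused while
# the user still has group memberships, attached or inline policies, access keys,
# an MFA device or a console password, so each dependency is removed first.
# Assumes a configured AWS CLI whose identity may perform these IAM actions.
set -e

# Run an IAM list command for a user and print one result per line.
iam_query() {            # iam_query <list-subcommand> <user-name> <JMESPath>
    out=$(aws iam "$1" --user-name "$2" --query "$3" --output text)
    printf '%s\n' "$out" | tr '\t' '\n' | sed '/^$/d; /^None$/d'
}

delete_iam_user() {      # delete_iam_user <user-name>
    user="$1"
    # 1. Leave every group (the article's remove-user-from-group step, generalised).
    for g in $(iam_query list-groups-for-user "$user" 'Groups[].GroupName'); do
        aws iam remove-user-from-group --user-name "$user" --group-name "$g"
    done
    # 2. Detach managed policies (the article's detach-user-policy step, generalised).
    for p in $(iam_query list-attached-user-policies "$user" 'AttachedPolicies[].PolicyArn'); do
        aws iam detach-user-policy --user-name "$user" --policy-arn "$p"
    done
    # 3. Delete inline policies embedded in the user.
    for p in $(iam_query list-user-policies "$user" 'PolicyNames'); do
        aws iam delete-user-policy --user-name "$user" --policy-name "$p"
    done
    # 4. Delete access keys, which also revokes any credentials still in circulation.
    for k in $(iam_query list-access-keys "$user" 'AccessKeyMetadata[].AccessKeyId'); do
        aws iam delete-access-key --user-name "$user" --access-key-id "$k"
    done
    # 5. Deactivate MFA devices assigned to the user.
    for m in $(iam_query list-mfa-devices "$user" 'MFADevices[].SerialNumber'); do
        aws iam deactivate-mfa-device --user-name "$user" --serial-number "$m"
    done
    # 6. Remove the console password; the call fails harmlessly when none exists.
    aws iam delete-login-profile --user-name "$user" 2>/dev/null || true
    # 7. Only now will delete-user succeed.
    aws iam delete-user --user-name "$user"
}

# Usage: sh offboard_user.sh <user-name>
if [ "$#" -eq 1 ]; then delete_iam_user "$1"; fi
```

SSH public keys, signing certificates and service-specific credentials also block deletion if the user ever had them; they are left out here because the article does not use them.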

Conclusion

In this article, we have managed IAM users using the AWS CLI. We have written commands for creating users, listing them, attaching policies to them and deleting them from IAM. These are not the only operations that we can perform using the AWS CLI. In the next articles, we will learn more about AWS and how we can manage its resources using the CLI.

AWS
Mahesh Mogal