Skip to main content

iam

user

$ aws iam list-users --query 'Users[?UserName==`<username>`]'
$ aws iam get-user --user-name <username>

$ aws iam create-user --user-name <username>
$ aws iam tag-user --user-name <username> --tags '{"Key":"name","Value":"test"}'

$ aws iam delete-user --user-name <username>

login profile

$ aws iam get-login-profile --user-name <username>
$ aws iam create-login-profile --generate-cli-skeleton > create-login-profile.json

$ jq '.' create-login-profile.json
{
  "UserName": "<username>",
  "Password": "<initialpassword>",
  "PasswordResetRequired": true
}
$ aws iam create-login-profile --user-name <username> --cli-input-json file://create-login-profile.json

group

$ aws iam list-groups  --query 'Groups[?GroupName==`<groupname>`]'
$ aws iam create-group --group-name <groupname>

$ aws iam delete-group --group-name <groupname>

policy

$ aws iam list-policies --query 'Policies[?PolicyName==`<policyname>`]'
$ aws iam get-policy --policy-arn <policyarn>

$ jq . policy.json 
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": "*"
    }
  ]
}

$ aws iam create-policy --policy-name <policyname> --policy-document file://policy.json

$ aws iam list-policy-versions --policy-arn <policyarn>
$ aws iam get-policy-version --policy-arn <policyarn> --version-id v1
$ aws iam create-policy-version --policy-arn <policyarn> --policy-document file://policy_v2.json
$ aws iam set-default-policy-version --policy-arn <policyarn> --version-id v1

$ aws iam delete-policy-version --policy-arn <policyarn> --version-id v2
$ aws iam delete-policy --policy-arn <policyarn>

sample policy for allow change password

$ jq '.' policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:GetAccountPasswordPolicy",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:ChangePassword",
      "Resource": "<userarn>"
    }
  ]
}

add user to group

$ aws iam list-groups-for-user --user-name <username>
$ aws iam add-user-to-group --group-name <groupname> --user-name <username>

$ aws iam remove-user-from-group --group-name <groupname> --user-name <username>

attach policy to user

$ aws iam list-attached-user-policies --user-name <username>
$ aws iam attach-user-policy --user-name <username> --policy-arn "<policyarn>"
$ aws iam detach-user-policy --user-name <username> --policy-arn "<policyarn>"

attach policy to group

$ aws iam list-attached-group-policies --group-name <groupname>
$ aws iam attach-group-policy --group-name <groupname> --policy-arn "<policyarn>"
$ aws iam detach-group-policy --group-name <groupname> --policy-arn "<policyarn>"

role

$ aws iam list-roles --query 'Roles[?RoleName==`<rolename>`]'
$ jq . assumepolicy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
$ aws iam create-role --role-name <rolename> --assume-role-policy-document file://assumepolicy.json

(Before you delte role, you must remove roles from instance profile.)

$ aws iam delete-role --role-name <rolename>

attach policy to role

$ aws iam list-attached-role-policies --role-name <rolename>
$ aws iam attach-role-policy --role-name <rolename> --policy-arn <policyarn>
$ aws iam detach-role-policy --role-name <rolename> --policy-arn <policyarn>

add role to instance profile

$ aws iam list-instance-profiles-for-role --role-name <rolename>
$ aws iam add-role-to-instance-profile --instance-profile-name <rolename> --role-name <rolename>
$ aws iam remove-role-from-instance-profile --instance-profile-name <rolename> --role-name <rolename>

associate iam instance profile

$ aws ec2 describe-iam-instance-profile-associations 
$ aws ec2 associate-iam-instance-profile --iam-instance-profile '{"Arn":"<rolearn>","Name":"<rolename>"}' --instance-id <instanceid>
$ aws ec2 disassociate-iam-instance-profile --association-id <associationid>

access key

$ aws iam list-access-keys --user-name <user-name>
$ aws iam get-access-key-last-used --access-key-id <access-key-id>

$ aws iam create-access-key --user-name <user-name>
$ aws iam update-access-key --user-name <user-name> --access-key-id <access-key-id> --status Inactive
$ aws iam delete-access-key --user-name <user-name> --access-key-id <access-key-id>

cloudformation sample template

    TestLambdaRole:
      Type: AWS::IAM::Role
      Properties:
        AssumeRolePolicyDocument:
          Version: 2012-10-17
          Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
        Tags:
          - "Key": "Name"
            "Value": "test"
    AllowAccessDynamoDBTable:
      Type: "AWS::IAM::Policy"
      Properties:
        PolicyName: "AllowAccessDynamoDBTable"
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: "Allow"
              Action:
                - dynamodb:GetItem
                - dynamodb:PutItem
                - dynamodb:DeleteItem
              Resource: !GetAtt TestDynamoDBTable.Arn
        Roles:
          - !Ref TestLambdaRole