This assumes you have already configured the aws command line tool. If not, check out my article on Getting Started with the AWS CLI.

• An IAM Policy allows certain actions (such create) on certain resources (such as EC2)
• An IAM User is typically a users account (such as john.doe) that contains an IAM Identity-Based Policy that allows certain actions (such as list) on certain resources (such S3)
• An IAM Role contains an IAM Policy that allows certain actions (such create) on certain resources (such as EC2) - Let's say the Identity-Based Policy attached to john.doe does NOT allow create S3 - john.doe could Assume a Role that allows create S3
  • Assume Role or Switch Role using Python boto3
  • Assume Role or Switch Role using Terraform
  • Assume Role or Switch Role using the AWS CLI
  • Often, a Role will have two Policies:
    • Trust Relationship
    • Permission Policy

The aws iam list-users command can be used to list the IAM users that have been created.

~]$ aws iam list-users
{
    "Users": [
        {
            "Path": "/",
            "UserName": "john.doe",
            "UserId": "AIDAABCDL76GLUA6B21234",
            "Arn": "arn:aws:iam::123456789012:user/john.doe",
            "CreateDate": "2022-09-13T11:13:03+00:00"
        }
    ]
}

The aws iam list-users command can be used to list the IAM users that have been created.

~]$ aws iam list-users
{
    "Users": [
        {
            "Path": "/",
            "UserName": "john.doe",
            "UserId": "AIDAABCDL76GLUA6B21234",
            "Arn": "arn:aws:iam::123456789012:user/john.doe",
            "CreateDate": "2022-09-13T11:13:03+00:00"
        }
    ]
}

The aws iam list-access-keys command can be used to list the access key ID associated with a user. Notice in this example that the Access Key is Active.

~]$ aws iam list-access-keys --user-name john.doe
{
    "AccessKeyMetadata": [
        {
            "UserName": "john.doe",
            "AccessKeyId": "AKIA2MABCD6GDQ1234RY",
            "Status": "Active",
            "CreateDate": "2022-09-13T11:13:04+00:00"
        }
    ]
}

The aws iam update-access-key command can be used to update a users Access Key to Active or Inactive.

The aws iam delete-access-key command can be used to delete an access key.

The aws iam create-access-key command can be used to create a new access key.

aws iam update-access-key --access-key-id AKIA2MABCD6GDQ1234RY --status Inactive --user-name john.doe

The aws iam update-access-key command is a bit strange in that no output will be returned so you will want to reissue the aws iam list-access-keys command. Notice in this example that the Access Key is now Inactive.

~]$ aws iam list-access-keys --user-name john.doe
{
    "AccessKeyMetadata": [
        {
            "UserName": "john.doe",
            "AccessKeyId": "AKIA2MABCD6GDQ1234RY",
            "Status": "Inactive",
            "CreateDate": "2022-09-13T11:13:04+00:00"
        }
    ]
}