This assumes you have already configured the aws command line tool. If not, check out my article on Getting Started with the AWS CLI.

• An IAM Policy allows certain actions (such create) on certain resources (such as EC2)
• An IAM User is typically a users account (such as john.doe) that contains an IAM Identity-Based Policy that allows certain actions (such as list) on certain resources (such S3)
• An IAM Role contains an IAM Policy that allows certain actions (such create) on certain resources (such as EC2) - Let's say the Identity-Based Policy attached to john.doe does NOT allow create S3 - john.doe could Assume a Role that allows create S3
  • Assume Role or Switch Role using Python boto3
  • Assume Role or Switch Role using Terraform
  • Assume Role or Switch Role using the AWS CLI
  • Often, a Role will have two Policies:
    • Trust Relationship
    • Permission Policy

The aws iam create-user command can be used to create an IAM (Identity and Access Management) and User.

~]$ aws iam create-user --user-name john.doe
{
    "User": {
        "Path": "/",
        "UserName": "john.doe",
        "UserId": "AIDA2MITL76GEGJVOF3OP",
        "Arn": "arn:aws:iam::711234074567:user/john.doe",
        "CreateDate": "2023-04-13T01:54:16+00:00"
    }
}

The aws iam list-users command can be used to see that the user account was created.

~]$ aws iam list-users
{
    "Users": [
        {
            "Path": "/",
            "UserName": "john.doe",
            "UserId": "AIDAABCDL76GLUA6B21234",
            "Arn": "arn:aws:iam::711234074567:user/john.doe",
            "CreateDate": "2022-09-13T11:13:03+00:00"
        }
    ]
}

You may want to use the aws iam create-login-profile command to set the users initial password with a requirement for the user to reset their password.

aws iam create-login-profile --user-name john.doe --password itsasecret --password-reset-required

Notice in this example that the users ARN (Amazon Resource Number) contains 711234074567. When signing into the AWS web browser console, the account ID can be used. Or, the user can go directly to https://<account ID>.signin.aws.amazon.com/console (e.g. https://711234074567.signin.aws.amazon.com/console).

Secret Key and Access Key

The aws iam list-access-keys command can be used to see that, by default, the user account will have not have an Access key and Secret Key.

~]$ aws iam list-access-keys --user-name john.doe
{
    "AccessKeyMetadata": []
}

And then use the aws iam create-access-key command to create a new Access Key and Secret Key. Notice that the output will include both the access key ID and value. Make note of the value! This is your one and only chance to get the Secret Key.

~]$ aws iam create-access-key --user-name john.doe
{
    "AccessKey": {
        "UserName": "john.doe",
        "AccessKeyId": "AKIAABDCL76GBNCJ1235",
        "Status": "Active",
        "SecretAccessKey": "4FGkm30sdf-0m234dfAVMAD2340-dsfaADV324df",
        "CreateDate": "2023-03-22T01:55:29+00:00"
    }
}

And then use the aws configure set aws_access_key_id and aws configure set aws_secret_access_key commands to update your hidden .aws/credentials file with the Secret Key and Access Key.

aws configure set aws_access_key_id AKIAABDCL76GBNCJ1235 --profile john.doe
aws configure set aws_secret_access_key 4FGkm30sdf-0m234dfAVMAD2340-dsfaADV324df --profile john.doe

Now your hidden .aws/credentials file should contain something like this.

~]$ cat ~/.aws/credentials 
[john.doe]
aws_secret_access_key = 4FGkm30sdf-0m234dfAVMAD2340-dsfaADV324df
aws_access_key_id = AKIAABDCL76GBNCJ1235

And use the aws configure set region command to set the region the user account is in.

aws configure set region us-east-1 --profile john.doe

Now your hidden .aws/config file should contain something like this.

~]$ cat ~/.aws/config
[profile john.doe]
region = us-east-1

IAM Policy

The aws iam list-attached-user-policies command can be used to see that by default, no policies are attached to the newly created user.

~]$ aws iam list-attached-user-policies --user-name john.doe
{
    "AttachedPolicies": []
}

If we try to do something as the user, such as listing S3 Buckets using the aws s3api list-buckets command, Access Denied should be returned, because no IAM Policy has been attached to the User account, thus the user does not have permission to list S3 Buckets.

~]$ aws s3api list-buckets --profile john.doe

An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied

Let's use the aws iam attach-user-policy command to attach the arn:aws:iam::aws:policy/AmazonS3FullAccess Policy so that john.doe can list S3 Buckets. Be aware that to do this, you will need to use some other profile that has the iam:AttachUserPolicy. For example, this could be done using the root profile which has AdministratorAccess. In this example, I used the root profile, which has AdministratorAccess.

aws iam attach-user-policy --user-name john.doe --policy-arn arn:aws:iam::aws:policy/AmazonS3FullAccess --profile root

And now the user can list the S3 Buckets.

~]$ aws s3api list-buckets --profile johndoe
{
    "Buckets": [
        {
            "Name": "my-bucket-foo",
            "CreationDate": "2024-04-19T01:38:37+00:00"
        },
        {
            "Name": "my-bucket-bar",
            "CreationDate": "2023-07-21T23:17:02+00:00"
        }
    ],
    "Owner": {
        "DisplayName": "jack.doe"
    }
}