This assumes you have already configured the aws command line tool. If not, check out my article on Getting Started with the AWS CLI.
- An IAM Policy is a document that allows (or denies) certain actions (such as create) on certain resources (such as EC2).
- An IAM User is typically a person's account (such as john.doe). An IAM Identity-Based Policy attached to the user allows certain actions (such as list) on certain resources (such as S3).
- An IAM Role also has an IAM Policy attached to it that allows certain actions (such as create) on certain resources (such as EC2). Let's say the Identity-Based Policy attached to john.doe does NOT allow "create S3".
- The Policy that allows "create S3" could be attached to john.doe directly, or john.doe could Assume a Role that has it. While the Role is assumed, only the Role's permissions apply; the user's own permissions do not carry over into the session.
- Often, a Role will have two Policies:
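The following is an added example, not code from the original article. It models the decision described above in a few lines of Python: john.doe's own identity-based policy, a role's permissions policy, and the role's trust policy, evaluated with IAM's documented ordering (an explicit Deny always wins, otherwise an Allow is required, otherwise the request is implicitly denied). The policy documents, the role name S3Admin and the account ID 123456789012 are constructed for illustration; the model deliberately ignores Conditions, resource-based policies, permission boundaries and SCPs.

```python
"""Added example (not from the original article): a minimal model of how IAM
decides whether john.doe may perform an action with his own policy, and why
assuming a role can grant what his identity-based policy does not.

Assumptions: the policy documents, the role name S3Admin and the account ID
are made up for illustration. Conditions, resource-based policies, permission
boundaries and SCPs are not modelled.
"""
import fnmatch

ACCOUNT = "123456789012"
USER_ARN = f"arn:aws:iam::{ACCOUNT}:user/john.doe"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/S3Admin"

# Identity-based policy attached to john.doe: may list S3, nothing else.
JOHN_DOE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:ListBucket"], "Resource": "*"},
    ],
}

# Permissions policy attached to the S3Admin role: may create buckets.
S3ADMIN_PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:CreateBucket", "Resource": "*"},
    ],
}

# Trust policy of the S3Admin role: who is allowed to call sts:AssumeRole on it.
S3ADMIN_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": USER_ARN}, "Action": "sts:AssumeRole"},
    ],
}


def _as_list(value):
    """IAM accepts a single string or a list in Action/Resource/Principal."""
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource="*"):
    """Evaluate one policy document for a single request the way IAM does:
    an explicit Deny beats everything, then at least one matching Allow is
    required, and anything unmatched is implicitly denied.  Action names
    are case-insensitive and may contain wildcards such as s3:*, so they
    are compared lower-cased with shell-style globbing."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                         for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, r)
                           for r in _as_list(stmt.get("Resource", "*")))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def can_assume(trust_policy, principal_arn):
    """Does the role's trust policy allow this principal to assume the role?"""
    for stmt in trust_policy["Statement"]:
        principal = stmt.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
        if (stmt["Effect"] == "Allow"
                and "sts:AssumeRole" in _as_list(stmt["Action"])
                and principal_arn in aws_principals):
            return True
    return False


def effective_decision(action, resource="*"):
    """Return (direct, via_role): whether john.doe can perform `action` with
    his own policy, and whether he can after assuming S3Admin.  Assuming the
    role requires the trust policy to allow it AND the role's permissions
    policy to allow the action; the user's own permissions play no part in
    the role session."""
    direct = is_allowed(JOHN_DOE_POLICY, action, resource)
    via_role = can_assume(S3ADMIN_TRUST_POLICY, USER_ARN) and is_allowed(
        S3ADMIN_PERMISSIONS_POLICY, action, resource)
    return direct, via_role


if __name__ == "__main__":
    for act in ("s3:ListBucket", "s3:CreateBucket", "ec2:RunInstances"):
        print(f"{act}: direct={effective_decision(act)[0]} via S3Admin={effective_decision(act)[1]}")
```

Running it shows the split the list above describes: s3:ListBucket is allowed directly but not through the role, s3:CreateBucket only through the role, and ec2:RunInstances by neither. Changing the trust policy's Principal to another user's ARN makes every via_role result False, which is the point of a trust policy: the permissions policy says what the role can do, the trust policy says who may become it.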
The aws iam list-users command can be used to list the IAM users that have been created.
~]$ aws iam list-users
{
    "Users": [
        {
            "Path": "/",
            "UserName": "john.doe",
            "UserId": "AIDAABCDL76GLUA6B21234",
            "Arn": "arn:aws:iam::123456789012:user/john.doe",
            "CreateDate": "2022-09-13T11:13:03+00:00"
        }
    ]
}
The aws iam list-access-keys command can be used to list the access keys associated with a user: the key ID, its status and when it was created. The secret part of the key is never returned by this command.
~]$ aws iam list-access-keys --user-name john.doe
{
    "AccessKeyMetadata": [
        {
            "UserName": "john.doe",
            "AccessKeyId": "AKIA2MABCD6GDQ1234RY",
            "Status": "Active",
            "CreateDate": "2022-09-13T11:13:04+00:00"
        }
    ]
}
An access key has two parts: the access key ID and the secret access key. You can only ever retrieve the key ID; the secret is shown exactly once, when the key is created, and cannot be recovered afterwards. If you lose the secret, you will need to delete the access key and create a new one. Before deleting a key, aws iam get-access-key-last-used --access-key-id <id> tells you whether (and from which service and region) the key was recently used, because deleting it immediately breaks anything still signing requests with it. Since an IAM user can have at most two access keys, a safer sequence is to create the replacement key first, switch the consumer over, and only then delete the old key.
~]$ aws iam delete-access-key --access-key-id AKIA2MABCD6GDQ1234RY --user-name john.doe
The aws iam delete-access-key command returns no output on success (this is normal for aws iam commands that modify state; a failure produces an error message and a non-zero exit code), so you may want to reissue the list-access-keys command to confirm the access key was deleted.
~]$ aws iam list-access-keys --user-name john.doe
{
    "AccessKeyMetadata": []
}
Then use the aws iam create-access-key command to create a new access key. Notice that the output includes both the access key ID and the secret access key. Make note of the secret now: this is the only time AWS will show it. It is a credential, so store it in the user's credentials file or a secrets manager rather than in a ticket, e-mail or chat message.
~]$ aws iam create-access-key --user-name john.doe
{
    "AccessKey": {
        "UserName": "john.doe",
        "AccessKeyId": "AKIAABDCL76GBNCJ1235",
        "Status": "Active",
        "SecretAccessKey": "Fd0vB55rDXABCDB3wVUnkE1234vx+dgI1234HQqC",
        "CreateDate": "2023-03-22T01:55:29+00:00"
    }
}
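The delete-then-create sequence above works, but it leaves john.doe without a usable key in between and destroys the old key before you know whether anything still depends on it. The following is an added example, not code from the original article: a small Python script that reads the JSON that aws iam list-access-keys prints and turns it into an ordered list of CLI commands for a rotation that never leaves the user without a working key. It relies on three facts: an IAM user may have at most two access keys, a key can be set Inactive with aws iam update-access-key before it is deleted, and aws iam get-access-key-last-used reports when a key was last used. The sample output, key IDs and dates are constructed; the 90-day age threshold is an assumption.

```python
"""Added example (not from the original article): plan a safe access-key
rotation for an IAM user from the JSON that `aws iam list-access-keys`
prints, instead of deleting the existing key outright.

Assumptions: the sample CLI output below is constructed (made-up key IDs and
dates); the 90-day rotation age is a policy choice, not an AWS default.
Facts relied on: at most two access keys per user, keys can be set Inactive
with `aws iam update-access-key`, and `aws iam delete-access-key` is final.
"""
import json
from datetime import datetime, timedelta, timezone

MAX_KEYS_PER_USER = 2  # hard IAM limit

# Constructed stand-in for the output of: aws iam list-access-keys --user-name john.doe
SAMPLE_LIST_OUTPUT = """
{
    "AccessKeyMetadata": [
        {
            "UserName": "john.doe",
            "AccessKeyId": "AKIAEXAMPLE000000001",
            "Status": "Active",
            "CreateDate": "2022-09-13T11:13:04+00:00"
        }
    ]
}
"""


def parse_keys(list_output):
    """Parse the CLI's JSON into plain dicts with a timezone-aware datetime."""
    keys = []
    for k in json.loads(list_output)["AccessKeyMetadata"]:
        keys.append({
            "user": k["UserName"],
            "id": k["AccessKeyId"],
            "status": k["Status"],
            "created": datetime.fromisoformat(k["CreateDate"]),
        })
    return keys


def plan_rotation(keys, now, max_age_days=90):
    """Return the ordered CLI commands needed to rotate Active keys older than
    max_age_days without leaving the user without a working key.

    Order:
      1. delete keys that are already Inactive (dead weight that may be
         occupying one of the two key slots);
      2. create the replacement while the old key still works;
      3. set the old key Inactive instead of deleting it, so it can be
         re-enabled if something still depends on it.  Delete it in a later
         pass, once get-access-key-last-used shows it has gone quiet.
    """
    cutoff = now - timedelta(days=max_age_days)
    inactive = [k for k in keys if k["status"] == "Inactive"]
    active = [k for k in keys if k["status"] == "Active"]
    stale = [k for k in active if k["created"] < cutoff]

    commands = [
        f"aws iam delete-access-key --user-name {k['user']} --access-key-id {k['id']}"
        for k in inactive
    ]
    if not stale:
        return commands  # nothing to rotate (cleanup of Inactive keys only)

    # Edge case: two Active keys means there is no free slot for the new one.
    # Refuse rather than guess which key is safe to destroy.
    if len(active) >= MAX_KEYS_PER_USER:
        raise ValueError(
            f"{active[0]['user']} already has {len(active)} Active keys; "
            "check get-access-key-last-used and deactivate one before rotating"
        )

    user = stale[0]["user"]
    commands.append(f"aws iam create-access-key --user-name {user}")
    for k in stale:
        commands.append(
            f"aws iam update-access-key --user-name {user} "
            f"--access-key-id {k['id']} --status Inactive"
        )
    return commands


if __name__ == "__main__":
    keys = parse_keys(SAMPLE_LIST_OUTPUT)
    for cmd in plan_rotation(keys, datetime.now(timezone.utc)):
        print(cmd)
```

In practice you would feed the script real output (aws iam list-access-keys --user-name john.doe | python3 plan.py) and run the printed commands one at a time, updating the consumer's configuration with the new secret between the create and the update step. Printing the commands instead of executing them keeps the destructive step under human review, which matters because an Inactive key can be turned back on but a deleted one cannot.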