AWS Identity and Access Management
Using IAM (API Version 2010-05-08)

Creating an IAM User in Your AWS Account

This section describes the process for creating an IAM user in your AWS account. You might create an IAM user when someone joins your organization, or when you have a new application that needs to make API calls to AWS.

Overview

In outline, the process of creating a user consists of these steps:

  1. Use the AWS Management Console, an AWS CLI command, or an IAM API call to create the user.

  2. (Optional) Add the user to one or more groups.

  3. Attach a policy to the user or the group that grants permissions to perform the actions you want to allow.

  4. If the user will administer AWS resources using the AWS Management Console, create a password for the user.

  5. If the user will be making API calls or using the AWS Command Line Interface (AWS CLI), create an access key (an access key ID and a secret access key) for that user.

    Important

    The time you create the access key is your only opportunity to view or download the secret access key, and you must provide this information to your users before they can begin using an AWS API. If you don't download and save the access key now, you will need to create a new access key for the users later. Save the access key ID and secret access key in a safe and secure place. You will not have access to the secret access key again after this step.

  6. (Optional) Configure a multi-factor authentication (MFA) device for the user, which requires the user to provide a temporary code each time he or she signs into the AWS Management Console.

  7. Provide the user with the information needed to sign in. This includes the credentials and the URL for the web page where the user enters those credentials. For more information, see How IAM Users Sign In to Your AWS Account.

  8. You can give users permissions to manage their own security credentials. (By default, users do not have permissions to manage their own credentials.) For more information, see Permissions for Administering IAM Users, Groups, and Credentials.

For information about the permissions that you need in order to create a user, see Permissions for Administering IAM Users, Groups, and Credentials.

AWS-Assigned User Identifiers

When you create a user, IAM creates these ways to identify the user:

  • A "friendly name" for the user, which is the name that you specified when you created the user, such as Bob or Alice. These are the names you see in the AWS Management Console.

  • An Amazon Resource Name (ARN) for the user. You use the ARN when you need to uniquely identify the user across all of AWS, such as when you specify the user as a principal in an IAM policy for an Amazon S3 bucket. An ARN for an IAM user might look like the following:

    arn:aws:iam::account-ID-without-hyphens:user/Bob

  • A unique identifier for the user. This ID is returned only when you use the IAM API or AWS CLI to create the user, not in the AWS Management Console.

For more information about these identifiers, see IAM Identifiers.
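Tooling that records or audits users should key on the ARN rather than on the friendly name alone, since the ARN carries the account ID and is what identifies the user across all of AWS. The following POSIX shell function is an added example, not part of this guide; it splits a user ARN into partition, account ID, path and friendly name, and rejects ARNs that are not IAM user ARNs. The account number and names used with it are constructed.

```shell
#!/bin/sh
# Added example: split an IAM user ARN into its parts with plain POSIX shell.
# Expected shape (from this topic): arn:aws:iam::ACCOUNT-ID:user/NAME,
# where NAME may be preceded by a path, as in user/division-abc/Bob.
# Account IDs and names used in the usage line are constructed, not real.

parse_user_arn() {
  # IAM ARNs have an empty region field, hence the "::" in the middle.
  # With a non-whitespace IFS every ':' is a separator, so that field reads as "".
  IFS=: read -r prefix partition service region account resource <<EOF
$1
EOF
  [ "$prefix" = arn ] || return 1
  [ "$service" = iam ] || return 1
  [ -z "$region" ] || return 1
  # AWS account IDs are 12 digits.
  [ ${#account} -eq 12 ] || return 1
  case "$account" in *[!0-9]*) return 1 ;; esac
  # Only user ARNs are accepted; groups and roles use other resource prefixes.
  case "$resource" in
    user/?*) ;;
    *) return 1 ;;
  esac
  # POSIX sh has no tuples, so results are handed back in globals.
  ARN_PARTITION="$partition"
  ARN_ACCOUNT="$account"
  ARN_USER_NAME="${resource##*/}"                    # friendly name: the last segment
  ARN_USER_PATH="${resource#user}"                   # "/division-abc/Bob" or "/Bob"
  ARN_USER_PATH="${ARN_USER_PATH%"$ARN_USER_NAME"}"  # "/division-abc/" or "/"
}

# Usage (constructed ARN):
#   parse_user_arn 'arn:aws:iam::123456789012:user/division-abc/Bob' && echo "$ARN_USER_NAME"
```

The unique identifier mentioned in the third bullet is not part of the ARN at all, so a parser like this cannot recover it; it is available only from the API or CLI response at creation time, or later through the IAM API.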

Creating an IAM User (AWS Management Console)

To create a user using the AWS Management Console

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Users, and then choose Create New Users.

  3. Type the user names for the users that you want to create. You can create up to five users at one time.

    Note

    User names can contain only alphanumeric characters plus these characters: plus (+), equal (=), comma (,), period (.), at (@), and hyphen (-). For more information about limitations on IAM entities, see Limitations on IAM Entities.

  4. If you want to generate an access key ID and secret access key for new users, select Generate an access key for each user. Users must have keys if they need to work with the AWS CLI or with the AWS SDKs or APIs. Choose Create.

    Note

    If you have users who will work with the AWS Management Console, you must create passwords for each of them. Creating passwords is described in a later step.

  5. Choose Download Credentials to save the access keys for the new user or users. This lets you save the access key IDs and secret access keys to a CSV file on your computer.

    Important

    This is your only opportunity to view or download the secret access keys, and you must provide this information to your users before they can begin using an AWS API. If you don't download and save them now, you will need to create new access keys for the users later. Save the access keys in a safe and secure place. You will not have access to the secret access keys again after this step.

  6. After you have downloaded the credentials, choose Close.

  7. (Optional) Give the user permission to manage his or her own security credentials. For more information, see Allow Users to Manage Their Own Passwords and Access Keys.

  8. (Optional) Create a password if the user needs to access the AWS Management Console. If the user will only access AWS by using the AWS CLI or the API, then you only need the access keys from step 5. For more information, see Creating, Changing, or Deleting an IAM User Password (AWS Management Console).

  9. (Optional) Attach a policy to the user (or to a group the user is a member of) to grant the user permissions to access AWS resources. For more information, see Attaching Managed Policies.

  10. (Optional) Provide the information that the user needs to sign in. This includes the user name and password, and the URL to the sign-in page for the account, substituting the correct account ID or account alias for AWS-account-ID:

    https://AWS-account-ID.signin.aws.amazon.com/console

    For more information, see How IAM Users Sign In to Your AWS Account.

Creating an IAM User (AWS Command Line Tools or API)

  1. Create a user.

    AWS CLI: aws iam create-user

    Tools for Windows PowerShell: New-IAMUser

    IAM API: CreateUser

  2. (Optional) Give the user a password, which is required if the user needs to use the AWS Management Console. Then give the user the URL of your account's sign-in page.

    AWS CLI: aws iam create-login-profile

    Tools for Windows PowerShell: New-IAMLoginProfile

    IAM API: CreateLoginProfile

  3. (Optional) Create an access key for the user, which is required if the user needs to programmatically access AWS resources.

    AWS CLI: aws iam create-access-key

    Tools for Windows PowerShell: New-IAMAccessKey

    IAM API: CreateAccessKey

    Important

    This is your only opportunity to view or save the secret access keys, and you must provide this information to your users before they can begin using an AWS API. If you don't download and save them now, you will need to create new access keys for the users later. Save the user's access key ID and secret access key in a safe and secure place. You will not have access to the secret access keys again after this step.

  4. (Optional) Attach a policy to the user that defines the user's permissions. Note that a best practice is to instead manage user permissions by adding the user to a group and attaching a policy to the group. (See next step.)

    AWS CLI: aws iam attach-user-policy

    Tools for Windows PowerShell: Register-IAMUserPolicy

    IAM API: AttachUserPolicy

  5. (Optional) Add the user to one or more groups.

    AWS CLI: aws iam add-user-to-group

    Tools for Windows PowerShell: Add-IAMUserToGroup

    IAM API: AddUserToGroup

  6. (Optional) Give the user permission to manage his or her own security credentials. For more information, see Allow Users to Manage Their Own Passwords and Access Keys.
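The six steps above, wired into one POSIX shell function around the documented AWS CLI commands, as an added example that is not part of this guide. It checks the user name against the character set given in the Note earlier in this topic before any API call, adds the user to a group instead of attaching a per-user policy (as step 4 recommends), and writes the create-access-key response to a file that only the caller can read, since the secret access key is shown once and never again. Assumptions not stated on the page: the group already exists, the caller's own credentials carry the IAM permissions required, and the 64-character user-name cap is IAM's limit rather than something this topic lists.

```shell
#!/bin/sh
# Added example: the CLI steps of this section wired into one function, with
# the credential handling the "Important" note asks for.
# Assumptions not stated on the page: the group already exists, the caller has
# the IAM permissions needed, and the secret is kept in a file for hand-off.
# Usage: provision_iam_user USER-NAME GROUP-NAME [INITIAL-CONSOLE-PASSWORD]

# Character set from the Note in this topic: alphanumerics plus + = , . @ -
# The 64-character cap is IAM's user-name limit (not listed on this page).
valid_iam_user_name() {
  [ -n "$1" ] && [ ${#1} -le 64 ] || return 1
  case "$1" in
    *[!A-Za-z0-9+=,.@-]*) return 1 ;;
  esac
  return 0
}

provision_iam_user() {
  user="$1"; group="$2"; password="${3-}"

  # Reject bad names locally so no API call is made for them.
  valid_iam_user_name "$user" || { echo "invalid IAM user name: $user" >&2; return 1; }

  # Step 1: create the user (IAM API CreateUser).
  aws iam create-user --user-name "$user" >/dev/null || return 1

  # Step 5, done before any credentials exist so the group's policy governs the
  # user's very first call. Step 4 (a per-user policy) is skipped on purpose.
  aws iam add-user-to-group --user-name "$user" --group-name "$group" >/dev/null || return 1

  # Step 2 (optional): console password that must be changed at first sign-in.
  # Caveat: a password given on the command line shows up in process listings
  # and shell history; for interactive use, prefer the console or a prompt.
  if [ -n "$password" ]; then
    aws iam create-login-profile --user-name "$user" --password "$password" \
        --password-reset-required >/dev/null || return 1
  fi

  # Step 3 (optional): access key. The secret in this response is the only copy
  # you will ever get, so it goes straight into a file readable only by the
  # caller (umask 077 gives mode 0600), never onto the terminal.
  keyfile="${TMPDIR:-/tmp}/${user}-accesskey.json"
  ( umask 077 && aws iam create-access-key --user-name "$user" > "$keyfile" ) || return 1

  # Step 6 (letting the user manage their own credentials) is granted by a
  # policy, see the linked topic, so no separate command is issued here.
  echo "$keyfile"
}
```

Hand the resulting file to the user over a protected channel and delete the local copy once it has been received; if it is lost, the only recourse is to create a new access key and delete the old one.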

For an example of how to use AWS CLI commands to perform these tasks, see AWS Identity and Access Management from the AWS Command Line Interface in the AWS Command Line Interface User Guide.