This section describes the process for creating an IAM user in your AWS account. You might create an IAM user when someone joins your organization, or when you have a new application that needs to make API calls to AWS.
In outline, the process of creating a user consists of these steps:
Create the user using the console or a CLI or API command.
(Optional) Add the user to one or more groups.
If the user will administer AWS resources using the AWS Management Console, create a password for the user, and attach a policy to the user or the group that grants permissions to perform the actions you want to allow.
If the user will be making API calls or using the command line interface (CLI), create an access key (an access key ID and a secret access key) for that user. As with using the console, the user must have permissions to perform the actions that you want to allow.
(Optional) Configure a multi-factor authentication (MFA) device for the user, which requires the user to provide a temporary code each time he or she signs in to the AWS Management Console.
You can give users permissions to manage their own security credentials. (By default, users do not have permissions to manage their own credentials.) For more information, see Permissions for Administering IAM Users, Groups, and Credentials.
For information about the permissions that you need in order to add a user, see Permissions for Administering IAM Users, Groups, and Credentials.
When you create a user, IAM creates these ways to identify the user:
A "friendly name" for the user, which is the name that you specified when you created the user, such as Alice. These are the names you see in the AWS Management Console.
An Amazon Resource Name (ARN) for the user. You use the ARN when you need to uniquely identify the user across all of AWS, such as specifying the user as a principal in an IAM policy for an Amazon S3 bucket. An ARN for an IAM user might look like the following example:
A unique identifier for the user. (This ID is returned only when you use the API or CLI to create the user, not in the console.)
For more information about these identifiers, see IAM Identifiers.
To add a user
Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
In the navigation pane of the console, click Users, and then click Create New Users.
Enter the user names for the users you want to create. You can create up to five users at one time.
User names can use only alphanumeric characters plus these characters: plus (+), equal (=), comma (,), period (.), at (@), and hyphen (-). For more information about limitations on IAM entities, see Limitations on IAM Entities.
If you want to generate an access key ID and secret access key for new users, select Generate an access key for each user. Users need keys if they will be working with the AWS CLI or with the AWS SDKs or APIs.
If you have users who will be working with the AWS Management Console, you need to create passwords for each of them. Creating passwords is described later in this procedure.
Click Create. If you chose to create security credentials for the users, a dialog box is displayed that gives you your only opportunity to download the access key IDs for the new user or users.
This is your only opportunity to download the credentials. If you don't download and save the credentials now, you must create a new access key for each user later.
To save the access keys for the new user or users, click Download Credentials. This lets you save the access key IDs and secret access keys to a .csv file on your computer.
Be sure that you save the user's new access key ID and secret access key in a safe and secure place—you will not have access to the secret access keys again after this dialog box closes, and you will need to provide this information to your users before they can begin using an AWS API.
When you are finished downloading your users' security credentials, click Close Window.
(Optional) Give the user permission to manage his or her own security credentials. For more information, go to Allow Users to Manage Their Own Passwords, Access Keys, and Signing Certificate.
Create a user.
aws iam create-user
(Optional) Give the user a password, which is required if the user needs to use the AWS Management Console. Then give them the URL of your account's sign-in page.
aws iam create-login-profile
(Optional) Create an access key for the user, which is required if the user needs to programmatically access AWS resources.
Save the user's new access key ID and secret access key in a secure place—you cannot recover a lost secret access key.
(Optional) Attach a policy to the user that defines the user's permissions. Note that a best practice is to instead manage user permissions by adding the user to a group and attaching a policy to the group. (See next step.)
(Optional) Add the user to one or more groups.
(Optional) Give the user permission to manage his or her own security credentials. For more information, go to .
For an example of how to use AWS CLI commands to perform these tasks, see AWS Identity and Access Management from the AWS Command Line Interface in the AWS Command Line Interface User Guide.
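The CLI procedure above, carried through as one script. This is an added example, not code from the AWS documentation; it assumes the AWS CLI is installed and configured with credentials that may administer IAM users, and that the initial console password is supplied in the IAM_INITIAL_PASSWORD environment variable (an assumption for this example).

```shell
#!/bin/sh
# Added example: create an IAM user following the CLI steps described above.
# Assumes the AWS CLI is installed and configured for an IAM administrator.

# Check a proposed user name against the character rules the page states
# (alphanumeric plus + = , . @ -); the 64-character cap is IAM's documented
# user-name limit, not something this page states. Returns 0 if acceptable.
validate_iam_user_name() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+=,.@-]{1,64}$'
}

# Create the user, give it a console password that must be changed at first
# sign-in, create an access key, and optionally add it to a group.
# Arguments: user name, group name (may be empty).
create_iam_user() {
    name=$1
    group=$2
    validate_iam_user_name "$name" || { echo "invalid user name: $name" >&2; return 1; }
    [ -n "$IAM_INITIAL_PASSWORD" ] || { echo "IAM_INITIAL_PASSWORD not set" >&2; return 1; }

    # Step 1: create the user; print its ARN, the identifier used in policies.
    aws iam create-user --user-name "$name" --query 'User.Arn' --output text

    # Step 2 (console access): temporary password, reset required on first use.
    aws iam create-login-profile --user-name "$name" \
        --password "$IAM_INITIAL_PASSWORD" --password-reset-required

    # Step 3 (programmatic access): the secret is returned only once, so it is
    # written straight to a file readable by the administrator alone.
    keyfile="${name}-access-key.json"
    umask 077
    aws iam create-access-key --user-name "$name" > "$keyfile"
    echo "access key saved to $keyfile; deliver it to the user and delete this copy" >&2

    # Step 4: prefer group membership over per-user policies for permissions.
    if [ -n "$group" ]; then
        aws iam add-user-to-group --user-name "$name" --group-name "$group"
    fi
}

# Usage (uncomment to run; the group is a placeholder name):
# IAM_INITIAL_PASSWORD='change-me-at-first-login' create_iam_user alice Developers
```

The secret access key is only ever available from the create-access-key response, so the script stores it immediately rather than printing it to the terminal.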