AWS Identity and Access Management
Using IAM (API Version 2010-05-08)

Creating an IAM User in Your AWS Account

This section describes the process for creating an IAM user in your AWS account. You might create an IAM user when someone joins your organization, or when you have a new application that needs to make API calls to AWS.

Overview

In outline, the process of creating a user consists of these steps:

  1. Create the user using the console or a CLI or API command.

  2. (Optional) Add the user to one or more groups.

  3. If the user will administer AWS resources using the AWS Management Console, create a password for the user and attach a policy to the user or the group that grants permissions to perform the actions you want to allow.

  4. If the user will be making API calls or using the command line interface (CLI), create an access key (an access key ID and a secret access key) for that user.

  5. (Optional) Configure a multi-factor authentication (MFA) device for the user, which requires the user to provide a temporary code each time they sign in to the AWS Management Console.

    You can give users permissions to manage their own security credentials. (By default, users do not have permissions to manage their own credentials.) For more information, see Permissions for Administering IAM Users, Groups, and Credentials.

For information about the permissions that you need in order to create a user, see Permissions for Administering IAM Users, Groups, and Credentials.

AWS-Assigned User Identifiers

When you create a user, IAM creates these ways to identify the user:

  • A "friendly name" for the user, which is the name that you specified when you created the user, such as Bob or Alice. These are the names you see in the AWS Management Console.

  • An Amazon Resource Name (ARN) for the user. You use the ARN when you need to uniquely identify the user across all of AWS, such as when you specify the user as a principal in an IAM policy for an Amazon S3 bucket. An ARN for an IAM user might look like the following:

    arn:aws:iam::account-number-without-hyphens:user/Bob

  • A unique identifier for the user. (This ID is returned only when you use the API or CLI to create the user, not in the console.)

For more information about these identifiers, see IAM Identifiers.

Creating an IAM User (AWS Management Console)

To create a user using the AWS Management Console

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, click Users and then click Create New Users.

  3. Enter the user names for the users you want to create. You can create up to five users at one time.

    Note

    User names can use only alphanumeric characters plus these characters: plus (+), equal (=), comma (,), period (.), at (@), and hyphen (-). For more information about limitations on IAM entities, see Limitations on IAM Entities.

  4. If you want to generate an access key ID and secret access key for new users, select Generate an access key for each user. Users need keys if they will be working with the AWS CLI or with the AWS SDKs or APIs.

    Note

    If you have users who will work with the AWS Management Console, you must create passwords for each of them. Creating passwords is described later in this procedure.

  5. Click Create. A page is displayed that gives you an opportunity to download the access key IDs for the new user or users.

    Note

    This is your only opportunity to download the credentials. If you don't download and save the credentials now, you must create a new access key for each user later.

  6. To save the access keys for the new user or users, click Download Credentials. This lets you save the access key IDs and secret access keys to a CSV file on your computer.

    Important

    Be sure that you save the user's new access key ID and secret access key in a safe and secure place—you will not have access to the secret access keys again after this step, and you must provide this information to your users before they can begin using an AWS API.

  7. (Optional) Give the user permission to manage his or her own security credentials. For more information, see Allow Users to Manage Their Own Passwords, Access Keys, and Signing Certificate.

Creating an IAM User (CLI or API)

  1. Create a user.

    CLI command: aws iam create-user

    API command: CreateUser

  2. (Optional) Give the user a password, which is required if the user needs to use the AWS Management Console. Then give them the URL of your account's sign-in page.

    CLI command: aws iam create-login-profile

    API command: CreateLoginProfile

  3. (Optional) Create an access key for the user, which is required if the user needs to programmatically access AWS resources.

    CLI command: aws iam create-access-key

    API command: CreateAccessKey

    Important

    Save the user's new access key ID and secret access key in a secure place—you cannot recover a lost secret access key.

  4. (Optional) Attach a policy to the user that defines the user's permissions. Note that a best practice is to instead manage user permissions by adding the user to a group and attaching a policy to the group. (See next step.)

    CLI command: aws iam put-user-policy

    API command: PutUserPolicy

  5. (Optional) Add the user to one or more groups.

    CLI command: aws iam add-user-to-group

    API command: AddUserToGroup

  6. (Optional) Give the user permission to manage his or her own security credentials. For more information, see Allow Users to Manage Their Own Passwords, Access Keys, and Signing Certificate.
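The CLI procedure above, and the AWS-assigned identifiers described earlier, carried through as one POSIX shell script. This is an added example and not code from the AWS documentation: it assumes the AWS CLI is installed and configured with credentials permitted to administer IAM, that the group named on the command line already exists, and that the user name, initial password, group name (Developers), policy name (ManageOwnAccessKeys) and key-file path are placeholders. Setting AWS_CLI=echo previews every command without calling AWS.

```shell
#!/bin/sh
# Added example (not from the AWS documentation): provisions an IAM user with
# the AWS CLI by following the CLI/API procedure (create user, login profile,
# access key, group membership, inline policy) and prints the AWS-assigned
# identifiers (ARN and unique ID) that only the API/CLI returns.
# Assumptions: the AWS CLI is installed and configured with IAM-administering
# credentials; group, user, policy and file names below are placeholders.
# AWS_CLI may be "aws", "aws --profile admin", or "echo" for a dry run.
AWS_CLI="${AWS_CLI:-aws}"

# Step 1: create the user; print its ARN and unique ID for your records.
create_iam_user() {
    $AWS_CLI iam create-user --user-name "$1" \
        --query 'User.[Arn,UserId]' --output text
}

# Step 2 (optional): console password. Forcing a reset at first sign-in means
# the initial password you hand over never stays in use.
create_console_password() {
    $AWS_CLI iam create-login-profile --user-name "$1" \
        --password "$2" --password-reset-required
}

# Step 3 (optional): access key for CLI/SDK use. The secret is returned only
# once and cannot be recovered, so write it to a file readable by the owner
# alone (umask 077 inside a subshell leaves the caller's umask untouched).
create_access_key() {
    ( umask 077
      $AWS_CLI iam create-access-key --user-name "$1" \
          --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text \
          > "$2" )
}

# Step 5 (optional): group membership, the recommended way to grant permissions.
add_to_group() {
    $AWS_CLI iam add-user-to-group --user-name "$1" --group-name "$2"
}

# Step 4 (optional): an inline user policy. Kept to the one per-user permission
# that belongs on the user rather than a group (step 6 of the procedure): the
# user may manage their own access keys and nothing else. ${aws:username} is
# the IAM policy variable for the calling user's name; the heredoc is quoted
# so the shell does not expand it.
self_manage_keys_policy() {
    cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["iam:CreateAccessKey", "iam:DeleteAccessKey",
               "iam:ListAccessKeys", "iam:UpdateAccessKey"],
    "Resource": "arn:aws:iam::*:user/${aws:username}"
  }]
}
EOF
}

attach_self_manage_keys_policy() {
    $AWS_CLI iam put-user-policy --user-name "$1" \
        --policy-name ManageOwnAccessKeys \
        --policy-document "$(self_manage_keys_policy)"
}

# Whole procedure for one user: provision_user <name> <initial-password> <group>
provision_user() {
    create_iam_user "$1"
    create_console_password "$1" "$2"
    create_access_key "$1" "./$1-access-key.txt"
    add_to_group "$1" "$3"
    attach_self_manage_keys_policy "$1"
}

# Runs only when a user name is supplied, e.g.
#   IAM_NEW_USER=Bob IAM_INITIAL_PASSWORD='...' IAM_GROUP=Developers sh create_user.sh
if [ -n "${IAM_NEW_USER:-}" ]; then
    provision_user "$IAM_NEW_USER" \
        "${IAM_INITIAL_PASSWORD:?set an initial password}" \
        "${IAM_GROUP:-Developers}"
fi
```

Two points follow the documentation's own advice: step 4 is used only for the self-service credential permission, with everything else granted through the group, and the access key is written under umask 077 because, as the Important note says, the secret cannot be recovered once this step is over.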

For an example of how to use AWS CLI commands to perform these tasks, see AWS Identity and Access Management from the AWS Command Line Interface in the AWS Command Line Interface User Guide.