AWS Identity and Access Management
Using IAM (API Version 2010-05-08)

Creating an IAM User in Your AWS Account

This section describes the process for creating an IAM user in your AWS account. You might create an IAM user when someone joins your organization, or when you have a new application that needs to make API calls to AWS.

Overview

In outline, the process of creating a user consists of these steps:

  1. Create the user using the console or a CLI or API command.

  2. (Optional) Add the user to one or more groups.

  3. If the user will administer AWS resources using the AWS Management Console, create a password for the user and attach a policy to the user or the group that grants permissions to perform the actions you want to allow.

  4. If the user will be making API calls or using the command line interface (CLI), create an access key (an access key ID and a secret access key) for that user.

    Important

    The time you create the access keys is your only opportunity to view or download the keys, and you must provide this information to your users before they can begin using an AWS API. If you don't download and save them now, you will need to create new access keys for the users later. Save the user's new access key ID and secret access key in a safe and secure place. You will not have access to the secret access keys again after this step.

  5. (Optional) Configure a multi-factor authentication (MFA) device for the user, which requires the user to provide a temporary code each time he or she signs in to the AWS Management Console.

  6. Provide the user with the information needed to sign in. This includes the credentials and the URL for the web page where the user enters those credentials. For more information, see How IAM Users Sign In to Your AWS Account.

  7. You can give users permissions to manage their own security credentials. (By default, users do not have permissions to manage their own credentials.) For more information, see Permissions for Administering IAM Users, Groups, and Credentials.

For information about the permissions that you need in order to create a user, see Permissions for Administering IAM Users, Groups, and Credentials.

AWS-Assigned User Identifiers

When you create a user, IAM creates these ways to identify the user:

  • A "friendly name" for the user, which is the name that you specified when you created the user, such as Bob or Alice. These are the names you see in the AWS Management Console.

  • An Amazon Resource Name (ARN) for the user. You use the ARN when you need to uniquely identify the user across all of AWS, such as when you specify the user as a principal in an IAM policy for an Amazon S3 bucket. An ARN for an IAM user might look like the following:

    arn:aws:iam::account-ID-without-hyphens:user/Bob

  • A unique identifier for the user. (This ID is returned only when you use the API or CLI to create the user, not in the console.)

For more information about these identifiers, see IAM Identifiers.

Creating an IAM User (AWS Management Console)

To create a user using the AWS Management Console

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, click Users and then click Create New Users.

  3. Enter the user names for the users you want to create. You can create up to five users at one time.

    Note

    User names can use only alphanumeric characters plus these characters: plus (+), equal (=), comma (,), period (.), at (@), and hyphen (-). For more information about limitations on IAM entities, see Limitations on IAM Entities.

  4. If you want to generate an access key ID and secret access key for new users, select Generate an access key for each user. Users must have keys if they need to work with the AWS CLI or with the AWS SDKs or APIs. Click Create.

    Note

    If you have users who will work with the AWS Management Console, you must create passwords for each of them. Creating passwords is described in a later step.

  5. A page appears that enables you to download the access key IDs for the new user or users. To save the access keys for the new user or users, click Download Credentials. This lets you save the access key IDs and secret access keys to a CSV file on your computer.

    Important

    This is your only opportunity to view or download the keys, and you must provide this information to your users before they can begin using an AWS API. If you don't download and save them now, you will need to create new access keys for the users later. Save the user's new access key ID and secret access key in a safe and secure place. You will not have access to the secret access keys again after this step.

  6. (Optional) Give the user permission to manage his or her own security credentials. For more information, see Allow Users to Manage Their Own Passwords and Access Keys.

  7. (Optional) Create a password if the user needs to access the console. If the user will only access AWS by using the CLI or the API, then you only need the access keys from step 5. For more information, see Creating, Changing, or Deleting an IAM User Password (AWS Management Console).

  8. (Optional) Attach a policy to the user (or to a group the user is a member of) to grant the user permissions to access AWS resources. For more information, see Attaching Managed Policies.

  9. Provide the information that the user needs to sign in. This includes the user name and password or access keys, and the URL to the sign-in page for the account, substituting the correct account ID number or account alias for AWS-account-ID:

    https://AWS-account-ID.signin.aws.amazon.com/console

    For more information, see How IAM Users Sign In to Your AWS Account.

Creating an IAM User (CLI or API)

  1. Create a user.

    CLI command: aws iam create-user

    API command: CreateUser

  2. (Optional) Give the user a password, which is required if the user needs to use the AWS Management Console. Then give them the URL of your account's sign-in page.

    CLI command: aws iam create-login-profile

    API command: CreateLoginProfile

  3. (Optional) Create an access key for the user, which is required if the user needs to programmatically access AWS resources.

    CLI command: aws iam create-access-key

    API command: CreateAccessKey

    Important

    This is your only opportunity to view or download the keys, and you must provide this information to your users before they can begin using an AWS API. If you don't download and save them now, you will need to create new access keys for the users later. Save the user's new access key ID and secret access key in a safe and secure place. You will not have access to the secret access keys again after this step.

  4. (Optional) Attach a policy to the user that defines the user's permissions. Note that a best practice is to instead manage user permissions by adding the user to a group and attaching a policy to the group. (See next step.)

    CLI command: aws iam attach-user-policy

    API command: AttachUserPolicy

  5. (Optional) Add the user to one or more groups.

    CLI command: aws iam add-user-to-group

    API command: AddUserToGroup

  6. (Optional) Give the user permission to manage his or her own security credentials. For more information, see Allow Users to Manage Their Own Passwords and Access Keys.

For an example of how to use AWS CLI commands to perform these tasks, see AWS Identity and Access Management from the AWS Command Line Interface in the AWS Command Line Interface User Guide.
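The following script is an added example (not from this guide or the AWS CLI User Guide) that runs the CLI steps above in one pass: it checks the user name against the character rule given in the console procedure, creates the user, adds it to a group instead of attaching a user policy, creates a console password that must be changed at first sign-in, and writes the one-time access key output to a file readable only by the caller. It assumes the AWS CLI, openssl and awk are installed and that the CLI is configured with credentials allowed to administer IAM users; the group name and account ID are arguments you supply.

```shell
#!/usr/bin/env bash
# Added example, not part of the AWS IAM guide. Assumes a configured AWS CLI
# with permission to create users, login profiles, access keys and group
# memberships (hypothetical helper, not an AWS-provided script).
set -euo pipefail

# IAM user names: alphanumeric plus + = , . @ - (the rule stated in the
# console procedure above). Returns 0 if the name is acceptable.
validate_user_name() {
  case "$1" in
    ""|*[!A-Za-z0-9+=,.@-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Console sign-in URL with the account ID or alias substituted.
signin_url() {
  printf 'https://%s.signin.aws.amazon.com/console\n' "$1"
}

# CLI steps 1, 5, 2 and 3 in that order: user, group membership (the
# recommended way to grant permissions), console password, access key.
create_iam_user() {
  local user="$1" group="$2" account="$3"
  validate_user_name "$user" || { echo "invalid user name: $user" >&2; return 1; }

  aws iam create-user --user-name "$user" --query 'User.Arn' --output text
  aws iam add-user-to-group --user-name "$user" --group-name "$group"

  # Temporary console password; the user is forced to change it at sign-in.
  local tmp_pw
  tmp_pw=$(openssl rand -base64 24)
  aws iam create-login-profile --user-name "$user" --password "$tmp_pw" \
    --password-reset-required >/dev/null

  # The secret access key is returned exactly once: capture it straight into
  # a file created with mode 0600 rather than printing it to the terminal.
  local keyfile="./${user}.credentials.csv"
  ( umask 077
    aws iam create-access-key --user-name "$user" \
      --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text |
      awk -v u="$user" 'BEGIN { print "User Name,Access Key Id,Secret Access Key" }
                        { print u "," $1 "," $2 }' > "$keyfile" )

  echo "Console sign-in: $(signin_url "$account") (temporary password: $tmp_pw)"
  echo "Access key saved to $keyfile; deliver it to the user out of band."
}
```

Run it as `create_iam_user Bob Developers 123456789012` after sourcing the file; the secret access key never appears on the terminal, only in the 0600 CSV.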