AWS Identity and Access Management
User Guide

Delegating Permissions to Administer IAM Users, Groups, and Credentials

If you are signed in with AWS account root user credentials, you have no restrictions on administering IAM users or groups or on managing their credentials. However, IAM users must explicitly be given permissions to administer users or credentials for themselves or for other IAM users. This topic describes IAM policies that let IAM users manage other users and user credentials.

Overview

In general, the permissions that are required in order to administer users, groups, and credentials correspond to the API actions for the task. For example, in order to create users, a user must have the iam:CreateUser permission (API command: CreateUser). To allow a user to create other IAM users, you could attach a policy like the following one to that user:

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "iam:CreateUser",
        "Resource": "*"
    }
}

In a policy, the value of the Resource element depends on the action and what resources the action can affect. In the preceding example, the policy allows a user to create any user (* is a wildcard that matches all strings). In contrast, a policy that allows users to change only their own access keys (API actions CreateAccessKey and UpdateAccessKey) typically has a Resource element where the ARN includes a variable that resolves to the current user's name, as in the following example (replace ACCOUNT-ID-WITHOUT-HYPHENS with your AWS account ID):

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": [
            "iam:CreateAccessKey",
            "iam:UpdateAccessKey"
        ],
        "Resource": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/${aws:username}"
    }
}

In the previous example, ${aws:username} is a variable that resolves to the user name of the current user. For more information about policy variables, see IAM Policy Variables Overview.

Using a wildcard character (*) in the action name often makes it easier to grant permissions for all the actions related to a specific task. For example, to allow users to perform any IAM action, you can use iam:* for the action. To allow users to perform any action related just to access keys, you can use iam:*AccessKey* in the Action element of a policy statement. This gives the user permission to perform the CreateAccessKey, DeleteAccessKey, GetAccessKeyLastUsed, ListAccessKeys, and UpdateAccessKey actions. (If an action is added to IAM in the future that has "AccessKey" in the name, using iam:*AccessKey* for the Action element will also give the user permission to that new action.) Because such a match is open-ended, review wildcard grants when IAM adds actions, or list the actions explicitly where the exact scope of the grant matters. The following example shows a policy that allows users to perform all actions pertaining to their own access keys (replace ACCOUNT-ID-WITHOUT-HYPHENS with your AWS account ID):

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "iam:*AccessKey*",
        "Resource": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/${aws:username}"
    }
}

Some tasks, such as deleting a group, involve multiple actions: You must first remove users from the group, then detach or delete the group's policies, and then actually delete the group. If you want a user to be able to delete a group, you must be sure to give the user permissions to perform all of the related actions.

Permissions for Working in the AWS Management Console

The preceding examples show policies that allow a user to perform the actions with the AWS CLI or the AWS SDKs. If users want to use the AWS Management Console to administer users, groups, and permissions, they need additional permissions. As users work with the console, the console issues requests to IAM to list users and groups, get the policies associated with a user or group, get AWS account information, and so on.

For example, if user Bob wants to use the console to change his own access keys, he goes to the IAM console and chooses Users. This action causes the console to make a ListUsers request. If Bob doesn't have permission for the iam:ListUsers action, the console is denied access when it tries to list users. As a result, Bob can't get to his own name and to his own access keys, even if he has permissions for the CreateAccessKey and UpdateAccessKey actions.

If you want to give users permissions to administer users, groups, and credentials with the AWS Management Console, you need to include permissions for the actions that the console performs. For some examples of policies that you can use to grant a user these permissions, see Example Policies for Administering IAM Resources.
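The following is an added example, not code from this guide or from AWS. It is a small policy evaluator that models only what the policies above exercise (wildcards in Action, the ${aws:username} variable in Resource, and the implicit deny when nothing matches) and uses it to check four things discussed on this page: which actions iam:*AccessKey* grants, that the own-access-keys policy lets Bob act on his own user but not on another user, that the same policy does not cover the ListUsers call the console makes, and which actions the multi-step group deletion needs. The account ID, the action catalog, and the mapping of the group-deletion steps onto action names are my assumptions; the evaluation rules are deliberately incomplete (no conditions, NotAction, resource policies, SCPs, or permission boundaries), so use the IAM policy simulator for real policies.

```python
"""Mini IAM policy evaluator (added illustration, not AWS code).

Models only the behaviour the policies on this page rely on: case-insensitive
'*' wildcards in Action, wildcard matching in Resource, the ${aws:username}
policy variable, implicit deny when no statement matches, and explicit Deny
winning over Allow. Real IAM evaluation has many more rules.
"""
import re

ACCOUNT = "123456789012"  # constructed sample account ID

# Constructed catalog of IAM action names used by the checks below.
IAM_ACTIONS = [
    "iam:CreateAccessKey", "iam:DeleteAccessKey", "iam:GetAccessKeyLastUsed",
    "iam:ListAccessKeys", "iam:UpdateAccessKey", "iam:CreateUser",
    "iam:ListUsers", "iam:GetGroup", "iam:RemoveUserFromGroup",
    "iam:ListGroupPolicies", "iam:DeleteGroupPolicy",
    "iam:ListAttachedGroupPolicies", "iam:DetachGroupPolicy", "iam:DeleteGroup",
]

# The "delete a group" sequence from the text, mapped (by me) onto action names:
# find and remove members, remove inline and managed policies, delete the group.
DELETE_GROUP_ACTIONS = [
    "iam:GetGroup", "iam:RemoveUserFromGroup",
    "iam:ListGroupPolicies", "iam:DeleteGroupPolicy",
    "iam:ListAttachedGroupPolicies", "iam:DetachGroupPolicy",
    "iam:DeleteGroup",
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_match(pattern, value):
    # IAM-style wildcard: '*' matches any run of characters, '?' one character.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _resolve(template, context):
    """Substitute ${key} policy variables from the request context; None if missing."""
    try:
        return re.sub(r"\$\{([^}]+)\}", lambda m: context[m.group(1)], template)
    except KeyError:
        return None


def evaluate(policy, action, resource, context):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        # Action names are matched case-insensitively.
        if not any(_glob_match(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
            continue
        resources = [_resolve(r, context) for r in _as_list(stmt["Resource"])]
        # A statement whose variable cannot be resolved is modeled as not applying.
        if not any(r is not None and _glob_match(r, resource) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny overrides any Allow
        decision = "Allow"
    return decision


def matching_actions(pattern, catalog=IAM_ACTIONS):
    """Every action in the catalog that an Action wildcard such as iam:*AccessKey* grants."""
    return [a for a in catalog if _glob_match(pattern.lower(), a.lower())]


def user_arn(name):
    return f"arn:aws:iam::{ACCOUNT}:user/{name}"


def missing_actions(policy, actions, resource, context):
    """Steps of a multi-action task that the policy does not allow on the resource."""
    return [a for a in actions if evaluate(policy, a, resource, context) != "Allow"]


# The own-access-keys policy from this page, with the account ID filled in.
OWN_ACCESS_KEYS = {
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "iam:*AccessKey*",
        "Resource": f"arn:aws:iam::{ACCOUNT}:user/${{aws:username}}",
    },
}

# A policy that grants every step of group deletion on any group.
DELETE_GROUP = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": DELETE_GROUP_ACTIONS, "Resource": "*"},
}

if __name__ == "__main__":
    bob = {"aws:username": "bob"}
    print(matching_actions("iam:*AccessKey*"))
    print(evaluate(OWN_ACCESS_KEYS, "iam:CreateAccessKey", user_arn("bob"), bob))
    print(evaluate(OWN_ACCESS_KEYS, "iam:CreateAccessKey", user_arn("alice"), bob))
    # The console's first request when Bob opens Users: no statement covers it.
    print(evaluate(OWN_ACCESS_KEYS, "iam:ListUsers", "*", bob))
    group = f"arn:aws:iam::{ACCOUNT}:group/Developers"
    print(missing_actions(OWN_ACCESS_KEYS, DELETE_GROUP_ACTIONS, group, bob))
    print(missing_actions(DELETE_GROUP, DELETE_GROUP_ACTIONS, group, bob))
```

Running the script shows the five access-key actions matched by the wildcard, an Allow for Bob's own user ARN, an ImplicitDeny for Alice's and for iam:ListUsers, all seven group-deletion steps missing from the access-key policy, and none missing from the group-deletion policy. The evaluator also reports Deny when an explicit Deny statement matches, which is the other case worth checking before attaching a policy.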