AWS Identity and Access Management
IAM User Guide

Creating an IAM User in Your AWS Account

You can create one or more IAM users in your AWS account. You might create an IAM user when someone joins your organization, or when you have a new application that needs to make API calls to AWS.

In outline, the process of creating a user consists of these steps:

  1. Create the user in the AWS Management Console or from an AWS CLI, Tools for Windows PowerShell, or IAM API command.

  2. (Optional) Add the user to one or more groups. We recommend that you put your users in groups and manage their policies and permissions through those groups rather than directly on the users.

  3. If the user needs to access AWS resources from the AWS Management Console, create a password for the user and attach a policy to the user or group that grants permissions to perform the actions that you want to allow.

  4. If the user needs to make API calls or use the AWS CLI or the Tools for Windows PowerShell, create an access key (an access key ID and a secret access key) for that user. The secret access key can be viewed or downloaded only at the time you create the access key.

  5. (Optional) Configure multi-factor authentication (MFA) for the user, which requires the user to provide a temporary code each time he or she signs in to the AWS Management Console.

  6. Provide the user with the information needed to sign in. This includes the credentials and the URL for the web page where the user enters those credentials. For more information, see How IAM Users Sign In to Your AWS Account.

  7. (Optional) Give users permissions to manage their own security credentials. (By default, users do not have permissions to manage their own credentials.) For more information, see Permitting IAM Users to Change Their Own Passwords.

For information about the permissions that you need in order to create a user, see Delegating Permissions to Administer IAM Users, Groups, and Credentials.

Creating an IAM User (AWS Management Console)

Follow these steps to use the console to create IAM users:

To create one or more IAM users with the AWS Management Console

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, click Users and then click Create New Users.

  3. Type the user names for the users you want to create. You can create up to five users at one time.

    Note

    User names can use only a combination of alphanumeric characters and these characters: plus (+), equal (=), comma (,), period (.), at (@), and hyphen (-). For more information about limitations on IAM entities, see Limitations on IAM Entities and Objects.

  4. If the users require access to the API, AWS CLI, or Tools for Windows PowerShell, then they must have access keys. To generate access keys for the new users at this time, select Generate an access key for each user. Then click Create.

  5. The confirmation page offers the chance to download the access key IDs and secret keys for the new users. To see these keys, click Show User Security Credentials. To save the access keys for the new user or users, click Download Credentials. Then save the access key IDs and secret access keys to a CSV file.

    Important

    This is your only opportunity to view or download the keys, and you must provide this information to your users before they can use the AWS API. If you don't download and save them now, you will need to create new access keys for the users later. Save the user's new access key ID and secret access key in a safe and secure place. You will not have access to the secret access keys again after this step.

  6. (Optional) Give the user permission to manage his or her own security credentials. For more information, see Allow Users to Manage Their Own Passwords and Access Keys.

  7. (Optional) Create a password if the user needs to access the AWS Management Console. For more information, see Creating, Changing, or Deleting an IAM User Password (AWS Management Console).

  8. (Optional) Make the user a member of a group that has policies attached that provide the appropriate permissions for this user to access AWS resources. We recommend that you use groups rather than attaching policies directly to users. For more information, see Attaching Managed Policies.

  9. Provide the user with the sign-in information:

    • User name

    • Password and/or access keys

    • URL to the sign-in page for the owner account

    For the URL, use the following example, substituting the correct account ID number or account alias:

    https://<AWS-account-ID or alias>.signin.aws.amazon.com/console

    For more information, see How IAM Users Sign In to Your AWS Account.

Creating an IAM User (AWS CLI, Windows PowerShell, or API)

Follow these steps to use the AWS CLI, Tools for Windows PowerShell or AWS API to create a user.

To create an IAM user from the AWS CLI, Windows PowerShell, or API

  1. Create a user.

  2. (Optional) Give the user a password. This is required if the user needs to use the AWS Management Console. You will also need to give the user the URL of your account's sign-in page.

  3. (Optional) Create an access key for the user. This is required if the user needs to programmatically access AWS resources.

    • AWS CLI: aws iam create-access-key

    • Tools for Windows PowerShell: New-IAMAccessKey

    • IAM API: CreateAccessKey

      Important

      This is your only opportunity to view or download the keys, and you must provide this information to your users before they can use the AWS API. If you don't download and save them now, you will need to create new access keys for the users later. Save the user's new access key ID and secret access key in a safe and secure place. You will not have access to the secret access keys again after this step.

  4. Add the user to one or more groups. The groups that you specify should have policies attached that grant the appropriate permissions for the user.

  5. (Optional) Attach a policy to the user that defines the user's permissions. Note: We recommend that you manage user permissions by adding the user to a group and attaching a policy to the group instead of attaching it directly to the user.

  6. (Optional) Give the user permission to manage his or her own security credentials. For more information, see Allow Users to Manage Their Own Passwords and Access Keys.
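The CLI steps above for an API-only user, combined into one shell function. This is an added example, not part of the IAM User Guide. Because the secret access key is returned only once, it is written straight to an owner-only file instead of the terminal. The user name, group name and key file path are placeholder arguments, and the group is assumed to exist already with its policies attached.

```bash
#!/usr/bin/env bash
# Added example (not from the IAM User Guide).
# Usage: ./provision.sh USER GROUP [KEYFILE]   (all three are placeholders)
# Step 2 (console password) is skipped: this user only makes API calls.

provision_iam_user() (
  user=$1 group=$2 keyfile=${3:-./$1-accesskey.csv}

  # Check before any API call: a saved key file is never overwritten,
  # and no second access key is issued for a user that already has one saved.
  if [ -e "$keyfile" ]; then
    echo "refusing to overwrite $keyfile" >&2
    exit 1
  fi

  # Step 1: create the user.
  aws iam create-user --user-name "$user" >/dev/null || exit 1

  # Step 3: create the access key. Only this call ever returns the secret,
  # so capture it in a variable and write it to a file with mode 0600.
  key=$(aws iam create-access-key --user-name "$user" \
        --query 'AccessKey.[AccessKeyId,SecretAccessKey]' \
        --output text) || exit 1
  umask 077
  printf 'AccessKeyId,SecretAccessKey\n%s\n' \
    "$(printf '%s' "$key" | tr '\t' ',')" > "$keyfile" || exit 1

  # Step 4: grant permissions through group membership, not a user policy.
  aws iam add-user-to-group --user-name "$user" \
      --group-name "$group" >/dev/null || exit 1

  # Report only where the credentials were saved, never the secret itself.
  printf '%s\n' "$keyfile"
)

# Run only when called with arguments, e.g. ./provision.sh alice Developers
if [ "$#" -ge 2 ]; then
  provision_iam_user "$@"
fi
```

Hand the resulting CSV to the user over a protected channel and delete the local copy afterwards; if it is lost, the only recovery is to create a new access key.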