AWS Identity and Access Management
User Guide

Creating an IAM User in Your AWS Account

You can create one or more IAM users in your AWS account. You might create an IAM user when someone joins your organization, or when you have a new application that needs to make API calls to AWS.

In outline, the process of creating a user consists of these steps:

  1. Create the user in the AWS Management Console or from an AWS CLI, Tools for Windows PowerShell, or IAM API command.

  2. (Optional) Add the user to one or more groups. We recommend that you put your users in groups and manage their policies and permissions through those groups rather than directly on the users.

  3. If the user needs to access AWS resources from the AWS Management Console, create a password for the user and attach a policy to the user or group that grants permissions to perform the actions that you want to allow.

  4. If the user needs to make API calls or use the AWS CLI or the Tools for Windows PowerShell, create an access key (an access key ID and a secret access key) for that user. The secret access key is available only at the time you create the access key.

  5. (Optional) Configure multi-factor authentication (MFA) for the user, which requires the user to provide a one-time-use code each time he or she signs into the AWS Management Console.

  6. Provide the user with the information needed to sign in. This includes the credentials and the URL for the account sign-in web page where the user enters those credentials. For more information, see How IAM Users Sign In to Your AWS Account.

  7. (Optional) Give users permissions to manage their own security credentials. (By default, users do not have permissions to manage their own credentials.) For more information, see Permitting IAM Users to Change Their Own Passwords.

For information about the permissions that you need in order to create a user, see Delegating Permissions to Administer IAM Users, Groups, and Credentials.

Creating IAM Users (AWS Management Console)

To create one or more IAM users with the AWS Management Console

  1. Sign in to the Identity and Access Management (IAM) console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Users and then choose Create New Users.

  3. Type the user names for the users to create. You can create up to five users at one time.

    Note

    User names can use only a combination of alphanumeric characters and these characters: plus (+), equal (=), comma (,), period (.), at (@), and hyphen (-). Names must be unique within an account. For more information about limitations on IAM entities, see Limitations on IAM Entities and Objects.

  4. If the users require access to the API, AWS CLI, or Tools for Windows PowerShell, then they must have access keys. To generate access keys for new users at this time, select Generate an access key for each user.

  5. Choose Create.

  6. (Optional) To view the users' access keys (access key IDs and secret access keys), choose Show User Security Credentials. To save the access keys, choose Download Credentials and then save the file to a safe location on your computer.

    Important

    This is your only opportunity to view or download the secret access keys, and you must provide this information to your users before they can use the AWS API. If you don't download and save them now, you will need to create new access keys for the users later. Save the user's new access key ID and secret access key in a safe and secure place. You will not have access to the secret access keys again after this step.

  7. (Optional) Give the user(s) permission to manage their own security credentials. For more information, see Allow Users to Manage Their Own Passwords, Access Keys, and SSH Keys.

  8. (Optional) To enable the user(s) to access the AWS Management Console, create a password for each user. For more information, see Creating, Changing, or Deleting an IAM User Password (AWS Management Console).

  9. (Optional) Make the user a member of a group that has policies attached that provide the appropriate permissions for this user to access AWS resources. We recommend using groups rather than attaching policies directly to users. For more information, see Attaching Managed Policies.

  10. Provide each user with his or her credentials:

    • User name

    • Password and/or access keys

    • URL to the account sign-in web page. Use the following example, substituting the correct account ID number or account alias:

      https://<AWS-account-ID or alias>.signin.aws.amazon.com/console

    For more information, see How IAM Users Sign In to Your AWS Account.

Creating IAM Users (AWS CLI, Tools for Windows PowerShell, or IAM HTTP API)

To create an IAM user from the AWS CLI, Tools for Windows PowerShell, or IAM HTTP API

  1. Create a user.

  2. (Optional) Give the user a password. This is required if the user needs to use the AWS Management Console. You will also need to give the user the URL of your account's sign-in page.

  3. (Optional) Create an access key for the user. This is required if the user needs to programmatically access AWS resources.

    • AWS CLI: aws iam create-access-key

    • Tools for Windows PowerShell: New-IAMAccessKey

    • IAM API: CreateAccessKey

      Important

      This is your only opportunity to view or download the secret access keys, and you must provide this information to your users before they can use the AWS API. If you don't download and save them now, you will need to create new access keys for the users later. Save the user's new access key ID and secret access key in a safe and secure place. You will not have access to the secret access keys again after this step.

  4. Add the user to one or more groups. The groups that you specify should have policies attached that grant the appropriate permissions for the user.

  5. (Optional) Attach a policy to the user that defines the user's permissions. Note: We recommend that you manage user permissions by adding the user to a group and attaching a policy to the group instead of attaching directly to a user.

  6. (Optional) Give the user permission to manage his or her own security credentials. For more information, see Allow Users to Manage Their Own Passwords, Access Keys, and SSH Keys.
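
Steps 1, 3 and 4 of the procedure above as one AWS CLI function. This is an added example, not part of the original guide; the user, group and file names are hypothetical. Because the secret access key is shown only once, the function writes it directly to a new file that only the current OS user can read.

```shell
#!/bin/sh
# Added example, not AWS's own script. User, group and file names are
# hypothetical; the aws subcommands are standard IAM CLI operations.

# provision_iam_user USER GROUP KEYFILE
# Returns 0 on success, 2 for a bad user name, 3 if KEYFILE exists,
# 1 if an AWS CLI call fails.
provision_iam_user() {
    user=$1 group=$2 keyfile=$3

    # Allowed characters exactly as listed in the note on this page.
    if ! ( LC_ALL=C
           case "$user" in ''|*[!A-Za-z0-9+=,.@-]*) exit 1 ;; esac ); then
        echo "invalid IAM user name: $user" >&2
        return 2
    fi

    # Never reuse an existing file: it may carry looser permissions.
    if [ -e "$keyfile" ]; then
        echo "refusing to overwrite $keyfile" >&2
        return 3
    fi

    # Step 1: create the user.
    aws iam create-user --user-name "$user" >/dev/null || return 1

    # Step 3: create the access key. The secret is returned only by this
    # call, so send it straight to a 0600 file and never to the terminal.
    if ! ( umask 077
           aws iam create-access-key --user-name "$user" \
               --query 'AccessKey.[AccessKeyId,SecretAccessKey]' \
               --output text >"$keyfile" ); then
        rm -f "$keyfile"
        return 1
    fi

    # Step 4: permissions come from the group's policies, not from a
    # policy attached directly to the user.
    aws iam add-user-to-group --group-name "$group" --user-name "$user" \
        || return 1
}

# Usage (changes the account the CLI is configured for):
#   provision_iam_user alice Developers ./alice.accesskey
```

The key file holds the access key ID and secret access key separated by a tab; hand it to the user over a protected channel and delete the local copy afterwards.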