AWS Identity and Access Management
User Guide

Creating an IAM User in Your AWS Account

You can create one or more IAM users in your AWS account. You might create an IAM user when someone joins your organization, or when you have a new application that needs to make API calls to AWS.

In outline, the process of creating a user and making it usable for work tasks consists of these steps:

  1. Create the user in the AWS Management Console or from an AWS CLI, Tools for Windows PowerShell, or IAM API command. If you create the user in the AWS Management Console, then steps 1–4 are handled automatically. If you create the users programmatically, then you must perform each of those steps individually.

  2. Create credentials for the user, depending on the type of access the user requires:

    • Programmatic access: If the user needs to make API calls or use the AWS CLI or the Tools for Windows PowerShell, create an access key (an access key ID and a secret access key) for that user.

    • AWS Management Console access: If the user needs to access AWS resources from the AWS Management Console, create a password for the user.

    As a best practice, do not create credentials of a certain type for a user that will never need that kind of access. For example, for a user that requires access through the AWS Management Console only, do not create access keys.

  3. Give the user permissions to perform the required tasks by adding the user to one or more groups. Although you can grant permissions by attaching IAM permission policies directly to the user, we recommend that you put your users in groups and manage permissions through policies attached to those groups rather than directly on the users.

  4. Provide the user with the information needed to sign in. This includes the password and the URL for the account sign-in web page where the user enters those credentials. For more information, see How IAM Users Sign In to Your AWS Account.

  5. (Optional) Configure multi-factor authentication (MFA) for the user. MFA requires the user to provide a one-time-use code each time he or she signs in to the AWS Management Console.

  6. (Optional) Give users permissions to manage their own security credentials. (By default, users do not have permissions to manage their own credentials.) For more information, see Permitting IAM Users to Change Their Own Passwords.

For information about the permissions that you need in order to create a user, see Delegating Permissions to Administer IAM Users, Groups, and Credentials.

Creating IAM Users (Console)

To create one or more IAM users from the AWS Management Console

  1. Sign in to the Identity and Access Management (IAM) console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Users and then choose Add user.

  3. Type the user name for the new user. This is the sign-in name for AWS. If you want to add more than one user at the same time, choose Add another user for each additional user and type their user names. You can add up to 10 users at one time.

    Note

    User names can be a combination of up to 64 letters, digits, and these characters: plus (+), equal (=), comma (,), period (.), at sign (@), and hyphen (-). Names must be unique within an account. They are not distinguished by case. For example, you cannot create two users named TESTUSER and testuser. For more information about limitations on IAM entities, see Limitations on IAM Entities and Objects.

  4. Select the type of access this set of users will have. You can select programmatic access to the APIs, AWS CLI, and Tools for Windows PowerShell, access to the AWS Management Console, or both.

    • Select Programmatic access if the users require access to the API, AWS CLI, or Tools for Windows PowerShell. This creates an access key for each new user. You can view or download the access keys when you get to the Final page.

    • Select AWS Management Console access if the users require access to the AWS Management Console. This creates a password for each new user.

      1. For Console password type, choose one of the following:

        • Autogenerated password. Each user gets a randomly generated password that meets the current password policy in effect (if any). You can view or download the passwords when you get to the Final page.

        • Custom password. Each user is assigned the password that you type in the box.

      2. (Optional) We recommend that you choose Require password reset to ensure that users are forced to change their password the first time they sign in.

        Note

        If you have not enabled the account-wide password policy setting Allow users to change their own password, then selecting Require password reset automatically attaches an AWS managed policy named IAMUserChangePassword to the new users that grants them permission to change their own passwords.

  5. Choose Next: Permissions.

  6. On the Set permissions page, specify how you want to assign permissions to this set of new users. Choose one of the following three options:

    • Add user to group. Choose this option if you have groups with appropriate permission policies already created and want to assign the users to those groups. IAM displays a list of all currently defined groups, along with their attached policies. You can select one or more existing groups, or choose Create group to create a new group. For more information, see Changing Permissions for an IAM User.

    • Copy permissions from existing user. Choose this option to copy all of the group memberships, attached managed policies, and embedded inline policies from an existing user to the new users. IAM displays a list of currently defined users. Select the one whose permissions most closely match the needs of your new users. Each new user gets the same group memberships and attached policies as the selected user.

    • Attach existing policies to user directly. Choose this option to select from existing managed policies or to create new managed policies that are attached to the new users. IAM displays a list of currently defined managed policies, both AWS- and customer-defined. Select the policies that you want to attach to the new users or choose Create policy to create a new policy from scratch. For more information, see step 4 in the procedure Create a policy.

  7. Choose Next: Review to see all of the choices you made up to this point. When you are ready to proceed, choose Create user.

  8. To view the users' access keys (access key IDs and secret access keys), choose Show next to each password and secret access key that you want to see. To save the access keys, choose Download .csv and then save the file to a safe location.

    Important

    This is your only opportunity to view or download the secret access keys, and you must provide this information to your users before they can use the AWS API. Save the user's new access key ID and secret access key in a safe and secure place. You will not have access to the secret keys again after this step.

  9. Provide each user with his or her credentials. On the final page you can choose Send email next to each user. Your local mail client opens with a draft that you can customize and send. The email template includes the following details to each user:

    • User name

    • URL to the account sign-in web page. Use the following example, substituting the correct account ID number or account alias:

      https://AWS-account-ID or alias.signin.aws.amazon.com/console

    For more information, see How IAM Users Sign In to Your AWS Account.

    Important

    The user's password is not included in the generated email. You must provide it to each user in a way that complies with your organization's security guidelines.

  10. (Optional) Grant the user(s) permission to manage their own security credentials. For more information, see Allow Users to Manage Their Own Passwords, Access Keys, and SSH Keys.

Creating IAM Users (AWS CLI, Tools for Windows PowerShell, or IAM HTTP API)

To create an IAM user from the AWS CLI, Tools for Windows PowerShell, or IAM HTTP API

  1. Create a user.

  2. (Optional) Give the user access to the AWS Management Console. This requires a password. You must also give the user the URL of your account's sign-in page.

  3. (Optional) Give the user programmatic access. This requires access keys.

    • AWS CLI: aws iam create-access-key

    • Tools for Windows PowerShell: New-IAMAccessKey

    • IAM API: CreateAccessKey

      Important

      This is your only opportunity to view or download the secret access keys, and you must provide this information to your users before they can use the AWS API. Save the user's new access key ID and secret access key in a safe and secure place. You will not have access to the secret keys again after this step.

  4. Add the user to one or more groups. The groups that you specify should have attached policies that grant the appropriate permissions for the user.

  5. (Optional) Attach a policy to the user that defines the user's permissions. Note: We recommend that you manage user permissions by adding the user to a group and attaching a policy to the group instead of attaching directly to a user.

  6. (Optional) Give the user permission to manage his or her own security credentials. For more information, see Allow Users to Manage Their Own Passwords, Access Keys, and SSH Keys.
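The CLI procedure above, carried through as an added shell script that is not part of the AWS User Guide. It uses the AWS CLI subcommands create-user, create-login-profile, create-access-key and add-user-to-group, and only creates the credential type a user actually needs; the user names jdoe and svc-deploy, the group Developers and the INITIAL_PASSWORD and DRY_RUN variables are assumed placeholders, and the name checks implement the rules stated in the console procedure's step 3 note.

```shell
#!/bin/sh
# Added example, not from the AWS User Guide: runs steps 1-4 of the CLI
# procedure. User names, group "Developers", INITIAL_PASSWORD and DRY_RUN
# are constructed placeholders. With DRY_RUN=1 the aws commands are
# printed instead of executed, so the script can be reviewed offline.

# Step 3 note of the console procedure: up to 64 letters, digits or + = , . @ -
validate_iam_user_name() {
  name=$1
  [ -n "$name" ] && [ "${#name}" -le 64 ] || return 1
  case $name in
    *[!A-Za-z0-9+=,.@-]*) return 1 ;;
  esac
}

# Names are unique per account and not distinguished by case (TESTUSER vs
# testuser); returns 0 when $1 collides with a name in the list $2.
user_name_taken() {
  want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  for existing in $2; do
    have=$(printf '%s' "$existing" | tr '[:upper:]' '[:lower:]')
    [ "$have" = "$want" ] && return 0
  done
  return 1
}

run() { if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# create_iam_user NAME GROUP CONSOLE(yes|no) PROGRAMMATIC(yes|no)
# Permissions come from the group (step 4), not from policies on the user.
create_iam_user() {
  name=$1; group=$2; console=$3; programmatic=$4
  validate_iam_user_name "$name" || { echo "invalid user name: $name" >&2; return 1; }
  run aws iam create-user --user-name "$name"                    # step 1
  if [ "$console" = yes ]; then                                   # step 2
    : "${INITIAL_PASSWORD:?set a password that meets the account policy}"
    run aws iam create-login-profile --user-name "$name" \
      --password "$INITIAL_PASSWORD" --password-reset-required
  fi
  if [ "$programmatic" = yes ]; then                              # step 3
    run aws iam create-access-key --user-name "$name"  # secret is shown once; store it safely
  fi
  run aws iam add-user-to-group --user-name "$name" --group-name "$group"   # step 4
}
```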