Managing passwords for IAM users
IAM users who use the AWS Management Console to work with AWS resources must have a password in order to sign in. You can create, change, or delete a password for an IAM user in your AWS account.
After you have assigned a password to a user, the user can sign in to the AWS Management Console using the sign-in URL for your account, which looks like this:
https://12-digit-AWS-account-ID or alias.signin.aws.amazon.com/console
For more information about how IAM users sign in to the AWS Management Console, see How to sign in to AWS in the AWS Sign-In User Guide.
Even if your users have their own passwords, they still need permissions to access your AWS resources. By default, a user has no permissions. To give your users the permissions they need, you assign policies to them or to the groups they belong to. For information about creating users and groups, see IAM Identities (users, user groups, and roles). For information about using policies to set permissions, see Changing permissions for an IAM user.
You can grant users permission to change their own passwords. For more information, see Permitting IAM users to change their own passwords. For information about how users access your account sign-in page, see How to sign in to AWS in the AWS Sign-In User Guide.
Topics
Creating, changing, or deleting an IAM user password (console)
You can use the AWS Management Console to manage passwords for your IAM users.
When users leave your organization or no longer need AWS access, it is important to find the credentials that they were using and ensure that they are no longer operational. Ideally, you delete credentials if they are no longer needed. You can always recreate them at a later date if the need arises. At the very least, you should change the credentials so that the former users no longer have access.
To add a password for an IAM user (console)
Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/
. -
In the navigation pane, choose Users.
-
Choose the name of the user whose password you want to create.
-
Choose the Security credentials tab, and then under Console sign-in, choose Enable console access.
-
In Enable console access, for Console password, choose whether to have IAM generate a password or create a custom password:
-
To have IAM generate a password, choose Autogenerated password.
-
To create a custom password, choose Custom password, and type the password.
Note
The password that you create must meet the account's password policy.
-
-
To require the user to create a new password when signing in, choose User must create a new password at next sign-in. Then choose Enable console access.
Important
If you select the User must create a new password at next sign-in option, make sure that the user has permission to change his or her password. For more information, see Permitting IAM users to change their own passwords.
-
To view the password so you can share it with the user, choose Show in the Console password dialog box.
Important
For security reasons, you cannot access the password after completing this step, but you can create a new password at any time.
To change the password for an IAM user (console)
Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/
. -
In the navigation pane, choose Users.
-
Choose the name of the user whose password you want to change.
-
Choose the Security credentials tab, and then under Console sign-in, choose Manage console access.
-
In Manage console access, choose Reset password if not already selected. If console access is disabled, then no password is required.
-
For Console access, choose whether to have IAM generate a password or create a custom password:
-
To have IAM generate a password, choose Autogenerated password.
-
To create a custom password, choose Custom password, and type the password.
Note
The password that you create must meet the account's password policy, if one is currently set.
-
-
To require the user to create a new password when signing in, choose User must create a new password at next sign-in.
Important
If you select the User must create a new password at next sign-in option, make sure that the user has permission to change his or her password. For more information, see Permitting IAM users to change their own passwords.
-
To revoke the user's active console sessions, choose Revoke active console sessions. Then choose Apply.
When you revoke active console sessions for a user, IAM attaches a new inline policy to the user that denies all permissions to all actions. It includes a condition that applies the restrictions only if the session was created before the point in time when you revoke the permissions, as well as approximately 30 seconds into the future. If the user creates a new session after you revoked the permissions, then the deny policy does not apply to that user. If a user revokes their own active console sessions using this method, they will be immediately signed out from the AWS Management Console.
Important
To successfully revoke active console sessions for a user, you must have the
PutUserPolicypermission for the user. This allows you to attach theAWSRevokeOlderSessionsinline policy to the user. -
To view the password so you can share it with the user, choose Show in the Console password dialog box.
Important
For security reasons, you cannot access the password after completing this step, but you can create a new password at any time.
To delete (disable) an IAM user password (console)
Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/
. -
In the navigation pane, choose Users.
-
Choose the name of the user whose password you want to delete.
-
Choose the Security credentials tab, and then under Console sign-in, choose Manage console access.
-
In Manage console access, choose Disable console access if not already selected. If console access is disabled, then no password is required.
-
To revoke the user's active console sessions, choose Revoke active console sessions. Then choose Disable access.
Important
To successfully revoke active console sessions for a user, you must have the
PutUserPolicypermission for the user. This allows you to attach theAWSRevokeOlderSessionsinline policy to the user.When you revoke active console sessions for a user, IAM embeds a new inline policy in the IAM user that denies all permissions to all actions. It includes a condition that applies the restrictions only if the session was created before the point in time when you revoke the permissions, as well as approximately 30 seconds into the future. If the user creates a new session after you revoked the permissions, then the deny policy does not apply to that user. If a user revokes their own active console sessions using this method, they will be immediately signed out from the AWS Management Console.
Important
You can prevent an IAM user from accessing the AWS Management Console by removing their password. This prevents them from signing in to the AWS Management Console using their sign-in credentials. It does not change their permissions or prevent them from accessing the console using an assumed role. If the user has active access keys, they continue to function and allow access through the AWS CLI, Tools for Windows PowerShell, AWS API, or the AWS Console Mobile Application.
Creating, changing, or deleting an IAM user password (AWS CLI)
You can use the AWS CLI API to manage passwords for your IAM users.
To create a password (AWS CLI)
-
(Optional) To determine whether a user has a password, run this command: aws iam get-login-profile
-
To create a password, run this command: aws iam create-login-profile
To change a user's password (AWS CLI)
-
(Optional) To determine whether a user has a password, run this command: aws iam get-login-profile
-
To change a password, run this command: aws iam update-login-profile
To delete (disable) a user's password (AWS CLI)
-
(Optional) To determine whether a user has a password, run this command: aws iam get-login-profile
-
(Optional) To determine when a password was last used, run this command: aws iam get-user
-
To delete a password, run this command: aws iam delete-login-profile
Important
When you delete a user's password, the user can no longer sign in to the AWS Management Console. If the user has active access keys, they continue to function and allow access through the AWS CLI, Tools for Windows PowerShell, or AWS API function calls. When you use the AWS CLI, Tools for Windows PowerShell, or AWS API to delete a user from your AWS account, you must first delete the password using this operation. For more information, see Deleting an IAM user (AWS CLI).
To revoke a user's active console sessions before a specified time (AWS CLI)
-
To embed an inline policy that revokes an IAM user's active console sessions before a specified time, use the following inline policy and run this command: aws iam put-user-policy
This inline policy denies all permissions and includes the
aws:TokenIssueTimecondition key. It revokes the user's active console sessions before the specified time in theConditionelement of the inline policy. Replace theaws:TokenIssueTimecondition key value with your own value.{ "Version": "2012-10-17", "Statement": { "Effect": "Deny", "Action": "*", "Resource": "*", "Condition": { "DateLessThan": { "aws:TokenIssueTime": "2014-05-07T23:47:00Z" } } } } -
(Optional) To list the names of the inline policies embedded in the IAM user, run this command: aws iam list-user-policies
-
(Optional) To view the named inline policy embedded in the IAM user, run this command: aws iam get-user-policy
Creating, changing, or deleting an IAM user password (AWS API)
You can use the AWS API to manage passwords for your IAM users.
To create a password (AWS API)
-
(Optional) To determine whether a user has a password, call this operation: GetLoginProfile
-
To create a password, call this operation: CreateLoginProfile
To change a user's password (AWS API)
-
(Optional) To determine whether a user has a password, call this operation: GetLoginProfile
-
To change a password, call this operation: UpdateLoginProfile
To delete (disable) a user's password (AWS API)
-
(Optional) To determine whether a user has a password, run this command: GetLoginProfile
-
(Optional) To determine when a password was last used, run this command: GetUser
-
To delete a password, run this command: DeleteLoginProfile
Important
When you delete a user's password, the user can no longer sign in to the AWS Management Console. If the user has active access keys, they continue to function and allow access through the AWS CLI, Tools for Windows PowerShell, or AWS API function calls. When you use the AWS CLI, Tools for Windows PowerShell, or AWS API to delete a user from your AWS account, you must first delete the password using this operation. For more information, see Deleting an IAM user (AWS CLI).
To revoke a user's active console sessions before a specified time (AWS API)
-
To embed an inline policy that revokes an IAM user's active console sessions before a specified time, use the following inline policy and run this command: PutUserPolicy
This inline policy denies all permissions and includes the
aws:TokenIssueTimecondition key. It revokes the user's active console sessions before the specified time in theConditionelement of the inline policy. Replace theaws:TokenIssueTimecondition key value with your own value.{ "Version": "2012-10-17", "Statement": { "Effect": "Deny", "Action": "*", "Resource": "*", "Condition": { "DateLessThan": { "aws:TokenIssueTime": "2014-05-07T23:47:00Z" } } } } -
(Optional) To list the names of the inline policies embedded in the IAM user, run this command: ListUserPolicies
-
(Optional) To view the named inline policy embedded in the IAM user, run this command: GetUserPolicy
