AWS Identity and Access Management

This guide focuses on the AWS SDK for PHP client for AWS Identity and Access Management. This guide assumes that you have already downloaded and installed the AWS SDK for PHP. See Installation for more information on getting started.

Creating a client

First you need to create a client object using one of the following techniques.

Factory method

The easiest way to get up and running quickly is to use the Aws\Iam\IamClient::factory() method and provide your credential profile (via the profile option), which identifies the set of credentials you want to use from your ~/.aws/credentials file (see Using the AWS credentials file and credential profiles).

use Aws\Iam\IamClient;

$client = IamClient::factory(array(
    'profile' => '<profile in your aws credentials file>'
));

You can provide your credential profile as in the preceding example, specify your access keys directly (via key and secret), or omit credential information entirely if you are using AWS Identity and Access Management (IAM) roles for EC2 instances or credentials sourced from the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables.


The profile option and AWS credentials file support are available only in version 2.6.1 of the SDK and higher. We recommend that all users update their copies of the SDK to take advantage of this feature, which is a safer way to specify credentials than explicitly providing key and secret.
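A pre-flight check that could run before the factory call, as an added example that is not part of the SDK or the original guide: it verifies that the chosen profile exists in the credentials file with both key fields and, on POSIX systems, that the file is not readable by group or other users. The function name checkCredentialProfile, the profile name audit and the sample file contents are assumptions constructed for illustration.

```php
<?php
// Added example; not part of the AWS SDK for PHP or the original guide.
use Aws\Iam\IamClient;

// Pre-flight check for a shared credentials file. Returns a list of problems;
// an empty list means the profile is complete and the file is owner-only.
function checkCredentialProfile($path, $profile)
{
    if (!is_file($path) || !is_readable($path)) {
        return array("cannot read $path");
    }
    $problems = array();
    clearstatcache(true, $path);
    $mode = fileperms($path) & 0777;
    // POSIX only: the secret must not be readable by group or other users.
    if (DIRECTORY_SEPARATOR === '/' && ($mode & 0077) !== 0) {
        $problems[] = sprintf('%s has mode %04o, expected 0600', $path, $mode);
    }
    // INI_SCANNER_RAW returns values verbatim instead of interpreting them.
    $ini = parse_ini_file($path, true, INI_SCANNER_RAW);
    if ($ini === false || !isset($ini[$profile])) {
        $problems[] = "profile [$profile] not found";
        return $problems;
    }
    foreach (array('aws_access_key_id', 'aws_secret_access_key') as $field) {
        if (empty($ini[$profile][$field])) {
            $problems[] = "profile [$profile] is missing $field";
        }
    }
    return $problems;
}

// Constructed sample file with placeholder values (not real credentials).
$sample = tempnam(sys_get_temp_dir(), 'cred');
file_put_contents($sample, "[audit]\naws_access_key_id = EXAMPLEKEYID\n"
    . "aws_secret_access_key = constructed/placeholder+secret\n");
chmod($sample, 0644);                                 // deliberately too open
print_r(checkCredentialProfile($sample, 'audit'));
chmod($sample, 0600);                                 // owner-only
print_r(checkCredentialProfile($sample, 'audit'));
print_r(checkCredentialProfile($sample, 'missing'));  // profile not in the file
unlink($sample);

// Real use, once the SDK autoloader is registered: pass the profile name only.
$real = getenv('HOME') . '/.aws/credentials';
if (class_exists('Aws\Iam\IamClient') && !checkCredentialProfile($real, 'audit')) {
    $client = IamClient::factory(array('profile' => 'audit'));
}
```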

Service builder

A more robust way to connect to AWS Identity and Access Management is through the service builder. This allows you to specify credentials and other configuration settings in a configuration file. These settings can then be shared across all clients so that you only have to specify your settings once.

use Aws\Common\Aws;

// Create a service builder using a configuration file
$aws = Aws::factory('/path/to/my_config.json');

// Get the client from the builder by namespace
$client = $aws->get('Iam');

For more information about configuration files, see Configuring the SDK.

API Reference

Please see the AWS Identity and Access Management Client API reference for details about all of the available methods, including descriptions of the inputs and outputs.

AddClientIDToOpenIDConnectProvider AddRoleToInstanceProfile
AddUserToGroup AttachGroupPolicy
AttachRolePolicy AttachUserPolicy
ChangePassword CreateAccessKey
CreateAccountAlias CreateGroup
CreateInstanceProfile CreateLoginProfile
CreateOpenIDConnectProvider CreatePolicy
CreatePolicyVersion CreateRole
CreateSAMLProvider CreateUser
CreateVirtualMFADevice DeactivateMFADevice
DeleteAccessKey DeleteAccountAlias
DeleteAccountPasswordPolicy DeleteGroup
DeleteGroupPolicy DeleteInstanceProfile
DeleteLoginProfile DeleteOpenIDConnectProvider
DeletePolicy DeletePolicyVersion
DeleteRole DeleteRolePolicy
DeleteSAMLProvider DeleteSSHPublicKey
DeleteServerCertificate DeleteSigningCertificate
DeleteUser DeleteUserPolicy
DeleteVirtualMFADevice DetachGroupPolicy
DetachRolePolicy DetachUserPolicy
EnableMFADevice GenerateCredentialReport
GetAccessKeyLastUsed GetAccountAuthorizationDetails
GetAccountPasswordPolicy GetAccountSummary
GetContextKeysForCustomPolicy GetContextKeysForPrincipalPolicy
GetCredentialReport GetGroup
GetGroupPolicy GetInstanceProfile
GetLoginProfile GetOpenIDConnectProvider
GetPolicy GetPolicyVersion
GetRole GetRolePolicy
GetSAMLProvider GetSSHPublicKey
GetServerCertificate GetUser
GetUserPolicy ListAccessKeys
ListAccountAliases ListAttachedGroupPolicies
ListAttachedRolePolicies ListAttachedUserPolicies
ListEntitiesForPolicy ListGroupPolicies
ListGroups ListGroupsForUser
ListInstanceProfiles ListInstanceProfilesForRole
ListMFADevices ListOpenIDConnectProviders
ListPolicies ListPolicyVersions
ListRolePolicies ListRoles
ListSAMLProviders ListSSHPublicKeys
ListServerCertificates ListSigningCertificates
ListUserPolicies ListUsers
ListVirtualMFADevices PutGroupPolicy
PutRolePolicy PutUserPolicy
RemoveClientIDFromOpenIDConnectProvider RemoveRoleFromInstanceProfile
RemoveUserFromGroup ResyncMFADevice
SetDefaultPolicyVersion SimulateCustomPolicy
SimulatePrincipalPolicy UpdateAccessKey
UpdateAccountPasswordPolicy UpdateAssumeRolePolicy
UpdateGroup UpdateLoginProfile
UpdateOpenIDConnectProviderThumbprint UpdateSAMLProvider
UpdateSSHPublicKey UpdateServerCertificate
UpdateSigningCertificate UpdateUser
UploadSSHPublicKey UploadServerCertificate