How to Create an IAM User in AWS from the CLI: Complete Guide
Introduction
AWS Identity and Access Management (IAM) is the service that controls who can access what within your Amazon Web Services account. While the web console is intuitive, mastering the AWS CLI to manage IAM users lets you automate processes, create reproducible scripts, and work much faster.
In this article, you'll learn step by step how to create an IAM user from the command line, assign permissions, generate programmatic access credentials, and apply security best practices. All with real-world examples you can copy and run.
Prerequisites
Before getting started, make sure you have the following:
- An active AWS account with administrator permissions (or at least IAM permissions)
- AWS CLI v2 installed on your machine
- Credentials configured via `aws configure`
Installing AWS CLI v2
If you don't have it installed yet, run the appropriate command for your operating system:
```bash
# macOS (Homebrew)
brew install awscli

# Linux (official)
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install

# Windows (MSI installer)
# Download from: https://awscli.amazonaws.com/AWSCLIV2.msi

# Verify installation
aws --version
```
Configuring credentials
Set up your access credentials. You'll need the Access Key ID and Secret Access Key from a user with IAM permissions:
```bash
aws configure
# AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
# AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# Default region name [None]: us-east-1
# Default output format [None]: json
```
Step 1: Create the IAM User
The fundamental command is `aws iam create-user`. You only need to specify the user name:
```bash
# Create an IAM user
aws iam create-user --user-name backend-developer

# Expected response:
# {
#   "User": {
#     "Path": "/",
#     "UserName": "backend-developer",
#     "UserId": "AIDAJEXAMPLE12345678",
#     "Arn": "arn:aws:iam::123456789012:user/backend-developer",
#     "CreateDate": "2026-04-04T10:00:00+00:00"
#   }
# }
```
You can also organize users with paths for logical grouping:
```bash
# Create user with organizational path
aws iam create-user --user-name jane-smith --path "/engineering/backend/"

# Create user with tags for identification
aws iam create-user --user-name john-doe --tags Key=Department,Value=Engineering Key=Project,Value=PaymentAPI
```
Step 2: Create Programmatic Access Credentials
An IAM user without credentials can't do anything. There are two types of access:
Access Keys (for API/CLI/SDK)
```bash
# Generate Access Key for the user
aws iam create-access-key --user-name backend-developer

# Response:
# {
#   "AccessKey": {
#     "UserName": "backend-developer",
#     "AccessKeyId": "AKIAI44QH8DHBEXAMPLE",
#     "Status": "Active",
#     "SecretAccessKey": "je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY",
#     "CreateDate": "2026-04-04T10:05:00+00:00"
#   }
# }
```
The `SecretAccessKey` is shown only ONCE, at creation time. Save it securely immediately. If you lose it, you'll need to create a new Access Key.
Login Profile (for web console access)
```bash
# Create login profile with temporary password
aws iam create-login-profile --user-name backend-developer --password "TempP@ss2026!" --password-reset-required

# The user will be required to change the password on first sign-in
```
Step 3: Assign Permissions with Policies
A user without policies has zero permissions. AWS recommends the principle of least privilege: grant only the permissions that are strictly necessary for the user's job.
Attach an AWS-managed policy
```bash
# Grant read-only access to S3
aws iam attach-user-policy --user-name backend-developer --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess

# Grant full access to DynamoDB
aws iam attach-user-policy --user-name backend-developer --policy-arn arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess

# View policies attached to the user
aws iam list-attached-user-policies --user-name backend-developer
```
Create and attach a custom policy
Custom policies give you granular control. Create a JSON file (here named `backend-policy.json`) with the policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::my-production-bucket",
        "arn:aws:s3:::my-production-bucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:*"
    }
  ]
}
```
```bash
# Create the policy from the JSON file
aws iam create-policy --policy-name S3-And-Logs-Backend --policy-document file://backend-policy.json --description "Access to production S3 and CloudWatch Logs"

# Attach the policy to the user (use the returned ARN)
aws iam attach-user-policy --user-name backend-developer --policy-arn arn:aws:iam::123456789012:policy/S3-And-Logs-Backend
```
Step 4: Add the User to a Group
Best practice is to manage permissions through groups, not directly on users. This simplifies administration when you have many users.
```bash
# Create a group
aws iam create-group --group-name backend-developers

# Attach policies to the group
aws iam attach-group-policy --group-name backend-developers --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess

aws iam attach-group-policy --group-name backend-developers --policy-arn arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess

# Add the user to the group
aws iam add-user-to-group --user-name backend-developer --group-name backend-developers

# Verify the user's groups
aws iam list-groups-for-user --user-name backend-developer
```
Step 5: Enable MFA (Multi-Factor Authentication)
Multi-factor authentication adds an extra layer of security beyond the password or access key. AWS best practices treat it as mandatory for every user, above all the root user.
```bash
# Create a virtual MFA device
aws iam create-virtual-mfa-device --virtual-mfa-device-name backend-developer-mfa --outfile qr-code.png --bootstrap-method QRCodePNG

# The qr-code.png file contains the QR code to scan
# with Google Authenticator, Authy, or another TOTP app

# Activate MFA with two consecutive codes from the device
aws iam enable-mfa-device --user-name backend-developer --serial-number arn:aws:iam::123456789012:mfa/backend-developer-mfa --authentication-code1 123456 --authentication-code2 789012
```
Enrolling a device does not by itself force the user to use it. A policy can also be written so that its permissions apply only when the condition key `aws:MultiFactorAuthPresent` is true. This is known as an "MFA required" policy.
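The "MFA required" policy written out, as an added example that is not part of the original article. It follows the pattern AWS documents for this purpose: instead of an Allow conditioned on `aws:MultiFactorAuthPresent` being true (which other Allow statements could still override), it is an explicit Deny of everything except MFA self-enrolment while the key is false or absent. The group name `backend-developers` is the article's; the policy name `ForceMFA` and the script name are assumptions, and the aws CLI is assumed to be installed and configured with IAM permissions.

```bash
#!/bin/bash
# Added example, not part of the original article: build an "MFA required"
# policy and attach it to a group. Assumes the aws CLI is installed and
# configured with IAM permissions; the policy name ForceMFA is an assumption.
set -euo pipefail

# Emit the policy document. Statement 1 lets a user enrol their own MFA
# device; statement 2 denies everything else while the request carries no
# MFA context. BoolIfExists (rather than Bool) also matches requests where
# the key is absent entirely, as with long-term access keys, so the deny
# holds for plain CLI/SDK calls too. ${aws:username} is an IAM policy
# variable, left unexpanded by the quoted heredoc.
mfa_required_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOwnMfaEnrolment",
      "Effect": "Allow",
      "Action": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:ListMFADevices",
        "iam:ResyncMFADevice",
        "iam:GetUser"
      ],
      "Resource": [
        "arn:aws:iam::*:user/${aws:username}",
        "arn:aws:iam::*:mfa/*"
      ]
    },
    {
      "Sid": "DenyEverythingElseWithoutMfa",
      "Effect": "Deny",
      "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:ListMFADevices",
        "iam:ResyncMFADevice",
        "iam:GetUser",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" }
      }
    }
  ]
}
EOF
}

# Create the customer-managed policy once (reuse it if it already exists)
# and attach it to the group. Prints the policy ARN.
attach_mfa_policy() {
  local group="$1" policy_name="${2:-ForceMFA}"
  local account_id policy_arn
  account_id=$(aws sts get-caller-identity --query Account --output text)
  policy_arn="arn:aws:iam::${account_id}:policy/${policy_name}"
  if ! aws iam get-policy --policy-arn "$policy_arn" >/dev/null 2>&1; then
    aws iam create-policy --policy-name "$policy_name" \
      --policy-document "$(mfa_required_policy)" \
      --description "Deny everything except MFA enrolment when no MFA is present" >/dev/null
  fi
  aws iam attach-group-policy --group-name "$group" --policy-arn "$policy_arn"
  echo "$policy_arn"
}

# Usage: ./mfa-required.sh <group> [policy-name]
if [ "$#" -gt 0 ]; then
  attach_mfa_policy "$1" "${2:-ForceMFA}"
fi
```

Because the Deny also matches requests that carry no MFA context at all, do not attach this policy to a group whose members run unattended automation with long-term access keys; those calls would be denied until the caller obtains an MFA-backed session with `sts get-session-token`.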
Step 6: Verify and Audit the User
After creating the user, verify everything is correctly configured:
```bash
# View complete user information
aws iam get-user --user-name backend-developer

# List all Access Keys
aws iam list-access-keys --user-name backend-developer

# View directly attached policies
aws iam list-attached-user-policies --user-name backend-developer

# View inline policies
aws iam list-user-policies --user-name backend-developer

# View user's groups
aws iam list-groups-for-user --user-name backend-developer

# View user tags
aws iam list-user-tags --user-name backend-developer

# List ALL IAM users in the account
aws iam list-users --output table
```
Step 7: Additional Useful Operations
Rotating Access Keys
AWS recommends rotating Access Keys periodically, at most every 90 days:
```bash
# Create a new Access Key (keep the old one active temporarily)
aws iam create-access-key --user-name backend-developer

# Update your applications with the new key, then deactivate the old one
aws iam update-access-key --user-name backend-developer --access-key-id AKIAI44QH8DHBEXAMPLE --status Inactive

# Once confirmed everything works, delete the old key
aws iam delete-access-key --user-name backend-developer --access-key-id AKIAI44QH8DHBEXAMPLE
```
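The rotation steps above are manual; the detection side of the 90-day rule is a check that finds the keys which need rotating. The script below is an added example, not code from the article: it reads `list-access-keys` through a JMESPath `--query` (so it needs no `jq`) and reports every active key older than the limit, optionally for every user in the account. It assumes the aws CLI is installed and configured and that GNU `date` (Linux) is available to parse the CLI's timestamps; the script name is an assumption.

```bash
#!/bin/bash
# Added example, not part of the original article: flag active access keys
# older than a rotation limit (default 90 days). Assumes the aws CLI is
# installed and configured, and GNU date (Linux) for parsing timestamps.
set -euo pipefail

# Whole days between an ISO-8601 timestamp, as the aws CLI prints it, and
# "now". A fixed epoch can be passed as the second argument so the result
# does not depend on when the script runs.
age_in_days() {
  local created="$1" now="${2:-$(date -u +%s)}"
  local created_epoch
  created_epoch=$(date -u -d "$created" +%s)
  echo $(( (now - created_epoch) / 86400 ))
}

# Print "<user> <key-id> <age-days>" for every Active key older than max_days.
# Inactive keys are skipped: they cannot authenticate, and deleting them is a
# separate cleanup step. The JMESPath query prints one key per line as
# "id<TAB>status<TAB>create-date".
find_stale_keys() {
  local user="$1" max_days="${2:-90}" now="${3:-$(date -u +%s)}"
  local key_id status created age
  aws iam list-access-keys --user-name "$user" \
      --query 'AccessKeyMetadata[].[AccessKeyId,Status,CreateDate]' --output text |
  while read -r key_id status created; do
    [ -n "$key_id" ] || continue
    [ "$status" = "Active" ] || continue
    age=$(age_in_days "$created" "$now")
    if [ "$age" -gt "$max_days" ]; then
      echo "$user $key_id $age"
    fi
  done
}

# Run the check over every user in the account.
audit_all_users() {
  local max_days="${1:-90}" now="${2:-$(date -u +%s)}" user
  for user in $(aws iam list-users --query 'Users[].UserName' --output text); do
    find_stale_keys "$user" "$max_days" "$now"
  done
}

# Usage: ./stale-keys.sh [max-days]
if [ "$#" -gt 0 ]; then
  audit_all_users "$1"
fi
```

Run it as `./stale-keys.sh 90` from a principal that has `iam:ListUsers` and `iam:ListAccessKeys`. Before rotating a reported key, `aws iam get-access-key-last-used --access-key-id <id>` tells you whether anything still uses it; a stale key that was never used is a candidate for deletion rather than rotation.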
Deleting an IAM User
Deleting a user requires removing all its dependencies first:
```bash
# 1. Delete Access Keys
aws iam delete-access-key --user-name backend-developer --access-key-id AKIAI44QH8DHBEXAMPLE

# 2. Detach policies
aws iam detach-user-policy --user-name backend-developer --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess

# 3. Remove from groups
aws iam remove-user-from-group --user-name backend-developer --group-name backend-developers

# 4. Delete login profile (if exists)
aws iam delete-login-profile --user-name backend-developer

# 5. Finally, delete the user
aws iam delete-user --user-name backend-developer
```
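The checklist above covers the common dependencies, but `aws iam delete-user` refuses with a DeleteConflict error while anything else is still attached: inline policies, MFA devices, signing certificates, SSH public keys, service-specific credentials, or a permissions boundary. The script below is an added example rather than code from the article; it enumerates every dependency with a JMESPath `--query` (no `jq` needed) and removes them in order before deleting the user. It assumes the aws CLI is installed and configured with sufficient IAM permissions; the user name `backend-developer` is the one the article uses and the script name is an assumption.

```bash
#!/bin/bash
# Added example, not part of the original article: remove every dependency
# that makes `aws iam delete-user` fail with DeleteConflict, then delete the
# user. Assumes the aws CLI is installed and configured with IAM permissions.
set -euo pipefail

# Run an aws list call and print one item per line. An empty result prints
# nothing, so the calling loop simply does not run.
list_items() {
  local out
  out=$(aws "$@" --output text)
  printf '%s\n' "$out" | tr '\t' '\n' | grep -v -e '^None$' -e '^$' || true
}

delete_iam_user() {
  local user="$1" item

  # 1. Access keys
  for item in $(list_items iam list-access-keys --user-name "$user" \
                  --query 'AccessKeyMetadata[].AccessKeyId'); do
    aws iam delete-access-key --user-name "$user" --access-key-id "$item"
  done

  # 2. Managed policies attached directly to the user
  for item in $(list_items iam list-attached-user-policies --user-name "$user" \
                  --query 'AttachedPolicies[].PolicyArn'); do
    aws iam detach-user-policy --user-name "$user" --policy-arn "$item"
  done

  # 3. Inline policies (not in the manual checklist; they also block deletion)
  for item in $(list_items iam list-user-policies --user-name "$user" \
                  --query 'PolicyNames[]'); do
    aws iam delete-user-policy --user-name "$user" --policy-name "$item"
  done

  # 4. Group memberships
  for item in $(list_items iam list-groups-for-user --user-name "$user" \
                  --query 'Groups[].GroupName'); do
    aws iam remove-user-from-group --user-name "$user" --group-name "$item"
  done

  # 5. MFA devices: deactivate, and delete the virtual device object itself
  #    (virtual devices have an ARN serial; hardware tokens do not)
  for item in $(list_items iam list-mfa-devices --user-name "$user" \
                  --query 'MFADevices[].SerialNumber'); do
    aws iam deactivate-mfa-device --user-name "$user" --serial-number "$item"
    case "$item" in
      arn:aws:iam::*:mfa/*) aws iam delete-virtual-mfa-device --serial-number "$item" ;;
    esac
  done

  # 6. Other credential types that are easy to forget
  for item in $(list_items iam list-signing-certificates --user-name "$user" \
                  --query 'Certificates[].CertificateId'); do
    aws iam delete-signing-certificate --user-name "$user" --certificate-id "$item"
  done
  for item in $(list_items iam list-ssh-public-keys --user-name "$user" \
                  --query 'SSHPublicKeys[].SSHPublicKeyId'); do
    aws iam delete-ssh-public-key --user-name "$user" --ssh-public-key-id "$item"
  done
  for item in $(list_items iam list-service-specific-credentials --user-name "$user" \
                  --query 'ServiceSpecificCredentials[].ServiceSpecificCredentialId'); do
    aws iam delete-service-specific-credential --user-name "$user" \
      --service-specific-credential-id "$item"
  done

  # 7. Console password (NoSuchEntity if the user never had one) and
  #    permissions boundary; both are tolerated when absent
  aws iam delete-login-profile --user-name "$user" 2>/dev/null || true
  aws iam delete-user-permissions-boundary --user-name "$user" 2>/dev/null || true

  # 8. Nothing is left attached, so the delete itself can succeed
  aws iam delete-user --user-name "$user"
  echo "deleted $user"
}

# Usage: ./delete-iam-user.sh <username>
if [ "$#" -gt 0 ]; then
  delete_iam_user "$1"
fi
```

Deleting a user invalidates its access keys immediately, so any workload still using them breaks at step 1; check `aws iam get-access-key-last-used --access-key-id <id>` for each key first and deactivate (rather than delete) for a grace period if the key was used recently.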
Full Script: Automate the Creation
Here's a Bash script that automates the entire IAM user creation process:
```bash
#!/bin/bash
set -euo pipefail

# --- Configuration ---
# Default to empty so the usage check below runs instead of `set -u`
# aborting with "unbound variable" when no argument is given.
USERNAME="${1:-}"
GROUP_NAME="${2:-developers}"

if [ -z "$USERNAME" ]; then
  echo "Usage: ./create-iam-user.sh <username> [group]"
  exit 1
fi

echo "=== Creating IAM user: $USERNAME ==="

# 1. Create user with tags
aws iam create-user --user-name "$USERNAME" --tags Key=CreatedBy,Value=CLI Key=Date,Value="$(date +%Y-%m-%d)" --output json

echo "[OK] User created"

# 2. Generate Access Key and save it (needs jq to parse the JSON response)
CREDENTIALS=$(aws iam create-access-key --user-name "$USERNAME" --output json)
ACCESS_KEY=$(echo "$CREDENTIALS" | jq -r '.AccessKey.AccessKeyId')
SECRET_KEY=$(echo "$CREDENTIALS" | jq -r '.AccessKey.SecretAccessKey')

echo "[OK] Access Key generated: $ACCESS_KEY"
echo "     Secret Key: $SECRET_KEY"
echo "     (Store these credentials securely; the secret is never shown again)"

# 3. Create or verify group and add user
aws iam create-group --group-name "$GROUP_NAME" 2>/dev/null || true
aws iam add-user-to-group --user-name "$USERNAME" --group-name "$GROUP_NAME"

echo "[OK] User added to group: $GROUP_NAME"

# 4. Create login profile with a random temporary password
# (a fixed pattern such as "TempP@ss<year>!" is guessable by anyone who has
# read this script; the user must still change it on first sign-in)
TEMP_PASS="$(openssl rand -base64 18)!"
aws iam create-login-profile --user-name "$USERNAME" --password "$TEMP_PASS" --password-reset-required

echo "[OK] Console login created (temporary password: $TEMP_PASS)"
echo ""
echo "=== Summary ==="
echo "User: $USERNAME"
echo "Group: $GROUP_NAME"
echo "Access Key: $ACCESS_KEY"
echo "Console: https://console.aws.amazon.com/"
echo ""
echo "Remember: attach policies to the '$GROUP_NAME' group to grant permissions."
```
IAM Security Best Practices
To keep your AWS account secure, follow these recommendations:
| Practice | Description | Priority |
|---|---|---|
| Least privilege | Only grant permissions that are strictly necessary | Critical |
| Use groups | Manage permissions via groups, not individual users | High |
| Mandatory MFA | Enable MFA on all users, especially root | Critical |
| Rotate credentials | Change Access Keys every 90 days maximum | High |
| Don't use root | Create an admin user and lock the root account | Critical |
| Audit regularly | Use IAM Access Analyzer and review unused users | Medium |
| Use roles for apps | Prefer IAM Roles over Access Keys on EC2/Lambda | High |
| Password policy | Configure complexity requirements and expiration | Medium |
Conclusion
Creating and managing IAM users from the AWS CLI is an essential skill for any cloud engineer. The commands we covered span the full lifecycle: user creation, credential generation, permission assignment through policies and groups, MFA enablement, and auditing.
The key takeaway is to always apply the principle of least privilege, use groups to manage permissions, rotate credentials regularly, and enable MFA. With the automation script included, you can standardize the onboarding process for new team members.
To go deeper, check out the official AWS IAM CLI documentation.