The Ops Community ⚙️

Patrick Londa for Blink Ops

Posted on • Originally published at blinkops.com

Adding a New IAM User With AWS CLI

Your development team is expanding quickly, and everyone is busy trying to meet delivery deadlines. In this post, we’ll show you how to quickly onboard a new IAM user so they can get to work and you can get back to other tasks.

Before we get into each step, let’s cover the basics.

Identity and Access Management (IAM) for AWS is the service that allows organizations to precisely control access across all of their AWS resources.

With IAM, you can specify the conditions under which users have access to resources and services. You can do this by connecting with an existing role-based access control (RBAC) directory outside of Amazon, or using IAM’s attribute-based access control (ABAC) option which enables more fine-grained resource permissions.

Whether you are using IAM with RBAC or ABAC, you should generally adhere to the security best practice of least-privilege permissions.

Before you can assign roles to a user, though, you must first create that user. Users can be created either through the command-line interface (CLI) or the AWS Management Console. For this post, we’ll focus on the CLI method, which is especially useful to teams looking to script or automate these steps.

Adding a New IAM User With the AWS CLI

Here are the steps to add a new IAM user through the AWS CLI. Each of the IAM commands below is a subcommand of the "iam" service, so it is invoked as, for example, "aws iam create-user":

Step 1: Create a New IAM User

To create a new IAM user, use the command:

create-user
[--path <value>]
--user-name <value>
[--permissions-boundary <value>]
[--tags <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]

"--path" takes a string used to define the path of the user. If omitted, it defaults to "/". If you'd like to designate a specific path for the user, make sure that it begins and ends with "/".

"--user-name" takes a string used to define the name of the user. Each IAM username within an account must be unique. Names are not case-sensitive.

"--permissions-boundary" takes the Amazon Resource Name (ARN) of a managed policy to use as the permissions boundary for the new user. A boundary caps the maximum permissions the user can ever have; it does not grant any permissions by itself.

"--tags" takes a list of tags that will be attached to the new user.

Other than "--user-name", all of these inputs are optional.

Step 2: Add the User to a Group

To add a user to an IAM group that defines their permissions, use the command:

add-user-to-group
--group-name <value>
--user-name <value>
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]

"--group-name" takes the name of the group you would like to add the user to.

"--user-name" takes the name of the user you would like to add to the group.

"--cli-input-json" reads arguments from the JSON string provided and expects the format provided by "--generate-cli-skeleton". You can also provide values through the command line to override the values specified by the JSON. "--cli-input-yaml" can be used instead.

"--generate-cli-skeleton" prints a JSON skeleton to standard output without sending an API request. Providing it with no value — or with "input" — prints a sample input JSON for use with "--cli-input-json". Providing it with "yaml-input" prints a sample input YAML for use with "--cli-input-yaml". Providing it with "output" validates the command inputs and prints a sample output JSON.

Step 3: Generate a Profile Login for the New User

Adding a user doesn't automatically create a login for that user. A login profile is the user's password for the AWS Management Console; it does not create access keys for programmatic access. To create a login for a new user, use the command:

create-login-profile
--user-name <value>
--password <value>
[--password-reset-required | --no-password-reset-required]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]

"--user-name" takes the name of the user you would like to create a password for. Remember that every user has a unique name, and names are not case-sensitive.

"--password" takes the string that the user will use as their password when logging in. A password typed as a literal on the command line is recorded in your shell history and is visible to anyone who can list processes on the machine, so for scripted onboarding prefer supplying it through "--cli-input-json" from a file with restrictive permissions.

"--password-reset-required" or "--no-password-reset-required" specifies whether the user will be asked to create a new password the first time they sign in. Use "--password-reset-required" whenever an administrator sets the initial password.

"--cli-input-json" performs a service operation based on the JSON string provided. It expects the format provided by "--generate-cli-skeleton". You can also provide values through the command line to override the values specified by the JSON.

"--generate-cli-skeleton" prints a JSON skeleton to standard output without sending an API request. Providing it with no value, or with "input", prints a sample input JSON for use with "--cli-input-json". Providing it with the value "output" validates the command inputs and prints a sample output JSON.

Step 4: Send an Email Containing the New User's Sign-in URL

To notify the new user that their account has been set up, consider sending them an email containing their sign-in URL. You can also do this from the command line with Amazon Simple Email Service (SES): the "send-email" command below belongs to the "ses" service, so it is invoked as "aws ses send-email", and the sender address must already be verified in SES. Send only the sign-in URL; deliver the initial password through a separate channel. Use the command:

send-email
[--destination <value>]
[--message <value>]
[--reply-to-addresses <value>]
[--return-path <value>]
[--source-arn <value>]
[--return-path-arn <value>]
[--tags <value>]
[--configuration-set-name <value>]
--from <value>
[--to <value>]
[--cc <value>]
[--bcc <value>]
[--subject <value>]
[--text <value>]
[--html <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]

If you have access to the user's email from your browser and don't set up new users that often, the command line may not be the best way to send this information to a new user.

However, setting up a JSON or YAML file containing a pre-formatted email is a great way to improve the efficiency of sending sign-in URLs through the command line if you expect to create a large number of new IAM users regularly across your organization.
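The four steps above combined into one script, as an added example that is not from the original post. It assumes an authenticated AWS CLI session with IAM and SES permissions, a sender address already verified in Amazon SES, and two environment variables it expects you to set, INITIAL_PASSWORD and FROM_ADDRESS; the group name, path and addresses in the usage comment are made-up placeholders.

```shell
# Added example (not from the original post): onboard one IAM user end to end
# with the AWS CLI. Assumes an authenticated session with IAM and SES
# permissions, that $FROM_ADDRESS is a sender identity verified in Amazon SES,
# and that $INITIAL_PASSWORD holds the temporary password. The group, path and
# addresses in the usage comment are made-up placeholders.
set -eu

# An IAM path is optional, but if given it must begin and end with "/".
valid_iam_path() {
  case "$1" in
    /) return 0 ;;
    /*/) return 0 ;;
    *) return 1 ;;
  esac
}

# Console sign-in URL for an AWS account ID (an account alias also works).
signin_url() {
  printf 'https://%s.signin.aws.amazon.com/console\n' "$1"
}

# Create the user, add it to a group, set a console password that must be
# changed at first sign-in, and print the sign-in URL. The password is read
# from the environment, never written as a literal into a script or history.
onboard_user() {
  user="$1"; group="$2"; path="${3:-/}"
  valid_iam_path "$path" || { echo "invalid IAM path: $path" >&2; return 1; }
  aws iam create-user --user-name "$user" --path "$path" \
      --tags Key=onboarded-by,Value=cli >/dev/null
  aws iam add-user-to-group --user-name "$user" --group-name "$group"
  aws iam create-login-profile --user-name "$user" \
      --password "$INITIAL_PASSWORD" --password-reset-required >/dev/null
  account=$(aws sts get-caller-identity --query Account --output text)
  signin_url "$account"
}

# Mail the sign-in URL through Amazon SES (aws ses send-email). The temporary
# password is deliberately left out and handed over on a separate channel.
notify_user() {
  to="$1"; url="$2"
  aws ses send-email --from "$FROM_ADDRESS" --to "$to" \
      --subject "Your AWS console access" \
      --text "Sign in at $url with the username and temporary password you received separately." \
      >/dev/null
}

# Usage (placeholder values; generate the temporary password rather than typing it):
#   INITIAL_PASSWORD=$(openssl rand -base64 18); export INITIAL_PASSWORD
#   export FROM_ADDRESS='admin@example.com'
#   url=$(onboard_user alice developers /engineering/)
#   notify_user alice@example.com "$url"
```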

Now that you’ve created a new user, you can read more about user groups and applying policies to users, groups, and roles.

Automate Onboarding Tasks with Blink

As your organization grows, manual onboarding tasks take more time and become repetitive. Instead of looking up the specific command for each of these actions, you could use a low-code tool like Blink to handle tasks like this in a couple of clicks.

Get started and create your free Blink account today.
