How to Create a New IAM User With AWS CLI

Learn how to create a new IAM user using AWS CLI for efficient onboarding. Explore the necessary steps to streamline and automate the process.

Patrick Londa, Author
Jan 11, 2022 • 6 min read

Your development team is expanding quickly, and everyone is busy trying to meet delivery deadlines. In this post, we’ll show you how to quickly onboard a new IAM user so they can get to work and you can get back to other tasks.

Before we get into each step, let’s cover the basics.

Identity and Access Management (IAM) for AWS is the service that allows organizations to precisely control access across all of their AWS resources. 

With IAM, you can specify the conditions under which users have access to resources and services. You can do this by connecting with an existing role-based access control (RBAC) directory outside of Amazon, or using IAM’s attribute-based access control (ABAC) option which enables more fine-grained resource permissions.

Whether you are using IAM with RBAC or ABAC, you should generally adhere to the security best practice of least-privilege permissions.

Before you can assign roles to a user, though, you must first create that user. Users can be created either through the command-line interface (CLI) or the AWS Management Console. For this post, we’ll focus on the CLI method which can be especially useful to teams that are looking to script or automate these steps.


Steps For Adding a New IAM User With the AWS CLI

Here are the steps to add a new IAM user through the AWS CLI.

1. Create a New IAM User

To create a new IAM user, use the command:

aws iam create-user
[--path <value>]
--user-name <value>
[--permissions-boundary <value>]
[--tags <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]

"--path" takes a string used to define the path of the user. If left empty, it defaults to "/". If you'd like to designate a specific path for the user, make sure that it begins and ends with "/".

"--user-name" takes a string used to define the name of the user. Each IAM username within an account must be unique. Names are not case-sensitive.

"--permissions-boundary" takes a string of an Amazon Resource Name (ARN) for a policy that sets permissions boundaries for the new user.

"--tags" takes a list of tags that will be attached to the new user.

Other than "--user-name", all of these inputs are optional.

2. Add the User to a Group

To add a user to an IAM group that defines their permissions, use the command:

aws iam add-user-to-group
--group-name <value>
--user-name <value>
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]

"--group-name" takes the name of the group you would like to add the user to.

"--user-name" takes the name of the user you would like to add to the group.

"--cli-input-json" reads arguments from the JSON string provided and expects the format provided by "--generate-cli-skeleton". You can also provide values through the command line to override the values specified by the JSON. "--cli-input-yaml" can be used instead.

"--generate-cli-skeleton" prints a JSON skeleton to standard output without sending an API request. Providing it with no value — or with "input" — prints a sample input JSON for use with "--cli-input-json". Providing it with "yaml-input" prints a sample input YAML for use with "--cli-input-yaml". Providing it with "output" validates the command inputs and prints a sample output JSON.

3. Generate a Profile Login for the New User

Adding a user doesn't automatically create a login for that user. To create a login for a new user, use the command:

aws iam create-login-profile
--user-name <value>
--password <value>
[--password-reset-required | --no-password-reset-required]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]

"--user-name" takes the name of the user you would like to create a password for. Remember that every user has a unique name, and names are not case-sensitive.

"--password" takes a string that the user will use as their password when logging in.

"[--password-reset-required | --no-password-reset-required]" specifies whether the user will be asked to create a new password the first time they sign in.

"--cli-input-json" performs a service operation based on the JSON string provided. It expects the format provided by "--generate-cli-skeleton". You can also provide values through the command line to override the values specified by the JSON.

"--generate-cli-skeleton" prints a JSON skeleton to standard output without sending an API request. Providing it with no value, or with "input", prints a sample input JSON for use with "--cli-input-json". Providing it with the value "output" validates the command inputs and prints a sample output JSON.

4. Send an Email Containing the New User's Sign-in URL

To notify the new user that their account has been set up, consider sending them an email containing their sign-in URL. You can also do this from the command line with Amazon SES. Use the command:

aws ses send-email
[--destination <value>]
[--message <value>]
[--reply-to-addresses <value>]
[--return-path <value>]
[--source-arn <value>]
[--return-path-arn <value>]
[--tags <value>]
[--configuration-set-name <value>]
--from <value>
[--to <value>]
[--cc <value>]
[--bcc <value>]
[--subject <value>]
[--text <value>]
[--html <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]

If you can reach the new user from your own mail client and don't set up new users that often, the command line may not be the best way to send this information to a new user.

However, setting up a JSON or YAML file containing a pre-formatted email is a great way to improve the efficiency of sending sign-in URLs through the command line if you expect to create a large number of new IAM users regularly across your organization.
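The four steps above, carried through as one POSIX shell script. This is an added example written for this post, not Blink's or AWS's code. It assumes AWS CLI v2 is installed with credentials configured; the user name, group name, path, permissions-boundary ARN and e-mail addresses are placeholders. Setting AWS_CLI=echo turns it into a dry run that prints the commands instead of calling AWS. Two choices differ from the bare commands in the text: the first password is passed through "--cli-input-json" from a mode-0600 file rather than through "--password" on the command line (so it never lands in shell history or a process listing), and the e-mail in step 4 carries the sign-in URL and user name only, with the temporary password delivered over a separate channel.

```shell
#!/bin/sh
# Onboard an IAM user: create-user -> add-user-to-group -> create-login-profile -> notify.
# Added example (not Blink's or AWS's code). Assumes AWS CLI v2 with credentials configured.
# AWS_CLI=echo gives a dry run that prints the commands instead of calling AWS.
set -eu

AWS_CLI="${AWS_CLI:-aws}"

# Step 1 input check: an IAM path defaults to "/" and must begin and end with "/".
validate_path() {
    case "$1" in
        / | /*/) return 0 ;;
        *) echo "invalid IAM path '$1': must begin and end with /" >&2; return 1 ;;
    esac
}

# User names: at most 64 characters from A-Z a-z 0-9 + = , . @ _ - (uniqueness is enforced by IAM).
validate_user_name() {
    case "$1" in
        '' | *[!A-Za-z0-9+=,.@_-]*) echo "invalid IAM user name '$1'" >&2; return 1 ;;
    esac
    [ "${#1}" -le 64 ] || { echo "user name '$1' exceeds 64 characters" >&2; return 1; }
}

# Random first password (24 chars); PasswordResetRequired forces a change at first sign-in.
new_temp_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9!@#%' </dev/urandom | head -c 24
}

# Steps 1-3. Usage: onboard_user <user-name> <group-name> [path] [permissions-boundary-arn]
# Prints TEMP_PASSWORD=<value> as its last line for the caller to hand over securely.
onboard_user() {
    user="$1"; group="$2"; path="${3:-/}"; boundary="${4:-}"
    validate_user_name "$user"
    validate_path "$path"

    set -- iam create-user --user-name "$user" --path "$path"
    if [ -n "$boundary" ]; then
        # A permissions boundary caps what any policy attached later can grant (least privilege).
        set -- "$@" --permissions-boundary "$boundary"
    fi
    "$AWS_CLI" "$@"
    "$AWS_CLI" iam add-user-to-group --group-name "$group" --user-name "$user"

    # The password goes through --cli-input-json from a 0600 file, not through --password,
    # so it does not appear in shell history or in `ps` output.
    password="$(new_temp_password)"
    input="$(mktemp)"
    chmod 600 "$input"
    printf '{"UserName":"%s","Password":"%s","PasswordResetRequired":true}\n' \
        "$user" "$password" >"$input"
    "$AWS_CLI" iam create-login-profile --cli-input-json "file://$input"
    rm -f "$input"

    printf 'TEMP_PASSWORD=%s\n' "$password"
}

# Step 4 helpers. The console sign-in URL is derived from the 12-digit account ID.
signin_url() {
    printf 'https://%s.signin.aws.amazon.com/console\n' "$1"
}

# notify_user <to-address> <from-address> <user-name> <account-id>
# Deliberately sends no password: the URL and user name are low-value on their own.
notify_user() {
    "$AWS_CLI" ses send-email --from "$2" --to "$1" \
        --subject "Your AWS IAM account" \
        --text "User name: $3. Sign in at $(signin_url "$4"). Your temporary password arrives separately and must be changed at first sign-in."
}

# Example invocation (placeholder values): ./onboard.sh run alice developers
if [ "${1:-}" = "run" ]; then
    onboard_user "$2" "$3" "/devs/" "arn:aws:iam::123456789012:policy/DevBoundary"
    account="$("$AWS_CLI" sts get-caller-identity --query Account --output text)"
    notify_user "alice@example.com" "it-admin@example.com" "$2" "$account"
fi
```

Run it once with AWS_CLI=echo to review the exact commands it would issue before pointing it at a real account; the only output that differs between dry run and real run is the AWS responses.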

Now that you’ve created a new user, you can read more about user groups and applying policies to users, groups, and roles.

Automate Onboarding Tasks with Blink

As your organization grows, manual onboarding tasks take more time and become more repetitive.

With Blink, you can simplify tasks like adding new IAM users with no-code automations like this one:

Blink Automation: Create an AWS IAM User

This automation is available in the Blink library. When it runs, it does the following steps:

  1. Creates an IAM user.
  2. Creates an IAM login profile.
  3. Creates an IAM access key.
  4. Sends email with new account information.
  5. Adds new user to groups.

This simple automation is easy to customize. Trigger it to run from events in other tools or send confirmations via email, Slack, or Teams.

There are over 5K automations in the Blink library to choose from, or you can build your own to match your unique needs.

Get started with Blink today and see how easy automation can be.