Using AWS CLI to Update And Manage User Permissions

If your team is using AWS for your cloud infrastructure, you’ll need to become familiar with Identity Access Management (IAM) as the most common way to manage users and permissions. Understanding IAM policies, IAM groups, and how the two work together is vital when you are setting up and managing AWS user permissions.

Understanding IAM Groups

IAM groups refer to groups of users. By defining multiple groups and associating them with a given role, you can distribute permissions to groups of users (administrators, for instance) rather than determining permissions for users one at a time.

A given user can be a member of multiple groups, and therefore, have the combined permissions of all of those groups. 

You will likely adapt your approach to permissions as your organization grows or new projects start. By using groups, you can move someone to a different group to update permissions instead of assigning each permission manually. In this post, we will walk through the commands you can run to make changes to your policies or groups using the AWS CLI tool.

Blink Automation: Update Permissions for an IAM User in AWS

Blink + AWS

Get Started

Adding or Removing Someone from an IAM Group with the AWS CLI Tool

Whether you want to reassign someone from one project to another, onboard a new user, or upgrade someone’s permissions, here is how you can make adjustments to your IAM groups.

To add a user to an IAM group with the AWS CLI tool, use the command:

aws iam add-user-to-group --user-name <NAMEOFUSER> --group-name <NAMEOFGROUP>

You can just swap out the variables <NAMEOFUSER> and <NAMEOFGROUP> with the specifics for your situation. For this next example, we’ll show that for removing Bob from the Admins group.

To remove a user from an IAM group with the AWS CLI tool, use the command:

aws iam remove-user-from-group --user-name Bob --group-name Admins

These two commands are all it takes to make group member adjustments, provided that you have the appropriate permissions to make these changes.

Understanding IAM Policies

An IAM policy is an object that defines the permissions of an identity or resource. The most common types are Identity-based policies; which apply to users, groups, or roles; and Resource-based policies, which apply to resources such as Amazon S3 buckets.

The two types of identity-based policies are managed and inline. Manage policies are set up and controlled either by AWS or by your organization and can be attached to groups, roles, or multiple users. These managed policies are most scalable.

In contrast, there are inline policies, which are applied directly to individual users, groups, or roles. Each inline policy can only impact the single related identity.

For this post, we’ll show changing a managed identity-based policy.

Adding or Removing IAM Policies with the AWS CLI Tool

Using the AWS CLI Tool, you can also add or remove — attach or detach — policies directly from the command line.

View Information About a Managed Policy

To view information about a managed policy, run the command:

aws iam list-policies --max-items <NUMBER-OF-POLICIES>

This will output a list of the currently active policies. If you need more detailed information about a specific policy, then use:

aws iam get-policy --policy-arn arn:aws:iam::<ACCOUNT>:policy/<NAME-OF-POLICY>

Attach a Managed Policy to an Identity

There are three different types of identities to which you may attach a managed policy: users, groups, and roles. Attaching a policy to a user will affect the access of just that specific user. When you attach a policy to a group or role, that change will affect all of the users' access in that group or role.

To attach a policy to a user, use:

aws iam attach-user-policy --policy-arn arn:aws:iam:<ACCOUNT-ID>:aws:policy/<NAME-OF-POLICY> --user-name <NAME-OF-USER>

To attach a policy to a group, use:

aws iam attach-group-policy --policy-arn arn:aws:iam::aws:policy/<NAME-OF-POLICY> --group-name <NAME-OF-GROUP>

To attach a policy to a role, use:

aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/<NAME-OF-POLICY> --role-name <NAME-OF-ROLE> 

Finding Which Policies Apply to Which Identities

Once you have policies associated with identities, you can output that information from your terminal to help you keep track.

To list the identities associated with a policy, use:

aws iam list-entities-for-policy --policy-arn arn:aws:iam::<ACCOUNT-ID>:policy/<NAME-OF-POLICY>

To list all policies associated with a user, use:

aws iam list-attached-user-policies --user-name <NAME-OF-USER>

To list all policies associated with a group, use:

aws iam list-attached-group-policies --group-name <NAME-OF-GROUP>

To list all policies associated with a role, use:

aws iam list-attached-role-policies --role-name <NAME-OF-ROLE>

Remove Policies From an Identity

Just like attaching a policy to an identity, there are three different types of identities from which you may remove a policy: users, groups, and roles. Just like adding a policy, removing a policy will apply to a specific user or all users associated with the group or role you are detaching.

To detach a policy from a user, use:

aws iam detach-user-policy --user-name <NAME-OF-USER> --policy-arn arn:aws:iam::<ACCOUNT-ID>:policy/<NAME-OF-POLICY>

To detach a policy from a group, use:

aws iam detach-group-policy --group-name <NAME-OF-GROUP> --policy-arn arn:aws:iam::<ACCOUNT-ID>:policy/<NAME-OF-POLICY>

To detach a policy from a role, use:

aws iam detach-role-policy --role-name <NAME-OF-ROLE> --policy-arn arn:aws:iam::<ACCOUNT-ID>:policy/<NAME-OF-POLICY>

Automate Permissions Tasks with Blink:

Most likely, as your organization grows, changing and updating permissions and policies will take up more time. Instead of having to look up the specific command for each of these actions, you could use a low-code tool like Blink to handle tasks like this in a couple clicks.

Get started with Blink today.