AWS CLI IAM and STS Cheat Sheet

AWS CLI•Permalink

AWS CLI IAM and STS commands for users, groups, roles, policies, access keys, caller identity, and assume-role workflows.

View

Standard Detailed Compact

Export

Copy the compact sheet, download it, or print it.

Download

`D` dense toggle · `C` copy all

STS Identity and Sessions

Confirm who you are and assume roles.

Get caller identity

Show the current principal, account, and ARN.

↗#

bashANYawsstsidentity

bash

aws sts get-caller-identity

The quickest trust-but-verify command for active credentials.

Assume a role

Obtain temporary credentials for another role.

↗#

bashANYawsstsassume-role

bash

aws sts assume-role --role-arn arn:aws:iam::123456789012:role/AdminRole --role-session-name admin-cli

Returns temporary access key, secret key, and session token values.

Assume role with web identity

Obtain credentials from a web identity token.

↗#

bashANYawsstsoidc

bash

aws sts assume-role-with-web-identity --role-arn arn:aws:iam::123456789012:role/GitHubOIDC --role-session-name ci --web-identity-token file://token.jwt

Common in OIDC-based CI/CD integrations.

Request a session token

Get temporary credentials for an IAM user.

↗#

bashANYawsstssession-token

bash

aws sts get-session-token --duration-seconds 3600

Often used with MFA-enforced IAM user workflows.

IAM Users and Groups

Inspect and manage IAM users, groups, and memberships.

List IAM users

Show IAM users in the account.

↗#

bashANYawsiamusers

bash

aws iam list-users

Core account identity inventory command.

Get current IAM user or a named user

Read user details.

↗#

bashANYawsiamuser

bash

aws iam get-user

Without `--user-name`, this can return details for the current IAM user identity.

Create an IAM user

Create a new user principal.

↗#

bashANYawsiamcreate-user

bash

aws iam create-user --user-name deploy-bot

Long-term IAM users should be minimized when role-based access is available.

Delete an IAM user

Remove a user principal.

↗#

bashANYawsiamdelete-user

bash

aws iam delete-user --user-name deploy-bot

The user must have dependent resources removed first.

List IAM groups

Show IAM groups in the account.

↗#

bashANYawsiamgroups

bash

aws iam list-groups

Useful in older user/group-based access models.

Add user to group

Attach an IAM user to a group.

↗#

bashANYawsiamgroups

bash

aws iam add-user-to-group --user-name deploy-bot --group-name Developers

Adds inherited permissions from the group to the user.

Remove user from group

Detach a user from a group.

↗#

bashANYawsiamgroups

bash

aws iam remove-user-from-group --user-name deploy-bot --group-name Developers

Useful during access cleanup.

IAM Policies

Create, attach, and inspect IAM policies.

List managed policies

Show AWS-managed and customer-managed policies.

↗#

bashANYawsiampolicy

bash

aws iam list-policies --scope Local

Use `--scope Local` to focus on customer-managed policies.

Get policy metadata

Read high-level metadata for a managed policy.

↗#

bashANYawsiampolicy

bash

aws iam get-policy --policy-arn arn:aws:iam::123456789012:policy/ReadOnlyS3

Returns default version ID and attachment counts.

Get policy document version

Read the JSON document for a specific policy version.

↗#

bashANYawsiampolicy

bash

aws iam get-policy-version --policy-arn arn:aws:iam::123456789012:policy/ReadOnlyS3 --version-id v1

Use this when you need the actual statement document.

Create a managed policy

Create a new customer-managed policy from JSON.

↗#

bashANYawsiampolicycreate

bash

aws iam create-policy --policy-name ReadOnlyS3 --policy-document file://readonly-s3-policy.json

Managed policies can be attached to users, groups, and roles.

Attach a managed policy to a role

Grant a role the permissions from a managed policy.

↗#

bashANYawsiamrolepolicy

bash

aws iam attach-role-policy --role-name AppRole --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess

Common role permission workflow.

Detach a managed policy from a role

Remove a managed policy from a role.

↗#

bashANYawsiamrolepolicy

bash

aws iam detach-role-policy --role-name AppRole --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess

Used during least-privilege cleanup.

Simulate effective permissions

Test whether a principal can perform an action on a resource.

↗#

bashANYawsiampolicysimulate

bash

aws iam simulate-principal-policy --policy-source-arn arn:aws:iam::123456789012:role/AppRole --action-names s3:GetObject --resource-arns arn:aws:s3:::my-bucket/*

Very useful when debugging access denied errors.

Roles, Trust, and Access Keys

Role creation, trust policies, and access key workflows.

List roles

Show IAM roles in the account.

↗#

bashANYawsiamroles

bash

aws iam list-roles

Core inventory command for role-based access setups.

Create a role

Create a role with a trust policy.

↗#

bashANYawsiamrolestrust

bash

aws iam create-role --role-name AppRole --assume-role-policy-document file://trust-policy.json

The trust policy defines who can assume the role.

Update a role trust policy

Replace the trust policy on an existing role.

↗#

bashANYawsiamrolestrust

bash

aws iam update-assume-role-policy --role-name AppRole --policy-document file://trust-policy.json

Useful when adding or tightening OIDC and cross-account trust.

Create an access key

Generate a long-term access key for an IAM user.

↗#

bashANYawsiamaccess-key

bash

aws iam create-access-key --user-name deploy-bot

Handle returned secrets carefully; long-lived keys should be minimized.

List access keys for a user

Inspect active access keys for an IAM user.

↗#

bashANYawsiamaccess-key

bash

aws iam list-access-keys --user-name deploy-bot

Useful for rotation and audit workflows.

Disable an access key

Change an access key status.

↗#

bashANYawsiamaccess-key

bash

aws iam update-access-key --user-name deploy-bot --access-key-id AKIAIOSFODNN7EXAMPLE --status Inactive

Useful during rotation or incident response.

Delete an access key

Remove an old access key from an IAM user.

↗#

bashANYawsiamaccess-keydelete

bash

aws iam delete-access-key --user-name deploy-bot --access-key-id AKIAIOSFODNN7EXAMPLE

Use after confirming replacement credentials work.

More in AWS CLI

AWS CLI ECR and ECS Cheat Sheet

AWS CLI ECR and ECS commands for repositories, image login and cleanup, clusters, services, task definitions, and tasks.

AWS CLI CloudFormation Cheat Sheet

AWS CLI CloudFormation commands for templates, stacks, change sets, events, package, and deploy workflows.

AWS CLI EC2 Cheat Sheet

AWS CLI EC2 commands for instances, AMIs, key pairs, VPC networking, security groups, EBS volumes, and snapshots.

AWS CLI S3 Cheat Sheet

High-level and low-level AWS CLI S3 commands for buckets, objects, sync, versioning, encryption, and presigned URLs.

AWS CLI Cheat Sheet

Comprehensive AWS CLI commands for configuration, profiles, global options, queries, and common cross-service recipes.

Recommended next

No recommendations yet.

Browse all sheets →