AWS CLI IAM and STS Cheat Sheet

AWS CLI IAM and STS commands for users, groups, roles, policies, access keys, caller identity, and assume-role workflows.

## STS Identity and Sessions
Get caller identity
aws sts get-caller-identity

# Show the current principal, account, and ARN.

Assume a role
aws sts assume-role --role-arn arn:aws:iam::123456789012:role/AdminRole --role-session-name admin-cli

# Obtain temporary credentials for another role.

Assume role with web identity
aws sts assume-role-with-web-identity --role-arn arn:aws:iam::123456789012:role/GitHubOIDC --role-session-name ci --web-identity-token file://token.jwt

# Obtain credentials from a web identity token.

Request a session token
aws sts get-session-token --duration-seconds 3600

# Get temporary credentials for an IAM user.
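The assume-role commands above return a JSON document whose `Credentials` object (`AccessKeyId`, `SecretAccessKey`, `SessionToken`, `Expiration`) has to be turned into environment variables before later `aws` calls run as the assumed role. The helper below is an added example, not part of the original sheet: it converts that JSON into `export` lines and refuses to emit anything if a field is missing, so a failed `assume-role` can never leave a shell half-configured with the caller's original credentials. The sample JSON is constructed (fake key, secret and token values); in practice it comes from `aws sts assume-role ... --output json`. The `json_field` parser assumes the CLI's default pretty-printed output with one field per line; where `jq` is available it is the more robust choice.

```shell
#!/bin/sh
# Constructed sample of `aws sts assume-role` output (values are fake).
SAMPLE_ASSUME_ROLE_JSON='{
  "Credentials": {
    "AccessKeyId": "ASIAEXAMPLE12345678",
    "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "SessionToken": "FwoGZXIvYXdzEBYaDEXAMPLESESSIONTOKEN",
    "Expiration": "2024-01-01T13:00:00+00:00"
  },
  "AssumedRoleUser": {
    "AssumedRoleId": "AROAEXAMPLEID:admin-cli",
    "Arn": "arn:aws:sts::123456789012:assumed-role/AdminRole/admin-cli"
  }
}'

# json_field KEY: print the string value of KEY from pretty-printed JSON on stdin.
# Assumes one "key": "value" pair per line, which is how the CLI formats output.
json_field() {
  sed -n "s/^[[:space:]]*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# assume_role_exports JSON: print export statements for the temporary credentials.
# Returns 1 and prints nothing on stdout if any credential field is absent.
assume_role_exports() {
  json="$1"
  key=$(printf '%s\n' "$json" | json_field AccessKeyId)
  secret=$(printf '%s\n' "$json" | json_field SecretAccessKey)
  token=$(printf '%s\n' "$json" | json_field SessionToken)
  expires=$(printf '%s\n' "$json" | json_field Expiration)
  if [ -z "$key" ] || [ -z "$secret" ] || [ -z "$token" ]; then
    echo "assume_role_exports: Credentials block missing or incomplete" >&2
    return 1
  fi
  printf '# session expires at %s\n' "$expires"
  printf 'export AWS_ACCESS_KEY_ID=%s\n' "$key"
  printf 'export AWS_SECRET_ACCESS_KEY=%s\n' "$secret"
  printf 'export AWS_SESSION_TOKEN=%s\n' "$token"
}

# Stand-alone demonstration on the constructed sample.
assume_role_exports "$SAMPLE_ASSUME_ROLE_JSON"
```

Typical use is `eval "$(assume_role_exports "$(aws sts assume-role --role-arn ... --role-session-name ... --output json)")"` followed by `aws sts get-caller-identity`, which should now report the assumed-role ARN rather than the original principal. Because the function returns non-zero on missing fields, the `eval` exports nothing when the call fails.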

## IAM Users and Groups
List IAM users
aws iam list-users

# Show IAM users in the account.

Get current IAM user or a named user
aws iam get-user
aws iam get-user --user-name deploy-bot

# Read user details. Without --user-name, returns the IAM user whose credentials made the call.

Create an IAM user
aws iam create-user --user-name deploy-bot

# Create a new user principal.

Delete an IAM user
aws iam delete-user --user-name deploy-bot

# Remove a user principal.

List IAM groups
aws iam list-groups

# Show IAM groups in the account.

Add user to group
aws iam add-user-to-group --user-name deploy-bot --group-name Developers

# Attach an IAM user to a group.

Remove user from group
aws iam remove-user-from-group --user-name deploy-bot --group-name Developers

# Detach a user from a group.

## IAM Policies
List managed policies
aws iam list-policies --scope Local

# Show customer-managed policies only. Use --scope AWS for AWS-managed policies, or omit --scope (All) for both.

Get policy metadata
aws iam get-policy --policy-arn arn:aws:iam::123456789012:policy/ReadOnlyS3

# Read high-level metadata for a managed policy.

Get policy document version
aws iam get-policy-version --policy-arn arn:aws:iam::123456789012:policy/ReadOnlyS3 --version-id v1

# Read the JSON document for a specific policy version.

Create a managed policy
aws iam create-policy --policy-name ReadOnlyS3 --policy-document file://readonly-s3-policy.json

# Create a new customer-managed policy from JSON.

Attach a managed policy to a role
aws iam attach-role-policy --role-name AppRole --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess

# Grant a role the permissions from a managed policy.

Detach a managed policy from a role
aws iam detach-role-policy --role-name AppRole --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess

# Remove a managed policy from a role.

Simulate effective permissions
aws iam simulate-principal-policy --policy-source-arn arn:aws:iam::123456789012:role/AppRole --action-names s3:GetObject --resource-arns 'arn:aws:s3:::my-bucket/*'

# Test whether a principal can perform an action on a resource.

## Roles, Trust, and Access Keys
List roles
aws iam list-roles

# Show IAM roles in the account.

Create a role
aws iam create-role --role-name AppRole --assume-role-policy-document file://trust-policy.json

# Create a role with a trust policy.

Update a role trust policy
aws iam update-assume-role-policy --role-name AppRole --policy-document file://trust-policy.json

# Replace the trust policy on an existing role.

Create an access key
aws iam create-access-key --user-name deploy-bot

# Generate a long-term access key for an IAM user.

List access keys for a user
aws iam list-access-keys --user-name deploy-bot

# Inspect active access keys for an IAM user.

Disable an access key
aws iam update-access-key --user-name deploy-bot --access-key-id AKIAIOSFODNN7EXAMPLE --status Inactive

# Set the key to Inactive (reversible; use --status Active to re-enable) before deleting it.

Delete an access key
aws iam delete-access-key --user-name deploy-bot --access-key-id AKIAIOSFODNN7EXAMPLE

# Remove an old access key from an IAM user.
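The list/disable/delete commands above are the building blocks of key rotation, and the usual review question is which active keys are older than the rotation window. The function below is an added example, not part of the original sheet: it reads the JSON returned by `aws iam list-access-keys` (the real output shape is an `AccessKeyMetadata` array with `AccessKeyId`, `Status` and `CreateDate` per entry) and prints the IDs of keys that are still `Active` and were created before a cutoff date. ISO 8601 timestamps sort lexicographically, so the cutoff comparison is a plain string comparison and needs no `date` arithmetic. The sample JSON and its key IDs are constructed; the awk parser assumes the CLI's default pretty-printed output with one field per line.

```shell
#!/bin/sh
# Constructed sample of `aws iam list-access-keys` output (key IDs are fake).
SAMPLE_ACCESS_KEYS_JSON='{
  "AccessKeyMetadata": [
    {
      "UserName": "deploy-bot",
      "AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
      "Status": "Active",
      "CreateDate": "2023-01-15T10:00:00+00:00"
    },
    {
      "UserName": "deploy-bot",
      "AccessKeyId": "AKIAEXAMPLEKEY000002",
      "Status": "Inactive",
      "CreateDate": "2023-03-01T09:30:00+00:00"
    },
    {
      "UserName": "deploy-bot",
      "AccessKeyId": "AKIAEXAMPLEKEY000003",
      "Status": "Active",
      "CreateDate": "2024-05-01T09:30:00+00:00"
    }
  ]
}'

# stale_active_keys CUTOFF JSON: print one AccessKeyId per line for every key that is
# Active and was created before CUTOFF (ISO 8601, e.g. 2024-01-01). Inactive keys are
# skipped: they are already disabled and can go straight to delete-access-key.
stale_active_keys() {
  printf '%s\n' "$2" | awk -v cutoff="$1" '
    # val(line): strip "key": " prefix and trailing ", leaving the string value.
    function val(line) {
      sub(/^[^:]*:[[:space:]]*"/, "", line)
      sub(/".*$/, "", line)
      return line
    }
    /"AccessKeyId"/ { id = val($0) }
    /"Status"/      { status = val($0) }
    /"CreateDate"/  { created = val($0) }
    # A closing brace ends one metadata object: decide and reset.
    /^[[:space:]]*}/ {
      if (id != "" && status == "Active" && created < cutoff) print id
      id = ""; status = ""; created = ""
    }
  '
}

# Stand-alone demonstration: keys older than 2024-01-01 that are still active.
stale_active_keys 2024-01-01 "$SAMPLE_ACCESS_KEYS_JSON"
```

In a rotation script the output feeds `aws iam update-access-key ... --status Inactive` first, so that a key which turns out to still be in use can be re-enabled with `--status Active` instead of being recreated; `delete-access-key` follows only after the inactive period has passed without breakage.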
