AWS CLI IAM and STS Cheat Sheet

AWS CLI IAM and STS commands for users, groups, roles, policies, access keys, caller identity, and assume-role workflows.


STS Identity and Sessions

Confirm who you are and assume roles.

Get caller identity

Show the current principal, account, and ARN.

```bash
aws sts get-caller-identity
```
Notes

The quickest trust-but-verify command for active credentials.

Assume a role

Obtain temporary credentials for another role.

```bash
aws sts assume-role --role-arn arn:aws:iam::123456789012:role/AdminRole --role-session-name admin-cli
```
Notes

Returns temporary access key, secret key, and session token values.

Assume role with web identity

Obtain credentials from a web identity token.

```bash
aws sts assume-role-with-web-identity --role-arn arn:aws:iam::123456789012:role/GitHubOIDC --role-session-name ci --web-identity-token file://token.jwt
```
Notes

Common in OIDC-based CI/CD integrations.

Request a session token

Get temporary credentials for an IAM user.

```bash
aws sts get-session-token --duration-seconds 3600
```
Notes

Often used with MFA-enforced IAM user workflows; when MFA is required, pass `--serial-number` and `--token-code` as well.
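Worked example, added here and not part of the cheat sheet: a small shell helper that runs `aws sts assume-role` with `--query`/`--output text`, converts the result into `export` lines for `eval`, refuses partial output, and finishes with `get-caller-identity` as the trust-but-verify step. The function names, the default session name and the sample credential line are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example: assume a role from the CLI, load the temporary credentials into the
# current shell, then verify the hop with get-caller-identity.
# Function names and the sample credential line are constructed for this example.

# Turn one line "AccessKeyId<TAB>SecretAccessKey<TAB>SessionToken<TAB>Expiration" (the shape
# produced by the --query/--output text combination in assume_role_exports) into export lines.
# Emits nothing if any field is missing, so a failed call never half-configures the shell.
creds_to_exports() {
    local tab key secret token expiry
    tab="$(printf '\t')"
    key=""; secret=""; token=""; expiry=""
    IFS="$tab" read -r key secret token expiry <<EOF
$1
EOF
    if [ -z "$key" ] || [ -z "$secret" ] || [ -z "$token" ]; then
        echo "creds_to_exports: incomplete credential tuple, nothing exported" >&2
        return 1
    fi
    printf 'export AWS_ACCESS_KEY_ID=%s\n' "$key"
    printf 'export AWS_SECRET_ACCESS_KEY=%s\n' "$secret"
    printf 'export AWS_SESSION_TOKEN=%s\n' "$token"
    printf '# session expires at %s\n' "$expiry"
}

# Real call. Usage: eval "$(assume_role_exports arn:aws:iam::123456789012:role/AdminRole admin-cli)"
# The session name is recorded in CloudTrail, so pass something that identifies the operator or job.
assume_role_exports() {
    local role_arn session_name creds_line
    role_arn="$1"
    session_name="${2:-cli-$(date +%s)}"
    creds_line="$(aws sts assume-role \
        --role-arn "$role_arn" \
        --role-session-name "$session_name" \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' \
        --output text)" || return 1
    creds_to_exports "$creds_line"
}

# Trust-but-verify: after the eval, the ARN should read arn:aws:sts::<account>:assumed-role/<Role>/<session>.
verify_assumed_role() {
    aws sts get-caller-identity --query Arn --output text
}

# Constructed sample of the --output text line (placeholder values, not real credentials).
SAMPLE_CREDS="$(printf 'ASIAEXAMPLEKEYID0000\twJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\tFwoGZXIvYXdzEXAMPLESESSIONTOKEN\t2030-01-01T00:00:00+00:00')"

if [ "${1:-}" = "--demo" ]; then
    creds_to_exports "$SAMPLE_CREDS"
fi
```

Running `eval "$(assume_role_exports ...)"` followed by `verify_assumed_role` is the same two-step flow as the `assume-role` and `get-caller-identity` entries above; the parser is separated out so the conversion can be exercised without an account.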

IAM Users and Groups

Inspect and manage IAM users, groups, and memberships.

List IAM users

Show IAM users in the account.

```bash
aws iam list-users
```
Notes

Core account identity inventory command.

Get current IAM user or a named user

Read user details.

```bash
aws iam get-user
```
Notes

Without `--user-name`, this returns the IAM user that owns the calling credentials; it does not work for role or federated sessions, where `aws sts get-caller-identity` is the right call.

Create an IAM user

Create a new user principal.

```bash
aws iam create-user --user-name deploy-bot
```
Notes

Long-term IAM users should be minimized when role-based access is available.

Delete an IAM user

Remove a user principal.

```bash
aws iam delete-user --user-name deploy-bot
```
Notes

The user's dependent resources (access keys, attached and inline policies, group memberships, MFA devices, and the console login profile) must be removed first.

List IAM groups

Show IAM groups in the account.

```bash
aws iam list-groups
```
Notes

Useful in older user/group-based access models.

Add user to group

Attach an IAM user to a group.

```bash
aws iam add-user-to-group --user-name deploy-bot --group-name Developers
```
Notes

Adds inherited permissions from the group to the user.

Remove user from group

Detach a user from a group.

```bash
aws iam remove-user-from-group --user-name deploy-bot --group-name Developers
```
Notes

Useful during access cleanup.

IAM Policies

Create, attach, and inspect IAM policies.

List managed policies

Show AWS-managed and customer-managed policies.

```bash
aws iam list-policies --scope Local
```
Notes

Use `--scope Local` to focus on customer-managed policies.

Get policy metadata

Read high-level metadata for a managed policy.

```bash
aws iam get-policy --policy-arn arn:aws:iam::123456789012:policy/ReadOnlyS3
```
Notes

Returns default version ID and attachment counts.

Get policy document version

Read the JSON document for a specific policy version.

```bash
aws iam get-policy-version --policy-arn arn:aws:iam::123456789012:policy/ReadOnlyS3 --version-id v1
```
Notes

Use this when you need the actual statement document.

Create a managed policy

Create a new customer-managed policy from JSON.

```bash
aws iam create-policy --policy-name ReadOnlyS3 --policy-document file://readonly-s3-policy.json
```
Notes

Managed policies can be attached to users, groups, and roles.

Attach a managed policy to a role

Grant a role the permissions from a managed policy.

```bash
aws iam attach-role-policy --role-name AppRole --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
```
Notes

Common role permission workflow.

Detach a managed policy from a role

Remove a managed policy from a role.

```bash
aws iam detach-role-policy --role-name AppRole --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
```
Notes

Used during least-privilege cleanup.

Simulate effective permissions

Test whether a principal can perform an action on a resource.

```bash
aws iam simulate-principal-policy --policy-source-arn arn:aws:iam::123456789012:role/AppRole --action-names s3:GetObject --resource-arns arn:aws:s3:::my-bucket/*
```
Notes

Very useful when debugging access-denied errors: it evaluates the policies without making the actual API call.
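Worked example, added here and not part of the cheat sheet: the same simulation turned into a least-privilege gate that fails when a role is allowed any action from a must-deny list. The function names, the `--query` shape and the sample results are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example: use simulate-principal-policy as a least-privilege gate, failing when a role
# can perform any action from a must-deny list. Function names and sample results are constructed.

# Input is the text form of
#   aws iam simulate-principal-policy ... --query 'EvaluationResults[].[EvalActionName,EvalDecision]' --output text
# i.e. one "Action<TAB>Decision" line per action. Decisions are allowed, explicitDeny or
# implicitDeny; only "allowed" is a finding for a deny check.
allowed_actions() {
    printf '%s\n' "$1" | while IFS="$(printf '\t')" read -r action decision; do
        [ "$decision" = "allowed" ] && printf '%s\n' "$action"
    done
    return 0
}

# Real call. Usage: assert_denied arn:aws:iam::123456789012:role/AppRole iam:CreateUser iam:PassRole
# Add --resource-arns to scope the simulation to specific resources, as the s3:GetObject entry above does.
assert_denied() {
    local role_arn results findings
    role_arn="$1"; shift
    results="$(aws iam simulate-principal-policy \
        --policy-source-arn "$role_arn" \
        --action-names "$@" \
        --query 'EvaluationResults[].[EvalActionName,EvalDecision]' \
        --output text)" || return 1
    findings="$(allowed_actions "$results")"
    if [ -n "$findings" ]; then
        echo "least-privilege check failed: $role_arn is allowed to call" >&2
        printf '  %s\n' $findings >&2
        return 1
    fi
    echo "ok: $role_arn cannot call any of: $*"
}

# Constructed sample results (not from a real simulation).
SAMPLE_RESULTS="$(printf 's3:GetObject\tallowed\niam:PassRole\timplicitDeny\niam:CreateUser\texplicitDeny\nsts:AssumeRole\tallowed')"
SAMPLE_ALL_DENIED="$(printf 'iam:PassRole\timplicitDeny\niam:CreateUser\texplicitDeny')"
```

`assert_denied` exits non-zero on any allowed action, so it can sit in a CI job that runs after `attach-role-policy` changes and blocks the pipeline when a role gains more than intended.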

Roles, Trust, and Access Keys

Role creation, trust policies, and access key workflows.

List roles

Show IAM roles in the account.

```bash
aws iam list-roles
```
Notes

Core inventory command for role-based access setups.

Create a role

Create a role with a trust policy.

```bash
aws iam create-role --role-name AppRole --assume-role-policy-document file://trust-policy.json
```
Notes

The trust policy defines who can assume the role.

Update a role trust policy

Replace the trust policy on an existing role.

```bash
aws iam update-assume-role-policy --role-name AppRole --policy-document file://trust-policy.json
```
Notes

Useful when adding or tightening OIDC and cross-account trust.
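Worked example, added here and not part of the cheat sheet: a generator for the `trust-policy.json` that `create-role` and `update-assume-role-policy` consume, written for the GitHub Actions OIDC case that the `assume-role-with-web-identity` entry refers to. It pins both the `aud` and the `sub` claim, and a small check refuses a policy whose subject is not scoped to one repository. The function names, the check and the account and repository values are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example: generate a GitHub OIDC trust policy scoped to one repository and feed it to
# create-role / update-assume-role-policy. Function names and sample values are constructed.

# Emit a trust policy for the GitHub Actions OIDC provider registered in ACCOUNT_ID.
# Both conditions matter: "aud" pins the audience to STS and "sub" pins the repository
# (optionally a branch or environment via REF_PATTERN, e.g. ref:refs/heads/main).
# Without the "sub" condition, a workflow in any GitHub repository could assume the role.
oidc_trust_policy() {
    local account_id repo ref_pattern
    account_id="$1"
    repo="$2"                 # "org/repo"
    ref_pattern="${3:-*}"     # default: any branch, tag or environment of that repo
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${account_id}:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        },
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:${repo}:${ref_pattern}"
        }
      }
    }
  ]
}
EOF
}

# Structural check before the document is pushed: the subject must name an org and a repo
# without wildcards in either, and the audience must be pinned to STS.
trust_policy_is_scoped() {
    printf '%s\n' "$1" | grep -q '"token.actions.githubusercontent.com:sub": "repo:[^*/]*/[^*:]*:' || return 1
    printf '%s\n' "$1" | grep -q '"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"' || return 1
    return 0
}

# Writes trust-policy.json in the current directory and refuses an unscoped policy.
write_trust_policy() {
    oidc_trust_policy "$@" > trust-policy.json
    trust_policy_is_scoped "$(cat trust-policy.json)" || {
        echo "write_trust_policy: refusing to write an unscoped trust policy" >&2
        return 1
    }
}

# Real calls. Usage: create_oidc_role GitHubOIDC 123456789012 my-org/my-repo ref:refs/heads/main
create_oidc_role() {
    local role_name="$1"; shift
    write_trust_policy "$@"
    aws iam create-role --role-name "$role_name" --assume-role-policy-document file://trust-policy.json
}

# Same arguments; replaces the trust on an existing role (the update-assume-role-policy entry above).
update_oidc_trust() {
    local role_name="$1"; shift
    write_trust_policy "$@"
    aws iam update-assume-role-policy --role-name "$role_name" --policy-document file://trust-policy.json
}
```

The generated document is the `file://trust-policy.json` argument used by the two commands above; the OIDC provider itself must already exist in the account for the `Federated` principal to resolve.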

Create an access key

Generate a long-term access key for an IAM user.

```bash
aws iam create-access-key --user-name deploy-bot
```
Notes

Handle returned secrets carefully; long-lived keys should be minimized.

List access keys for a user

Inspect active access keys for an IAM user.

```bash
aws iam list-access-keys --user-name deploy-bot
```
Notes

Useful for rotation and audit workflows.

Disable an access key

Change an access key status.

```bash
aws iam update-access-key --user-name deploy-bot --access-key-id AKIAIOSFODNN7EXAMPLE --status Inactive
```
Notes

Useful during rotation or incident response.

Delete an access key

Remove an old access key from an IAM user.

```bash
aws iam delete-access-key --user-name deploy-bot --access-key-id AKIAIOSFODNN7EXAMPLE
```
Notes

Use after confirming replacement credentials work.
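Worked example, added here and not part of the cheat sheet: the four access-key commands above combined into a rotation helper that finds stale active keys, checks for a free key slot before creating a replacement, deactivates the old key instead of deleting it, and deletes only as a separate final step. The function names, the age-cutoff logic and the sample listing are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example: an access-key rotation helper built from the create / list / update / delete
# commands above. Function names, the cutoff logic and the sample listing are constructed.

TAB="$(printf '\t')"

# Listings below are the text form of
#   aws iam list-access-keys --user-name U --query 'AccessKeyMetadata[].[AccessKeyId,Status,CreateDate]' --output text
# i.e. one "KeyId<TAB>Status<TAB>CreateDate" line per key.

# Count keys in a listing. IAM allows two access keys per user, so rotation needs a free slot.
key_count() {
    printf '%s\n' "$1" | grep -c . || true
}

# Print the IDs of keys that are still Active and were created before CUTOFF (YYYY-MM-DD).
# The CLI returns CreateDate as an ISO 8601 UTC timestamp, so the date part compares as a string.
stale_active_keys() {
    local cutoff listing
    cutoff="$1"; listing="$2"
    printf '%s\n' "$listing" | while IFS="$TAB" read -r key_id status created; do
        [ -n "$key_id" ] || continue
        if [ "$status" = "Active" ] && expr "${created%%T*}" \< "$cutoff" >/dev/null; then
            printf '%s\n' "$key_id"
        fi
    done
    return 0
}

# Real calls, in zero-downtime order: create the second key, deploy it, set the old key
# Inactive, and delete only once the new key is confirmed working (retire_key below).
rotate_user_key() {
    local user old_key listing
    user="$1"; old_key="$2"
    listing="$(aws iam list-access-keys --user-name "$user" \
        --query 'AccessKeyMetadata[].[AccessKeyId,Status,CreateDate]' --output text)" || return 1
    if [ "$(key_count "$listing")" -ge 2 ]; then
        echo "rotate_user_key: $user already has two keys; retire one before creating another" >&2
        return 1
    fi
    # The secret is shown exactly once; capture it into a secrets store, not a shell history file.
    aws iam create-access-key --user-name "$user" \
        --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text
    # Inactive rather than deleted: an Inactive key can be set back to Active if the rollout breaks.
    aws iam update-access-key --user-name "$user" --access-key-id "$old_key" --status Inactive
}

# Final step, run only after confirming the replacement credentials work.
retire_key() {
    aws iam delete-access-key --user-name "$1" --access-key-id "$2"
}

# Constructed sample listing (placeholder key IDs, not real keys).
SAMPLE_LISTING="$(printf 'AKIAIOSFODNN7EXAMPLE\tActive\t2023-11-02T09:15:00+00:00\nAKIAI44QH8DHBEXAMPLE\tInactive\t2022-05-20T12:00:00+00:00')"
```

A periodic audit can run `stale_active_keys` over each user's listing with a cutoff such as 90 days ago and feed the result into `rotate_user_key`; keeping the delete in `retire_key` matches the sheet's advice to remove a key only after the replacement is confirmed.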
