
Lab 4: Creating an IAM user in your AWS account

Topics

  • Creating IAM users (console)
  • Creating IAM users (AWS CLI)
  • Creating IAM users (AWS API)

Creating IAM users (console)

You can use the AWS Management Console to create IAM users.

To create an IAM user (console)

  1. Follow the sign-in procedure appropriate to your user type as described in the topic How to sign in to AWS in the AWS Sign-In User Guide.
  2. On the Console Home page, select the IAM service.
  3. In the navigation pane, select Users and then select Add users.
  4. On the Specify user details page, under User details, in User name, enter the name for the new user. This is their sign-in name for AWS.

    Note

    The number and size of IAM resources in an AWS account are limited. For more information, see IAM and AWS STS quotas. User names can be a combination of up to 64 letters, digits, and these characters: plus (+), equal (=), comma (,), period (.), at sign (@), underscore (_), and hyphen (-). Names must be unique within an account. They are not distinguished by case. For example, you cannot create two users named TESTUSER and testuser. When a user name is used in a policy or as part of an ARN, the name is case sensitive. When a user name appears to customers in the console, such as during the sign-in process, the user name is case insensitive.

  5. Select Provide user access to the AWS Management Console – optional. This produces AWS Management Console sign-in credentials for the new user.

    You are asked whether you are providing console access to a person. We recommend that you create users in IAM Identity Center rather than IAM.

    • To switch to creating the user in IAM Identity Center, select Specify a user in Identity Center.

      If you have not enabled IAM Identity Center, selecting this option takes you to the service page in the console so that you can enable the service. For details on this procedure, see https://docs.aws.amazon.com/singlesignon/latest/userguide/getting-started.html in the AWS IAM Identity Center User Guide.

      If you have enabled IAM Identity Center, selecting this option takes you to the Specify user details page in IAM Identity Center. For details on this procedure, see https://docs.aws.amazon.com/singlesignon/latest/userguide/addusers.html in the AWS IAM Identity Center User Guide.

    • If you cannot use IAM Identity Center, select I want to create an IAM user and continue following this procedure.
    1. For Console password, select one of the following:
      • Autogenerated password – The user gets a randomly generated password that meets the account password policy. You can view or download the password when you get to the Retrieve password page.
      • Custom password – The user is assigned the password that you enter in the box.
    2. (Optional) Users must create a new password at next sign-in (recommended) is selected by default to ensure that the user is forced to change their password the first time they sign in.

      Note

      If an administrator has enabled the Allow users to change their own password account password policy setting, then this check box attaches no additional policy (the user is still required to change the password at first sign-in). Otherwise, it also automatically attaches an AWS managed policy named IAMUserChangePassword to the new user. That policy grants the user permission to change their own password, which the forced reset needs.

  6. Select Next.
  7. On the Set permissions page, specify how you want to assign permissions for this user. Select one of the following three options:
    • Add user to group – Select this option if you want to assign the user to one or more groups that already have permissions policies. IAM displays a list of the groups in your account, along with their attached policies. You can select one or more existing groups, or select Create group to create a new group. For more information, see Changing permissions for an IAM user.
    • Copy permissions – Select this option to copy all of the group memberships, attached managed policies, embedded inline policies, and any existing permissions boundaries from an existing user to the new user. IAM displays a list of the users in your account. Select the one whose permissions most closely match the needs of your new user.
    • Attach policies directly – Select this option to see a list of the AWS managed and customer managed policies in your account. Select the policies that you want to attach to the user or select Create policy to open a new browser tab and create a new policy. For more information, see step 4 in the procedure Creating IAM policies. After you create the policy, close that tab and return to your original tab to add the policy to the user.

      Tip

      Whenever possible, attach your policies to a group and then make users members of the appropriate groups.

  8. (Optional) Set a permissions boundary. This is an advanced feature.

    Open the Permissions boundary section and select Use a permissions boundary to control the maximum permissions. IAM displays a list of the AWS managed and customer managed policies in your account. Select the policy to use for the permissions boundary or select Create policy to open a new browser tab and create a new policy. For more information, see step 4 in the procedure Creating IAM policies. After you create the policy, close that tab and return to your original tab to select the policy to use for the permissions boundary.

  9. Select Next.
  10. (Optional) On the Review and create page, under Tags, select Add new tag to add metadata to the user by attaching tags as key-value pairs. For more information about using tags in IAM, see Tagging IAM resources.
  11. Review all of the choices you made up to this point. When you are ready to proceed, select Create user.
  12. On the Retrieve password page, get the password assigned to the user:
    • Select Show next to the password to view the user’s password so that you can record it manually.
    • Select Download .csv to download the user’s sign-in credentials as a .csv file that you can save to a safe location.
  13. Select Email sign-in instructions. Your local mail client opens with a draft that you can customize and send to the user. The email template includes the following details for each user:
    • User name
    • URL to the account sign-in page. It has the following form, with the account ID number or account alias substituted in the host name:
      https://<AWS-account-ID-or-alias>.signin.aws.amazon.com/console

    Important

    The user’s password is not included in the generated email. You must provide the password to the user in a way that complies with your organization’s security guidelines.

  14. If the user also requires access keys, refer to Managing access keys for IAM users.

Creating IAM users (AWS CLI)

You can use the AWS CLI to create an IAM user.

To create an IAM user (AWS CLI)
  1. Create a user.
  2. (Optional) Give the user access to the AWS Management Console. This requires a password. You must also give the user the URL of your account’s sign-in page.
  3. (Optional) Give the user programmatic access. This requires access keys.
    • aws iam create-access-key
    • Tools for Windows PowerShell: New-IAMAccessKey
    • IAM API: CreateAccessKey
      Important

      This is your only opportunity to view or download the secret access keys, and you must provide this information to your users before they can use the AWS API. Save the user’s new access key ID and secret access key in a safe and secure place. You will not have access to the secret keys again after this step.

  4. Add the user to one or more groups. The groups that you specify should have attached policies that grant the appropriate permissions for the user.
  5. (Optional) Attach a policy to the user that defines the user’s permissions. Note: We recommend that you manage user permissions by adding the user to a group and attaching a policy to the group instead of attaching directly to a user.
  6. (Optional) Add custom attributes to the user by attaching tags. For more information, see Managing tags on IAM users (AWS CLI or AWS API).
  7. (Optional) Give the user permission to manage their own security credentials. For more information, see AWS: Allows MFA-authenticated IAM users to manage their own credentials on the Security credentials page.

Creating IAM users (AWS API)

You can use the AWS API to create an IAM user.

To create an IAM user (AWS API)
  1. Create a user.
  2. (Optional) Give the user access to the AWS Management Console. This requires a password. You must also give the user the URL of your account’s sign-in page.
  3. (Optional) Give the user programmatic access. This requires access keys.
    • CreateAccessKey
      Important

      This is your only opportunity to view or download the secret access keys, and you must provide this information to your users before they can use the AWS API. Save the user’s new access key ID and secret access key in a safe and secure place. You will not have access to the secret keys again after this step.

  4. Add the user to one or more groups. The groups that you specify should have attached policies that grant the appropriate permissions for the user.
  5. (Optional) Attach a policy to the user that defines the user’s permissions. Note: We recommend that you manage user permissions by adding the user to a group and attaching a policy to the group instead of attaching directly to a user.
  6. (Optional) Add custom attributes to the user by attaching tags. For more information, see Managing tags on IAM users (AWS CLI or AWS API).
  7. (Optional) Give the user permission to manage their own security credentials. For more information, see AWS: Allows MFA-authenticated IAM users to manage their own credentials on the Security credentials page.
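The console, CLI and API procedures above are the same sequence of IAM operations. The script below is an added example written for this lab, not code from the page or from AWS: it runs the CLI steps in order and names the API operation each command wraps, enforces the user-name rules from the console Note (length, character set, case-insensitive uniqueness), and prints the sign-in URL from step 13 of the console procedure. Assumed for the example, and not stated on the page: AWS CLI v2 configured with credentials permitted to manage IAM, an existing group passed as the second argument, the Owner=security-team tag, openssl for password generation, and the file name create-iam-user.sh used in the usage line.

```shell
#!/bin/sh
# Added example for this lab (not the page's or AWS's own script): the CLI/API
# procedure run end to end. Assumptions: AWS CLI v2 configured with credentials
# allowed to manage IAM, the group passed as $2 already exists, openssl is
# installed, and the Owner tag value is a placeholder.
set -eu

# Console Note rule: 1..64 characters, only letters, digits and + = , . @ _ -
valid_user_name() {
  name="$1"
  [ "${#name}" -ge 1 ] && [ "${#name}" -le 64 ] || return 1
  case "$name" in
    *[!A-Za-z0-9+=,.@_-]*) return 1 ;;   # any character outside the allowed set
  esac
  return 0
}

# Names are unique per account without regard to case (TESTUSER == testuser),
# even though policies and ARNs treat them case-sensitively.
same_user_name() {
  [ "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" ]
}

# Sign-in page URL (console step 13 / CLI step 2): account ID or alias as host.
signin_url() {
  printf 'https://%s.signin.aws.amazon.com/console\n' "$1"
}

# $1 user name, $2 existing group, $3 "keys" to also issue an access key pair.
create_console_user() {
  user="$1"; group="$2"; want_keys="${3:-}"
  valid_user_name "$user" || { echo "rejected user name: $user" >&2; return 1; }

  # Step 1 (API CreateUser). Tags are attached at creation here; TagUser is the
  # standalone equivalent for an existing user (step 6).
  aws iam create-user --user-name "$user" \
      --tags Key=Owner,Value=security-team >/dev/null

  # Step 2 (API CreateLoginProfile). Random initial password, change forced at
  # first sign-in. Passed as JSON on stdin so it never appears in ps or history.
  password="$(openssl rand -base64 24)"
  printf '{"UserName":"%s","Password":"%s","PasswordResetRequired":true}' \
      "$user" "$password" |
      aws iam create-login-profile --cli-input-json file:///dev/stdin >/dev/null
  # The console wizard attaches this managed policy for you; the CLI does not.
  # Needed unless the account password policy already lets users change their own.
  aws iam attach-user-policy --user-name "$user" \
      --policy-arn arn:aws:iam::aws:policy/IAMUserChangePassword

  # Step 4 (API AddUserToGroup): permissions come from the group, not the user.
  aws iam add-user-to-group --user-name "$user" --group-name "$group"

  # Step 3, optional (API CreateAccessKey): the secret is returned exactly once.
  if [ "$want_keys" = keys ]; then
    aws iam create-access-key --user-name "$user" \
        --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text
  fi

  # What to hand over out of band; the password is deliberately not emailed.
  account="$(aws sts get-caller-identity --query Account --output text)"
  echo "user:     $user"
  echo "sign-in:  $(signin_url "$account")"
  echo "password: $password"
}

# Usage: sh create-iam-user.sh <user-name> <group-name> [keys]
if [ "$#" -ge 2 ]; then
  create_console_user "$@"
fi
```

The explicit attach of IAMUserChangePassword mirrors what the console wizard does silently in step 5; without it, a user whose account password policy does not allow self-service changes is locked into a forced reset they cannot complete. The generated password is printed once to the terminal and must be delivered the way the Important note under step 13 describes, never in the sign-in email.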
