creating ‘test.user’
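# Quote the expansion: an unset/empty PROFILE would otherwise make --profile swallow "iam" as the profile name.
aws --profile "${PROFILE}" iam create-user --user-name test.user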
adding login profile for user ‘test.user’
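# NOTE: a password literal on the command line ends up in shell history and is visible in process listings;
# prefer supplying it via --cli-input-json file://... and pairing it with --password-reset-required so the
# initial value is only ever used once.
aws --profile "${PROFILE}" iam create-login-profile --user-name test.user --password 'My!User1Login8P@ssword'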
removing user login profile
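aws --profile "${PROFILE}" iam delete-login-profile --user-name test.user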
adding user to the group
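aws --profile "${PROFILE}" iam add-user-to-group --group-name Accountant --user-name test.user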
removing user from the group
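aws --profile "${PROFILE}" iam remove-user-from-group --group-name Accountant --user-name test.user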
removing user
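# delete-user is refused while the user still owns a login profile, access keys, MFA devices,
# attached/inline policies or group memberships — hence the delete-login-profile and
# remove-user-from-group steps above run first.
aws --profile "${PROFILE}" iam delete-user --user-name test.user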
listing groups
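aws --profile "${PROFILE}" iam list-groups --output table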
getting instance profile
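aws --profile "${PROFILE}" iam get-instance-profile --instance-profile-name server-zone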
listing role policies
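# Lists only the inline policies of the role; managed policies need list-attached-role-policies.
aws --profile "${PROFILE}" iam list-role-policies --role-name server-zone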
getting role policy
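aws --profile "${PROFILE}" iam get-role-policy --role-name server-zone --policy-name ReadOnlyAccess-server-zone-201412011143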
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowRunInstancesOnlyWithProperTagging",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:REGION:AWS_ACCOUNT_ID:instance/*",
"Condition": {
"StringEquals": {
"aws:RequestTag/Name": "${aws:username}",
"ec2:InstanceType": "t2.micro",
"aws:RequestTag/Owner": "${aws:username}"
},
"ForAllValues:StringEquals": {
"aws:TagKeys": [
"Owner",
"Name"
]
}
}
},
{
"Sid": "AllowManagingSecurityGroups",
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateSecurityGroup",
"ec2:DeleteSecurityGroup",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInstanceStatus",
"ec2:DescribeInstances",
"ec2:DescribeNetworkAcls",
"ec2:DescribeSecurityGroups",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress"
],
"Resource": "*"
},
{
"Sid": "AllowManagingInstancesSpecificToCurrentUser",
"Effect": "Allow",
"Action": [
"ec2:TerminateInstances",
"ec2:StartInstances",
"ec2:RebootInstances",
"ec2:StopInstances"
],
"Resource": "arn:aws:ec2:REGION:AWS_ACCOUNT_ID:instance/*",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/Owner": "${aws:username}"
},
"ForAllValues:StringEquals": {
"aws:TagKeys": "Owner"
}
}
},
{
"Sid": "AllowDescribingInstancesResources",
"Effect": "Allow",
"Action": "ec2:Describe*",
"Resource": "*"
},
{
"Sid": "AllowRunInstancesResources",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:REGION:AWS_ACCOUNT_ID:subnet/*",
"arn:aws:ec2:REGION:AWS_ACCOUNT_ID:key-pair/*",
"arn:aws:ec2:REGION:AWS_ACCOUNT_ID:security-group/*",
"arn:aws:ec2:REGION:AWS_ACCOUNT_ID:snapshot/*",
"arn:aws:ec2:REGION:AWS_ACCOUNT_ID:volume/*",
"arn:aws:ec2:REGION::image/ami-*",
"arn:aws:ec2:REGION:AWS_ACCOUNT_ID:network-interface/*"
]
},
{
"Sid": "AllowCreateTagsOnlyLaunching",
"Effect": "Allow",
"Action": "ec2:CreateTags",
"Resource": "arn:aws:ec2:REGION:AWS_ACCOUNT_ID:*/*",
"Condition": {
"StringEquals": {
"ec2:CreateAction": "RunInstances"
}
}
}
]
}
list IAM server certificates
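aws --profile "${PROFILE}" --region ap-southeast-1 iam list-server-certificates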
print policy permissions (use --filter with one of ‘User’ | ‘Role’ | ‘Group’ | ‘LocalManagedPolicy’ | ‘AWSManagedPolicy’)
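# --profile added for consistency with the other commands on this page; replace "PolicyName" with the policy to inspect.
aws --profile "${PROFILE}" iam get-account-authorization-details | jq '.Policies[] | select(.PolicyName == "PolicyName")'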
or
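# --profile added for consistency with the other commands on this page.
aws --profile "${PROFILE}" iam get-account-authorization-details --filter LocalManagedPolicy --query "Policies[?PolicyName=='OSD-5107-policy']"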
create an empty change-password.json skeleton
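#!bash
# --generate-cli-skeleton belongs to a concrete subcommand; without "change-password" the call is rejected.
# The skeleton is generated locally, so no credentials are used here.
aws --profile "${PROFILE}" iam change-password --generate-cli-skeleton > change-password.json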
fill in the values in change-password.json
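# change-password.json holds the old and new password in clear text: keep it mode 600 and remove it after use.
aws --profile "${PROFILE}" iam change-password --cli-input-json file://change-password.json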