users

Creates, updates, deletes or gets a user resource or lists users in a region

Overview

| | |
|---|---|
| Name | users |
| Type | Resource |
| Description | Creates a new IAM user for your AWS account.<br />For information about quotas for the number of IAM users you can create, see [IAM and quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html) in the *IAM User Guide*. |
| Id | awscc.iam.users |

Fields

| Name | Datatype | Description |
|---|---|---|
| path | string | The path for the user name. For more information about paths, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide*.<br />This parameter is optional. If it is not included, it defaults to a slash (/).<br />This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex)) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! (`\u0021`) through the DEL character (`\u007F`), including most punctuation characters, digits, and upper and lowercase letters. |
| managed_policy_arns | array | A list of Amazon Resource Names (ARNs) of the IAM managed policies that you want to attach to the user.<br />For more information about ARNs, see [Amazon Resource Names (ARNs) and Service Namespaces](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the *General Reference*. |
| policies | array | Adds or updates an inline policy document that is embedded in the specified IAM user. Each entry is an object with a `PolicyName` and a `PolicyDocument`. To view AWS::IAM::User snippets, see [Declaring an IAM User Resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-user).<br />The name of each policy for a role, user, or group must be unique. If you don't choose unique names, updates to the IAM identity will fail.<br />For information about limits on the number of inline policies that you can embed in a user, see [Limitations on Entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html) in the *IAM User Guide*. |
| user_name | string | The name of the user to create. Do not include the path in this value.<br />This parameter allows (per its [regex pattern](http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: `_+=,.@-`. The user name must be unique within the account. User names are not distinguished by case. For example, you cannot create users named both "John" and "john".<br />If you don't specify a name, CloudFormation generates a unique physical ID and uses that ID for the user name.<br />If you specify a name, you must specify the `CAPABILITY_NAMED_IAM` value to acknowledge your template's capabilities. For more information, see [Acknowledging Resources in Templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-capabilities).<br />Naming an IAM resource can cause an unrecoverable error if you reuse the same template in multiple Regions. To prevent this, we recommend using `Fn::Join` and `AWS::Region` to create a Region-specific name, as in the following example: `{"Fn::Join": ["", [{"Ref": "AWS::Region"}, {"Ref": "MyResourceName"}]]}`. |
| groups | array | A list of group names to which you want to add the user. |
| arn | string | The Amazon Resource Name (ARN) of the user. Read-only; it is returned by the service after creation and cannot be set on INSERT. |
| login_profile | object | Creates a password for the specified IAM user. A password allows an IAM user to access AWS services through the console. The object carries a `Password` and an optional `PasswordResetRequired` flag.<br />You can use the CLI, the AWS API, or the *Users* page in the IAM console to create a password for any IAM user. Use [ChangePassword](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ChangePassword.html) to update your own existing password in the *My Security Credentials* page in the console.<br />Because the password value appears in the query text (and in any stack-deploy manifest that supplies it), set `PasswordResetRequired` to true, keep such manifests out of version control, and omit `login_profile` entirely for users that only need programmatic access.<br />For more information about managing passwords, see [Managing passwords](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_ManagingLogins.html) in the *IAM User Guide*. |
| tags | array | A list of tags that you want to attach to the new user. Each tag is an object with a `Key` and a `Value`. For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide*.<br />If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created. |
| permissions_boundary | string | The ARN of the managed policy that is used to set the permissions boundary for the user.<br />A permissions boundary policy defines the maximum permissions that identity-based policies can grant to an entity, but does not grant permissions. Permissions boundaries do not define the maximum permissions that a resource-based policy can grant to an entity. To learn more, see [Permissions boundaries for IAM entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*.<br />For more information about policy types, see [Policy types](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policy-types) in the *IAM User Guide*. |
| region | string | AWS region. |

For more information, see AWS::IAM::User.

Methods

| Name | Accessible by | Required Params |
|---|---|---|
| create_resource | INSERT | region |
| delete_resource | DELETE | data__Identifier, region |
| update_resource | UPDATE | data__Identifier, data__PatchDocument, region |
| list_resources | SELECT | region |
| get_resource | SELECT | data__Identifier, region |

SELECT examples

Gets all properties from an individual user. `get_resource` needs both the identifier (the user name) and the region, so the `WHERE` clause supplies both.

```sql
SELECT
region,
path,
managed_policy_arns,
policies,
user_name,
groups,
arn,
login_profile,
tags,
permissions_boundary
FROM awscc.iam.users
WHERE data__Identifier = '<UserName>'
AND region = 'us-east-1';
```

INSERT example

Use the following StackQL query, together with a stack-deploy manifest file that supplies the `{{ }}` values, to create a new user resource. Column names on INSERT use the CloudFormation property casing (`ManagedPolicyArns`, `PermissionsBoundary`), while SELECT returns the snake_case field names listed above.

```sql
/*+ create */
INSERT INTO awscc.iam.users (
Path,
ManagedPolicyArns,
Policies,
UserName,
Groups,
LoginProfile,
Tags,
PermissionsBoundary,
region
)
SELECT
'{{ Path }}',
'{{ ManagedPolicyArns }}',
'{{ Policies }}',
'{{ UserName }}',
'{{ Groups }}',
'{{ LoginProfile }}',
'{{ Tags }}',
'{{ PermissionsBoundary }}',
'{{ region }}';
```
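A concrete version of that INSERT, added here as an example (it is not from the StackQL docs or the AWS::IAM::User schema), shows the JSON shape each array and object column takes and a least-privilege setup: a permissions boundary that caps everything the attached policies can grant, one managed policy, one inline policy scoped to a single bucket, tags, and no `LoginProfile`, so the user has no console password. The account ID `123456789012`, the `ServiceAccountBoundary` policy, the user name, the bucket name and the region are placeholders; the array and object values are passed as quoted JSON literals, the same quoting the placeholder query above uses.

```sql
/*+ create */
/* Added example: create a programmatic-only IAM user with a permissions boundary.
   Placeholders: account 123456789012, ServiceAccountBoundary, user name, bucket, region.
   LoginProfile is deliberately omitted: no console password is created.
   Policies entries are {PolicyName, PolicyDocument}; Tags entries are {Key, Value}. */
INSERT INTO awscc.iam.users (
Path,
UserName,
PermissionsBoundary,
ManagedPolicyArns,
Policies,
Tags,
region
)
SELECT
'/service-accounts/',
'ci-artifact-uploader',
'arn:aws:iam::123456789012:policy/ServiceAccountBoundary',
'["arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"]',
'[{
  "PolicyName": "artifact-bucket-write",
  "PolicyDocument": {
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Allow",
      "Action": ["s3:PutObject"],
      "Resource": "arn:aws:s3:::example-ci-artifacts/*"
    }]
  }
}]',
'[{"Key": "Owner", "Value": "platform-team"}, {"Key": "Purpose", "Value": "ci-upload"}]',
'us-east-1';
```

The boundary does not grant anything by itself; it only bounds what `ManagedPolicyArns` and `Policies` can grant, so a later PutUserPolicy that over-reaches is still held to the boundary. If the inline policy name is reused by another inline policy on the same user, the update fails, as the `policies` field description notes.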

DELETE example

```sql
/*+ delete */
DELETE FROM awscc.iam.users
WHERE data__Identifier = '<UserName>'
AND region = 'us-east-1';
```
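The Methods table lists `update_resource` but the page shows no UPDATE, so the following is an added example (not from the StackQL docs) of tightening an existing user in place. Cloud Control's UpdateResource takes an RFC 6902 JSON Patch document, which is what `data__PatchDocument` carries; the example assumes the document is passed as a string literal wrapped in `string(...)`, as StackQL's awscc UPDATE examples do. The account ID, the `ServiceAccountBoundary` policy, the user name and the region are placeholders.

```sql
/*+ update */
/* Added example: put a permissions boundary on an existing user and narrow its
   managed policies to one read-only policy. The patch is an RFC 6902 JSON Patch array.
   "add" on /PermissionsBoundary works whether or not a boundary already exists
   (RFC 6902 "add" replaces an existing object member); "replace" on
   /ManagedPolicyArns requires the user to already have that property, so use
   "add" there too for a user that currently has no managed policies. */
UPDATE awscc.iam.users
SET data__PatchDocument = string('[
  { "op": "add",
    "path": "/PermissionsBoundary",
    "value": "arn:aws:iam::123456789012:policy/ServiceAccountBoundary" },
  { "op": "replace",
    "path": "/ManagedPolicyArns",
    "value": ["arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"] }
]')
WHERE region = 'us-east-1'
AND data__Identifier = 'ci-artifact-uploader';

/* Verify through the read path: get_resource needs both data__Identifier and region.
   A non-null login_profile here means the user still has a console password. */
SELECT user_name, permissions_boundary, managed_policy_arns, login_profile
FROM awscc.iam.users
WHERE data__Identifier = 'ci-artifact-uploader'
AND region = 'us-east-1';
```

The update path needs `iam:PutUserPermissionsBoundary`, `iam:AttachUserPolicy` and `iam:DetachUserPolicy` from the Update permission list below; a caller missing any of them gets a partial failure from Cloud Control rather than a partially applied patch, so grant the whole Update set to the principal running StackQL.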

Permissions

To operate on the users resource, the following permissions are required:

Create

iam:CreateLoginProfile,
iam:AddUserToGroup,
iam:PutUserPolicy,
iam:AttachUserPolicy,
iam:CreateUser,
iam:GetUser,
iam:TagUser

Read

iam:GetUserPolicy,
iam:ListGroupsForUser,
iam:ListAttachedUserPolicies,
iam:ListUserPolicies,
iam:GetUser,
iam:GetLoginProfile

Update

iam:UpdateLoginProfile,
iam:UpdateUser,
iam:PutUserPermissionsBoundary,
iam:AttachUserPolicy,
iam:DeleteUserPolicy,
iam:DeleteUserPermissionsBoundary,
iam:TagUser,
iam:UntagUser,
iam:CreateLoginProfile,
iam:RemoveUserFromGroup,
iam:AddUserToGroup,
iam:PutUserPolicy,
iam:DetachUserPolicy,
iam:GetLoginProfile,
iam:DeleteLoginProfile,
iam:GetUser,
iam:ListUserTags

Delete

iam:DeleteAccessKey,
iam:RemoveUserFromGroup,
iam:DeleteUserPolicy,
iam:DeleteUser,
iam:DetachUserPolicy,
iam:DeleteLoginProfile,
iam:ListAccessKeys,
iam:GetUserPolicy,
iam:ListGroupsForUser,
iam:ListAttachedUserPolicies,
iam:ListUserPolicies,
iam:GetUser,
iam:GetLoginProfile

List

iam:ListUsers