# users

Creates, updates, deletes or gets a user resource or lists users in a region.

## Overview

| Name | users |
|---|---|
| Type | Resource |
| Description | Creates a new IAM user for your AWS-account. For information about quotas for the number of IAM users you can create, see [IAM and quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html) in the *IAM User Guide*. |
| Id | awscc.iam.users |
## Fields

The `get` method (all properties) returns the following fields:

| Name | Datatype | Description |
|---|---|---|
| path | string | The path for the user name. For more information about paths, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide*.<br />This parameter is optional. If it is not included, it defaults to a slash (/).<br />This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex)) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! (``\u0021``) through the DEL character (``\u007F``), including most punctuation characters, digits, and upper and lowercased letters. |
| managed_policy_arns | array | A list of Amazon Resource Names (ARNs) of the IAM managed policies that you want to attach to the user.<br />For more information about ARNs, see [Amazon Resource Names (ARNs) and Service Namespaces](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the *General Reference*. |
| policies | array | Adds or updates an inline policy document that is embedded in the specified IAM user. To view AWS::IAM::User snippets, see [Declaring an User Resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-user).<br />The name of each policy for a role, user, or group must be unique. If you don't choose unique names, updates to the IAM identity will fail. <br />For information about limits on the number of inline policies that you can embed in a user, see [Limitations on Entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html) in the *User Guide*. |
| user_name | string | The name of the user to create. Do not include the path in this value.<br />This parameter allows (per its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-. The user name must be unique within the account. User names are not distinguished by case. For example, you cannot create users named both "John" and "john".<br />If you don't specify a name, CFN generates a unique physical ID and uses that ID for the user name.<br />If you specify a name, you must specify the ``CAPABILITY_NAMED_IAM`` value to acknowledge your template's capabilities. For more information, see [Acknowledging Resources in Templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-capabilities).<br />Naming an IAM resource can cause an unrecoverable error if you reuse the same template in multiple Regions. To prevent this, we recommend using ``Fn::Join`` and ``AWS::Region`` to create a Region-specific name, as in the following example: ``{"Fn::Join": ["", [{"Ref": "AWS::Region"}, {"Ref": "MyResourceName"}]]}``. |
| groups | array | A list of group names to which you want to add the user. |
| arn | string | |
| login_profile | object | Creates a password for the specified IAM user. A password allows an IAM user to access AWS services through the console.<br />You can use the CLI, the AWS API, or the *Users* page in the IAM console to create a password for any IAM user. Use [ChangePassword](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ChangePassword.html) to update your own existing password in the *My Security Credentials* page in the console.<br />For more information about managing passwords, see [Managing passwords](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_ManagingLogins.html) in the *User Guide*. |
| tags | array | A list of tags that you want to attach to the new user. Each tag consists of a key name and an associated value. For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide*.<br />If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created. |
| permissions_boundary | string | The ARN of the managed policy that is used to set the permissions boundary for the user.<br />A permissions boundary policy defines the maximum permissions that identity-based policies can grant to an entity, but does not grant permissions. Permissions boundaries do not define the maximum permissions that a resource-based policy can grant to an entity. To learn more, see [Permissions boundaries for IAM entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*.<br />For more information about policy types, see [Policy types](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policy-types) in the *IAM User Guide*. |
| region | string | AWS region. |

The `list` method (identifiers only) returns the following fields:

| Name | Datatype | Description |
|---|---|---|
| user_name | string | The name of the user to create. Do not include the path in this value.<br />This parameter allows (per its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-. The user name must be unique within the account. User names are not distinguished by case. For example, you cannot create users named both "John" and "john".<br />If you don't specify a name, CFN generates a unique physical ID and uses that ID for the user name.<br />If you specify a name, you must specify the ``CAPABILITY_NAMED_IAM`` value to acknowledge your template's capabilities. For more information, see [Acknowledging Resources in Templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-capabilities).<br />Naming an IAM resource can cause an unrecoverable error if you reuse the same template in multiple Regions. To prevent this, we recommend using ``Fn::Join`` and ``AWS::Region`` to create a Region-specific name, as in the following example: ``{"Fn::Join": ["", [{"Ref": "AWS::Region"}, {"Ref": "MyResourceName"}]]}``. |
| region | string | AWS region. |
For more information, see AWS::IAM::User.
## Methods

| Name | Resource | Accessible by | Required Params |
|---|---|---|---|
| create_resource | users | INSERT | region |
| delete_resource | users | DELETE | Identifier, region |
| update_resource | users | UPDATE | Identifier, PatchDocument, region |
| list_resources | users_list_only | SELECT | region |
| get_resource | users | SELECT | Identifier, region |
## SELECT examples

Gets all properties from an individual user (`get`):

```sql
SELECT
  region,
  path,
  managed_policy_arns,
  policies,
  user_name,
  groups,
  arn,
  login_profile,
  tags,
  permissions_boundary
FROM awscc.iam.users
WHERE
  region = 'us-east-1' AND
  Identifier = '{{ user_name }}';
```

Lists all users in a region (`list`, identifiers only):

```sql
SELECT
  region,
  user_name
FROM awscc.iam.users_list_only
WHERE
  region = 'us-east-1';
```
## INSERT example

Use the following StackQL query and manifest file to create a new user resource, using stack-deploy. Only `region` is required for this resource, so the query with required properties and the query with all properties are the same; all properties are shown:

```sql
/*+ create */
INSERT INTO awscc.iam.users (
  Path,
  ManagedPolicyArns,
  Policies,
  UserName,
  Groups,
  LoginProfile,
  Tags,
  PermissionsBoundary,
  region
)
SELECT
  '{{ path }}',
  '{{ managed_policy_arns }}',
  '{{ policies }}',
  '{{ user_name }}',
  '{{ groups }}',
  '{{ login_profile }}',
  '{{ tags }}',
  '{{ permissions_boundary }}',
  '{{ region }}';
```
Manifest:

```yaml
version: 1
name: stack name
description: stack description
providers:
  - aws
globals:
  - name: region
    value: '{{ vars.AWS_REGION }}'
resources:
  - name: user
    props:
      - name: path
        value: '{{ path }}'
      - name: managed_policy_arns
        value:
          - '{{ managed_policy_arns[0] }}'
      - name: policies
        value:
          - policy_document: {}
            policy_name: '{{ policy_name }}'
      - name: user_name
        value: '{{ user_name }}'
      - name: groups
        value:
          - '{{ groups[0] }}'
      - name: login_profile
        value:
          password_reset_required: '{{ password_reset_required }}'
          password: '{{ password }}'
      - name: tags
        value:
          - value: '{{ value }}'
            key: '{{ key }}'
      - name: permissions_boundary
        value: '{{ permissions_boundary }}'
```
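The query and manifest above use a template placeholder for every property, which hides the JSON shapes the array and object properties take. The following is an added example, not from the StackQL documentation, that fills the placeholders with concrete values to create a user carrying the controls a reviewer looks for: a permissions boundary, one narrowly scoped inline policy, group membership and owner tags. The account ID, policy ARNs, bucket name, group name and tag values are constructed placeholders. The property names inside the JSON values (`PolicyName`, `PolicyDocument`, `Key`, `Value`) follow the AWS::IAM::User CloudFormation schema, which is assumed to be what the Cloud Control API behind `awscc` accepts. `LoginProfile` is left out so that no console password is embedded in query text.

```sql
/*+ create */
-- Added example: creates a user with a permissions boundary and a single
-- scoped inline policy. All ARNs, names and tag values are constructed.
INSERT INTO awscc.iam.users (
  Path,
  ManagedPolicyArns,
  Policies,
  UserName,
  Groups,
  Tags,
  PermissionsBoundary,
  region
)
SELECT
  '/developers/',
  -- managed policies: JSON array of policy ARNs
  '["arn:aws:iam::aws:policy/ReadOnlyAccess"]',
  -- inline policies: JSON array of {PolicyName, PolicyDocument};
  -- PolicyName must be unique within the user or later updates fail
  '[{"PolicyName": "read-own-artifacts",
     "PolicyDocument": {
       "Version": "2012-10-17",
       "Statement": [{
         "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": [
           "arn:aws:s3:::example-artifacts",
           "arn:aws:s3:::example-artifacts/*"
         ]
       }]
     }}]',
  'example-developer',
  -- groups: JSON array of group names
  '["developers"]',
  -- tags: JSON array of {Key, Value}; one invalid tag fails the whole request
  '[{"Key": "owner", "Value": "platform-team"},
    {"Key": "managed-by", "Value": "stackql"}]',
  -- permissions boundary: caps what the inline and managed policies may grant
  'arn:aws:iam::123456789012:policy/DeveloperBoundary',
  'us-east-1';
```

As the `permissions_boundary` field description states, the boundary grants nothing by itself; it only limits the effective permissions of the inline and managed policies attached here, so the user's access is the intersection of the boundary and those policies.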
## UPDATE example

Use the following StackQL query and manifest file to update a user resource, using stack-deploy.

```sql
/*+ update */
UPDATE awscc.iam.users
SET PatchDocument = string('{{ {
  "Path": path,
  "ManagedPolicyArns": managed_policy_arns,
  "Policies": policies,
  "Groups": groups,
  "LoginProfile": login_profile,
  "Tags": tags,
  "PermissionsBoundary": permissions_boundary
} | generate_patch_document }}')
WHERE
  region = '{{ region }}' AND
  Identifier = '{{ user_name }}';
```
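The `generate_patch_document` filter above derives the patch from a full property map. As an added example, not from the StackQL documentation, here is the same update written with a literal patch document for the remediation a reviewer most often asks for: attaching a permissions boundary to an existing user and reducing its managed policy list. `PatchDocument` is an RFC 6902 JSON Patch, as the Cloud Control API's UpdateResource expects; the `string()` wrapper is kept as the page uses it. The user name, account ID and policy ARNs are constructed placeholders.

```sql
/*+ update */
-- Added example: JSON Patch that sets a permissions boundary and replaces the
-- managed policy list on an existing user. ARNs and names are constructed.
UPDATE awscc.iam.users
SET PatchDocument = string('[
  {"op": "add",
   "path": "/PermissionsBoundary",
   "value": "arn:aws:iam::123456789012:policy/DeveloperBoundary"},
  {"op": "replace",
   "path": "/ManagedPolicyArns",
   "value": ["arn:aws:iam::aws:policy/ReadOnlyAccess"]}
]')
WHERE
  region = 'us-east-1' AND
  Identifier = 'example-developer';
```

A JSON Patch `add` on a member that already exists replaces its value, so the first operation works whether or not the user currently has a boundary; `replace` on `/ManagedPolicyArns` overwrites the whole list, which is what you want when the goal is that only the named policy remains attached. The `Update` permissions listed below (`iam:PutUserPermissionsBoundary`, `iam:AttachUserPolicy`, `iam:DetachUserPolicy`) are the ones this patch exercises.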
## DELETE example

```sql
/*+ delete */
DELETE FROM awscc.iam.users
WHERE
  Identifier = '{{ user_name }}' AND
  region = 'us-east-1';
```
## Permissions

To operate on the users resource, the following permissions are required:

- Create: `iam:CreateLoginProfile`, `iam:AddUserToGroup`, `iam:PutUserPolicy`, `iam:AttachUserPolicy`, `iam:CreateUser`, `iam:GetUser`, `iam:TagUser`
- Read: `iam:GetUserPolicy`, `iam:ListGroupsForUser`, `iam:ListAttachedUserPolicies`, `iam:ListUserPolicies`, `iam:GetUser`, `iam:GetLoginProfile`
- Update: `iam:UpdateLoginProfile`, `iam:UpdateUser`, `iam:PutUserPermissionsBoundary`, `iam:AttachUserPolicy`, `iam:DeleteUserPolicy`, `iam:DeleteUserPermissionsBoundary`, `iam:TagUser`, `iam:UntagUser`, `iam:CreateLoginProfile`, `iam:RemoveUserFromGroup`, `iam:AddUserToGroup`, `iam:PutUserPolicy`, `iam:DetachUserPolicy`, `iam:GetLoginProfile`, `iam:DeleteLoginProfile`, `iam:GetUser`, `iam:ListUserTags`
- Delete: `iam:DeleteAccessKey`, `iam:RemoveUserFromGroup`, `iam:DeleteUserPolicy`, `iam:DeleteUser`, `iam:DetachUserPolicy`, `iam:DeleteLoginProfile`, `iam:ListAccessKeys`, `iam:GetUserPolicy`, `iam:ListGroupsForUser`, `iam:ListAttachedUserPolicies`, `iam:ListUserPolicies`, `iam:GetUser`, `iam:GetLoginProfile`
- List: `iam:listUsers`