Skip to main content

users

Creates, updates, deletes or gets a user resource or lists users in a region

Overview

Nameusers
TypeResource
Description
Creates a new IAM user for your AWS-account.For information about quotas for the number of IAM users you can create, see IAM and quotas in the IAM User Guide.
Idawscc.iam.users

Fields

NameDatatypeDescription
pathstring
The path for the user name. For more information about paths, see IAM identifiers in the IAM User Guide.This parameter is optional. If it is not included, it defaults to a slash (/).
This parameter allows (through its regex pattern) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! (\u0021) through the DEL character (\u007F), including most punctuation characters, digits, and upper and lowercased letters.
managed_policy_arnsarray
A list of Amazon Resource Names (ARNs) of the IAM managed policies that you want to attach to the user.For more information about ARNs, see Amazon Resource Names (ARNs) and Service Namespaces in the General Reference.
policiesarray
Adds or updates an inline policy document that is embedded in the specified IAM user. To view AWS::IAM::User snippets, see Declaring an User Resource.The name of each policy for a role, user, or group must be unique. If you don't choose unique names, updates to the IAM identity will fail.
For information about limits on the number of inline policies that you can embed in a user, see Limitations on Entities in the User Guide.
user_namestring
The name of the user to create. Do not include the path in this value.This parameter allows (per its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-. The user name must be unique within the account. User names are not distinguished by case. For example, you cannot create users named both "John" and "john".
If you don't specify a name, CFN generates a unique physical ID and uses that ID for the user name.
If you specify a name, you must specify the CAPABILITY_NAMED_IAM value to acknowledge your template's capabilities. For more information, see Acknowledging Resources in Templates.
Naming an IAM resource can cause an unrecoverable error if you reuse the same template in multiple Regions. To prevent this, we recommend using Fn::Join and AWS::Region to create a Region-specific name, as in the following example: {"Fn::Join": ["", [{"Ref": "AWS::Region"}, {"Ref": "MyResourceName"}]]}.
groupsarrayA list of group names to which you want to add the user.
arnstring
login_profileobject
Creates a password for the specified IAM user. A password allows an IAM user to access AWS services through the console.You can use the CLI, the AWS API, or the Users page in the IAM console to create a password for any IAM user. Use ChangePassword to update your own existing password in the My Security Credentials page in the console.
For more information about managing passwords, see Managing passwords in the User Guide.
tagsarray
A list of tags that you want to attach to the new user. Each tag consists of a key name and an associated value. For more information about tagging, see Tagging IAM resources in the IAM User Guide.If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created.
permissions_boundarystring
The ARN of the managed policy that is used to set the permissions boundary for the user.A permissions boundary policy defines the maximum permissions that identity-based policies can grant to an entity, but does not grant permissions. Permissions boundaries do not define the maximum permissions that a resource-based policy can grant to an entity. To learn more, see Permissions boundaries for IAM entities in the IAM User Guide.
For more information about policy types, see Policy types in the IAM User Guide.
regionstringAWS region.

For more information, see AWS::IAM::User.

Methods

NameResourceAccessible byRequired Params
create_resourceusersINSERTregion
delete_resourceusersDELETEIdentifier, region
update_resourceusersUPDATEIdentifier, PatchDocument, region
list_resourcesusers_list_onlySELECTregion
get_resourceusersSELECTIdentifier, region

SELECT examples

Gets all properties from an individual user.

SELECT
  region,
  path,
  managed_policy_arns,
  policies,
  user_name,
  groups,
  arn,
  login_profile,
  tags,
  permissions_boundary
FROM awscc.iam.users
WHERE
  region = 'us-east-1' AND
  Identifier = '{{ user_name }}';

INSERT example

Use the following StackQL query and manifest file to create a new user resource, using stack-deploy.

/*+ create */
INSERT INTO awscc.iam.users (
  Path,
  ManagedPolicyArns,
  Policies,
  UserName,
  Groups,
  LoginProfile,
  Tags,
  PermissionsBoundary,
  region
)
SELECT
  '{{ path }}',
  '{{ managed_policy_arns }}',
  '{{ policies }}',
  '{{ user_name }}',
  '{{ groups }}',
  '{{ login_profile }}',
  '{{ tags }}',
  '{{ permissions_boundary }}',
  '{{ region }}'
RETURNING
  ErrorCode,
  EventTime,
  Identifier,
  Operation,
  OperationStatus,
  RequestToken,
  ResourceModel,
  RetryAfter,
  StatusMessage,
  TypeName
;

UPDATE example

Use the following StackQL query and manifest file to update a user resource, using stack-deploy.

/*+ update */
UPDATE awscc.iam.users
SET PatchDocument = string('{{ {
    "Path": path,
    "ManagedPolicyArns": managed_policy_arns,
    "Policies": policies,
    "Groups": groups,
    "LoginProfile": login_profile,
    "Tags": tags,
    "PermissionsBoundary": permissions_boundary
} | generate_patch_document }}')
WHERE
  region = '{{ region }}' AND
  Identifier = '{{ user_name }}'
RETURNING
  ErrorCode,
  EventTime,
  Identifier,
  Operation,
  OperationStatus,
  RequestToken,
  ResourceModel,
  RetryAfter,
  StatusMessage,
  TypeName
;

DELETE example

/*+ delete */
DELETE FROM awscc.iam.users
WHERE
  Identifier = '{{ user_name }}' AND
  region = 'us-east-1'
RETURNING
  ErrorCode,
  EventTime,
  Identifier,
  Operation,
  OperationStatus,
  RequestToken,
  ResourceModel,
  RetryAfter,
  StatusMessage,
  TypeName
;

Additional Parameters

Mutable resources in the Cloud Control provider support additional optional parameters which can be supplied with INSERT, UPDATE, or DELETE operations. These include:

ParameterDescription
ClientToken
A unique identifier to ensure the idempotency of the resource request.This allows the provider to accurately distinguish between retries and new requests.
A client token is valid for 36 hours once used.
After that, a resource request with the same client token is treated as a new request.
If you do not specify a client token, one is generated for inclusion in the request.
RoleArn
The ARN of the IAM role used to perform this resource operation.The role specified must have the permissions required for this operation.
If you do not specify a role, a temporary session is created using your AWS user credentials.
TypeVersionId
For private resource types, the type version to use in this resource operation.If you do not specify a resource version, the default version is used.

Permissions

To operate on the users resource, the following permissions are required:

iam:CreateLoginProfile,
iam:AddUserToGroup,
iam:PutUserPolicy,
iam:AttachUserPolicy,
iam:CreateUser,
iam:GetUser,
iam:TagUser