Attach an Inline Policy to a User with AWS CLI


Borislav Hadzhiev

Thu Sep 16 2021, 3 min read

Table of Contents

  1. Attaching Inline Policies to an IAM User with AWS CLI
  2. Deleting Inline Policies from an IAM User with AWS CLI

Attaching Inline Policies to an IAM User with AWS CLI

IAM policies define specific permissions needed to access AWS resources and can be associated with IAM users, roles or groups.

To attach an inline policy to an IAM user, we have to:

  1. write the policy and store it in a JSON file on the local file system
  2. run the AWS CLI put-user-policy command

Let's look at an example inline policy that grants read permissions on a specific S3 bucket:

read-bucket.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["s3:Get*", "s3:ListBucket"],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::MYBUCKET",
        "arn:aws:s3:::MYBUCKET/*"
      ]
    }
  ]
}

To attach the inline policy to an IAM user, open your terminal in the directory where the read-bucket.json file is located and run the put-user-policy command:

shell
aws iam put-user-policy --user-name YourUsername --policy-name YourPolicyName --policy-document file://read-bucket.json


The local file path must be prefixed with file://.

Whenever you pass a local file as a parameter value to the AWS CLI, prefix the path with file:// for human-readable (text) files or with fileb:// for binary files.

In the snippet above, the terminal is opened in the directory where the read-bucket.json file is located. If your terminal is opened in a different directory, you can pass a relative or absolute path leading to the file.

For example, on Linux and macOS you can use relative and absolute paths as follows:

shell
# relative path, navigate to directory
aws iam put-user-policy --user-name YourUsername --policy-name YourPolicyName --policy-document file://./my-folder/read-bucket.json

# absolute path (notice 3 `/` characters in file:/// prefix)
aws iam put-user-policy --user-name YourUsername --policy-name YourPolicyName --policy-document file:///home/john/read-bucket.json

On Windows you can specify the file:// prefix as follows:

shell
aws iam put-user-policy --user-name YourUsername --policy-name YourPolicyName --policy-document file://C:\my-folder\read-bucket.json

To verify that the inline policy has been attached successfully to the IAM user, run the list-user-policies command:

shell
aws iam list-user-policies --user-name YourUser


Inline policies have a one-to-one relationship with the principal (IAM user, role or group); if you delete the user, the inline policy is deleted with it.

When attaching inline policies to an IAM user, make sure the contents of the .json file are valid JSON.

If the policy contains a syntax error, the AWS CLI returns an error: "(MalformedPolicyDocument) when calling the PutUserPolicy operation: Syntax errors in policy".
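The MalformedPolicyDocument error only shows up after the CLI has already sent the document to IAM. The following added example (not code from the original post) is a small local pre-check you can run on a policy file before calling put-user-policy: it catches the JSON syntax error, checks for the fields an inline policy needs, and flags an Allow on Resource "*" that would turn a per-bucket read policy like read-bucket.json into a much broader grant. The sample policy is the article's read-bucket.json with the MYBUCKET placeholder; the function name is an assumption of this example.

```python
import json

# Constructed sample: the read-bucket.json policy from the article,
# with MYBUCKET left as a placeholder for your own bucket name.
READ_BUCKET_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["s3:Get*", "s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::MYBUCKET", "arn:aws:s3:::MYBUCKET/*"]
    }
  ]
}
"""

def check_policy_document(text):
    """Return the problems found in an IAM policy document (empty list = OK).
    Local pre-check only; IAM still validates the document when it is uploaded."""
    problems = []
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        # Same class of mistake the CLI reports as MalformedPolicyDocument.
        return [f"invalid JSON: {exc.msg} at line {exc.lineno} column {exc.colno}"]
    if doc.get("Version") != "2012-10-17":
        problems.append("Version should be '2012-10-17' (current policy language)")
    statements = doc.get("Statement")
    if not isinstance(statements, list) or not statements:
        return problems + ["Statement must be a non-empty list"]
    for i, st in enumerate(statements):
        if not isinstance(st, dict):
            problems.append(f"Statement {i}: must be a JSON object")
            continue
        if st.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"Statement {i}: Effect must be Allow or Deny")
        if "Action" not in st and "NotAction" not in st:
            problems.append(f"Statement {i}: missing Action")
        if "Resource" not in st and "NotResource" not in st:
            problems.append(f"Statement {i}: missing Resource")
        # Least-privilege flag: Allow on every resource is rarely intended here.
        resources = st.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        if st.get("Effect") == "Allow" and "*" in resources:
            problems.append(f"Statement {i}: Allow on Resource '*' (over-broad)")
    return problems
```

Run it over the file before the put-user-policy call (for example `check_policy_document(open("read-bucket.json").read())`) and only upload when the returned list is empty.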


Deleting Inline Policies from an IAM User with AWS CLI

To get the name of the policy that should get deleted, run the list-user-policies command:

shell
aws iam list-user-policies --user-name YourUser


To delete an inline policy attached to an IAM user using the AWS CLI, run the delete-user-policy command:

shell
aws iam delete-user-policy --user-name YourUser --policy-name YourPolicy


To verify that the inline policy has been deleted from the user, run the list-user-policies command:

shell
aws iam list-user-policies --user-name YourUser

