Attach a Policy to a User with AWS CLI - Complete Guide


Borislav Hadzhiev

Sun Sep 19 2021, 3 min read

Table of Contents #

  1. Attach an Inline Policy to a User with AWS CLI
  2. Attach an AWS Managed Policy to a User with AWS CLI
  3. Attach a Customer Managed Policy to a User with AWS CLI

Attach an Inline Policy to a User with AWS CLI #

IAM policies are JSON documents that define the permissions a principal has on AWS resources, and they can be attached to IAM users, roles and groups. An inline policy is embedded directly in a single user, group or role and is deleted together with it; managed policies (covered in the next two sections) are standalone objects that can be attached to many principals at once.

To attach an inline policy to a user, we have to:

  1. write the policy document and store it in a JSON file on the local file system
  2. run the put-user-policy command, pointing it at that file

Let's create a simple policy that grants some DynamoDB read permissions: dynamodb:GetItem reads single items and dynamodb:List* covers the listing actions (tables, backups, tags). With "Resource": "*" these actions are allowed on every table in the account; in a real policy you would scope the resource to the table ARNs the user actually needs. Create a file called read-dynamodb.json with the following content:

read-dynamodb.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["dynamodb:GetItem", "dynamodb:List*"],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

To attach the policy, open your terminal in the directory where the read-dynamodb.json file is stored and run the put-user-policy command. The policy name is chosen by you and only has to be unique among that user's inline policies; running the command again with the same name overwrites the existing document:

shell
aws iam put-user-policy --user-name YOUR_USER --policy-name YOUR_POLICY_NAME --policy-document file://read-dynamodb.json


To verify the inline policy has been attached to the user, run the list-user-policies command. It returns only the names of the user's inline policies; to read the policy document itself back, use get-user-policy with the same user and policy name.

shell
aws iam list-user-policies --user-name YOUR_USER

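The inline-policy procedure above, scripted end to end, as an added example that is not code from the original post: it writes the same read-dynamodb document, embeds it with put-user-policy, checks the name with list-user-policies and reads the document back with get-user-policy. It assumes AWS CLI v2 with credentials allowed to call iam:PutUserPolicy, iam:ListUserPolicies and iam:GetUserPolicy; the IAM_USER environment variable that selects the user and the policy name read-dynamodb are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes AWS CLI v2 and
# credentials with iam:PutUserPolicy, iam:ListUserPolicies, iam:GetUserPolicy.
set -eu

# Write the policy document (same content as read-dynamodb.json in the post).
# "Resource": "*" is kept to match the post; scope it to table ARNs in production.
write_read_dynamodb_policy() {
  cat > "$1" <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["dynamodb:GetItem", "dynamodb:List*"],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}

# Embed (create or overwrite) the inline policy on the user.
# $1 user name, $2 inline policy name, $3 path to the policy document
put_inline_policy() {
  aws iam put-user-policy \
    --user-name "$1" \
    --policy-name "$2" \
    --policy-document "file://$3"
}

# list-user-policies returns only names; text output is tab-separated, so split
# it into lines and look for an exact match. $1 user name, $2 policy name.
inline_policy_present() {
  aws iam list-user-policies --user-name "$1" \
    --query PolicyNames --output text | tr '\t' '\n' | grep -qx "$2"
}

# get-user-policy returns the stored document, the stronger verification.
# $1 user name, $2 policy name
get_inline_policy_document() {
  aws iam get-user-policy --user-name "$1" --policy-name "$2" \
    --query PolicyDocument --output json
}

# Run the whole procedure only when a user is supplied, e.g.
#   IAM_USER=alice sh attach-inline-policy.sh
if [ -n "${IAM_USER:-}" ]; then
  write_read_dynamodb_policy read-dynamodb.json
  put_inline_policy "$IAM_USER" read-dynamodb read-dynamodb.json
  if inline_policy_present "$IAM_USER" read-dynamodb; then
    echo "inline policy read-dynamodb is attached to $IAM_USER"
    get_inline_policy_document "$IAM_USER" read-dynamodb
  else
    echo "inline policy read-dynamodb not found on $IAM_USER" >&2
    exit 1
  fi
fi
```

The functions take the user and policy names as arguments so the same script can be reused against other users; the IAM_USER guard keeps the file sourceable without side effects. IAM is eventually consistent, so a list or get immediately after a put can, rarely, lag by a few seconds.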

Attach an AWS Managed Policy to a User with AWS CLI #

An AWS managed policy is one that's created and managed by AWS. These policies aim to provide permissions for the most common use cases.

To attach an AWS managed policy to an IAM user with the AWS CLI, use the attach-user-policy command.

Let's attach the AWS managed policy AmazonS3ReadOnlyAccess, which grants read-only access to every S3 bucket in the account, to our user. AWS managed policy ARNs use the literal account placeholder aws instead of an account ID.

shell
aws iam attach-user-policy --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess --user-name YOUR_USER


To verify that the AWS managed policy has been successfully attached to the user, run the list-attached-user-policies command.

shell
aws iam list-attached-user-policies --user-name YOUR_USER


Attach a Customer Managed Policy to a User with AWS CLI #

Customer managed policies are created and managed by you in your own account. Like AWS managed policies, they are standalone objects that can be attached to multiple principals (users, groups and roles) at the same time, and an update to the policy applies to every principal it is attached to.

To attach a customer managed policy to a user with AWS CLI, we have to:

  1. Create the managed policy with the create-policy command and note down the policy's ARN
  2. Use the attach-user-policy command to attach the policy to the user

Let's create a simple policy that grants the rds:Describe* actions, which only return metadata about RDS resources. Store the following content in a read-rds.json file:

read-rds.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["rds:Describe*"],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

To create a customer managed policy, open your terminal in the directory where the read-rds.json file is stored and run the create-policy command.

shell
aws iam create-policy --policy-name read-rds --policy-document file://read-rds.json


Note down the ARN of the policy from the Policy.Arn field of the output, because we'll need it when attaching the policy to the user. Customer managed policy ARNs have the form arn:aws:iam::ACCOUNT_ID:policy/POLICY_NAME.

To attach a customer managed policy to a user, run the attach-user-policy command.

shell
aws iam attach-user-policy --policy-arn YOUR_POLICY_ARN --user-name YOUR_USER


To verify that the customer managed policy has been successfully attached to the user, run the list-attached-user-policies command.

shell
aws iam list-attached-user-policies --user-name YOUR_USER


The output shows both of our managed policies, the AWS managed AmazonS3ReadOnlyAccess and the customer managed read-rds. Inline policies are not included in this list; they are shown by list-user-policies.
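The managed-policy steps of this section and the previous one, scripted end to end, as an added example that is not code from the original post: it creates the read-rds policy and captures its ARN with --query instead of copying it by hand, attaches it together with AmazonS3ReadOnlyAccess, and verifies both with list-attached-user-policies. Re-running it is handled too: create-policy fails with EntityAlreadyExists on the second run, in which case the ARN is rebuilt from the account ID. It assumes AWS CLI v2 with credentials allowed to call iam:CreatePolicy, iam:AttachUserPolicy, iam:ListAttachedUserPolicies and sts:GetCallerIdentity, a policy created with the default path "/", and an IAM_USER environment variable naming the user; the env var and the helper names are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes AWS CLI v2 and
# credentials with iam:CreatePolicy, iam:AttachUserPolicy,
# iam:ListAttachedUserPolicies and sts:GetCallerIdentity.
set -eu

S3_READ_ARN="arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"

# Write the policy document (same content as read-rds.json in the post).
write_read_rds_policy() {
  cat > "$1" <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    { "Action": ["rds:Describe*"], "Effect": "Allow", "Resource": "*" }
  ]
}
EOF
}

# Create the policy and print its ARN. On a re-run create-policy fails with
# EntityAlreadyExists; then rebuild the ARN from the account id, which is
# correct for policies created with the default path "/". Any other error is
# reported and fails the function. $1 policy name, $2 document path
create_or_find_policy() {
  err=$(mktemp)
  if arn=$(aws iam create-policy --policy-name "$1" \
             --policy-document "file://$2" \
             --query Policy.Arn --output text 2>"$err"); then
    printf '%s\n' "$arn"
  elif grep -q EntityAlreadyExists "$err"; then
    account=$(aws sts get-caller-identity --query Account --output text)
    printf 'arn:aws:iam::%s:policy/%s\n' "$account" "$1"
  else
    cat "$err" >&2
    rm -f "$err"
    return 1
  fi
  rm -f "$err"
}

# Attach a managed policy (AWS or customer managed) by ARN. $1 user, $2 ARN
attach_policy() {
  aws iam attach-user-policy --user-name "$1" --policy-arn "$2"
}

# Print the ARN of every managed policy attached to the user, one per line.
attached_policy_arns() {
  aws iam list-attached-user-policies --user-name "$1" \
    --query 'AttachedPolicies[].PolicyArn' --output text | tr '\t' '\n'
}

# Exact-match check for one ARN. $1 user, $2 policy ARN
policy_is_attached() {
  attached_policy_arns "$1" | grep -qx "$2"
}

# Run the whole procedure only when a user is supplied, e.g.
#   IAM_USER=alice sh attach-managed-policies.sh
if [ -n "${IAM_USER:-}" ]; then
  write_read_rds_policy read-rds.json
  rds_arn=$(create_or_find_policy read-rds read-rds.json)
  attach_policy "$IAM_USER" "$rds_arn"
  attach_policy "$IAM_USER" "$S3_READ_ARN"
  for arn in "$rds_arn" "$S3_READ_ARN"; do
    if policy_is_attached "$IAM_USER" "$arn"; then
      echo "attached: $arn"
    else
      echo "missing: $arn" >&2
      exit 1
    fi
  done
fi
```

Capturing the ARN with --query removes the copy-and-paste step and makes the script idempotent, and the error check matters: if create-policy fails for any reason other than EntityAlreadyExists (a malformed document, for instance), the script stops instead of attaching an ARN that does not exist. As with the inline example, IAM is eventually consistent, so the verification read can occasionally lag the write by a few seconds.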
