IAM administration in AWS with PowerShell

Identity and Access Management (IAM) in AWS enables managing users, groups, and their permissions. With IAM, we can create users, remove them, and assign permissions to different services. By using the AWSPowerShell.NetCore module, we are able to perform these tasks from the command line. With reusable code, the administrator can automate and perform these tasks faster.

In this article, I will review many of these scenarios using PowerShell. By the end of the article, you will know how to accomplish the following tasks with PowerShell:

  • Create a user
  • Create a group
  • Find and assign policies
  • Add a user to a group
  • Attach a policy to a user instead of a group
  • Give the user access to the console
  • Give the user access to AWS via PowerShell

We have a lot to get through, so let's get started!

Creating an IAM user ^

I will be carrying out all these tasks with PowerShell. Since I am an admin user, I will require programmatic access. To do this, please refer to a previous article of mine located here.

Discover in PowerShell is made easy with use of the Get-Command cmdlet. Using the following cmdlet reveals we have 138 IAM cmdlets at our disposal:

If we narrow this list down to the verb "New," we have 14 cmdlets. We use the New-IAMUser cmdlet to create a new user:

Creating a new user with the New IAMUser cmdlet

Creating a new user with the New IAMUser cmdlet

The new user we have created does not have any permissions; nor is it a member of any group.

Creating an IAM Group ^

Creating a group with the permissions of a required role is a good way to administer your users. Groups can be created with permissions attached to them. When added to the group, the user inherits these permissions. Creating a group is as straightforward as creating the new user:

Creating a new IAM group

Creating a new IAM group

Finding and assigning polices ^

Once the group is created, we need to find one or more polices that we want to assign to it. AWS comes with many built-in polices and also allows customizing your own. The Get-IAMPolicies command lists all the managed policies that are available in your AWS account. There is no filter on this cmdlet, so a Where-Object cmdlet is required to narrow down the polices for a particular service:

Finding a policy to attach to an IAM group

Finding a policy to attach to an IAM group

To apply the specified policy to the group, use the Register-IAMGroupPolicy cmdlet. The Register-IAMGroupPolicy cmdlet takes pipeline input for the parameter PolicyArn by PropertyName:

Parameter PolicyArn pipeline input

Parameter PolicyArn pipeline input

I mention this because the Get-IAMPolicies cmdlet does not return this property by default. I like to make use of the pipeline in PowerShell. Finding a policy and passing it to the next cmdlet makes for a cleaner process. The simplest way to do this is with an expression on a Select-Object:

I thought this might be a useful technique to demonstrate. There are other ways to achieve this, but this is probably the cleanest way to do it.

The policy, AmazonS3FullAccess, has now been applied to our group, called Storage.

Adding a user to the group ^

Moving the user into the IAM group is a pretty straightforward process. I like to make use of the pipeline to do this, by getting the user and passing it to the Add-IAMUserToGroup cmdlet:

Attaching a policy to the user instead of the group ^

Before continuing to configure our user, I want to demonstrate that you can apply a policy to the user instead of the group. You may be asked to do this on occasion.

In this example, I am adding the PowerUserAccess policy to the user:

Providing the user with access to the console ^

To allow access to the console, we need to create an IAM profile for the new user. This is done with the New-IAMLoginProfile cmdlet. The command below enables the IAM profile for our Test_User. I’ve also set the password to be reset at first login:

Enabling AWS console access

Enabling AWS console access

If you are unsure of password complexity when setting this parameter, then use the

Get-IAMAccountPasswordPolicy cmdlet. This will display all the rules that have been set in the AWS account.

Providing the user access to AWS via PowerShell ^

The last item I will cover in this article is providing the user programmatic access to AWS. Giving the user programmatic access allows access to AWS through API calls and the CLI.

The New-IAMAccessKey cmdlet generates an access key and a secret key. The secret key is only displayed once, so make sure you store it somewhere safe! You will need both these keys to access AWS programmatically.

To create both keys, the New-IAMAccessKey cmdlet only needs the username parameter to be populated:

Creating the access key and the secret key for the command line

Creating the access key and the secret key for the command line

Programmatic access to AWS still honors the same permissions given to the user. So in the case of our Test_User, permissions to S3 are all that is accessible.

Summary ^

The PowerShell cmdlets to administer IAM in AWS are as rich as performing the same tasks in the console. The added advantage to doing these tasks with PowerShell is that it allows for automation. Being able to automate provides performance benefits and a more convenient methodology for the person carrying out these tasks.

Join the 4sysops PowerShell group!

Your question was not answered? Ask in the forum!


Leave a reply

Your email address will not be published. Required fields are marked *


© 4sysops 2006 - 2020


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account