

# Create an IAM user for emergency access
<a name="getting-started-emergency-iam-user"></a>

An *[IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html)* is an identity within your AWS account that has specific permissions for a single person or application. 

Emergency access is one of the recommended reasons to create an IAM user: it gives you a way to sign in to your AWS account when your identity provider isn't accessible.

**Note**  
As a security [best practice](best-practices.md), we recommend that you provide access to your resources through identity federation instead of creating IAM users. For information about specific situations where an IAM user is required, see [When to create an IAM user (instead of a role)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id.html#id_which-to-choose).

## To create an IAM user for emergency access
<a name="getting-started-emergency-iam-user-section-1"></a>

**Minimum permissions**  
To perform the following steps, you must have at least the following IAM permissions:
+ `access-analyzer:ValidatePolicy`
+ `iam:AddUserToGroup`
+ `iam:AttachGroupPolicy`
+ `iam:CreateGroup`
+ `iam:CreateLoginProfile`
+ `iam:CreateUser`
+ `iam:GetAccountPasswordPolicy`
+ `iam:GetLoginProfile`
+ `iam:GetUser`
+ `iam:ListAttachedGroupPolicies`
+ `iam:ListAttachedUserPolicies`
+ `iam:ListGroupPolicies`
+ `iam:ListGroups`
+ `iam:ListGroupsForUser`
+ `iam:ListPolicies`
+ `iam:ListUserPolicies`
+ `iam:ListUsers`

------
#### [ Console ]<a name="gs-proc-iam-user-user"></a>

1. Follow the sign-in procedure appropriate to your user type as described in the topic [How to sign in to AWS](https://docs.aws.amazon.com/signin/latest/userguide/how-to-sign-in.html) in the *AWS Sign-In User Guide*.

1. On the **IAM Console Home** page, in the left navigation pane, enter your query in the **Search IAM** text box.

1. In the navigation pane, select **Users** and then select **Create user**.
**Note**  
If you have IAM Identity Center enabled, the AWS Management Console displays a reminder that it's best to manage users' access in IAM Identity Center. In this procedure, the IAM user you create is specifically for use only when your identity provider is unavailable.

1. On the **Specify user details** page, under **User details**, in **User name**, enter the name for the new user. This is their sign-in name for AWS. For this example, enter **EmergencyAccess**.
**Note**  
User names can be a combination of up to 64 letters, digits, and these characters: plus (+), equal (=), comma (,), period (.), at sign (@), underscore (_), and hyphen (-). Names must be unique within an account. They are not distinguished by case. For example, you cannot create two users named TESTUSER and testuser. When a user name is used in a policy or as part of an ARN, the name is case sensitive. When a user name appears to customers in the console, such as during the sign-in process, the user name is case insensitive.

1. Choose the checkbox next to **Provide user access to the AWS Management Console– *optional*** and then choose **I want to create an IAM user**.

1. Under **Console password**, select **Autogenerated password**.

1. Clear the checkbox next to **User must create a new password at next sign-in (recommended)**. Because this IAM user is for emergency access, a trusted administrator retains the password and only provides it when needed.

1. On the **Set permissions** page, under **Permissions options**, select **Add user to group**. Then, under **User groups**, select **Create group**.

1. On the **Create user group** page, in **User group name**, enter **EmergencyAccessGroup**. Then, under **Permissions policies**, select **AdministratorAccess**.

1. Choose **Create user group** to return to the **Set permissions** page. 

1. Under **User groups**, select the name of the **EmergencyAccessGroup** you created previously.

1. Choose **Next** to proceed to the **Review and create** page.

1. On the **Review and create** page, review the list of user group memberships to be added to the new user. When you are ready to proceed, select **Create user**.

1. On the **Retrieve password** page, select **Download .csv file** to save a .csv file with the user credential information (Connection URL, username, and password).

1. Save this file so that you can sign in to IAM if you don't have access to your identity provider.

The new IAM user is displayed in the **Users** list. Select the **User name** link to view the user details. 

------
#### [ AWS CLI ]

1. Create a user named **EmergencyAccess**.
   + [aws iam create-user](https://docs.aws.amazon.com/cli/latest/reference/iam/create-user.html)

   ```
   aws iam create-user \
      --user-name EmergencyAccess
   ```

1. (Optional) Give the user access to the AWS Management Console. This requires a password. To create a password for an IAM user, you can use the `--cli-input-json` parameter to pass a JSON file that contains the password. You must also give the user the [URL of your account's sign-in page](id_users_sign-in.md).
   +  [aws iam create-login-profile](https://docs.aws.amazon.com/cli/latest/reference/iam/create-login-profile.html)

     ```
     aws iam create-login-profile \
        --generate-cli-skeleton > create-login-profile.json
     ```
   + Open the `create-login-profile.json` file in a text editor and enter a password that complies with your password policy, then save the file. For example: 

     ```
     {
      "UserName": "EmergencyAccess",
      "Password": "Ex@3dRA0djs",
      "PasswordResetRequired": false
     }
     ```
   + Use the `aws iam create-login-profile` command again, passing the `--cli-input-json` parameter to specify your JSON file.

     ```
     aws iam create-login-profile \
        --cli-input-json file://create-login-profile.json
     ```
**Note**  
If the password you provided in the JSON file violates your account's password policy, you will receive a `PasswordPolicyViolation` error. If this happens, review the [password policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html#default-policy-details) for your account and update the password in the JSON file to comply with the requirements.

1. Create the **EmergencyAccessGroup**, attach the AWS managed policy `AdministratorAccess` to the group, and add the **EmergencyAccess** user to the group. 
**Note**  
An *AWS managed policy* is a standalone policy that is created and administered by AWS. Each policy has its own Amazon Resource Name (ARN) that includes the policy name. For example, `arn:aws:iam::aws:policy/IAMReadOnlyAccess` is an AWS managed policy. For more information about ARNs, see [IAM ARNs](reference_identifiers.md#identifiers-arns). For a list of AWS managed policies for AWS services, see [AWS managed policies](https://docs.aws.amazon.com//aws-managed-policy/latest/reference/policy-list.html).
   + [aws iam create-group](https://docs.aws.amazon.com/cli/latest/reference/iam/create-group.html) 

     ```
     aws iam create-group \
        --group-name EmergencyAccessGroup
     ```
   + [aws iam attach-group-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/attach-group-policy.html)

     ```
     aws iam attach-group-policy \
        --policy-arn arn:aws:iam::aws:policy/AdministratorAccess \
        --group-name EmergencyAccessGroup
     ```
   + [aws iam add-user-to-group](https://docs.aws.amazon.com/cli/latest/reference/iam/add-user-to-group.html) 

     ```
     aws iam add-user-to-group \
        --user-name EmergencyAccess \
        --group-name EmergencyAccessGroup
     ```
   + Run the [aws iam get-group](https://docs.aws.amazon.com/cli/latest/reference/iam/get-group.html) command to list the **EmergencyAccessGroup** and its members.

     ```
     aws iam get-group \
        --group-name EmergencyAccessGroup
     ```
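
The AWS CLI steps above, combined into one script, as an added example that is not part of the AWS documentation or of the AWS CLI itself. It performs the same procedure as the console tab: create the user, create the login profile from a `--cli-input-json` document, create the group, attach `AdministratorAccess`, add the user, and list the group. It assumes the AWS CLI is installed and that the caller holds the minimum permissions listed at the top of the page. The function and variable names (`run_aws`, `login_profile_json`, `password_meets_default_policy`, `create_emergency_access_user`, `DRY_RUN`, `EMERGENCY_PASSWORD`, `IAM_USER_NAME`, `IAM_GROUP_NAME`) are this example's own. The local password check implements the IAM default password policy from the linked topic (8 to 128 characters and at least three of the four character classes); an account with a custom policy can be stricter, in which case the API still returns the `PasswordPolicyViolation` error described in the note above.

```shell
#!/bin/sh
# Added example (not AWS documentation code): runs the CLI procedure above end
# to end. Assumes the AWS CLI is installed and the caller has the minimum
# permissions listed at the top of the page. All function and variable names
# here are this example's own.
set -eu

IAM_USER_NAME="${IAM_USER_NAME:-EmergencyAccess}"
IAM_GROUP_NAME="${IAM_GROUP_NAME:-EmergencyAccessGroup}"
POLICY_ARN="arn:aws:iam::aws:policy/AdministratorAccess"

# Every AWS CLI call goes through this wrapper so the whole procedure can be
# rehearsed with DRY_RUN=1 (commands are printed, not executed) before it
# touches the account.
run_aws() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'aws %s\n' "$*"
  else
    aws "$@"
  fi
}

# Local pre-check against the IAM default password policy (8 to 128 characters
# and at least three of: uppercase, lowercase, digits, the listed symbols), so
# a PasswordPolicyViolation is caught before the user is half-created. An
# account with a custom, stricter policy can still reject the password.
password_meets_default_policy() {
  pw="$1"
  [ "${#pw}" -ge 8 ] && [ "${#pw}" -le 128 ] || return 1
  classes=0
  printf '%s' "$pw" | grep -q '[[:upper:]]' && classes=$((classes + 1))
  printf '%s' "$pw" | grep -q '[[:lower:]]' && classes=$((classes + 1))
  printf '%s' "$pw" | grep -q '[[:digit:]]' && classes=$((classes + 1))
  printf '%s' "$pw" | grep -q "[]!@#\$%^&*()_+=[{}|'-]" && classes=$((classes + 1))
  [ "$classes" -ge 3 ]
}

# Build the --cli-input-json document for create-login-profile. The password
# comes from the EMERGENCY_PASSWORD variable instead of being written into the
# script; PasswordResetRequired is false because a trusted administrator keeps
# this password, as the console procedure explains.
login_profile_json() {
  escaped=$(printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g')
  printf '{\n  "UserName": "%s",\n  "Password": "%s",\n  "PasswordResetRequired": false\n}\n' \
    "$IAM_USER_NAME" "$escaped"
}

create_emergency_access_user() {
  pw="${EMERGENCY_PASSWORD:?set EMERGENCY_PASSWORD to the console password for $IAM_USER_NAME}"
  if ! password_meets_default_policy "$pw"; then
    echo "password does not meet the IAM default password policy" >&2
    return 1
  fi

  run_aws iam create-user --user-name "$IAM_USER_NAME"

  # Keep the JSON (and the password in it) in a private temp file only for the
  # duration of the call, then remove it so no credential is left on disk.
  json=$(mktemp)
  login_profile_json "$pw" > "$json"
  run_aws iam create-login-profile --cli-input-json "file://$json"
  rm -f "$json"

  run_aws iam create-group --group-name "$IAM_GROUP_NAME"
  run_aws iam attach-group-policy --policy-arn "$POLICY_ARN" --group-name "$IAM_GROUP_NAME"
  run_aws iam add-user-to-group --user-name "$IAM_USER_NAME" --group-name "$IAM_GROUP_NAME"
  # Verify: list the group and its members, as the last CLI step does.
  run_aws iam get-group --group-name "$IAM_GROUP_NAME"
}

case "${1:-}" in
  --apply)   create_emergency_access_user ;;
  --dry-run) DRY_RUN=1; create_emergency_access_user ;;
  *)         echo "usage: $0 --dry-run | --apply" >&2 ;;
esac
```

Run it once with `--dry-run` to see the exact commands it would issue, then with `--apply`. Passing the password through an environment variable and a short-lived temp file keeps it out of the shell history and out of a file that lingers next to the script; the downloaded or recorded password still has to be stored by the trusted administrator, as the console procedure notes.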

------