

# Use cases for IAM users
<a name="gs-identities-iam-users"></a>

IAM users that you create in your AWS account have long-term credentials that you manage directly.

When it comes to managing access in AWS, IAM users are generally not the best choice. There are a few key reasons why you should avoid relying on IAM users for most of your use cases.

First, IAM users are designed for individual accounts, so they don't scale well as your organization grows. Managing permissions and security for a large number of IAM users can quickly become a challenge.

IAM users also lack the centralized visibility and auditing capabilities that you get with other AWS identity management solutions. This can make it more challenging to maintain security and regulatory compliance.

Finally, implementing security best practices like multi-factor authentication, password policies, and role separation is much easier with more scalable identity management approaches.

Instead of relying on IAM users, we recommend using more robust solutions like IAM Identity Center with AWS Organizations, or federated identities from external providers. These options will give you better control, security, and operational efficiency as your AWS environment grows.

As a result, we recommend that you only use IAM users for [use cases not supported by federated users](https://docs.aws.amazon.com//IAM/latest/UserGuide/id.html#id_which-to-choose). 

The following list identifies the specific use cases that require long-term credentials with IAM users in AWS. You can use IAM to create these IAM users under the umbrella of your AWS account, and use IAM to manage their permissions. 
+ Emergency access to your AWS account
+ Workloads that can't use IAM roles
  + AWS CodeCommit access
  + Amazon Keyspaces (for Apache Cassandra) access
+ Third-party AWS clients
+ AWS IAM Identity Center isn't available for your account and you have no other identity provider



# Create an IAM user for emergency access
<a name="getting-started-emergency-iam-user"></a>

An *[IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html)* is an identity within your AWS account that has specific permissions for a single person or application. 

Emergency access is one of the recommended reasons to create an IAM user: it lets you access your AWS account if your identity provider isn't accessible.

**Note**  
As a security [best practice](best-practices.md), we recommend that you provide access to your resources through identity federation instead of creating IAM users. For information about specific situations where an IAM user is required, see [When to create an IAM user (instead of a role)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id.html#id_which-to-choose).

## To create an IAM user for emergency access
<a name="getting-started-emergency-iam-user-section-1"></a>

**Minimum permissions**  
To perform the following steps, you must have at least the following IAM permissions:  
`access-analyzer:ValidatePolicy`
`iam:AddUserToGroup`
`iam:AttachGroupPolicy`
`iam:CreateGroup`
`iam:CreateLoginProfile`
`iam:CreateUser`
`iam:GetAccountPasswordPolicy`
`iam:GetLoginProfile`
`iam:GetUser`
`iam:ListAttachedGroupPolicies`
`iam:ListAttachedUserPolicies`
`iam:ListGroupPolicies`
`iam:ListGroups`
`iam:ListGroupsForUser`
`iam:ListPolicies`
`iam:ListUserPolicies`
`iam:ListUsers`

------
#### [ Console ]<a name="gs-proc-iam-user-user"></a>

1. Follow the sign-in procedure appropriate to your user type as described in the topic [How to sign in to AWS](https://docs.aws.amazon.com/signin/latest/userguide/how-to-sign-in.html) in the *AWS Sign-In User Guide*.

1. On the **IAM Console Home** page, in the left navigation pane, enter your query in the **Search IAM** text box.

1. In the navigation pane, select **Users** and then select **Create user**.
**Note**  
If you have IAM Identity Center enabled, the AWS Management Console displays a reminder that it's best to manage users' access in IAM Identity Center. In this procedure, the IAM user you create is specifically for use only when your identity provider is unavailable.

1. On the **Specify user details** page, under **User details**, in **User name**, enter the name for the new user. This is their sign-in name for AWS. For this example, enter **EmergencyAccess**.
**Note**  
User names can be a combination of up to 64 letters, digits, and these characters: plus (+), equal (=), comma (,), period (.), at sign (@), underscore (\_), and hyphen (-). Names must be unique within an account. They are not distinguished by case. For example, you cannot create two users named TESTUSER and testuser. When a user name is used in a policy or as part of an ARN, the name is case sensitive. When a user name appears to customers in the console, such as during the sign-in process, the user name is case insensitive.

1. Choose the checkbox next to **Provide user access to the AWS Management Console– *optional*** and then choose **I want to create an IAM user**.

1. Under **Console password**, select **Autogenerated password**.

1. Clear the checkbox next to **User must create a new password at next sign-in (recommended)**. Because this IAM user is for emergency access, a trusted administrator retains the password and only provides it when needed.

1. On the **Set permissions** page, under **Permissions options**, select **Add user to group**. Then, under **User groups**, select **Create group**.

1. On the **Create user group** page, in **User group name**, enter **EmergencyAccessGroup**. Then, under **Permissions policies**, select **AdministratorAccess**.

1. Choose **Create user group** to return to the **Set permissions** page. 

1. Under **User groups**, select the name of the **EmergencyAccessGroup** you created previously.

1. Choose **Next** to proceed to the **Review and create** page.

1. On the **Review and create** page, review the list of user group memberships to be added to the new user. When you are ready to proceed, select **Create user**.

1. On the **Retrieve password** page, select **Download .csv file** to save a .csv file with the user credential information (Connection URL, username, and password).

1. Save this file to use if you need to sign in to IAM and don't have access to your identity provider.

The new IAM user is displayed in the **Users** list. Select the **User name** link to view the user details. 

------
#### [ AWS CLI ]

1. Create a user named **EmergencyAccess**.
   + [aws iam create-user](https://docs.aws.amazon.com/cli/latest/reference/iam/create-user.html)

   ```
   aws iam create-user \
      --user-name EmergencyAccess
   ```

1. (Optional) Give the user access to the AWS Management Console. This requires a password. To create a password for an IAM user, you can use the `--cli-input-json` parameter to pass a JSON file that contains the password. You must also give the user the [URL of your account's sign-in page](id_users_sign-in.md).
   +  [aws iam create-login-profile](https://docs.aws.amazon.com/cli/latest/reference/iam/create-login-profile.html)

     ```
     aws iam create-login-profile \
        --generate-cli-skeleton > create-login-profile.json
     ```
   + Open the `create-login-profile.json` file in a text editor and enter a password that complies with your password policy, then save the file. For example: 

     ```
     {
      "UserName": "EmergencyAccess",
      "Password": "Ex@3dRA0djs",
      "PasswordResetRequired": false
     }
     ```
   + Use the `aws iam create-login-profile` command again, passing the `--cli-input-json` parameter to specify your JSON file.

     ```
     aws iam create-login-profile \
        --cli-input-json file://create-login-profile.json
     ```
**Note**  
If the password you provided in the JSON file violates your account's password policy, you will receive a `PasswordPolicyViolation` error. If this happens, review the [password policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html#default-policy-details) for your account and update the password in the JSON file to comply with the requirements.

1. Create the **EmergencyAccessGroup**, attach the AWS managed policy `AdministratorAccess` to the group, and add the **EmergencyAccess** user to the group. 
**Note**  
An *AWS managed policy* is a standalone policy that is created and administered by AWS. Each policy has its own Amazon Resource Name (ARN) that includes the policy name. For example, `arn:aws:iam::aws:policy/IAMReadOnlyAccess` is an AWS managed policy. For more information about ARNs, see [IAM ARNs](reference_identifiers.md#identifiers-arns). For a list of AWS managed policies for AWS services, see [AWS managed policies](https://docs.aws.amazon.com//aws-managed-policy/latest/reference/policy-list.html).
   + [aws iam create-group](https://docs.aws.amazon.com/cli/latest/reference/iam/create-group.html) 

     ```
     aws iam create-group \
        --group-name EmergencyAccessGroup
     ```
   + [aws iam attach-group-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/attach-group-policy.html)

     ```
     aws iam attach-group-policy \
        --policy-arn arn:aws:iam::aws:policy/AdministratorAccess \
        --group-name EmergencyAccessGroup
     ```
   + [aws iam add-user-to-group](https://docs.aws.amazon.com/cli/latest/reference/iam/add-user-to-group.html) 

     ```
     aws iam add-user-to-group \
        --user-name EmergencyAccess \
        --group-name EmergencyAccessGroup
     ```
   + Run the [aws iam get-group](https://docs.aws.amazon.com/cli/latest/reference/iam/get-group.html) command to list the **EmergencyAccessGroup** and its members.

     ```
     aws iam get-group \
        --group-name EmergencyAccessGroup
     ```
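Before calling `aws iam create-login-profile`, you can check the candidate user name and password locally against the constraints this guide describes (the user-name character rules and the account password policy) and avoid a `PasswordPolicyViolation` round trip. The following bash script is an added example, not part of the AWS documentation or the AWS CLI; the policy JSON it parses is a constructed sample in the shape returned by `aws iam get-account-password-policy`, and the function names are my own.

```shell
#!/usr/bin/env bash
# Added example: local pre-flight checks for an IAM user name and console
# password. Not part of the AWS CLI. The policy below is a CONSTRUCTED sample
# in the shape that `aws iam get-account-password-policy` returns.
SAMPLE_POLICY='{
  "PasswordPolicy": {
    "MinimumPasswordLength": 12,
    "RequireSymbols": true,
    "RequireNumbers": true,
    "RequireUppercaseCharacters": true,
    "RequireLowercaseCharacters": true,
    "AllowUsersToChangePassword": true,
    "ExpirePasswords": false
  }
}'

# Print the scalar value of one "Key": value pair from the policy JSON.
# Assumes one pair per line, which is how the CLI pretty-prints JSON.
policy_field() {
  printf '%s\n' "$1" | sed -n "s/.*\"$2\": *\([^,}]*\).*/\1/p" | tr -d ' "'
}

# IAM user names: 1-64 characters drawn from letters, digits and + = , . @ _ -
valid_iam_user_name() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+=,.@_-]{1,64}$'
}

# Return 0 if the password satisfies the policy, 1 otherwise (reason on stderr).
password_meets_policy() {
  local policy="$1" pw="$2" minlen
  minlen=$(policy_field "$policy" MinimumPasswordLength)
  if [ "${#pw}" -lt "${minlen:-8}" ]; then
    echo "password shorter than MinimumPasswordLength=$minlen" >&2; return 1
  fi
  # IAM counts these characters as symbols: ! @ # $ % ^ & * ( ) _ + - = [ ] { } | '
  if [ "$(policy_field "$policy" RequireSymbols)" = true ] &&
     ! printf '%s' "$pw" | grep -q "[]!@#\$%^&*()_+={}|'[-]"; then
    echo "RequireSymbols not satisfied" >&2; return 1
  fi
  if [ "$(policy_field "$policy" RequireNumbers)" = true ] &&
     ! printf '%s' "$pw" | grep -q '[[:digit:]]'; then
    echo "RequireNumbers not satisfied" >&2; return 1
  fi
  if [ "$(policy_field "$policy" RequireUppercaseCharacters)" = true ] &&
     ! printf '%s' "$pw" | grep -q '[[:upper:]]'; then
    echo "RequireUppercaseCharacters not satisfied" >&2; return 1
  fi
  if [ "$(policy_field "$policy" RequireLowercaseCharacters)" = true ] &&
     ! printf '%s' "$pw" | grep -q '[[:lower:]]'; then
    echo "RequireLowercaseCharacters not satisfied" >&2; return 1
  fi
  return 0
}

# Demo: the 11-character password from this guide's JSON example fails the
# sample policy's 12-character minimum; one more character makes it pass.
for candidate in 'Ex@3dRA0djs' 'Ex@3dRA0djs1'; do
  if valid_iam_user_name EmergencyAccess && password_meets_policy "$SAMPLE_POLICY" "$candidate"; then
    echo "OK: $candidate is safe to put in create-login-profile.json"
  else
    echo "rejected: $candidate"
  fi
done
```

In real use, replace `SAMPLE_POLICY` with `$(aws iam get-account-password-policy)`; if the account has no custom policy that command returns a `NoSuchEntity` error and the default policy described at the link above applies instead.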

------

# Create an IAM user for workloads that can't use IAM roles
<a name="getting-started-workloads"></a>

**Important**  
As a [best practice](best-practices.md#lock-away-credentials), we recommend you require your human users to use [temporary credentials](id_credentials_temp.md) when accessing AWS.  
Alternatively, you can manage your user identities, including your administrative user, with [AWS IAM Identity Center](https://docs.aws.amazon.com//singlesignon/latest/userguide/getting-started.html). We recommend you use IAM Identity Center to manage access to your accounts and permissions within those accounts. If you are using an external identity provider, you can also configure the access permissions for user identities in IAM Identity Center.

If your use case requires IAM users with programmatic access and long-term credentials, we recommend that you establish procedures to update access keys when needed. For more information, see [Update access keys](id-credentials-access-keys-update.md).

To perform some account and service management tasks, you must sign in using root user credentials. To view the tasks that require you to sign in as the root user, see [Tasks that require root user credentials](id_root-user.md#root-user-tasks).

## To create an IAM user for workloads that can't use IAM roles
<a name="getting-started-workloads-section-1"></a>

**Minimum permissions**  
To perform the following steps, you must have at least the following IAM permissions:  
`iam:AddUserToGroup`
`iam:AttachGroupPolicy`
`iam:CreateAccessKey`
`iam:CreateGroup`
`iam:CreateServiceSpecificCredential`
`iam:CreateUser`
`iam:GetAccessKeyLastUsed`
`iam:GetAccountPasswordPolicy`
`iam:GetAccountSummary`
`iam:GetGroup`
`iam:GetLoginProfile`
`iam:GetPolicy`
`iam:GetRole`
`iam:GetUser`
`iam:ListAccessKeys`
`iam:ListAttachedGroupPolicies`
`iam:ListAttachedUserPolicies`
`iam:ListGroupPolicies`
`iam:ListGroups`
`iam:ListGroupsForUser`
`iam:ListInstanceProfilesForRole`
`iam:ListMFADevices`
`iam:ListPolicies`
`iam:ListRoles`
`iam:ListRoleTags`
`iam:ListSSHPublicKeys`
`iam:ListServiceSpecificCredentials`
`iam:ListSigningCertificates`
`iam:ListUserPolicies`
`iam:ListUserTags`
`iam:ListUsers`
`iam:UploadSSHPublicKey`
`iam:UploadSigningCertificate`

------
#### [ Console ]

1. Follow the sign-in procedure appropriate to your user type as described in the topic [How to sign in to AWS](https://docs.aws.amazon.com/signin/latest/userguide/how-to-sign-in.html) in the *AWS Sign-In User Guide*.

1. On the **IAM Console Home** page, in the left navigation pane, enter your query in the **Search IAM** text box.

1. In the navigation pane, choose **Users** and then choose **Create users**.

1. On the **Specify user details** page, do the following:

   1. For **User name**, type ***WorkloadName***. Replace ***WorkloadName*** with the name of the workload that will be using the account.

   1. Choose **Next**.

1. (Optional) On the **Set Permissions** page, do the following:

   1. Choose **Add user to group**.

   1. Choose **Create group**.

   1. In the **Create user group** dialog box, for **User group name** type a name that represents the use of the workloads in the group. For this example, use the name **Automation**.

   1. Under **Permissions policies** select the checkbox for the **PowerUserAccess** managed policy.
**Tip**  
Enter *Power* into the **Permissions policies** search box to quickly find the managed policy.

   1. Choose **Create user group**.

   1. Back on the page with the list of IAM groups, select the checkbox for your new user group. Choose **Refresh** if you don't see the new user group in the list.

   1. Choose **Next**.

1. (Optional) In the **Tags** section, add metadata to the user by attaching tags as key-value pairs. For more information, see [Tags for AWS Identity and Access Management resources](id_tags.md).

1. Verify the user group memberships for the new user. When you are ready to proceed, choose **Create user**.

1. A status notification appears informing you that the user was created successfully. Select **View user** to go to the user details page.

1. Select the **Security credentials** tab. Then create the credentials needed for the workload.
   + **Access keys**–Select **Create access key** to generate and download access keys for the user.
**Important**  
This is your only opportunity to view or download the secret access keys, and you must provide this information to your users before they can use the AWS API. Save the user's new access key ID and secret access key in a safe and secure place. **You will not have access to the secret keys again after this step.** 
   + **SSH public keys for AWS CodeCommit**–Select **Upload SSH public key** to upload an SSH public key so that the user can communicate with CodeCommit repositories over SSH.
   + **HTTPS Git credentials for AWS CodeCommit**–Select **Generate credentials** to generate a unique set of user credentials to use with Git repositories. Select **Download credentials** to save the user name and password to a .csv file. This is the only time that information is available. If you forget or lose the password you will need to reset it.
   + **Credentials for Amazon Keyspaces (for Apache Cassandra)**–Select **Generate credentials** to generate service-specific user credentials to use with Amazon Keyspaces. Select **Download credentials** to save the user name and password to a .csv file. This is the only time that information is available. If you forget or lose the password you will need to reset it.
**Important**  
Service-specific credentials are long-term credentials associated with a specific IAM user and can only be used for the service they were created for. To give IAM roles or federated identities permissions to access all your AWS resources using temporary credentials, use AWS authentication with the SigV4 authentication plugin for Amazon Keyspaces. For more information, see [Using temporary credentials to connect to Amazon Keyspaces (for Apache Cassandra) using an IAM role and the SigV4 plugin](https://docs.aws.amazon.com/keyspaces/latest/devguide/access.credentials.html#temporary.credentials.IAM) in the *Amazon Keyspaces (for Apache Cassandra) Developer Guide*. 
   + **X.509 Signing certificates**–Select **Create X.509 Certificate** if you need to make secure SOAP-protocol requests and are in a Region that's not supported by AWS Certificate Manager. ACM is the preferred tool to provision, manage, and deploy your server certificates. For more information about using ACM, see [https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html](https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html).

You have created a user with programmatic access and configured it with the **PowerUserAccess** job function. This user's permissions policy grants full access to every service except for IAM and AWS Organizations.

You can use this same process to give additional workloads programmatic access to your AWS account resources, if the workloads are unable to assume IAM roles. This procedure used the **PowerUserAccess** managed policy to assign permissions. To follow the best practice of least privilege, consider using a more restrictive policy or creating a custom policy that restricts access to only resources required by the program. To learn about using policies that restrict user permissions to specific AWS resources, see [Access management for AWS resources](access.md) and [Example IAM identity-based policies](access_policies_examples.md). To add additional users to the user group after it's created, see [Edit users in IAM groups](id_groups_manage_add-remove-users.md).

------
#### [ AWS CLI ]

1. Create a user named **Automation**.
   + [aws iam create-user](https://docs.aws.amazon.com/cli/latest/reference/iam/create-user.html)

   ```
   aws iam create-user \
      --user-name Automation
   ```

1. Create an IAM user group named **AutomationGroup**, attach the AWS managed policy `PowerUserAccess` to the group, and then add the **Automation** user to the group. 
**Note**  
An *AWS managed policy* is a standalone policy that is created and administered by AWS. Each policy has its own Amazon Resource Name (ARN) that includes the policy name. For example, `arn:aws:iam::aws:policy/IAMReadOnlyAccess` is an AWS managed policy. For more information about ARNs, see [IAM ARNs](reference_identifiers.md#identifiers-arns). For a list of AWS managed policies for AWS services, see [AWS managed policies](https://docs.aws.amazon.com//aws-managed-policy/latest/reference/policy-list.html).
   + [aws iam create-group](https://docs.aws.amazon.com/cli/latest/reference/iam/create-group.html) 

     ```
     aws iam create-group \
        --group-name AutomationGroup
     ```
   + [aws iam attach-group-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/attach-group-policy.html)

     ```
     aws iam attach-group-policy \
        --policy-arn arn:aws:iam::aws:policy/PowerUserAccess \
        --group-name AutomationGroup
     ```
   + [aws iam add-user-to-group](https://docs.aws.amazon.com/cli/latest/reference/iam/add-user-to-group.html) 

     ```
     aws iam add-user-to-group \
        --user-name Automation \
        --group-name AutomationGroup
     ```
   + Run the [aws iam get-group](https://docs.aws.amazon.com/cli/latest/reference/iam/get-group.html) command to list the **AutomationGroup** and its members.

     ```
     aws iam get-group \
        --group-name AutomationGroup
     ```

1. Create the security credentials needed for the workload.
   + **Create access keys for testing**–[aws iam create-access-key](https://docs.aws.amazon.com/cli/latest/reference/iam/create-access-key.html)

     ```
     aws iam create-access-key \
        --user-name Automation
     ```

     The output of this command displays the secret access key and the access key ID. Record and store this information in a secure location. If these credentials are lost, they can't be recovered, and you must create a new access key.
**Important**  
These IAM user access keys are long-term credentials that present a security risk to your account. After you have completed testing, we recommend that you delete these access keys. If you have scenarios in which you are considering access keys, investigate whether you can enable MFA for your workload IAM user and use [aws sts get-session-token](https://docs.aws.amazon.com/cli/latest/reference/sts/get-session-token.html) to obtain temporary credentials for the session instead of using IAM access keys.
   + **Upload SSH public keys for AWS CodeCommit**–[aws iam upload-ssh-public-key](https://docs.aws.amazon.com/cli/latest/reference/iam/upload-ssh-public-key.html)

     The following example assumes that you have your SSH public keys stored in the file `sshkey.pub`.

     ```
     aws iam upload-ssh-public-key \
        --user-name Automation \
        --ssh-public-key-body file://sshkey.pub
     ```
   + **Upload an X.509 signing certificate**–[aws iam upload-signing-certificate](https://docs.aws.amazon.com/cli/latest/reference/iam/upload-signing-certificate.html)

     Upload an X.509 certificate if you need to make secure SOAP-protocol requests and are in a Region that's not supported by AWS Certificate Manager. ACM is the preferred tool to provision, manage, and deploy your server certificates. For more information about using ACM, see [https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html](https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html).

     The following example assumes that you have your X.509 signing certificate stored in the file `certificate.pem`.

     ```
     aws iam upload-signing-certificate \
        --user-name Automation \
        --certificate-body file://certificate.pem
     ```

You can use this same process to give additional workloads programmatic access to your AWS account resources, if the workloads are unable to assume IAM roles. This procedure used the **PowerUserAccess** managed policy to assign permissions. To follow the best practice of least privilege, consider using a more restrictive policy or creating a custom policy that restricts access to only resources required by the program. To learn about using policies that restrict user permissions to specific AWS resources, see [Access management for AWS resources](access.md) and [Example IAM identity-based policies](access_policies_examples.md). To add additional users to the user group after it's created, see [Edit users in IAM groups](id_groups_manage_add-remove-users.md).
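This guide asks you to establish a procedure for updating access keys and to delete test keys once you are done with them. As an added example (not part of the AWS documentation or the AWS CLI), the following bash script finds Active access keys older than a cutoff date in the text output of `aws iam list-access-keys` and prints the deactivate-then-delete commands for them. The three input rows are constructed, the key IDs are documentation placeholders, and the function names and the 2024-03-01 cutoff are my own.

```shell
#!/usr/bin/env bash
# Added example: flag long-lived Active access keys so they can be rotated or
# deleted. Not part of the AWS CLI. Input is the text form of
#   aws iam list-access-keys --user-name <name> --output text
# which prints one tab-separated row per key, columns in alphabetical order:
#   ACCESSKEYMETADATA  AccessKeyId  CreateDate  Status  UserName
# The rows below are CONSTRUCTED; the key IDs are documentation placeholders.
sample_list_access_keys() {
  printf 'ACCESSKEYMETADATA\t%s\t%s\t%s\tAutomation\n' \
    AKIAIOSFODNN7EXAMPLE 2023-11-02T14:30:00+00:00 Active \
    AKIAI44QH8DHBEXAMPLE 2024-05-20T09:12:45+00:00 Active \
    AKIAEXAMPLEKEY000003 2023-01-01T00:00:00+00:00 Inactive
}

# Print "<AccessKeyId>\t<CreateDate>" for every Active key created before
# CUTOFF (YYYY-MM-DD). Reads list-access-keys text output on stdin.
stale_active_keys() {
  local cutoff="$1" tag id created status user
  while IFS=$'\t' read -r tag id created status user; do
    [ "$tag" = ACCESSKEYMETADATA ] && [ "$status" = Active ] || continue
    # ISO-8601 dates compare correctly as plain strings, so no date parsing is needed
    if [[ "${created%%T*}" < "$cutoff" ]]; then
      printf '%s\t%s\n' "$id" "$created"
    fi
  done
}

# Emit the remediation the guide recommends: deactivate first (reversible, so a
# still-used key can be switched back on), then delete once nothing breaks.
# The commands are printed for review, not executed.
rotation_commands() {
  local user="$1" id created
  while IFS=$'\t' read -r id created; do
    echo "# $id created $created"
    echo "aws iam update-access-key --user-name $user --access-key-id $id --status Inactive"
    echo "aws iam delete-access-key --user-name $user --access-key-id $id"
  done
}

# Demo with a fixed cutoff. In real use pipe the live CLI output instead of the
# sample, and compute the cutoff, e.g. $(date -u -d '90 days ago' +%F) with GNU date.
sample_list_access_keys | stale_active_keys 2024-03-01 | rotation_commands Automation
```

Only the key created in 2023 is still Active and older than the cutoff, so the demo prints the two commands for `AKIAIOSFODNN7EXAMPLE`; the Inactive key is skipped because it is already on its way out.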

------