

# Manage passwords for IAM users
<a name="id_credentials_passwords_admin-change-user"></a>

IAM users who use the AWS Management Console to work with AWS resources must have a password in order to sign in. You can create, change, or delete a password for an IAM user in your AWS account. 

After you have assigned a password to a user, the user can sign in to the AWS Management Console using the sign-in URL for your account, which looks like this: 

```
https://12-digit-AWS-account-ID or alias.signin.aws.amazon.com/console
```

For more information about how IAM users sign in to the AWS Management Console, see [How to sign in to AWS](https://docs.aws.amazon.com/signin/latest/userguide/how-to-sign-in.html) in the *AWS Sign-In User Guide*. 

Even if your users have their own passwords, they still need permissions to access your AWS resources. By default, a user has no permissions. To give your users the permissions they need, you assign policies to them or to the groups they belong to. For information about creating users and groups, see [IAM Identities](id.md). For information about using policies to set permissions, see [Change permissions for an IAM user](id_users_change-permissions.md). 

You can grant users permission to change their own passwords. For more information, see [Permit IAM users to change their own passwords](id_credentials_passwords_enable-user-change.md). For information about how users access your account sign-in page, see [How to sign in to AWS](https://docs.aws.amazon.com/signin/latest/userguide/how-to-sign-in.html) in the *AWS Sign-In User Guide*. 

**Topics**
+ [Creating, changing, or deleting an IAM user password (console)](#id_credentials_passwords_admin-change-user_console)

## Creating, changing, or deleting an IAM user password (console)
<a name="id_credentials_passwords_admin-change-user_console"></a>

You can use the AWS Management Console to manage passwords for your IAM users.

The access needs of your users can change over time. You might need to enable a user intended for CLI access to have console access, change a user's password because they receive the email with their credentials, or delete a user when they leave your organization or no longer need AWS access. 

### To create an IAM user password (console)
<a name="id_credentials_passwords_admin-change-user-section-1"></a>

Use this procedure to give a user console access by creating a password that is associated with the username.

------
#### [ Console ]

1. Follow the sign-in procedure appropriate to your user type as described in the topic [How to sign in to AWS](https://docs.aws.amazon.com/signin/latest/userguide/how-to-sign-in.html) in the *AWS Sign-In User Guide*.

1. On the **IAM Console Home** page, in the left navigation pane, enter your query in the **Search IAM** text box.

1. In the navigation pane, choose **Users**.

1. Choose the name of the user whose password you want to create. 

1. Choose the **Security credentials** tab, and then under **Console sign-in**, choose **Enable console access**.

1. In the **Enable console access** dialog box, select **Reset password**, then choose whether to have IAM generate a password or create a custom password: 
   + To have IAM generate a password, choose **Autogenerated password**.
   + To create a custom password, choose **Custom password**, and type the password. 
**Note**  
The password that you create must meet the account's [password policy](id_credentials_passwords_account-policy.md).

1. To require the user to create a new password when signing in, choose **Require password change at the next sign-in**. 

1. To require the user to use the new password immediately, select **Revoke active console sessions**. This attaches an inline policy to the IAM user that denies the user access to resources if their credentials are older than the time specified by the policy.

1. Choose **Reset password**.

1. The **Console password** dialog informs you that you have enabled the user's new password. To view the password so you can share it with the user, choose **Show** in the **Console password** dialog box. Select **Download .csv file** to download a file with the user's credentials.
**Important**  
For security reasons, you cannot access the password after completing this step, but you can create a new password at any time.

The console displays a status message informing you that console access has been enabled.

------

### To change the password for an IAM user (console)
<a name="id_credentials_passwords_admin-change-user-section-2"></a>

Use this procedure to update a password that is associated with the username.

------
#### [ Console ]

1. Follow the sign-in procedure appropriate to your user type as described in the topic [How to sign in to AWS](https://docs.aws.amazon.com/signin/latest/userguide/how-to-sign-in.html) in the *AWS Sign-In User Guide*.

1. On the **IAM Console Home** page, in the left navigation pane, enter your query in the **Search IAM** text box.

1. In the navigation pane, choose **Users**.

1. Choose the name of the user whose password you want to change. 

1. Choose the **Security credentials** tab, and then under **Console sign-in**, choose **Manage console access**.

1. In the **Manage console access** dialog box, select **Reset password**, then choose whether to have IAM generate a password or create a custom password: 
   + To have IAM generate a password, choose **Autogenerated password**.
   + To create a custom password, choose **Custom password**, and type the password. 
**Note**  
The password that you create must meet the account's [password policy](id_credentials_passwords_account-policy.md).

1. To require the user to create a new password when signing in, choose **Require password change at the next sign-in**. 

1. To require the user to use the new password immediately, select **Revoke active console sessions**. This attaches an inline policy to the IAM user that denies the user access to resources if their credentials are older than the time specified by the policy.

1. Choose **Reset password**.

1. The **Console password** dialog informs you that you have enabled the user's new password. To view the password so you can share it with the user, choose **Show** in the **Console password** dialog box. Select **Download .csv file** to download a file with the user's credentials.
**Important**  
For security reasons, you cannot access the password after completing this step, but you can create a new password at any time.

The console displays a status message informing you that console access has been updated.

------

### To delete (disable) an IAM user password (console)
<a name="id_credentials_passwords_admin-change-user-section-3"></a>

Use this procedure to delete a password that is associated with the username, removing console access for the user.

**Important**  
You can prevent an IAM user from accessing the AWS Management Console by removing their password. This prevents them from signing in to the AWS Management Console using their sign-in credentials. It does not change their permissions or prevent them from accessing the console using an assumed role. If the user has active access keys, they continue to function and allow access through the AWS CLI, Tools for Windows PowerShell, AWS API, or the AWS Console Mobile Application.

------
#### [ Console ]

1. Follow the sign-in procedure appropriate to your user type as described in the topic [How to sign in to AWS](https://docs.aws.amazon.com/signin/latest/userguide/how-to-sign-in.html) in the *AWS Sign-In User Guide*.

1. On the **IAM Console Home** page, in the left navigation pane, enter your query in the **Search IAM** text box.

1. In the navigation pane, choose **Users**.

1. Choose the name of the user whose password you want to delete. 

1. Choose the **Security credentials** tab, and then under **Console sign-in**, choose **Manage console access**.

1. To require the user to stop using the console immediately, select **Revoke active console sessions**. This attaches an inline policy to the IAM user that denies the user access to resources if their credentials are older than the time specified by the policy.

1. Choose **Disable access**.

The console displays a status message informing you that console access has been disabled.

------

### Creating, changing, or deleting an IAM user password (AWS CLI)
<a name="Using_ManagingPasswordsCLIAPI"></a>

You can use the AWS CLI to manage passwords for your IAM users.

**To create a password (AWS CLI)**

1. (Optional) To determine whether a user has a password, run this command: [aws iam get-login-profile](https://docs.aws.amazon.com/cli/latest/reference/iam/get-login-profile.html)

1. To create a password, run this command: [aws iam create-login-profile](https://docs.aws.amazon.com/cli/latest/reference/iam/create-login-profile.html)

**To change a user's password (AWS CLI)**

1. (Optional) To determine whether a user has a password, run this command: [aws iam get-login-profile](https://docs.aws.amazon.com/cli/latest/reference/iam/get-login-profile.html)

1. To change a password, run this command: [aws iam update-login-profile](https://docs.aws.amazon.com/cli/latest/reference/iam/update-login-profile.html)

**To delete (disable) a user's password (AWS CLI)**

1. (Optional) To determine whether a user has a password, run this command: [aws iam get-login-profile](https://docs.aws.amazon.com/cli/latest/reference/iam/get-login-profile.html)

1. (Optional) To determine when a password was last used, run this command: [aws iam get-user](https://docs.aws.amazon.com/cli/latest/reference/iam/get-user.html)

1. To delete a password, run this command: [aws iam delete-login-profile](https://docs.aws.amazon.com/cli/latest/reference/iam/delete-login-profile.html)

**Important**  
When you delete a user's password, the user can no longer sign in to the AWS Management Console. If the user has active access keys, they continue to function and allow access through the AWS CLI, Tools for Windows PowerShell, or AWS API function calls. When you use the AWS CLI, Tools for Windows PowerShell, or AWS API to delete a user from your AWS account, you must first delete the password using this operation. For more information, see [Deleting an IAM user (AWS CLI)](id_users_remove.md#id_users_deleting_cli). 

**To revoke a user's active console sessions before a specified time (AWS CLI)**

1. To embed an inline policy that revokes an IAM user's active console sessions before a specified time, use the following inline policy and run this command: [aws iam put-user-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/put-user-policy.html)

   This inline policy denies all permissions and includes the `aws:TokenIssueTime` condition key. It revokes the user's active console sessions before the specified time in the `Condition` element of the inline policy. Replace the `aws:TokenIssueTime` condition key value with your own value.

------
#### [ JSON ]

   ```
   {
     "Version": "2012-10-17",
     "Statement": {
       "Effect": "Deny",
       "Action": "*",
       "Resource": "*",
       "Condition": {
         "DateLessThan": {
           "aws:TokenIssueTime": "2014-05-07T23:47:00Z"
         }
       }
     }
   }
   ```

------

1. (Optional) To list the names of the inline policies embedded in the IAM user, run this command: [aws iam list-user-policies](https://docs.aws.amazon.com/cli/latest/reference/iam/list-user-policies.html)

1. (Optional) To view the named inline policy embedded in the IAM user, run this command: [aws iam get-user-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/get-user-policy.html)
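
The CLI steps above combined into one script, as an added example that is not AWS's own code: it deletes the login profile if one exists, attaches the revocation policy shown above, and prints any access keys that remain active. The policy name `RevokeOlderSessions` and the default cutoff of the current UTC time are assumptions.

```shell
#!/bin/sh
# Added example (not AWS's own code). POLICY_NAME is an assumed name.
POLICY_NAME="RevokeOlderSessions"

# Print the page's deny policy with the given UTC cutoff (YYYY-MM-DDThh:mm:ssZ).
revocation_policy() {
  case "$1" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T[0-9][0-9]:[0-9][0-9]:[0-9][0-9]Z) ;;
    *) echo "cutoff must look like 2014-05-07T23:47:00Z" >&2; return 1 ;;
  esac
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {
      "DateLessThan": { "aws:TokenIssueTime": "$1" }
    }
  }
}
EOF
}

# Remove console access for user $1 and revoke sessions issued before $2
# (assumed default: the current UTC time). Prints access keys still active.
disable_console_access() (
  user="$1"
  cutoff="${2:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}"
  policy="$(revocation_policy "$cutoff")" || exit 1
  # get-login-profile fails when the user has no password; skip the delete then.
  if aws iam get-login-profile --user-name "$user" >/dev/null 2>&1; then
    aws iam delete-login-profile --user-name "$user" || exit 1
  fi
  aws iam put-user-policy --user-name "$user" \
    --policy-name "$POLICY_NAME" --policy-document "$policy" || exit 1
  # Access keys keep working after the password is deleted, and the deny policy
  # only matches requests made with temporary credentials (the ones that carry
  # aws:TokenIssueTime), so report the keys that are still active.
  aws iam list-access-keys --user-name "$user" \
    --query "AccessKeyMetadata[?Status=='Active'].AccessKeyId" --output text
)
```

Source the file and run `disable_console_access <user-name>`; any key IDs it prints still allow access through the AWS CLI and API.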

### Creating, changing, or deleting an IAM user password (AWS API)
<a name="Using_ManagingPasswordsAPI"></a>

You can use the AWS API to manage passwords for your IAM users.

**To create a password (AWS API)**

1. (Optional) To determine whether a user has a password, call this operation: [GetLoginProfile](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetLoginProfile.html)

1. To create a password, call this operation: [CreateLoginProfile](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateLoginProfile.html)

**To change a user's password (AWS API)**

1. (Optional) To determine whether a user has a password, call this operation: [GetLoginProfile](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetLoginProfile.html)

1. To change a password, call this operation: [UpdateLoginProfile](https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateLoginProfile.html)

**To delete (disable) a user's password (AWS API)**

1. (Optional) To determine whether a user has a password, call this operation: [GetLoginProfile](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetLoginProfile.html)

1. (Optional) To determine when a password was last used, call this operation: [GetUser](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetUser.html)

1. To delete a password, call this operation: [DeleteLoginProfile](https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteLoginProfile.html)

**Important**  
When you delete a user's password, the user can no longer sign in to the AWS Management Console. If the user has active access keys, they continue to function and allow access through the AWS CLI, Tools for Windows PowerShell, or AWS API function calls. When you use the AWS CLI, Tools for Windows PowerShell, or AWS API to delete a user from your AWS account, you must first delete the password using this operation. For more information, see [Deleting an IAM user (AWS CLI)](id_users_remove.md#id_users_deleting_cli). 

**To revoke a user's active console sessions before a specified time (AWS API)**

1. To embed an inline policy that revokes an IAM user's active console sessions before a specified time, use the following inline policy and call this operation: [PutUserPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html)

   This inline policy denies all permissions and includes the `aws:TokenIssueTime` condition key. It revokes the user's active console sessions before the specified time in the `Condition` element of the inline policy. Replace the `aws:TokenIssueTime` condition key value with your own value.

------
#### [ JSON ]

   ```
   {
     "Version": "2012-10-17",
     "Statement": {
       "Effect": "Deny",
       "Action": "*",
       "Resource": "*",
       "Condition": {
         "DateLessThan": {
           "aws:TokenIssueTime": "2014-05-07T23:47:00Z"
         }
       }
     }
   }
   ```

------

1. (Optional) To list the names of the inline policies embedded in the IAM user, call this operation: [ListUserPolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListUserPolicies.html)

1. (Optional) To view the named inline policy embedded in the IAM user, call this operation: [GetUserPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetUserPolicy.html)