'AWS CLI Usage for IAM Users
I created a IAM Admin user for my myself as per the best practices. The way I have done is by creating a Role attach AdminAccess and assigning it to a UserGroup. My IAM User is added to this group. On console, I could easily switch to this role and perform all Admin actions.
However, while using CLI, it seems like I could not switch to this AdminRole and only getting AccessDenied for everything I tried except for aws iam list-users
I have temporarily fixed this by configuring the cli with root credentials but this is still not the best solution for me.
Any idea how to address this?
Using on Windows 11 and CLI Version 2.7.0
UPDATE
Template used to create my IAM roles and groups
Users were created manually via console and assigned to respective groups. The user I am using belongs to all the 3 groups given, AllUsersGroup, DeveloperGroup, AdminGroup
amazon-web-servicescommand-line-interfaceamazon-cloudformation">
amazon-cloudformationaws-cliazure-logic-appshttp-status-code-400
Solution 1:[1]
So, if I understand, you have an IAM User that has credentials and that IAM User has permission to assume an Admin role. So, in the awscli configuration file (~/.aws/config) you need two sets of credentials: one for the IAM User and the other for the role, for example:
[profile sriharsha]
aws_access_key_id = xxx
aws_secret_access_key = yyy
region = us-east-1
[profile admin]
region = us-east-1
role_arn=arn:aws:iam::111111111111:role/my-admin-role
source_profile=sriharsha
You can then use the awscli with the relevant set of credentials, for example:
- aws s3 ls --profile sriharsha
- aws iam list-users --profile admin
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | jarmod |