AWS IAM Basics using AWS Tools for Windows PowerShell – Groups

In my last post I wrote about how to use AWS Tools for Windows PowerShell to create, get, update and remove IAM users in your AWS account. In this post I will show you how to create, list, edit and remove IAM groups. Let’s jump straight in!

Create Groups

To create a new IAM group we call the New-IAMGroup cmdlet, passing the desired name of the group to the -GroupName parameter. For the purpose of this demo we’ll create a group called Developers.

List Groups

To get a list of IAM groups in your AWS account we call the Get-IAMGroups cmdlet. As you can see in the screenshot below, we have an Admin group and the new Developers group we just created.

You can also get a list of users for a given group by calling Get-IAMGroup and passing the group name to the -GroupName parameter. As you can see in the screenshot below, our group does not have any users in it. Let’s look at how we add users to our group.

Edit Groups

To add a user we call the Add-IAMUserToGroup cmdlet. We need to pass the group name and user name to the -GroupName and -UserName parameters respectively. I created a user named TestUser using the New-IAMUser cmdlet; you can find an example in my last post. Once we’ve added our TestUser user to our Developers group, we can call Get-IAMGroup again and we should see the Users list populated with our TestUser user.

To remove a user from a group, we call Remove-IAMUserFromGroup. Similar to adding a user, we need to pass the appropriate -GroupName and -UserName parameter values. By default, the cmdlet will ask you to confirm that you want to remove the user from the group. To override the confirmation prompt we pass the -Force switch parameter.

You can also update the path and name of a group. Today we will only look at updating the group name. This is done by calling the Update-IAMGroup cmdlet. Note that by changing a group name, issues can arise with IAM policies. I will dive deeper into this in a future post. Below is an example of changing our Developers group name to Operations.

Remove Groups

To remove a group we call the Remove-IAMGroup cmdlet. We only need to provide the -GroupName parameter and the -Force switch parameter to override the confirmation prompt.
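The full group lifecycle from the sections above, as one script. This is an added example, not code from the original post; it assumes the AWSPowerShell module is imported and credentials are configured, and the two helper functions (Test-IAMGroupMember, Remove-IAMGroupWithMembers) are hypothetical names introduced here.

```powershell
# Added example, not from the original post. Assumes the AWSPowerShell module is
# imported and credentials plus a default region are already configured.
$ErrorActionPreference = 'Stop'
$group   = 'Developers'   # names used in the post
$renamed = 'Operations'
$user    = 'TestUser'

# Helper (hypothetical name): is $UserName currently a member of $GroupName?
function Test-IAMGroupMember {
    param([string]$GroupName, [string]$UserName)
    $members = (Get-IAMGroup -GroupName $GroupName).Users
    [bool]($members | Where-Object { $_.UserName -eq $UserName })
}

# Helper (hypothetical name): IAM refuses to delete a group that still has
# members, so remove every user first, then delete the group itself.
function Remove-IAMGroupWithMembers {
    param([string]$GroupName)
    foreach ($member in (Get-IAMGroup -GroupName $GroupName).Users) {
        Remove-IAMUserFromGroup -GroupName $GroupName -UserName $member.UserName -Force
    }
    Remove-IAMGroup -GroupName $GroupName -Force
}

# Create the group and a test user, then list all groups in the account.
New-IAMGroup -GroupName $group | Out-Null
New-IAMUser -UserName $user | Out-Null
Get-IAMGroups | Select-Object GroupName, Path, Arn

# Add the user and confirm the membership change took effect.
Add-IAMUserToGroup -GroupName $group -UserName $user
"Member after add:    $(Test-IAMGroupMember -GroupName $group -UserName $user)"

# Remove the user again; -Force suppresses the confirmation prompt.
Remove-IAMUserFromGroup -GroupName $group -UserName $user -Force
"Member after remove: $(Test-IAMGroupMember -GroupName $group -UserName $user)"

# Rename Developers to Operations; the group ARN changes with the name.
Add-IAMUserToGroup -GroupName $group -UserName $user
Update-IAMGroup -GroupName $group -NewGroupName $renamed
(Get-IAMGroup -GroupName $renamed).Group.Arn

# Clean up: empty and delete the group, then delete the test user.
Remove-IAMGroupWithMembers -GroupName $renamed
Remove-IAMUser -UserName $user -Force
```

Checking membership after each change, rather than trusting that the cmdlet returned without error, gives you a record of who actually holds the group's permissions at each step.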

That’s all for Groups. In my next post I will look at IAM Roles.
