AWS IAM Basics using AWS Tools for Windows PowerShell – Wrap Up

Over the last few blog posts I have quickly gone over AWS IAM Users, Groups and Roles, specifically the PowerShell cmdlets used to interact with these IAM identities inside your AWS account. To end the AWS IAM Basics series, I’ll demonstrate how to put them all together.

Users

Let’s create 2 users, junior and senior.

Groups

Let’s create a group called SysAdmins and add our 2 users to the group. We’ll then grant the IAMReadOnlyAccess policy to the SysAdmins group.

Role

We’ll create a role called SeniorSysAdmin, grant our senior user the ability to assume this role (by way of the AssumeRolePolicyDocument) and grant the role full IAM access.

The contents of the TrustPolicyUser.json document are as follows; make sure to replace aws_account_number with your actual AWS account number:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": { "AWS": "arn:aws:iam::aws_account_number:user/senior" },
    "Action": "sts:AssumeRole"
  }
}

Let’s test!

To test we need to login as our junior and senior users. I’ve manually created AWS Access and Secret keys for both users via the AWS console. I’ve used these to create profiles for each user. You can find instructions on how to do that here using the Set-AWSCredentials cmdlet.

I set my profile so that I run under the junior AWS user and execute Get-IAMUser to confirm.

I can execute Get-IAMUsers and Get-IAMGroups successfully. However if I try to create a group (remember that the SysAdmins group only has IAMReadOnlyAccess) I get an error.

Let’s try with our senior user. We call the Set-AWSCredentials cmdlet again and this time use ProfileSenior, which holds the Access and Secret key details for our senior AWS user.

Again, I can call Get-IAMUsers and Get-IAMGroups successfully, but I also get an error when trying to create a new group. It is not until our senior user assumes the SeniorSysAdmin role, which has the IAMFullAccess permissions, that the senior user can create the Testers group successfully.
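The whole sequence from this post, setup and test, as one added PowerShell script (my example, not the original post's screenshots). It assumes the AWS Tools for Windows PowerShell module is imported, that an administrative profile named ProfileAdmin exists alongside the ProfileJunior and ProfileSenior profiles created with Set-AWSCredentials above, and that TrustPolicyUser.json sits in the current directory with aws_account_number already replaced; the profile names and the Test-GroupCreate helper are hypothetical.

```powershell
# Added example, not from the original post. Assumes the AWSPowerShell module is
# loaded and that ProfileAdmin, ProfileJunior and ProfileSenior already exist.
$accountId = 'aws_account_number'   # replace with your AWS account number

# --- Setup: run with an administrative profile ---
Set-AWSCredentials -ProfileName ProfileAdmin

# Users
'junior', 'senior' | ForEach-Object { New-IAMUser -UserName $_ | Out-Null }

# Group SysAdmins with both users; read-only IAM access only
New-IAMGroup -GroupName SysAdmins | Out-Null
'junior', 'senior' | ForEach-Object { Add-IAMUserToGroup -UserName $_ -GroupName SysAdmins }
Register-IAMGroupPolicy -GroupName SysAdmins -PolicyArn 'arn:aws:iam::aws:policy/IAMReadOnlyAccess'

# Role SeniorSysAdmin: trust policy names only the senior user, full IAM access once assumed
$trustPolicy = Get-Content -Raw -Path .\TrustPolicyUser.json
New-IAMRole -RoleName SeniorSysAdmin -AssumeRolePolicyDocument $trustPolicy | Out-Null
Register-IAMRolePolicy -RoleName SeniorSysAdmin -PolicyArn 'arn:aws:iam::aws:policy/IAMFullAccess'

# --- Test ---
function Test-GroupCreate {
    # Hypothetical helper: $true if the caller may create the group, $false on AccessDenied.
    # Uses the session credentials unless an explicit credential object is supplied.
    param([string]$GroupName, $Credential = $null)
    $extra = @{}
    if ($Credential) { $extra['Credential'] = $Credential }
    try {
        New-IAMGroup -GroupName $GroupName @extra | Out-Null
        return $true
    } catch {
        Write-Host "Creating group '$GroupName' was denied: $($_.Exception.Message)"
        return $false
    }
}

# junior: listing works (IAMReadOnlyAccess), creating a group is denied
Set-AWSCredentials -ProfileName ProfileJunior
Get-IAMUser | Select-Object UserName           # confirms we are running as junior
Get-IAMUserList | Select-Object UserName
Get-IAMGroupList | Select-Object GroupName
Test-GroupCreate -GroupName Testers             # $false

# senior: same read-only result while acting as the plain user...
Set-AWSCredentials -ProfileName ProfileSenior
Test-GroupCreate -GroupName Testers             # $false

# ...until the SeniorSysAdmin role is assumed; the temporary credentials carry IAMFullAccess
$assumed = Use-STSRole -RoleArn "arn:aws:iam::${accountId}:role/SeniorSysAdmin" -RoleSessionName 'senior-session'
Test-GroupCreate -GroupName Testers -Credential $assumed.Credentials   # $true
```

Only the role session, not the senior user's long-lived keys, ever holds IAMFullAccess, which is the point of splitting the read-only group from the assumable role.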

And that’s it! This will be the last of the IAM blog posts (for now), next I will be looking to explore some of the S3 PowerShell cmdlets and anything else I find interesting around S3.
