Docs Home
AWS v6.73.0 published on Wednesday, Mar 19, 2025 by Pulumi
aws.iam.User
Explore with Pulumi AI
Provides an IAM user.
NOTE: If policies are attached to the user via the
aws.iam.PolicyAttachmentresource and you are modifying the usernameorpath, theforce_destroyargument must be set totrueand applied before attempting the operation otherwise you will encounter aDeleteConflicterror. Theaws.iam.UserPolicyAttachmentresource (recommended) does not have this requirement.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const lb = new aws.iam.User("lb", {
name: "loadbalancer",
path: "/system/",
tags: {
"tag-key": "tag-value",
},
});
const lbAccessKey = new aws.iam.AccessKey("lb", {user: lb.name});
const lbRo = aws.iam.getPolicyDocument({
statements: [{
effect: "Allow",
actions: ["ec2:Describe*"],
resources: ["*"],
}],
});
const lbRoUserPolicy = new aws.iam.UserPolicy("lb_ro", {
name: "test",
user: lb.name,
policy: lbRo.then(lbRo => lbRo.json),
});
import pulumi
import pulumi_aws as aws
lb = aws.iam.User("lb",
name="loadbalancer",
path="/system/",
tags={
"tag-key": "tag-value",
})
lb_access_key = aws.iam.AccessKey("lb", user=lb.name)
lb_ro = aws.iam.get_policy_document(statements=[{
"effect": "Allow",
"actions": ["ec2:Describe*"],
"resources": ["*"],
}])
lb_ro_user_policy = aws.iam.UserPolicy("lb_ro",
name="test",
user=lb.name,
policy=lb_ro.json)
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
lb, err := iam.NewUser(ctx, "lb", &iam.UserArgs{
Name: pulumi.String("loadbalancer"),
Path: pulumi.String("/system/"),
Tags: pulumi.StringMap{
"tag-key": pulumi.String("tag-value"),
},
})
if err != nil {
return err
}
_, err = iam.NewAccessKey(ctx, "lb", &iam.AccessKeyArgs{
User: lb.Name,
})
if err != nil {
return err
}
lbRo, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
Statements: []iam.GetPolicyDocumentStatement{
{
Effect: pulumi.StringRef("Allow"),
Actions: []string{
"ec2:Describe*",
},
Resources: []string{
"*",
},
},
},
}, nil)
if err != nil {
return err
}
_, err = iam.NewUserPolicy(ctx, "lb_ro", &iam.UserPolicyArgs{
Name: pulumi.String("test"),
User: lb.Name,
Policy: pulumi.String(lbRo.Json),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var lb = new Aws.Iam.User("lb", new()
{
Name = "loadbalancer",
Path = "/system/",
Tags =
{
{ "tag-key", "tag-value" },
},
});
var lbAccessKey = new Aws.Iam.AccessKey("lb", new()
{
User = lb.Name,
});
var lbRo = Aws.Iam.GetPolicyDocument.Invoke(new()
{
Statements = new[]
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
{
Effect = "Allow",
Actions = new[]
{
"ec2:Describe*",
},
Resources = new[]
{
"*",
},
},
},
});
var lbRoUserPolicy = new Aws.Iam.UserPolicy("lb_ro", new()
{
Name = "test",
User = lb.Name,
Policy = lbRo.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.iam.User;
import com.pulumi.aws.iam.UserArgs;
import com.pulumi.aws.iam.AccessKey;
import com.pulumi.aws.iam.AccessKeyArgs;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.iam.UserPolicy;
import com.pulumi.aws.iam.UserPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var lb = new User("lb", UserArgs.builder()
.name("loadbalancer")
.path("/system/")
.tags(Map.of("tag-key", "tag-value"))
.build());
var lbAccessKey = new AccessKey("lbAccessKey", AccessKeyArgs.builder()
.user(lb.name())
.build());
final var lbRo = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
.statements(GetPolicyDocumentStatementArgs.builder()
.effect("Allow")
.actions("ec2:Describe*")
.resources("*")
.build())
.build());
var lbRoUserPolicy = new UserPolicy("lbRoUserPolicy", UserPolicyArgs.builder()
.name("test")
.user(lb.name())
.policy(lbRo.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
.build());
}
}
resources:
lb:
type: aws:iam:User
properties:
name: loadbalancer
path: /system/
tags:
tag-key: tag-value
lbAccessKey:
type: aws:iam:AccessKey
name: lb
properties:
user: ${lb.name}
lbRoUserPolicy:
type: aws:iam:UserPolicy
name: lb_ro
properties:
name: test
user: ${lb.name}
policy: ${lbRo.json}
variables:
lbRo:
fn::invoke:
function: aws:iam:getPolicyDocument
arguments:
statements:
- effect: Allow
actions:
- ec2:Describe*
resources:
- '*'
Create User Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new User(name: string, args?: UserArgs, opts?: CustomResourceOptions);@overload
def User(resource_name: str,
args: Optional[UserArgs] = None,
opts: Optional[ResourceOptions] = None)
@overload
def User(resource_name: str,
opts: Optional[ResourceOptions] = None,
force_destroy: Optional[bool] = None,
name: Optional[str] = None,
path: Optional[str] = None,
permissions_boundary: Optional[str] = None,
tags: Optional[Mapping[str, str]] = None)func NewUser(ctx *Context, name string, args *UserArgs, opts ...ResourceOption) (*User, error)public User(string name, UserArgs? args = null, CustomResourceOptions? opts = null)type: aws:iam:User
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args UserArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args UserArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args UserArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args UserArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args UserArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var exampleuserResourceResourceFromIamuser = new Aws.Iam.User("exampleuserResourceResourceFromIamuser", new()
{
ForceDestroy = false,
Name = "string",
Path = "string",
PermissionsBoundary = "string",
Tags =
{
{ "string", "string" },
},
});
example, err := iam.NewUser(ctx, "exampleuserResourceResourceFromIamuser", &iam.UserArgs{
ForceDestroy: pulumi.Bool(false),
Name: pulumi.String("string"),
Path: pulumi.String("string"),
PermissionsBoundary: pulumi.String("string"),
Tags: pulumi.StringMap{
"string": pulumi.String("string"),
},
})
var exampleuserResourceResourceFromIamuser = new User("exampleuserResourceResourceFromIamuser", UserArgs.builder()
.forceDestroy(false)
.name("string")
.path("string")
.permissionsBoundary("string")
.tags(Map.of("string", "string"))
.build());
exampleuser_resource_resource_from_iamuser = aws.iam.User("exampleuserResourceResourceFromIamuser",
force_destroy=False,
name="string",
path="string",
permissions_boundary="string",
tags={
"string": "string",
})
const exampleuserResourceResourceFromIamuser = new aws.iam.User("exampleuserResourceResourceFromIamuser", {
forceDestroy: false,
name: "string",
path: "string",
permissionsBoundary: "string",
tags: {
string: "string",
},
});
type: aws:iam:User
properties:
forceDestroy: false
name: string
path: string
permissionsBoundary: string
tags:
string: string
User Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The User resource accepts the following input properties:
- Force
Destroy bool - When destroying this user, destroy even if it
has non-provider-managed IAM access keys, login profile or MFA devices. Without
force_destroya user with non-provider-managed access keys and login profile will fail to be destroyed. - Name string
- The user's name. The name must consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters:
=,.@-_.. User names are not distinguished by case. For example, you cannot create users named both "TESTUSER" and "testuser". - Path string
- Path in which to create the user.
- Permissions
Boundary string - The ARN of the policy that is used to set the permissions boundary for the user.
- Dictionary<string, string>
- Key-value mapping of tags for the IAM user. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level.
- Force
Destroy bool - When destroying this user, destroy even if it
has non-provider-managed IAM access keys, login profile or MFA devices. Without
force_destroya user with non-provider-managed access keys and login profile will fail to be destroyed. - Name string
- The user's name. The name must consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters:
=,.@-_.. User names are not distinguished by case. For example, you cannot create users named both "TESTUSER" and "testuser". - Path string
- Path in which to create the user.
- Permissions
Boundary string - The ARN of the policy that is used to set the permissions boundary for the user.
- map[string]string
- Key-value mapping of tags for the IAM user. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level.
- force
Destroy Boolean - When destroying this user, destroy even if it
has non-provider-managed IAM access keys, login profile or MFA devices. Without
force_destroya user with non-provider-managed access keys and login profile will fail to be destroyed. - name String
- The user's name. The name must consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters:
=,.@-_.. User names are not distinguished by case. For example, you cannot create users named both "TESTUSER" and "testuser". - path String
- Path in which to create the user.
- permissions
Boundary String - The ARN of the policy that is used to set the permissions boundary for the user.
- Map<String,String>
- Key-value mapping of tags for the IAM user. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level.
- force
Destroy boolean - When destroying this user, destroy even if it
has non-provider-managed IAM access keys, login profile or MFA devices. Without
force_destroya user with non-provider-managed access keys and login profile will fail to be destroyed. - name string
- The user's name. The name must consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters:
=,.@-_.. User names are not distinguished by case. For example, you cannot create users named both "TESTUSER" and "testuser". - path string
- Path in which to create the user.
- permissions
Boundary string - The ARN of the policy that is used to set the permissions boundary for the user.
- {[key: string]: string}
- Key-value mapping of tags for the IAM user. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level.
- force_
destroy bool - When destroying this user, destroy even if it
has non-provider-managed IAM access keys, login profile or MFA devices. Without
force_destroya user with non-provider-managed access keys and login profile will fail to be destroyed. - name str
- The user's name. The name must consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters:
=,.@-_.. User names are not distinguished by case. For example, you cannot create users named both "TESTUSER" and "testuser". - path str
- Path in which to create the user.
- permissions_
boundary str - The ARN of the policy that is used to set the permissions boundary for the user.
- Mapping[str, str]
- Key-value mapping of tags for the IAM user. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level.
- force
Destroy Boolean - When destroying this user, destroy even if it
has non-provider-managed IAM access keys, login profile or MFA devices. Without
force_destroya user with non-provider-managed access keys and login profile will fail to be destroyed. - name String
- The user's name. The name must consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters:
=,.@-_.. User names are not distinguished by case. For example, you cannot create users named both "TESTUSER" and "testuser". - path String
- Path in which to create the user.
- permissions
Boundary String - The ARN of the policy that is used to set the permissions boundary for the user.
- Map<String>
- Key-value mapping of tags for the IAM user. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level.
Outputs
All input properties are implicitly available as output properties. Additionally, the User resource produces the following output properties:
- Arn string
- The ARN assigned by AWS for this user.
- Id string
- The provider-assigned unique ID for this managed resource.
- Dictionary<string, string>
- A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block. - Unique
Id string - The [unique ID][1] assigned by AWS.
- Arn string
- The ARN assigned by AWS for this user.
- Id string
- The provider-assigned unique ID for this managed resource.
- map[string]string
- A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block. - Unique
Id string - The [unique ID][1] assigned by AWS.
- arn String
- The ARN assigned by AWS for this user.
- id String
- The provider-assigned unique ID for this managed resource.
- Map<String,String>
- A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block. - unique
Id String - The [unique ID][1] assigned by AWS.
- arn string
- The ARN assigned by AWS for this user.
- id string
- The provider-assigned unique ID for this managed resource.
- {[key: string]: string}
- A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block. - unique
Id string - The [unique ID][1] assigned by AWS.
Look up Existing User Resource
Get an existing User resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: UserState, opts?: CustomResourceOptions): User@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
arn: Optional[str] = None,
force_destroy: Optional[bool] = None,
name: Optional[str] = None,
path: Optional[str] = None,
permissions_boundary: Optional[str] = None,
tags: Optional[Mapping[str, str]] = None,
tags_all: Optional[Mapping[str, str]] = None,
unique_id: Optional[str] = None) -> Userfunc GetUser(ctx *Context, name string, id IDInput, state *UserState, opts ...ResourceOption) (*User, error)public static User Get(string name, Input<string> id, UserState? state, CustomResourceOptions? opts = null)public static User get(String name, Output<String> id, UserState state, CustomResourceOptions options)resources: _: type: aws:iam:User get: id: ${id}- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Arn string
- The ARN assigned by AWS for this user.
- Force
Destroy bool - When destroying this user, destroy even if it
has non-provider-managed IAM access keys, login profile or MFA devices. Without
force_destroya user with non-provider-managed access keys and login profile will fail to be destroyed. - Name string
- The user's name. The name must consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters:
=,.@-_.. User names are not distinguished by case. For example, you cannot create users named both "TESTUSER" and "testuser". - Path string
- Path in which to create the user.
- Permissions
Boundary string - The ARN of the policy that is used to set the permissions boundary for the user.
- Dictionary<string, string>
- Key-value mapping of tags for the IAM user. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level. - Dictionary<string, string>
- A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block. - Unique
Id string - The [unique ID][1] assigned by AWS.
- Arn string
- The ARN assigned by AWS for this user.
- Force
Destroy bool - When destroying this user, destroy even if it
has non-provider-managed IAM access keys, login profile or MFA devices. Without
force_destroya user with non-provider-managed access keys and login profile will fail to be destroyed. - Name string
- The user's name. The name must consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters:
=,.@-_.. User names are not distinguished by case. For example, you cannot create users named both "TESTUSER" and "testuser". - Path string
- Path in which to create the user.
- Permissions
Boundary string - The ARN of the policy that is used to set the permissions boundary for the user.
- map[string]string
- Key-value mapping of tags for the IAM user. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level. - map[string]string
- A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block. - Unique
Id string - The [unique ID][1] assigned by AWS.
- arn String
- The ARN assigned by AWS for this user.
- force
Destroy Boolean - When destroying this user, destroy even if it
has non-provider-managed IAM access keys, login profile or MFA devices. Without
force_destroya user with non-provider-managed access keys and login profile will fail to be destroyed. - name String
- The user's name. The name must consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters:
=,.@-_.. User names are not distinguished by case. For example, you cannot create users named both "TESTUSER" and "testuser". - path String
- Path in which to create the user.
- permissions
Boundary String - The ARN of the policy that is used to set the permissions boundary for the user.
- Map<String,String>
- Key-value mapping of tags for the IAM user. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level. - Map<String,String>
- A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block. - unique
Id String - The [unique ID][1] assigned by AWS.
- arn string
- The ARN assigned by AWS for this user.
- force
Destroy boolean - When destroying this user, destroy even if it
has non-provider-managed IAM access keys, login profile or MFA devices. Without
force_destroya user with non-provider-managed access keys and login profile will fail to be destroyed. - name string
- The user's name. The name must consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters:
=,.@-_.. User names are not distinguished by case. For example, you cannot create users named both "TESTUSER" and "testuser". - path string
- Path in which to create the user.
- permissions
Boundary string - The ARN of the policy that is used to set the permissions boundary for the user.
- {[key: string]: string}
- Key-value mapping of tags for the IAM user. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level. - {[key: string]: string}
- A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block. - unique
Id string - The [unique ID][1] assigned by AWS.
- arn str
- The ARN assigned by AWS for this user.
- force_
destroy bool - When destroying this user, destroy even if it
has non-provider-managed IAM access keys, login profile or MFA devices. Without
force_destroya user with non-provider-managed access keys and login profile will fail to be destroyed. - name str
- The user's name. The name must consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters:
=,.@-_.. User names are not distinguished by case. For example, you cannot create users named both "TESTUSER" and "testuser". - path str
- Path in which to create the user.
- permissions_
boundary str - The ARN of the policy that is used to set the permissions boundary for the user.
- Mapping[str, str]
- Key-value mapping of tags for the IAM user. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level. - Mapping[str, str]
- A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block. - unique_
id str - The [unique ID][1] assigned by AWS.
- arn String
- The ARN assigned by AWS for this user.
- force
Destroy Boolean - When destroying this user, destroy even if it
has non-provider-managed IAM access keys, login profile or MFA devices. Without
force_destroya user with non-provider-managed access keys and login profile will fail to be destroyed. - name String
- The user's name. The name must consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters:
=,.@-_.. User names are not distinguished by case. For example, you cannot create users named both "TESTUSER" and "testuser". - path String
- Path in which to create the user.
- permissions
Boundary String - The ARN of the policy that is used to set the permissions boundary for the user.
- Map<String>
- Key-value mapping of tags for the IAM user. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level. - Map<String>
- A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block. - unique
Id String - The [unique ID][1] assigned by AWS.
Import
Using pulumi import, import IAM Users using the name. For example:
$ pulumi import aws:iam/user:User lb loadbalancer
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- AWS Classic pulumi/pulumi-aws
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
awsTerraform Provider.