AgentSkillsCN

aws-cli-iam

Use when working with AWS IAM commands: users, groups, roles, policies, instance profiles, access keys, MFA, service-linked roles, OIDC/SAML providers. Use this skill when creating IAM users/groups/roles, writing and attaching IAM policies (managed and inline), creating instance profiles for EC2 instances, creating ECS task execution roles and task roles, managing access keys and signing certificates, configuring MFA devices, setting up OIDC or SAML identity providers, managing service-linked roles, or generating credential reports.

SKILL.md
---
name: aws-cli-iam
description: Use when working with AWS IAM commands — users, groups, roles, policies, instance profiles, access keys, MFA, service-linked roles, OIDC/SAML providers. Use this skill when creating IAM users/groups/roles, writing and attaching IAM policies (managed and inline), creating instance profiles for EC2 instances, creating ECS task execution roles and task roles, managing access keys and signing certificates, configuring MFA devices, setting up OIDC or SAML identity providers, managing service-linked roles, or generating credential reports.
---

AWS CLI v2 — IAM (Identity and Access Management)

Overview

Complete reference for all aws iam subcommands in AWS CLI v2. Covers user and group management, role creation and assumption, policy authoring and attachment, instance profiles for EC2/ECS, access key rotation, MFA configuration, and identity providers (OIDC, SAML).

Quick Reference — Common Workflows

Create a task execution role for ECS tasks

```bash
# Task *execution* role: assumed by the ECS agent to pull images and write logs.
# The task role (what the application code may call) is a separate role with the
# same trust policy and its own least-privilege policy; do not reuse this one.
aws iam create-role --role-name ecsTaskExecutionRole \
  --assume-role-policy-document '{
    "Version":"2012-10-17",
    "Statement":[{"Effect":"Allow","Principal":{"Service":"ecs-tasks.amazonaws.com"},"Action":"sts:AssumeRole"}]
  }'
aws iam attach-role-policy --role-name ecsTaskExecutionRole \
  --policy-arn arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
```

Create instance profile for ECS EC2 instances

```bash
# ecsInstanceRole must already exist with a trust policy for ec2.amazonaws.com.
# An instance profile holds exactly one role; it is what EC2 uses to hand the
# role's credentials to the instance.
aws iam create-instance-profile --instance-profile-name ecsInstanceProfile
aws iam add-role-to-instance-profile --instance-profile-name ecsInstanceProfile --role-name ecsInstanceRole
```

Create a policy and attach to role

```bash
aws iam create-policy --policy-name my-policy --policy-document file://policy.json
aws iam attach-role-policy --role-name my-role --policy-arn arn:aws:iam::123456789012:policy/my-policy
```
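Attaching a policy says nothing about what the role can actually do; the policy simulator (simulate-principal-policy, listed under Policy Simulation further down) does. The script below is an added example and not part of the original skill: it writes a read-only policy scoped to a single bucket, creates and attaches it as above, then checks both that the intended reads are allowed and that writes and reads of any other bucket are denied. It assumes AWS CLI v2 with iam:CreatePolicy, iam:AttachRolePolicy and iam:SimulatePrincipalPolicy; the account ID, role, policy and bucket names are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not part of the original skill: create a scoped managed policy,
# attach it, then prove the role's effective permissions with the policy
# simulator rather than trusting that the document says what you meant.
# Assumes AWS CLI v2 with iam:CreatePolicy, iam:AttachRolePolicy and
# iam:SimulatePrincipalPolicy. Account ID, role, policy and bucket names are
# placeholders.
set -eu

ACCOUNT_ID=${ACCOUNT_ID:-123456789012}
ROLE_NAME=${ROLE_NAME:-my-role}
POLICY_NAME=${POLICY_NAME:-my-policy}
BUCKET=${BUCKET:-my-app-bucket}

# Least-privilege document: read-only on one bucket, resources named by ARN
# rather than "*". Written to a file because create-policy takes file://.
write_policy_document() {
  cat > "$1" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::$BUCKET"},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::$BUCKET/*"}
  ]
}
EOF
}

# Create the policy and bind it to the role; prints the new policy ARN.
create_and_attach() {
  arn=$(aws iam create-policy --policy-name "$POLICY_NAME" \
    --policy-document "file://$1" --query 'Policy.Arn' --output text)
  aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$arn"
  echo "$arn"
}

# Ask IAM what the role can actually do; prints the EvalDecision
# (allowed, implicitDeny or explicitDeny) for one action on one resource.
effective_decision() {
  aws iam simulate-principal-policy \
    --policy-source-arn "arn:aws:iam::${ACCOUNT_ID}:role/${ROLE_NAME}" \
    --action-names "$1" --resource-arns "$2" \
    --query 'EvaluationResults[0].EvalDecision' --output text
}

# One expectation; mismatches are counted in FAILURES instead of aborting so
# the whole picture is reported in a single run.
FAILURES=0
expect_decision() {
  want=$1 action=$2 resource=$3
  got=$(effective_decision "$action" "$resource")
  if [ "$got" != "$want" ]; then
    echo "FAIL: $action on $resource -> $got (expected $want)" >&2
    FAILURES=$((FAILURES + 1))
  fi
}

# Positive AND negative checks: the role must read its bucket and must not be
# able to write to it or read any other bucket. Exit status 0 only if all hold.
verify_least_privilege() {
  FAILURES=0
  expect_decision allowed      s3:GetObject  "arn:aws:s3:::$BUCKET/config.json"
  expect_decision allowed      s3:ListBucket "arn:aws:s3:::$BUCKET"
  expect_decision implicitDeny s3:PutObject  "arn:aws:s3:::$BUCKET/config.json"
  expect_decision implicitDeny s3:GetObject  "arn:aws:s3:::other-bucket/config.json"
  [ "$FAILURES" -eq 0 ]
}

# Usage: ./scoped-policy.sh run   (with no argument the file only defines functions)
if [ "${1:-}" = run ]; then
  doc=$(mktemp)
  write_policy_document "$doc"
  create_and_attach "$doc"
  verify_least_privilege && echo "policy grants exactly the intended access"
fi
```

simulate-principal-policy evaluates the identity-based policies attached to the principal; a resource-based policy is only considered if you pass it with --resource-policy, so a clean simulation is a necessary check, not the full picture. The negative expectations are the part most people skip, and they are what catch an over-broad Resource or Action.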

List and rotate access keys

```bash
aws iam list-access-keys --user-name my-user
aws iam create-access-key --user-name my-user              # issue the replacement, then update every consumer
aws iam get-access-key-last-used --access-key-id AKIA...   # confirm the old key has gone quiet
aws iam update-access-key --user-name my-user --access-key-id AKIA... --status Inactive   # reversible
aws iam delete-access-key --user-name my-user --access-key-id AKIA...                     # not reversible
```
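The commands above are the whole rotation as far as the CLI is concerned; in practice the dangerous step is the delete. The script below is an added example and not part of the original skill. It stages the rotation with the guards a reviewer would ask for: it refuses to issue a key when the user already holds two (the IAM limit), deactivates the old key only once get-access-key-last-used shows no use since the replacement was distributed, and deletes only a key that is already Inactive. It assumes AWS CLI v2 with iam:ListAccessKeys, iam:CreateAccessKey, iam:GetAccessKeyLastUsed, iam:UpdateAccessKey and iam:DeleteAccessKey on the target user; the user name, key ID and timestamp in the usage comment are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not part of the original skill: staged access-key rotation for
# an IAM user using only commands from this reference. Assumes AWS CLI v2 with
# iam:ListAccessKeys, iam:CreateAccessKey, iam:GetAccessKeyLastUsed,
# iam:UpdateAccessKey and iam:DeleteAccessKey on the target user. The user,
# key ID and timestamp in the usage comment are placeholders.
set -eu

# IAM allows at most two access keys per user, so a rotation must start with one.
key_count() {
  aws iam list-access-keys --user-name "$1" \
    --query 'length(AccessKeyMetadata)' --output text
}

# Stage 1: issue the replacement. Prints "ID<TAB>SECRET"; the secret is only
# ever returned by this call, so hand it to the consumer straight away.
issue_replacement_key() {
  user=$1
  if [ "$(key_count "$user")" -ge 2 ]; then
    echo "refusing: $user already has two access keys; retire one first" >&2
    return 1
  fi
  aws iam create-access-key --user-name "$user" \
    --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text
}

# Has the key been used since the cutoff? Both are ISO-8601 as the CLI prints
# them (e.g. 2024-05-01T12:00:00+00:00), so a string comparison is enough.
# The CLI prints "None" for a key that has never been used. Exit 0 if used.
key_used_since() {
  key=$1 cutoff=$2
  used=$(aws iam get-access-key-last-used --access-key-id "$key" \
    --query 'AccessKeyLastUsed.LastUsedDate' --output text)
  [ "$used" != "None" ] && [ "$used" \> "$cutoff" ]
}

# Stage 2: deactivate rather than delete, and only once no consumer has used
# the old key since the new one was distributed. An Inactive key can be put
# back with --status Active if something was missed; a deleted one cannot.
retire_old_key() {
  user=$1 key=$2 distributed_at=$3
  if key_used_since "$key" "$distributed_at"; then
    echo "refusing: $key still in use after $distributed_at; migrate consumers first" >&2
    return 1
  fi
  aws iam update-access-key --user-name "$user" --access-key-id "$key" --status Inactive
}

key_status() {
  aws iam list-access-keys --user-name "$1" \
    --query "AccessKeyMetadata[?AccessKeyId=='$2'].Status | [0]" --output text
}

# Stage 3: delete only a key that already sits in Inactive, so a typo in the
# key ID can never remove a key that is still serving traffic.
delete_retired_key() {
  user=$1 key=$2
  if [ "$(key_status "$user" "$key")" != "Inactive" ]; then
    echo "refusing: $key is not Inactive; run retire_old_key first" >&2
    return 1
  fi
  aws iam delete-access-key --user-name "$user" --access-key-id "$key"
}

# Usage (each stage is a separate invocation, with time between them):
#   ./rotate-key.sh issue  my-user
#   ./rotate-key.sh retire my-user AKIAOLDKEYID 2024-05-01T12:00:00+00:00
#   ./rotate-key.sh delete my-user AKIAOLDKEYID
case "${1:-}" in
  issue)  issue_replacement_key "$2" ;;
  retire) retire_old_key "$2" "$3" "$4" ;;
  delete) delete_retired_key "$2" "$3" ;;
esac
```

Leave a margin between issuing the new key and retiring the old one: LastUsedDate is not updated in real time, and a consumer that only authenticates occasionally (a nightly job, for instance) will not show up until it runs.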

Get account authorization details

```bash
aws iam get-account-authorization-details --filter Role --query 'RoleDetailList[].{Name:RoleName,Arn:Arn}'
```

Covered Command Groups

| Group | Commands | Description |
|---|---|---|
| Users | create, delete, get, list, update, tag/untag | User lifecycle |
| Groups | create, delete, get, list, add/remove user | Group membership |
| Roles | create, delete, get, list, update, tag/untag | Role management |
| Policies | create, delete, get, list, create-version, set-default-version | Managed policies |
| Policy Attachment | attach/detach role/user/group policy, list attached/entities | Binding policies |
| Inline Policies | put/get/delete role/user/group policy, list role/user/group policies | Embedded policies |
| Instance Profiles | create, delete, get, list, add/remove role | EC2/ECS instance profiles |
| Access Keys | create, delete, list, update, get-last-used | Credential management |
| MFA | create/delete/deactivate/enable/list virtual MFA, resync | Multi-factor auth |
| Identity Providers | create/delete/get/list/update OIDC and SAML providers | Federation |
| Service-Linked Roles | create, delete, get-deletion-status | AWS-managed roles |
| Account | get-account-summary, get-account-authorization-details, generate-credential-report, get-credential-report | Account audit |

Command Reference

See references/index.md for the quick reference table and global options.

| Group | File | Commands |
|---|---|---|
| Users | users.md | create-user, get-user, list-users, update-user, delete-user |
| Groups | groups.md | create-group, get-group, list-groups, update-group, delete-group, add-user-to-group, remove-user-from-group, list-groups-for-user |
| Roles | roles.md | create-role, get-role, list-roles, update-role, update-role-description, update-assume-role-policy, delete-role |
| Managed Policies | managed-policies.md | create-policy, get-policy, list-policies, create-policy-version, get-policy-version, list-policy-versions, set-default-policy-version, delete-policy-version, delete-policy |
| Policy Attachment | policy-attachment.md | attach-role-policy, detach-role-policy, attach-user-policy, detach-user-policy, attach-group-policy, detach-group-policy, list-attached-role-policies, list-attached-user-policies, list-attached-group-policies, list-entities-for-policy |
| Inline Policies | inline-policies.md | put-role-policy, get-role-policy, delete-role-policy, list-role-policies, put-user-policy, get-user-policy, delete-user-policy, list-user-policies, put-group-policy, get-group-policy, delete-group-policy, list-group-policies |
| Instance Profiles | instance-profiles.md | create-instance-profile, get-instance-profile, list-instance-profiles, list-instance-profiles-for-role, add-role-to-instance-profile, remove-role-from-instance-profile, delete-instance-profile |
| Access Keys | access-keys.md | create-access-key, list-access-keys, get-access-key-last-used, update-access-key, delete-access-key |
| Login Profiles | login-profiles.md | create-login-profile, get-login-profile, update-login-profile, delete-login-profile |
| MFA Devices | mfa-devices.md | create-virtual-mfa-device, enable-mfa-device, deactivate-mfa-device, delete-virtual-mfa-device, list-mfa-devices, list-virtual-mfa-devices, resync-mfa-device, get-mfa-device |
| Signing Certificates | signing-certificates.md | upload-signing-certificate, list-signing-certificates, update-signing-certificate, delete-signing-certificate |
| SSH Public Keys | ssh-public-keys.md | upload-ssh-public-key, get-ssh-public-key, list-ssh-public-keys, update-ssh-public-key, delete-ssh-public-key |
| Server Certificates | server-certificates.md | upload-server-certificate, get-server-certificate, list-server-certificates, update-server-certificate, delete-server-certificate |
| OIDC Providers | oidc-providers.md | create-open-id-connect-provider, get-open-id-connect-provider, list-open-id-connect-providers, add-client-id-to-open-id-connect-provider, remove-client-id-from-open-id-connect-provider, update-open-id-connect-provider-thumbprint, delete-open-id-connect-provider |
| SAML Providers | saml-providers.md | create-saml-provider, get-saml-provider, list-saml-providers, update-saml-provider, delete-saml-provider |
| Service-Linked Roles | service-linked-roles.md | create-service-linked-role, delete-service-linked-role, get-service-linked-role-deletion-status |
| Service-Specific Credentials | service-specific-credentials.md | create-service-specific-credential, list-service-specific-credentials, update-service-specific-credential, reset-service-specific-credential, delete-service-specific-credential |
| Permissions Boundaries | permissions-boundaries.md | put-role-permissions-boundary, delete-role-permissions-boundary, put-user-permissions-boundary, delete-user-permissions-boundary |
| Account & Reporting | account-reporting.md | get-account-summary, get-account-authorization-details, generate-credential-report, get-credential-report, get-account-password-policy, update-account-password-policy, delete-account-password-policy, create-account-alias, list-account-aliases, delete-account-alias, generate-service-last-accessed-details, get-service-last-accessed-details, get-service-last-accessed-details-with-entities, set-security-token-service-preferences, list-policies-granting-service-access |
| Policy Simulation | policy-simulation.md | simulate-principal-policy, simulate-custom-policy, get-context-keys-for-principal-policy, get-context-keys-for-custom-policy |
| Tags | tags.md | tag-user, tag-role, tag-policy, tag-instance-profile, tag-mfa-device, tag-open-id-connect-provider, tag-saml-provider, tag-server-certificate, untag-user, untag-role, untag-policy, untag-instance-profile, untag-mfa-device, untag-open-id-connect-provider, untag-saml-provider, untag-server-certificate, list-user-tags, list-role-tags, list-policy-tags, list-instance-profile-tags, list-mfa-device-tags, list-open-id-connect-provider-tags, list-saml-provider-tags, list-server-certificate-tags |