# Operations Descriptions and Examples

This section describes each supported IAM operation and gives an example command for it, so that you can manage access and permissions within your system.

## Users and Groups management

### Users management

* create-user: Create a new user in IAM with the specified parameters.
* create-login-profile: Create a password for an IAM user.
* delete-user: Delete an existing user from IAM.
* list-users: Retrieve a list of all users in IAM.

{% tabs %}
{% tab title="create-user" %}
```bash
aws iam create-user --user-name "youruser@yourdomain.com" --endpoint-url https://iam.impossibleapi.net/ --profile aws
```
{% endtab %}

{% tab title="create-login-profile" %}
```bash
aws iam create-login-profile --user-name "youruser@yourdomain.com" --password 'Y0urP@Ssw0rd!' --endpoint-url https://iam.impossibleapi.net --profile aws
```
{% endtab %}

{% tab title="delete-user" %}
```bash
aws iam delete-user --user-name "youruser@yourdomain.com" --endpoint-url https://iam.impossibleapi.net --profile aws
```
{% endtab %}

{% tab title="list-users" %}
```bash
aws iam list-users --endpoint-url https://iam.impossibleapi.net --profile aws
```
{% endtab %}
{% endtabs %}

### Groups management

* create-group: Create a new group in IAM with the given attributes.
* delete-group: Delete an existing group from IAM.
* list-groups: Retrieve a list of all groups in IAM.
* get-group: Retrieve detailed information about a specific group in IAM.

{% tabs %}
{% tab title="create-group" %}
```bash
aws iam create-group --group-name your_group_name --endpoint-url https://iam.impossibleapi.net --profile aws
```
{% endtab %}

{% tab title="delete-group" %}
```bash
aws iam delete-group --group-name your_group_name --endpoint-url https://iam.impossibleapi.net --profile aws
```
{% endtab %}

{% tab title="list-groups" %}
```bash
aws iam list-groups --endpoint-url https://iam.impossibleapi.net --profile aws
```
{% endtab %}

{% tab title="get-group" %}
```bash
aws iam get-group --group-name your_group_name --endpoint-url https://iam.impossibleapi.net --profile aws
```
{% endtab %}
{% endtabs %}

### Users and groups advanced operations

* add-user-to-group: Add a user to a specific group in IAM.
* remove-user-from-group: Remove a user from a specific group in IAM.
* list-groups-for-user: Retrieve a list of groups associated with a particular user.

{% tabs %}
{% tab title="add-user-to-group" %}
```bash
aws iam add-user-to-group --user-name "youruser@yourdomain.com" --group-name your_group_name --endpoint-url https://iam.impossibleapi.net --profile aws
```
{% endtab %}

{% tab title="remove-user-from-group" %}
```bash
aws iam remove-user-from-group --user-name "youruser@yourdomain.com" --group-name your_group_name --endpoint-url https://iam.impossibleapi.net --profile aws
```
{% endtab %}

{% tab title="list-groups-for-user" %}
```bash
aws iam list-groups-for-user --user-name "youruser@yourdomain.com" --endpoint-url https://iam.impossibleapi.net --profile aws
```
{% endtab %}
{% endtabs %}

## Access keys management

* create-access-key: Generate a new access key for an IAM user.
* list-access-keys: Retrieve a list of access keys associated with an IAM user.
* delete-access-key: Delete an access key associated with an IAM user.

{% tabs %}
{% tab title="create-access-key" %}
```bash
aws iam create-access-key --user-name "youruser@yourdomain.com" --endpoint-url https://iam.impossibleapi.net --profile aws
```
{% endtab %}

{% tab title="list-access-keys" %}
```bash
aws iam list-access-keys --user-name "youruser@yourdomain.com" --endpoint-url https://iam.impossibleapi.net --profile aws
```
{% endtab %}

{% tab title="delete-access-key" %}
```bash
aws iam delete-access-key --user-name "youruser@yourdomain.com" --access-key-id "your access key id" --endpoint-url https://iam.impossibleapi.net --profile aws
```
{% endtab %}
{% endtabs %}

## Policies management

### Policies: basic operations

* create-policy: Create a new policy in IAM with the specified permissions.

{% hint style="warning" %}
When creating a policy, you have two options for specifying the policy document. You can either include the policy directly in the command using the "**--policy-document**" parameter, or you can create a separate JSON file (e.g., policy.json) containing the policy and use the "**--policy-document file://policy.json**" format where **file://policy.json** is the local path to your **policy.json** file.

Policy versions are not supported. Please use "--version-id 1" for the **get-policy-version** subcommand.

Please also beware of the [limitations](https://docs.impossiblecloud.com/impossible-cloud-help/impossible-cloud-storage-guide/cli-user-guide/aws-cli-iam/broken-reference).
{% endhint %}

* delete-policy: Delete an existing policy from IAM.
* get-policy-version: Retrieve full information about a specific version of a policy in IAM.
* list-policies: Retrieve a list of all policies in IAM.
* get-policy: Retrieve information about a specific policy in IAM.

{% tabs %}
{% tab title="create-policy: command" %}
```bash
aws iam create-policy --policy-name your_policy_name --policy-document '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:GetObjectVersion", "s3:PutObject"], "Resource": ["arn:aws:s3:::bucket_name/*"]}]}' --endpoint-url https://iam.impossibleapi.net --profile aws
```
{% endtab %}

{% tab title="create-policy: json file" %}
```bash
aws iam create-policy --policy-name your_policy_name --policy-document file://policy.json --endpoint-url https://iam.impossibleapi.net --profile aws
```
{% endtab %}

{% tab title="delete-policy" %}
```bash
aws iam delete-policy --policy-arn arn:ipcld:iam::YourCanonicalID:policy/your_policy_name --endpoint-url https://iam.impossibleapi.net --profile aws
```
{% endtab %}

{% tab title="get-policy-version" %}
```bash
aws iam get-policy-version --policy-arn="arn:ipcld:iam::YourCanonicalID:policy/your_policy_name" --version-id 1 --endpoint-url https://iam.impossibleapi.net --profile aws
```
{% endtab %}

{% tab title="list-policies" %}
```bash
aws iam list-policies --endpoint-url https://iam.impossibleapi.net --profile aws
```
{% endtab %}

{% tab title="get-policy" %}
```bash
aws iam get-policy --policy-arn="arn:ipcld:iam::YourCanonicalID:policy/your_policy_name" --endpoint-url https://iam.impossibleapi.net --profile aws
```
{% endtab %}
{% endtabs %}

{% hint style="info" %}
[How to retrieve your CanonicalID.](https://docs.impossiblecloud.com/impossible-cloud-help/impossible-cloud-storage-guide/cli-user-guide/aws-cli-iam/broken-reference)
{% endhint %}

### Policies: advanced operations

* attach-group-policy: Attach a policy to a specific group in IAM.
* detach-group-policy: Detach a policy from a specific group in IAM.
* list-attached-group-policies: Retrieve a list of policies attached to a specific group in IAM.

{% tabs %}
{% tab title="attach-group-policy" %}
```bash
aws iam attach-group-policy --group-name your_group_name --policy-arn arn:ipcld:iam::YourCanonicalID:policy/your_policy_name --endpoint-url https://iam.impossibleapi.net --profile aws
```
{% endtab %}

{% tab title="detach-group-policy" %}
```bash
aws iam detach-group-policy --group-name your_group_name --policy-arn arn:ipcld:iam::YourCanonicalID:policy/your_policy_name --endpoint-url https://iam.impossibleapi.net --profile aws
```
{% endtab %}

{% tab title="list-attached-group-policies" %}
```bash
aws iam list-attached-group-policies --group-name your_group_name --endpoint-url https://iam.impossibleapi.net --profile aws
```
{% endtab %}
{% endtabs %}
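
The operations above combine into one group-based workflow: write a bucket-scoped `policy.json`, create the policy, attach it to a group, add the user to that group, then verify the result. The script below is an added example, not part of the original guide; the function names (`policy_arn`, `write_policy`, `iam`, `provision`) are hypothetical and all arguments are placeholders.

```bash
#!/usr/bin/env bash
# Added example: grant one user access to one bucket through a group,
# using only subcommands documented on this page. Names are placeholders.
set -eu

ENDPOINT="https://iam.impossibleapi.net"
PROFILE="aws"

# policy_arn <canonical_id> <policy_name>
# Builds the ARN in the arn:ipcld:iam::<CanonicalID>:policy/<name> form.
policy_arn() {
  printf 'arn:ipcld:iam::%s:policy/%s\n' "$1" "$2"
}

# write_policy <bucket> <output_file>
# Writes a policy document limited to objects in a single bucket, with the
# same actions as the inline create-policy example.
write_policy() {
  cat > "$2" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:GetObjectVersion", "s3:PutObject"],
      "Resource": ["arn:aws:s3:::${1}/*"]
    }
  ]
}
EOF
}

# Wrapper so every call uses the same endpoint and profile.
iam() { aws iam "$@" --endpoint-url "$ENDPOINT" --profile "$PROFILE"; }

# provision <canonical_id> <bucket> <policy_name> <group_name> <user_name>
provision() {
  _arn="$(policy_arn "$1" "$3")"
  write_policy "$2" policy.json
  iam create-policy --policy-name "$3" --policy-document file://policy.json
  iam create-group --group-name "$4"
  iam attach-group-policy --group-name "$4" --policy-arn "$_arn"
  iam create-user --user-name "$5"
  iam add-user-to-group --user-name "$5" --group-name "$4"
  # Confirm what the group grants and who is in it before issuing keys.
  iam list-attached-group-policies --group-name "$4"
  iam list-groups-for-user --user-name "$5"
}
```

Call it as `provision YourCanonicalID bucket_name your_policy_name your_group_name "youruser@yourdomain.com"`; granting access through the group keeps a later `detach-group-policy` or `remove-user-from-group` as the single point of revocation.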
