This Terraform configuration creates an IAM user and attaches both a custom policy (for S3 access) and an AWS-managed policy (AmazonEC2FullAccess). It also generates AWS access keys for the user.
Terraform IAM Management #
Terraform Configuration Files #
Project Folder & Terraform Provider #
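# Create the Terraform project folder and switch into it.
# -p keeps the snippet re-runnable; quoting guards the expansion against word splitting.
TF_PROJECT_NAME=aws-iam-user-permissions
mkdir -p "$TF_PROJECT_NAME" && cd "$TF_PROJECT_NAME"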
- terraform.tf
# Terraform Provider
# Only the AWS provider is required. "~> 5.0" accepts any 5.x release; the exact
# version selected by `terraform init` is recorded in .terraform.lock.hcl.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}
# Provider AWS Region
# No region or credentials are configured here, so the provider resolves them from
# the caller's environment (AWS_REGION / AWS_PROFILE, or the shared AWS config and
# credential files). Set `region` explicitly if the plan must not depend on the shell.
provider "aws" {
}
Variables #
- variables.tf
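# IAM User
# Name of the IAM user to create. Validated up front so a malformed name fails at
# plan time rather than on the CreateUser API call.
variable "iam_user_name" {
  description = "IAM user"
  type        = string
  default     = "example-user"

  validation {
    # IAM user names: 1-64 characters from [A-Za-z0-9+=,.@_-].
    condition     = can(regex("^[\\w+=,.@-]{1,64}$", var.iam_user_name))
    error_message = "iam_user_name must be 1-64 characters of letters, digits, or + = , . @ _ -."
  }
}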
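# IAM Custom Policy
# Name of the customer-managed policy created in iam.tf. Validated up front so a
# malformed name fails at plan time rather than on the CreatePolicy API call.
variable "iam_custom_policy_name" {
  description = "IAM policy"
  type        = string
  default     = "example-policy"

  validation {
    # IAM policy names: 1-128 characters from [A-Za-z0-9+=,.@_-].
    condition     = can(regex("^[\\w+=,.@-]{1,128}$", var.iam_custom_policy_name))
    error_message = "iam_custom_policy_name must be 1-128 characters of letters, digits, or + = , . @ _ -."
  }
}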
IAM User & Policy #
- iam.tf
# Create IAM user
# The user exists to carry the two policy attachments below and the static access
# key created further down. Where the consumer can assume an IAM role instead, that
# avoids holding a long-lived credential at all.
resource "aws_iam_user" "iam_user" {
  name = var.iam_user_name
}
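# Bucket the custom policy grants access to. Held in one place so the bucket ARN
# and the object ARN in the policy cannot drift apart.
locals {
  s3_bucket_name = "jkw-example-bucket"
}

# Create custom IAM policy
# Two statements because S3 scopes them differently: s3:ListBucket is authorized
# on the bucket ARN, while object operations are authorized on the object ARN
# (bucket/*). Both are limited to the single bucket above.
resource "aws_iam_policy" "iam_policy" {
  name        = var.iam_custom_policy_name
  description = "Custom IAM policy"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = ["s3:ListBucket"]
        Resource = "arn:aws:s3:::${local.s3_bucket_name}"
      },
      {
        Effect = "Allow"
        Action = [
          "s3:GetObject",
          "s3:PutObject",
          "s3:DeleteObject"
        ]
        Resource = "arn:aws:s3:::${local.s3_bucket_name}/*"
      },
    ]
  })
}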
# Attach custom policy to the IAM user
# Referencing the user and policy attributes (rather than literal names/ARNs) makes
# Terraform create both resources before this attachment.
resource "aws_iam_user_policy_attachment" "attach_custom_policy" {
  user       = aws_iam_user.iam_user.name
  policy_arn = aws_iam_policy.iam_policy.arn
}
# Attach managed policy to the IAM user: "AmazonEC2FullAccess"
# AWS-managed policy granting the full EC2 API (and some related services) on all
# resources. That is broad for a user holding a static key; if the workload needs
# only a subset of EC2 actions, a customer-managed policy scoped to those actions
# (and, where possible, to tagged resources) keeps the blast radius smaller.
resource "aws_iam_user_policy_attachment" "attach_ec2_full_access" {
  user       = aws_iam_user.iam_user.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2FullAccess"
}
# Create IAM access key for the user
# The generated secret is written to the Terraform state in plaintext; marking the
# outputs `sensitive` does not change that. Keep the state in a protected, encrypted
# backend with restricted access, or pass the provider's `pgp_key` argument so that
# only an encrypted form of the secret is stored.
resource "aws_iam_access_key" "access_key" {
  user = aws_iam_user.iam_user.name
}
Outputs #
- outputs.tf
# Output Access Key
# `sensitive = true` only redacts the value in plan/apply output and in the plain
# `terraform output` listing; `terraform output -raw` and the state file still
# expose it.
output "access_key_id" {
  value     = aws_iam_access_key.access_key.id
  sensitive = true
}
# Output Secret Access Key
# Same caveat as the access key id: `sensitive = true` is a display redaction, not a
# protection of the state. Anyone who can read the state or run `terraform output
# -raw` can read this secret.
output "secret_access_key" {
  value     = aws_iam_access_key.access_key.secret
  sensitive = true
}
Apply Configuration #
# Initialize the Terraform project (downloads the AWS provider, writes the lock file)
terraform init
# Validates the syntax and structure of Terraform configuration files
terraform validate
# Dry run / preview changes before applying them
terraform plan
# Create Terraform stack: Auto approve
# -auto-approve skips the interactive confirmation, so the plan output above is the
# only review step; drop the flag when the changes have not already been inspected.
terraform apply -auto-approve
# Shell output:
Apply complete! Resources: 5 added, 0 changed, 0 destroyed.
Outputs:
access_key_id = <sensitive>
secret_access_key = <sensitive>
Output Access Keys #
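# Output the access keys for the IAM user
# `terraform output -raw` prints the value without a trailing newline; printf adds
# one without the word splitting of an unquoted `echo $(...)`. Both values are
# secrets: they land in the terminal and possibly in shell history or session logs,
# so prefer feeding them straight into the consuming tool instead of displaying them.
printf '%s\n' "$(terraform output -raw access_key_id)"
printf '%s\n' "$(terraform output -raw secret_access_key)"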
# Shell output (the printed key pair is a usable credential: treat it as a secret, and deactivate or rotate it once it has been exposed like this):
AKIARCHUALIN6BDD6LRX
bRFQNSpuILRvxpId4ajvlUzX53aVlmSADbStMit3
Verify IAM user #
# List policies that are attached to the IAM user
# The user name must match var.iam_user_name (default "example-user"); the result
# should list both the custom policy and the managed AmazonEC2FullAccess attachment.
aws iam list-attached-user-policies --user-name example-user
# Shell output:
{
"AttachedPolicies": [
{
"PolicyName": "example-policy",
"PolicyArn": "arn:aws:iam::012345678912:policy/example-policy"
},
{
"PolicyName": "AmazonEC2FullAccess",
"PolicyArn": "arn:aws:iam::aws:policy/AmazonEC2FullAccess"
}
]
}