For more information about using this API in one of the language-specific AWS SDKs, see the following:
• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for JavaScript
• AWS SDK for PHP V3
• AWS SDK for Python
• AWS SDK for Ruby V3
AddRoleToInstanceProfile
AddRoleToInstanceProfile
Adds the specified IAM role to the specified instance profile. An instance profile can contain only one role, and this quota cannot be increased. You can remove the existing role and then add a different role to an instance profile. You must then wait for the change to appear across all of AWS because of eventual consistency. To force the change, you must disassociate the instance profile and then associate the instance profile, or you can stop your instance and then restart it.
NoteThe caller of this operation must be granted the PassRole permission on the IAM role by a permissions policy.
For more information about roles, see Working with roles. For more information about instance profiles, see About instance profiles.
Request Parameters
For information about the parameters that are common to all actions, see Common Parameters (p. 563).
InstanceProfileName
The name of the instance profile to update.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters:
_+=,.@-Type: String
Length Constraints: Minimum length of 1. Maximum length of 128.
Pattern: [\w+=,.@-]+
Required: Yes RoleName
The name of the role to add.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters:
_+=,.@-Type: String
Length Constraints: Minimum length of 1. Maximum length of 64.
Pattern: [\w+=,.@-]+
Required: Yes
Errors
For information about the errors that are common to all actions, see Common Errors (p. 565).
EntityAlreadyExists
The request was rejected because it attempted to create a resource that already exists.
Examples
HTTP Status Code: 409 LimitExceeded
The request was rejected because it attempted to create resources beyond the current AWS account limits. The error message describes the limit exceeded.
HTTP Status Code: 409 NoSuchEntity
The request was rejected because it referenced a resource entity that does not exist. The error message describes the resource.
HTTP Status Code: 404 ServiceFailure
The request processing has failed because of an unknown error, exception or failure.
HTTP Status Code: 500 UnmodifiableEntity
The request was rejected because only the service that depends on the service-linked role can modify or delete the role on your behalf. The error message includes the name of the service that depends on this service-linked role. You must request the change through that service.
HTTP Status Code: 400
Examples
Example
This example illustrates one usage of AddRoleToInstanceProfile.
Sample Request
https://iam.amazonaws.com/?Action=AddRoleToInstanceProfile
&InstanceProfileName=Webserver
&RoleName=S3Access
&Version=2010-05-08
&AUTHPARAMS
Sample Response
<AddRoleToInstanceProfileResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
<ResponseMetadata>
<RequestId>12657608-99f2-11e1-a4c3-27EXAMPLE804</RequestId>
</ResponseMetadata>
</AddRoleToInstanceProfileResponse>
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
• AWS Command Line Interface
• AWS SDK for .NET
See Also
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for JavaScript
• AWS SDK for PHP V3
• AWS SDK for Python
• AWS SDK for Ruby V3
AddUserToGroup
AddUserToGroup
Adds the specified user to the specified group.
Request Parameters
For information about the parameters that are common to all actions, see Common Parameters (p. 563).
GroupName
The name of the group to update.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters:
_+=,.@-Type: String
Length Constraints: Minimum length of 1. Maximum length of 128.
Pattern: [\w+=,.@-]+
Required: Yes UserName
The name of the user to add.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters:
_+=,.@-Type: String
Length Constraints: Minimum length of 1. Maximum length of 128.
Pattern: [\w+=,.@-]+
Required: Yes
Errors
For information about the errors that are common to all actions, see Common Errors (p. 565).
LimitExceeded
The request was rejected because it attempted to create resources beyond the current AWS account limits. The error message describes the limit exceeded.
HTTP Status Code: 409 NoSuchEntity
The request was rejected because it referenced a resource entity that does not exist. The error message describes the resource.
HTTP Status Code: 404
Examples
ServiceFailure
The request processing has failed because of an unknown error, exception or failure.
HTTP Status Code: 500
Examples
Example
This example illustrates one usage of AddUserToGroup.
Sample Request
https://iam.amazonaws.com/?Action=AddUserToGroup
&GroupName=Managers
&UserName=Bob
&Version=2010-05-08
&AUTHPARAMS
Sample Response
<AddUserToGroupResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
<ResponseMetadata>
<RequestId>7a62c49f-347e-4fc4-9331-6e8eEXAMPLE</RequestId>
</ResponseMetadata>
</AddUserToGroupResponse>
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for JavaScript
• AWS SDK for PHP V3
• AWS SDK for Python
• AWS SDK for Ruby V3
AttachGroupPolicy
AttachGroupPolicy
Attaches the specified managed policy to the specified IAM group.
You use this operation to attach a managed policy to a group. To embed an inline policy in a group, use PutGroupPolicy (p. 326).
As a best practice, you can validate your IAM policies. To learn more, see Validating IAM policies in the IAM User Guide.
For more information about policies, see Managed policies and inline policies in the IAM User Guide.
Request Parameters
For information about the parameters that are common to all actions, see Common Parameters (p. 563).
GroupName
The name (friendly name, not ARN) of the group to attach the policy to.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters:
_+=,.@-Type: String
Length Constraints: Minimum length of 1. Maximum length of 128.
Pattern: [\w+=,.@-]+
Required: Yes PolicyArn
The Amazon Resource Name (ARN) of the IAM policy you want to attach.
For more information about ARNs, see Amazon Resource Names (ARNs) in the AWS General Reference.
Type: String
Length Constraints: Minimum length of 20. Maximum length of 2048.
Required: Yes
Errors
For information about the errors that are common to all actions, see Common Errors (p. 565).
InvalidInput
The request was rejected because an invalid or out-of-range value was supplied for an input parameter.
HTTP Status Code: 400
Examples
LimitExceeded
The request was rejected because it attempted to create resources beyond the current AWS account limits. The error message describes the limit exceeded.
HTTP Status Code: 409 NoSuchEntity
The request was rejected because it referenced a resource entity that does not exist. The error message describes the resource.
HTTP Status Code: 404 PolicyNotAttachable
The request failed because AWS service role policies can only be attached to the service-linked role for that service.
HTTP Status Code: 400 ServiceFailure
The request processing has failed because of an unknown error, exception or failure.
HTTP Status Code: 500
Examples
Example
This example illustrates one usage of AttachGroupPolicy.
Sample Request
https://iam.amazonaws.com/?Action=AttachGroupPolicy
&GroupName=Finance
&PolicyArn=arn:aws:iam::aws:policy/ReadOnlyAccess
&Version=2010-05-08
&AUTHPARAMS
Sample Response
<AttachGroupPolicyResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
<ResponseMetadata>
<RequestId>f8a7b7b9-3d01-11e4-bfad-8d1c6EXAMPLE</RequestId>
</ResponseMetadata>
</AttachGroupPolicyResponse>
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++
• AWS SDK for Go
See Also
• AWS SDK for Java V2
• AWS SDK for JavaScript
• AWS SDK for PHP V3
• AWS SDK for Python
• AWS SDK for Ruby V3
AttachRolePolicy
AttachRolePolicy
Attaches the specified managed policy to the specified IAM role. When you attach a managed policy to a role, the managed policy becomes part of the role's permission (access) policy.
NoteYou cannot use a managed policy as the role's trust policy. The role's trust policy is created at the same time as the role, using CreateRole (p. 50). You can update a role's trust policy using UpdateAssumeRolePolicy (p. 431).
Use this operation to attach a managed policy to a role. To embed an inline policy in a role, use PutRolePolicy (p. 331). For more information about policies, see Managed policies and inline policies in the IAM User Guide.
As a best practice, you can validate your IAM policies. To learn more, see Validating IAM policies in the IAM User Guide.
Request Parameters
For information about the parameters that are common to all actions, see Common Parameters (p. 563).
PolicyArn
The Amazon Resource Name (ARN) of the IAM policy you want to attach.
For more information about ARNs, see Amazon Resource Names (ARNs) in the AWS General Reference.
Type: String
Length Constraints: Minimum length of 20. Maximum length of 2048.
Required: Yes RoleName
The name (friendly name, not ARN) of the role to attach the policy to.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters:
_+=,.@-Type: String
Length Constraints: Minimum length of 1. Maximum length of 64.
Pattern: [\w+=,.@-]+
Required: Yes
Errors
For information about the errors that are common to all actions, see Common Errors (p. 565).
InvalidInput
The request was rejected because an invalid or out-of-range value was supplied for an input parameter.
Examples
HTTP Status Code: 400 LimitExceeded
The request was rejected because it attempted to create resources beyond the current AWS account limits. The error message describes the limit exceeded.
HTTP Status Code: 409 NoSuchEntity
The request was rejected because it referenced a resource entity that does not exist. The error message describes the resource.
HTTP Status Code: 404 PolicyNotAttachable
The request failed because AWS service role policies can only be attached to the service-linked role for that service.
HTTP Status Code: 400 ServiceFailure
The request processing has failed because of an unknown error, exception or failure.
HTTP Status Code: 500 UnmodifiableEntity
The request was rejected because only the service that depends on the service-linked role can modify or delete the role on your behalf. The error message includes the name of the service that depends on this service-linked role. You must request the change through that service.
HTTP Status Code: 400
Examples
Example
This example illustrates one usage of AttachRolePolicy.
Sample Request
https://iam.amazonaws.com/?Action=AttachRolePolicy
&PolicyArn=arn:aws:iam::aws:policy/ReadOnlyAccess
&RoleName=ReadOnlyRole
&Version=2010-05-08
&AUTHPARAMS
Sample Response
<AttachRolePolicyResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
<ResponseMetadata>
<RequestId>37a87673-3d07-11e4-bfad-8d1c6EXAMPLE</RequestId>
</ResponseMetadata>
</AttachRolePolicyResponse>
See Also
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for JavaScript
• AWS SDK for PHP V3
• AWS SDK for Python
• AWS SDK for Ruby V3
AttachUserPolicy
AttachUserPolicy
Attaches the specified managed policy to the specified user.
You use this operation to attach a managed policy to a user. To embed an inline policy in a user, use PutUserPolicy (p. 336).
As a best practice, you can validate your IAM policies. To learn more, see Validating IAM policies in the IAM User Guide.
For more information about policies, see Managed policies and inline policies in the IAM User Guide.
Request Parameters
For information about the parameters that are common to all actions, see Common Parameters (p. 563).
PolicyArn
The Amazon Resource Name (ARN) of the IAM policy you want to attach.
For more information about ARNs, see Amazon Resource Names (ARNs) in the AWS General Reference.
Type: String
Length Constraints: Minimum length of 20. Maximum length of 2048.
Required: Yes UserName
The name (friendly name, not ARN) of the IAM user to attach the policy to.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters:
_+=,.@-Type: String
Length Constraints: Minimum length of 1. Maximum length of 64.
Pattern: [\w+=,.@-]+
Required: Yes
Errors
For information about the errors that are common to all actions, see Common Errors (p. 565).
InvalidInput
The request was rejected because an invalid or out-of-range value was supplied for an input parameter.
HTTP Status Code: 400
Examples
LimitExceeded
The request was rejected because it attempted to create resources beyond the current AWS account limits. The error message describes the limit exceeded.
HTTP Status Code: 409 NoSuchEntity
The request was rejected because it referenced a resource entity that does not exist. The error message describes the resource.
HTTP Status Code: 404 PolicyNotAttachable
The request failed because AWS service role policies can only be attached to the service-linked role for that service.
HTTP Status Code: 400 ServiceFailure
The request processing has failed because of an unknown error, exception or failure.
HTTP Status Code: 500
Examples
Example
This example illustrates one usage of AttachUserPolicy.
Sample Request
https://iam.amazonaws.com/?Action=AttachUserPolicy
&PolicyArn=arn:aws:iam::aws:policy/AdministratorAccess
&UserName=Alice
&Version=2010-05-08
&AUTHPARAMS
Sample Response
<AttachUserPolicyResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
<ResponseMetadata>
<RequestId>ed7e72d3-3d07-11e4-bfad-8d1c6EXAMPLE</RequestId>
</ResponseMetadata>
</AttachUserPolicyResponse>
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++
• AWS SDK for Go
See Also
• AWS SDK for Java V2
• AWS SDK for JavaScript
• AWS SDK for PHP V3
• AWS SDK for Python
• AWS SDK for Ruby V3
ChangePassword
ChangePassword
Changes the password of the IAM user who is calling this operation. This operation can be performed using the AWS CLI, the AWS API, or the My Security Credentials page in the AWS Management Console.
The AWS account root user password is not affected by this operation.
Use UpdateLoginProfile (p. 437) to use the AWS CLI, the AWS API, or the Users page in the IAM
console to change the password for any IAM user. For more information about modifying passwords, see Managing passwords in the IAM User Guide.
Request Parameters
For information about the parameters that are common to all actions, see Common Parameters (p. 563).
NewPassword
The new password. The new password must conform to the AWS account's password policy, if one exists.
The regex pattern that is used to validate this parameter is a string of characters. That string can include almost any printable ASCII character from the space (\u0020) through the end of the ASCII character range (\u00FF). You can also include the tab (\u0009), line feed (\u000A), and carriage return (\u000D) characters. Any of these characters are valid in a password. However, many tools, such as the AWS Management Console, might restrict the ability to type certain characters because they have special meaning within that tool.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 128.
Pattern: [\u0009\u000A\u000D\u0020-\u00FF]+
Required: Yes OldPassword
The IAM user's current password.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 128.
Pattern: [\u0009\u000A\u000D\u0020-\u00FF]+
Required: Yes
Errors
For information about the errors that are common to all actions, see Common Errors (p. 565).
EntityTemporarilyUnmodifiable
The request was rejected because it referenced an entity that is temporarily unmodifiable, such as a user name that was deleted and then recreated. The error indicates that the request is likely to succeed if you try again after waiting several minutes. The error message describes the entity.
HTTP Status Code: 409
Examples
InvalidUserType
The request was rejected because the type of user for the transaction was incorrect.
HTTP Status Code: 400 LimitExceeded
The request was rejected because it attempted to create resources beyond the current AWS account limits. The error message describes the limit exceeded.
HTTP Status Code: 409 NoSuchEntity
The request was rejected because it referenced a resource entity that does not exist. The error message describes the resource.
HTTP Status Code: 404 PasswordPolicyViolation
The request was rejected because the provided password did not meet the requirements imposed by the account password policy.
HTTP Status Code: 400 ServiceFailure
The request processing has failed because of an unknown error, exception or failure.
HTTP Status Code: 500
Examples
Example
This example illustrates one usage of ChangePassword.
Sample Request
https://iam.amazonaws.com/?Action=ChangePassword
&OldPassword=U79}kgds4?
&NewPassword=Lb0*1(9xpN
&Version=2010-05-08
&AUTHPARAMS
Sample Response
<ChangePasswordResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
<ResponseMetadata>
<RequestId>7a62c49f-347e-4fc4-9331-6e8eEXAMPLE</RequestId>
</ResponseMetadata>
</ChangePasswordResponse>
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
See Also
• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for JavaScript
• AWS SDK for PHP V3
• AWS SDK for Python
• AWS SDK for Ruby V3
CreateAccessKey
CreateAccessKey
Creates a new AWS secret access key and corresponding AWS access key ID for the specified user. The default status for new keys is Active.
If you do not specify a user name, IAM determines the user name implicitly based on the AWS access key ID signing the request. This operation works for access keys under the AWS account. Consequently, you can use this operation to manage AWS account root user credentials. This is true even if the AWS account has no associated users.
For information about quotas on the number of keys you can create, see IAM and AWS STS quotas in the IAM User Guide.
Important
To ensure the security of your AWS account, the secret access key is accessible only during key and user creation. You must save the key (for example, in a text file) if you want to be able to access it again. If a secret key is lost, you can delete the access keys for the associated user and then create new keys.
Request Parameters
For information about the parameters that are common to all actions, see Common Parameters (p. 563).
UserName
The name of the IAM user that the new key will belong to.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters:
_+=,.@-Type: String
Length Constraints: Minimum length of 1. Maximum length of 128.
Pattern: [\w+=,.@-]+
Required: No