Resource: awsIamUser
Provides an IAM user.
NOTE: If policies are attached to the user via the awsIamPolicyAttachment resource and you are modifying the user name or path, the forceDestroy argument must be set to true and applied before attempting the operation, otherwise you will encounter a deleteConflict error. The awsIamUserPolicyAttachment resource (recommended) does not have this requirement.
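The condition in the note can be checked before a rename is attempted. This is an added example, not part of the provider documentation: it scans Terraform JSON of the shape `cdktf synth` writes and lists IAM users that appear in an aws_iam_policy_attachment `users` list without `force_destroy = true`. The snake_case names are Terraform's own names for the camelCase resources and arguments on this page; `usersNeedingForceDestroy`, `sampleConfig` and the sample values are constructed for illustration, and only literal names and `${aws_iam_user.<id>.name}` references are recognised.

```typescript
// Added example: lint Terraform JSON (the shape `cdktf synth` writes) for IAM users
// attached via aws_iam_policy_attachment without force_destroy = true.
type Block = Record<string, unknown>;
type TfConfig = { resource: Record<string, Record<string, Block>> };

// Constructed sample input, trimmed to the fields the check reads.
const sampleConfig: TfConfig = {
  resource: {
    aws_iam_user: {
      lb: { name: "loadbalancer", path: "/system/" },
      ci: { name: "ci-runner", force_destroy: true },
      audit: { name: "auditor" },
    },
    aws_iam_policy_attachment: {
      ro: { users: ["${aws_iam_user.lb.name}", "ci-runner"] },
    },
    aws_iam_user_policy_attachment: {
      audit_ro: { user: "${aws_iam_user.audit.name}" },
    },
  },
};

// Returns the logical IDs of users whose rename or path change would fail
// with the delete conflict described in the note.
function usersNeedingForceDestroy(config: TfConfig): string[] {
  const users: Record<string, Block> = config.resource.aws_iam_user || {};
  const attachments: Record<string, Block> =
    config.resource.aws_iam_policy_attachment || {};
  // Flatten every attachment's `users` list into one array of strings.
  const attached: string[] = [];
  Object.keys(attachments).forEach((id) => {
    const list = attachments[id].users;
    if (Array.isArray(list)) list.forEach((u) => attached.push(String(u)));
  });
  return Object.keys(users)
    .filter((id) => {
      // A user may be listed by interpolated reference or by literal name.
      const byRef = attached.indexOf("${aws_iam_user." + id + ".name}") !== -1;
      const byName = attached.indexOf(String(users[id].name)) !== -1;
      return (byRef || byName) && users[id].force_destroy !== true;
    })
    .sort();
}
```

Users attached through aws_iam_user_policy_attachment are never reported, which matches the note: that resource does not have the requirement.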
Example Usage
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import { Construct } from "constructs";
import { TerraformStack } from "cdktf";
import * as aws from "./.gen/providers/aws";

/*The resources need a construct scope for "this"; a stack is used here and the class name is illustrative.*/
class IamUserStack extends TerraformStack {
  constructor(scope: Construct, id: string) {
    super(scope, id);

    /*The IAM user itself.*/
    const awsIamUserLb = new aws.iamUser.IamUser(this, "lb", {
      name: "loadbalancer",
      path: "/system/",
      tags: {
        "tag-key": "tag-value",
      },
    });

    /*Read-only policy document that allows the EC2 Describe* actions.*/
    const dataAwsIamPolicyDocumentLbRo =
      new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(this, "lb_ro", {
        statement: [
          {
            actions: ["ec2:Describe*"],
            effect: "Allow",
            resources: ["*"],
          },
        ],
      });

    /*Access key for the user.*/
    const awsIamAccessKeyLb = new aws.iamAccessKey.IamAccessKey(this, "lb_2", {
      user: awsIamUserLb.name,
    });
    /*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
    awsIamAccessKeyLb.overrideLogicalId("lb");

    /*Inline user policy built from the policy document above.*/
    const awsIamUserPolicyLbRo = new aws.iamUserPolicy.IamUserPolicy(
      this,
      "lb_ro_3",
      {
        name: "test",
        policy: dataAwsIamPolicyDocumentLbRo.json,
        user: awsIamUserLb.name,
      }
    );
    /*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
    awsIamUserPolicyLbRo.overrideLogicalId("lb_ro");
  }
}
Argument Reference
The following arguments are supported:
name - (Required) The user's name. The name must consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@-_. User names are not distinguished by case. For example, you cannot create users named both "TESTUSER" and "testuser".
path - (Optional, default "/") Path in which to create the user.
permissionsBoundary - (Optional) The ARN of the policy that is used to set the permissions boundary for the user.
forceDestroy - (Optional, default false) When destroying this user, destroy even if it has non-Terraform-managed IAM access keys, login profile or MFA devices. Without forceDestroy a user with non-Terraform-managed access keys and login profile will fail to be destroyed.
tags - Key-value map of tags for the IAM user. If configured with a provider defaultTags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
Attributes Reference
In addition to all arguments above, the following attributes are exported:
arn - The ARN assigned by AWS for this user.
name - The user's name.
tagsAll - A map of tags assigned to the resource, including those inherited from the provider defaultTags configuration block.
uniqueId - The unique ID assigned by AWS.
Import
IAM Users can be imported using the name, e.g.,