Creating Users and Roles in AWS: 5 min read

Clearing the Confusion: A Comprehensive Guide to Creating AWS Users, Assigning Roles, and Permissions for New AWS Users.

Orkhan Huseynli
4 min readMay 8, 2023


When you first create an Amazon Web Services account, you begin with root user, a single sign-in identity that has complete access to all AWS services and resources in the account. Amazon team strongly recommends to create another user for your everyday tasks. As for new starters it can be confusing to understand all nuances at once, so I decided to create a step-by-step guide.

  1. Create and AWS account.
  2. Login to your account
  3. Create IAM user

First of all, what is an IAM? IAM stands for Identity and Access Management. It is a web service that helps you securely control access to AWS resources: creating users, roles and permissions and control authenticated logins.

If you type IAM in AWS search, IAM service button will immediately pop-up on top of the results.

Click on that service and look at the left panel. Click on Users, so we can Add a new user.

Once you click add users, you can intuitively follow all the steps for creating a new user. In this tutorial, I name it “test_user”.

4. Create a role for a new user

Creating a new user is not enough. We must give it a set of permissions to access AWS services and resources. Although we can give permissions directly, I will suggest creating a role with necessary permissions and assuming that role by our test_user. Thus, in the future the same role can be assumed by other users without doing a tedious work of selecting a list permissions for each of them separately.

So, lets create a role. In the same IAM service page, you look at the left panel and click on Roles option.

Click on “Create role” and follow all the steps. Once you have created the role, you must add necessary permissions. Here I attach the image of all permissions I have added to the newly created “test_user_role”, which is going to be later assumed by previously created “test_user”.

It is necessary to indicate which entities can assume the newly created under Trust relationships tab in the role’s page. In this screenshot we provide our “test_user”, which was created in the steps earlier, as a “trusted entity”.

Here is the code snippet from the image:

"Version": "2012-10-17",
"Statement": [
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<your account number>:user/test_user"
"Action": "sts:AssumeRole"

5. Create ACCESS TOKENS for the test_user

We will need access tokens when using our “test_user” for any actions perform through cli, namely when we use Infrastructure as Code tools like Terraform to build our services.

Go to Users page and select “test_user”, then scroll down until you see “Access keys” tab. Click Create access keys and follow steps.

6. Assume the role by the test_user

Once you finalise this step 5, our “test_user” is ready to assume “test_user_role” which has enough permissions for our next tutorial. Here is snipper of the code from Terraform exactly showing that:

provider "aws" {

assume_role {
#The role ARN within Account <your account number> to AssumeRole into.
role_arn = "arn:aws:iam::<your account number>:role/test_user_role"

If you have successfully gone through all steps, then you are ready for my next tutorial Widen Your Expertise with Infrastructure as Code: Short Tutorial

Read also:

  1. Widen Your Expertise with Infrastructure as Code: Short Tutorial
  2. When DataViz embraces Game Development
  3. Write Better Code Faster: 5 min read
  4. Software Architecture Patterns: 5 minute read
  5. How to Scale Your Applications: 5 min read
  6. Caching as a part Software Architecture: 5 min read
  7. RPC chains: 5 min read