Inspect one IAM user
📑 On this page
Part 83 of AWS from Zero. This lesson changes or inspects one IAM concept so the permission model stays understandable.
What we are learning
get-user returns the identity record, not its complete permissions or credentials.
Before you run it
aws sts get-caller-identity
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
USER_NAME="aws-zero-learner"
GROUP_NAME="aws-zero-readers"
ROLE_NAME="aws-zero-demo-role"IAM is global rather than regional. Use a sandbox account and a delegated administrator identity, never root access keys.
The command
aws iam get-user --user-name "$USER_NAME"IAM writes can take a short time to propagate. Inspect the resource after every change.
Inspect the result
aws iam get-user \
--user-name "$USER_NAME" \
--query "User.{Name:UserName,UserId:UserId,Arn:Arn,Path:Path,Created:CreateDate,PasswordLastUsed:PasswordLastUsed}" \
--output tableRead the returned ARN, path, IDs, and attachment state instead of checking only the command exit code.
One tiny variation
aws iam list-user-tags \
--user-name "$USER_NAME" \
--output tableTags provide ownership and lifecycle context that the base user record does not.
Common mistake
PasswordLastUsed concerns console password use and can be absent. It says nothing about access-key activity.
Cleanup
# This lesson is read-only or reuses a named demo identity.
aws sts get-caller-identityKeep shared demo identities only while following the IAM sequence. Part 125 removes them in dependency order.
Next, we will learn Create an IAM user without credentials.