← All posts
2 min read

Create an IAM user group

#aws#cli#iam#security#identity
📑 On this page

Part 87 of AWS from Zero. This lesson changes or inspects one IAM concept so the permission model stays understandable.

What we are learning

IAM groups collect users for shared permissions. Groups cannot contain other groups and cannot be assumed like roles.

Before you run it

aws sts get-caller-identity
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
USER_NAME="aws-zero-learner"
GROUP_NAME="aws-zero-readers"
ROLE_NAME="aws-zero-demo-role"

IAM is global rather than regional. Use a sandbox account and a delegated administrator identity, never root access keys.

The command

aws iam create-group \
  --group-name "$GROUP_NAME"

IAM writes can take a short time to propagate. Inspect the resource after every change.

Inspect the result

aws iam get-group \
  --group-name "$GROUP_NAME" \
  --query "Group.{Name:GroupName,Arn:Arn,Created:CreateDate}" \
  --output table

Read the returned ARN, path, IDs, and attachment state instead of checking only the command exit code.

One tiny variation

aws iam create-group \
  --group-name aws-zero-operators \
  --path /teams/

A path can group related IAM resources but does not establish hierarchy or inherited permissions.

Common mistake

Do not put applications into groups by creating long-term IAM users for them. Workloads should normally assume roles.

Cleanup

aws iam delete-group --group-name aws-zero-operators 2>/dev/null || true
aws iam get-group --group-name "$GROUP_NAME"

Keep the main group for the following membership lessons.

Next, we will learn Add an IAM user to a group.

Official AWS CLI reference