← All posts
2 min read

Add an IAM user to a group

#aws#cli#iam#security#identity
📑 On this page

Part 88 of AWS from Zero. This lesson changes or inspects one IAM concept so the permission model stays understandable.

What we are learning

Group membership lets the user inherit policies attached to that group.

Before you run it

aws sts get-caller-identity
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
USER_NAME="aws-zero-learner"
GROUP_NAME="aws-zero-readers"
ROLE_NAME="aws-zero-demo-role"

IAM is global rather than regional. Use a sandbox account and a delegated administrator identity, never root access keys.

The command

aws iam add-user-to-group \
  --user-name "$USER_NAME" \
  --group-name "$GROUP_NAME"

IAM writes can take a short time to propagate. Inspect the resource after every change.

Inspect the result

aws iam get-group \
  --group-name "$GROUP_NAME" \
  --query "Users[].{Name:UserName,Arn:Arn}" \
  --output table

Read the returned ARN, path, IDs, and attachment state instead of checking only the command exit code.

One tiny variation

aws iam list-groups-for-user \
  --user-name "$USER_NAME" \
  --query "Groups[].GroupName" \
  --output text

The first query starts at the group; the variation starts at the user.

Common mistake

Membership does not prove a particular permission. You must also inspect group policies, permission boundaries, organization controls, and resource policies.

Cleanup

aws iam list-groups-for-user --user-name "$USER_NAME"

Keep the membership for the policy lessons and verify it remains intentional.

Next, we will learn List every group for an IAM user.

Official AWS CLI reference