Create and remove an inline IAM user policy
📑 On this page
Part 103 of AWS from Zero. This lesson changes or inspects one IAM concept so the permission model stays understandable.
What we are learning
An inline policy has no standalone ARN or version history. It belongs only to its parent identity.
Before you run it
aws sts get-caller-identity
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
USER_NAME="aws-zero-learner"
GROUP_NAME="aws-zero-readers"
ROLE_NAME="aws-zero-demo-role"IAM is global rather than regional. Use a sandbox account and a delegated administrator identity, never root access keys.
The command
cat > inline-policy.json <<'EOF'
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "*"
}]
}
EOF
aws iam put-user-policy \
--user-name "$USER_NAME" \
--policy-name AwsZeroInlineListBuckets \
--policy-document file://inline-policy.jsonIAM writes can take a short time to propagate. Inspect the resource after every change.
Inspect the result
aws iam get-user-policy \
--user-name "$USER_NAME" \
--policy-name AwsZeroInlineListBucketsRead the returned ARN, path, IDs, and attachment state instead of checking only the command exit code.
One tiny variation
aws iam delete-user-policy \
--user-name "$USER_NAME" \
--policy-name AwsZeroInlineListBucketsDeleting the inline policy removes that permission document entirely.
Common mistake
Do not choose inline policies simply because they are quick. Managed policies are easier to reuse, version, inventory, and review.
Cleanup
aws iam delete-user-policy \
--user-name "$USER_NAME" \
--policy-name AwsZeroInlineListBuckets 2>/dev/null || true
rm inline-policy.jsonConfirm the inline policy name no longer appears.
Next, we will learn Write a least-privilege S3 read policy.