← All posts
2 min read

Create and remove an inline IAM user policy

#aws#cli#iam#security#identity
📑 On this page

Part 103 of AWS from Zero. This lesson changes or inspects one IAM concept so the permission model stays understandable.

What we are learning

An inline policy has no standalone ARN or version history. It belongs only to its parent identity.

Before you run it

aws sts get-caller-identity
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
USER_NAME="aws-zero-learner"
GROUP_NAME="aws-zero-readers"
ROLE_NAME="aws-zero-demo-role"

IAM is global rather than regional. Use a sandbox account and a delegated administrator identity, never root access keys.

The command

cat > inline-policy.json <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "s3:ListAllMyBuckets",
    "Resource": "*"
  }]
}
EOF
 
aws iam put-user-policy \
  --user-name "$USER_NAME" \
  --policy-name AwsZeroInlineListBuckets \
  --policy-document file://inline-policy.json

IAM writes can take a short time to propagate. Inspect the resource after every change.

Inspect the result

aws iam get-user-policy \
  --user-name "$USER_NAME" \
  --policy-name AwsZeroInlineListBuckets

Read the returned ARN, path, IDs, and attachment state instead of checking only the command exit code.

One tiny variation

aws iam delete-user-policy \
  --user-name "$USER_NAME" \
  --policy-name AwsZeroInlineListBuckets

Deleting the inline policy removes that permission document entirely.

Common mistake

Do not choose inline policies simply because they are quick. Managed policies are easier to reuse, version, inventory, and review.

Cleanup

aws iam delete-user-policy \
  --user-name "$USER_NAME" \
  --policy-name AwsZeroInlineListBuckets 2>/dev/null || true
rm inline-policy.json

Confirm the inline policy name no longer appears.

Next, we will learn Write a least-privilege S3 read policy.

Official AWS CLI reference