← All posts
2 min read

Generate an IAM credential report

#aws#cli#iam#security#identity#audit
📑 On this page

Part 123 of AWS from Zero. This lesson changes or inspects one IAM concept so the permission model stays understandable.

What we are learning

The credential report summarizes password, access-key, certificate, and MFA metadata for IAM users and the root account.

Before you run it

aws sts get-caller-identity
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
USER_NAME="aws-zero-learner"
GROUP_NAME="aws-zero-readers"
ROLE_NAME="aws-zero-demo-role"

IAM is global rather than regional. Use a sandbox account and a delegated administrator identity, never root access keys.

The command

aws iam generate-credential-report

IAM writes can take a short time to propagate. Inspect the resource after every change.

Inspect the result

aws iam generate-credential-report \
  --query State \
  --output text

Wait for COMPLETE. IAM may return STARTED or INPROGRESS while generating.

One tiny variation

until [ "$(aws iam generate-credential-report --query State --output text)" = "COMPLETE" ]; do
  echo "Credential report is still generating"
  sleep 2
done

Use a bounded retry loop in production automation rather than waiting forever.

Common mistake

The report contains sensitive security posture information. Store and share it as an audit artifact, not as casual terminal output.

Cleanup

aws sts get-caller-identity

The generated report is retained by IAM for a limited period and can be regenerated later.

Next, we will learn Download and inspect the IAM credential report.

Official AWS CLI reference