
In IAM, what is the purpose/use of the "Path" variable when creating an IAM User via the CLI or API?

d4nyll
Plane Wryter

1 Answer

The path variable in IAM is used for grouping related users and groups in a unique namespace, usually for organizational purposes.

From Friendly Names and Paths:

If you are using the IAM API or AWS Command Line Interface (AWS CLI) to create IAM entities, you can also give the entity an optional path. You can use a single path, or nest multiple paths as if they were a folder structure. For example, you could use the nested path /division_abc/subdivision_xyz/product_1234/engineering/ to match your company's organizational structure. You could then create a policy to allow all users in that path to access the policy simulator API. To view this policy, see IAM: Access the Policy Simulator API Based on User Path. For additional examples of how you might use paths, see IAM ARNs.

For example, a large organization may have users in paths /WestRegion/AZ and /EastRegion/NY. This would correspond to internal divisions of the organization.

Here are some examples from the above document:

An IAM user called Bob in a given account:

arn:aws:iam::123456789012:user/Bob

Another different user Bob with a path reflecting an organization chart:

arn:aws:iam::123456789012:user/division_abc/subdivision_xyz/Bob

An IAM group:

arn:aws:iam::123456789012:group/Developers

An IAM group with a path:

arn:aws:iam::123456789012:group/division_abc/subdivision_xyz/product_A/Developer

Note that this metadata is not exposed in the Console. My guess is that usage of a user path is more suited for large organizations, or advanced users, that would normally rely on CloudFormation and/or the AWS CLI for managing their AWS resources. For example, `--path-prefix` is a parameter to `aws iam list-users`.

See http://docs.aws.amazon.com/cli/latest/reference/iam/list-users.html

Rodrigo Murillo
  • Rodrigo, thanks for the note (and, please be assured, I was familiar with the part of the IAM Manual you cited). Given the way you describe IAM paths, they are similar to "tags" used elsewhere in AWS--with the potential for [optional] addition of a hierarchy (e.g., organization)... is this your interpretation? Any idea(s) as to why Paths cannot be provisioned/manipulated via the Console? – Plane Wryter Sep 20 '17 at 18:21
  • Yes, they are somewhat like tags, but really are more like paths/folders. As to why they are not exposed in the Console, my only guess is they are suited more for large organizations that would normally rely on CloudFormation and the CLI - they are used in both. The `--path-prefix` is a parameter to `aws iam list-users`. See http://docs.aws.amazon.com/cli/latest/reference/iam/list-users.html – Rodrigo Murillo Sep 21 '17 at 16:00
  • 1
    So it has its logical organization benefit, but the real benefit is limiting and delegating access to IAM actions. You can make IAM policies that say "let users assign themselves groups `arn:aws:iam::123456789012:group/division_abc/subdivision_xyz/*`". Or you can protect certain roles/users by placing them in an `/admin/` path. Then, put a Deny rule on everyone not on the path so they cannot delete a user or mess with a policy on that `/admin/` prefix. – djcrabhat Aug 21 '19 at 04:22
  • 3
    You can't have a user named `Bob` on 2 different paths. When you try to create a second user you will get `An error occurred (EntityAlreadyExists) when calling the CreateUser operation: User with name Bob already exists.`. The same is true for other IAM resources that have a path. – Alexander Pogrebnyak Aug 10 '21 at 16:14
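The path-scoped delegation and the `/admin/` protection described in the answer and in djcrabhat's comment, as an added example that is not part of the original thread: a constructed IAM policy document using the answer's sample account id, plus a deliberately minimal evaluator (explicit Deny wins, then Allow, else implicit deny; Effect/Action/Resource only, no Condition or NotAction) so the effect of the path-based Resource patterns can be checked offline.

```python
import re

ACCOUNT = "123456789012"  # sample account id taken from the answer's ARNs

# Constructed policy: delegate group membership inside one subdivision path,
# and protect every user under the /admin/ path from deletion or policy edits.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DelegateSubdivisionGroups",
            "Effect": "Allow",
            "Action": ["iam:AddUserToGroup", "iam:RemoveUserFromGroup"],
            "Resource": f"arn:aws:iam::{ACCOUNT}:group/division_abc/subdivision_xyz/*",
        },
        {
            "Sid": "ProtectAdminPath",
            "Effect": "Deny",
            "Action": ["iam:DeleteUser", "iam:PutUserPolicy", "iam:AttachUserPolicy"],
            "Resource": f"arn:aws:iam::{ACCOUNT}:user/admin/*",
        },
    ],
}


def _match(pattern, value, ignore_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def evaluate(policy, action, resource):
    """Return 'allow', 'deny' (explicit) or 'implicit-deny' for one request."""
    allowed = False
    for stmt in policy["Statement"]:
        # Action names are matched case-insensitively, resource ARNs case-sensitively.
        hit = any(_match(a, action, True) for a in _as_list(stmt["Action"])) and any(
            _match(r, resource) for r in _as_list(stmt["Resource"])
        )
        if not hit:
            continue
        if stmt["Effect"] == "Deny":
            return "deny"  # an explicit Deny overrides any Allow
        allowed = True
    return "allow" if allowed else "implicit-deny"
```

A group outside the delegated path (`group/Developers`) gets no Allow, while a user whose ARN carries the `/admin/` path is explicitly denied even if some other statement allowed the action.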