AWS IAM's User path variable

In AWS Identity and Access Management (IAM), a user has an optional path attribute. For instance, here is the example from the Terraform aws_iam_user docs:

resource "aws_iam_user" "lb" {
  name = "loadbalancer"
  path = "/system/"   # optional; must begin and end with "/", defaults to "/"

  tags = {
    tag-key = "tag-value"
  }
}

I didn't immediately see the value of path = "/system/":

  • It doesn't mean you can have two users named "bob" provided their path values are distinct. User names are unique within an account regardless of path, so you can still only have one bob.

  • Its real strength is that the path becomes part of the user's ARN (arn:aws:iam::XXXXXXXXXXXX:user/dev-team/alice), so a policy can refer to every user under a path with a single wildcard instead of listing them. The policy below lets whoever holds it inspect all of the dev-team users. Note what this does and does not do: the Resource pattern selects the users that IAM actions operate on; it does not grant anything to the dev-team members themselves. To do that you match the caller's ARN instead, for example with an ArnLike condition on the aws:PrincipalArn key against the same pattern:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "iam:GetUser",
        "iam:ListAttachedUserPolicies",
        "iam:ListGroupsForUser"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:iam::XXXXXXXXXXXX:user/dev-team/*"
    }
  ]
}

This StackOverflow question discusses it well.
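As an added illustration (not code from the original post or from the Terraform docs), the following Python models how IAM's ArnLike matching applies a Resource pattern such as user/dev-team/* to user ARNs, and how the same pattern selects the callers in an aws:PrincipalArn condition. The account ID, the sample users and the bucket-policy statement are constructed for this example; the matcher is an approximation of IAM's rules (the six colon-delimited components are matched independently, "*" matches any run of characters including "/", "?" matches one character).

```python
"""Added example, not code from the original post: selecting IAM users by
path with an ARN wildcard, and the over-match that a sloppy pattern causes."""
import re

ACCOUNT = "123456789012"  # constructed placeholder account ID

# Constructed sample users as (name, path). Names are unique per account
# whatever the path; the path only changes where the name sits in the ARN.
USERS = [
    ("alice", "/dev-team/"),
    ("carol", "/dev-team/frontend/"),   # nested under /dev-team/
    ("bob", "/"),
    ("dev-team", "/"),                  # a user *named* dev-team at the root
    ("dev-team-lead", "/"),
    ("loadbalancer", "/system/"),
]

DEV_TEAM_PATTERN = f"arn:aws:iam::{ACCOUNT}:user/dev-team/*"

# Constructed bucket-policy statement: delegates to the account, then the
# condition narrows the callers to principals whose ARN sits under the path.
DEV_TEAM_READ_STATEMENT = {
    "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"ArnLike": {"aws:PrincipalArn": DEV_TEAM_PATTERN}},
}


def user_arn(account: str, name: str, path: str = "/") -> str:
    """Build a user ARN; IAM embeds the path between 'user' and the name."""
    if not (path.startswith("/") and path.endswith("/")):
        raise ValueError("IAM paths must begin and end with '/'")
    return f"arn:aws:iam::{account}:user{path}{name}"


def _component_matches(pattern: str, value: str) -> bool:
    """Glob-style match of one ARN component: '*' any run, '?' one char."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in pattern
    )
    return re.fullmatch(regex, value, re.DOTALL) is not None


def arn_like(pattern: str, arn: str) -> bool:
    """Approximate IAM ArnLike: wildcards never cross a ':' boundary."""
    p_parts = pattern.split(":", 5)
    a_parts = arn.split(":", 5)
    if len(p_parts) != 6 or len(a_parts) != 6:
        return False
    return all(_component_matches(p, a) for p, a in zip(p_parts, a_parts))


def users_matching(pattern: str, users=USERS, account: str = ACCOUNT) -> list:
    """Names of the users whose ARN a policy Resource pattern covers."""
    return [name for name, path in users
            if arn_like(pattern, user_arn(account, name, path))]


def principal_condition_allows(statement: dict, principal_arn: str) -> bool:
    """Evaluate a statement's ArnLike aws:PrincipalArn condition, if present.

    Models only that one condition key; real IAM evaluates much more.
    """
    patterns = (statement.get("Condition", {})
                .get("ArnLike", {})
                .get("aws:PrincipalArn", []))
    if isinstance(patterns, str):
        patterns = [patterns]
    if not patterns:
        return True  # no principal condition, so nothing restricted here
    return any(arn_like(p, principal_arn) for p in patterns)


if __name__ == "__main__":
    print(users_matching(DEV_TEAM_PATTERN))
    # Dropping the trailing "/" silently pulls in dev-team and dev-team-lead.
    print(users_matching(f"arn:aws:iam::{ACCOUNT}:user/dev-team*"))
    for name, path in USERS:
        arn = user_arn(ACCOUNT, name, path)
        print(name, principal_condition_allows(DEV_TEAM_READ_STATEMENT, arn))
```

Two things worth checking in your own policies: keep the trailing slash in the pattern (user/dev-team/* rather than user/dev-team*), otherwise any root-level user whose name merely starts with "dev-team" is swept in; and remember that a nested path such as /dev-team/frontend/ is also matched, which is usually what you want but should be a deliberate choice.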