User management commands — Create, delete, and manage user access in AWS IAM Identity Center.

Overview

The fjall user command manages users in AWS IAM Identity Center (formerly AWS SSO), allowing you to create users, delete users, and manage their group memberships.

Usage

fjall user [subcommand] [arguments]

Subcommands

Create User

Create a new user in IAM Identity Center:
fjall user create
Interactive prompts:
? Email address: sarah@example.com
? First name: Sarah
? Last name: Chen
? Display name: Sarah Chen

User created successfully

Delete User

Remove a user from IAM Identity Center:
fjall user delete <username>
Example:
fjall user delete john@example.com

⚠️  This will permanently delete the user 'john@example.com'
? Are you sure? (y/N) y

User deleted successfully

List Users

Display all users in IAM Identity Center:
fjall user list
Output:
AWS IAM Identity Center Users
════════════════════════════

john@example.com    (John Smith)      Groups: AdministratorAccess
sarah@example.com   (Sarah Chen)      Groups: AdministratorAccess, Billing
mike@example.com    (Mike Johnson)    Groups: ReadOnly
lisa@example.com    (Lisa Wang)       Groups: AdministratorAccess
david@example.com   (David Brown)     Groups: ReadOnly, Billing

Total: 5 users

Associate User with Group

Add a user to a group:
fjall user associate <username> <groupname>
Example:
fjall user associate sarah@example.com Billing

User 'sarah@example.com' added to group 'Billing'

Dissociate User from Group

Remove a user from a group:
fjall user dissociate <username> <groupname>
Example:
fjall user dissociate mike@example.com AdministratorAccess

User 'mike@example.com' removed from group 'AdministratorAccess'

Default Groups

Fjall creates standard permission groups in IAM Identity Center:
Group                Description                    AWS Permissions
AdministratorAccess  Full administrative access     All AWS services
ReadOnly             View-only access               Read all resources
Billing              Billing and cost management    Cost Explorer, Budgets

Common Workflows

Add New Administrator

# Create user
fjall user create

# Add to admin group
fjall user associate newadmin@example.com AdministratorAccess

Grant Billing Access

# Add user to billing group
fjall user associate finance@example.com Billing

Remove All Access

# Remove from all groups first
fjall user dissociate user@example.com AdministratorAccess
fjall user dissociate user@example.com Billing

# Then delete user
fjall user delete user@example.com

Audit User Access

# List all users and their groups
fjall user list
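The listing is plain text, so both the audit above and the "Remove All Access" sequence can be scripted against it instead of being read and typed by hand. The following is an added example, not fjall's own code. It assumes the line format shown in the sample output on this page (email, display name in parentheses, then "Groups:" and a comma-separated list) and embeds that sample as constructed input so it runs offline: members_of prints every user in a group, and offboard_commands prints the dissociate command for every group a user currently belongs to, followed by the delete.

```shell
# Added example, not part of fjall: helpers that run over the text printed by
# `fjall user list`. Assumed line format, matching the sample on this page:
#   <email>   (<display name>)   Groups: <group1>, <group2>
# The listing below is constructed from that sample so the script runs offline.
SAMPLE_LISTING='AWS IAM Identity Center Users
════════════════════════════

john@example.com    (John Smith)      Groups: AdministratorAccess
sarah@example.com   (Sarah Chen)      Groups: AdministratorAccess, Billing
mike@example.com    (Mike Johnson)    Groups: ReadOnly
lisa@example.com    (Lisa Wang)       Groups: AdministratorAccess
david@example.com   (David Brown)     Groups: ReadOnly, Billing

Total: 5 users'

# memberships: read a listing on stdin, print one "<email> <group>" pair per line.
memberships() {
  awk '/Groups:/ {
    email = $1
    sub(/.*Groups:[ \t]*/, "")      # keep only the comma-separated group list
    gsub(/[ \t]+$/, "")             # drop trailing whitespace
    n = split($0, g, /,[ \t]*/)
    for (i = 1; i <= n; i++) print email, g[i]
  }'
}

# members_of [GROUP]: audit who is in a group (default AdministratorAccess).
members_of() {
  memberships | awk -v g="${1:-AdministratorAccess}" '$2 == g { print $1 }'
}

# offboard_commands USER: print the fjall commands that remove USER from every
# group the listing shows, then delete the account. Printed rather than run so
# the list can be reviewed first; pipe into sh to execute.
offboard_commands() {
  memberships | awk -v u="$1" '$1 == u { print "fjall user dissociate", u, $2 }'
  printf 'fjall user delete %s\n' "$1"
}

# Against live data:  fjall user list | members_of AdministratorAccess
printf '%s\n' "$SAMPLE_LISTING" | members_of AdministratorAccess
printf '%s\n' "$SAMPLE_LISTING" | offboard_commands sarah@example.com
```

The admin audit is the one worth scheduling: a user who appears in AdministratorAccess but is not on your documented administrator list is the finding the monthly review is meant to catch.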

Prerequisites

To use these commands, you need:
  1. AWS IAM Identity Center enabled in your organisation
  2. Platform account deployed with fjall deploy platform
  3. Administrator permissions in the Identity Center account
  4. Valid AWS credentials via fjall profile set

How It Works

The user commands call the AWS IAM Identity Center (identity store) API to:
  1. Create users - adds the user to the Identity Center identity store
  2. Manage groups - adds or removes group memberships; permission sets are assigned to groups, so membership decides which accounts and permissions a user receives
  3. Delete users - removes the user, and with it every group membership, from the identity store
  4. List users - queries the current users and their groups
Changes are applied immediately in Identity Center and therefore across every AWS account in your organisation. One caveat: access portal sessions and temporary credentials a user has already obtained stay valid until they expire, so removing a group or deleting a user does not cut off access that is already in flight.
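To see what those steps look like at the API level, the following is an added example written against the AWS CLI's identitystore and sso-admin commands. It is not fjall's code, and the exact calls fjall makes are not documented on this page; the mapping from each subcommand to an API call is this example's own. It assumes AWS CLI v2 with credentials in the account that owns the Identity Center instance, and defaults to DRY_RUN=1 so that it prints each command instead of executing it.

```shell
# Added example, not fjall's own code: AWS CLI calls corresponding to the user
# commands, so a step can be reproduced or checked by hand.
# Assumptions: AWS CLI v2 configured for the account that owns the IAM Identity
# Center instance; DRY_RUN=1 (the default here) prints each command instead of
# running it, DRY_RUN=0 executes it. The preview does not show shell quoting.
: "${DRY_RUN:=1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Identity store ID of the organisation's IAM Identity Center instance
# (d-example123456 is a placeholder returned in dry-run mode).
identity_store_id() {
  if [ "$DRY_RUN" = "1" ]; then
    echo d-example123456
  else
    aws sso-admin list-instances --query 'Instances[0].IdentityStoreId' --output text
  fi
}

# fjall user create: one identity-store user, email used as the user name.
idc_create_user() {
  store="$1" email="$2" first="$3" last="$4"
  run aws identitystore create-user --identity-store-id "$store" \
    --user-name "$email" --display-name "$first $last" \
    --name "GivenName=$first,FamilyName=$last" \
    --emails "Value=$email,Type=work,Primary=true"
}

# Membership calls work on IDs, not names, so resolve them first.
idc_user_id() {
  run aws identitystore get-user-id --identity-store-id "$1" \
    --alternate-identifier "UniqueAttribute={AttributePath=userName,AttributeValue=$2}" \
    --query UserId --output text
}
idc_group_id() {
  run aws identitystore get-group-id --identity-store-id "$1" \
    --alternate-identifier "UniqueAttribute={AttributePath=displayName,AttributeValue=$2}" \
    --query GroupId --output text
}

# fjall user associate: add the user to the group. Permission sets are assigned
# to groups, so this membership is what grants account access.
idc_associate() {
  run aws identitystore create-group-membership --identity-store-id "$1" \
    --group-id "$2" --member-id "UserId=$3"
}

# fjall user dissociate: memberships are deleted by membership ID, which has to
# be looked up from the group and user IDs first.
idc_membership_id() {
  run aws identitystore get-group-membership-id --identity-store-id "$1" \
    --group-id "$2" --member-id "UserId=$3" --query MembershipId --output text
}
idc_dissociate() {
  run aws identitystore delete-group-membership --identity-store-id "$1" \
    --membership-id "$2"
}

# fjall user delete: removes the user, and its memberships, from the store.
idc_delete_user() {
  run aws identitystore delete-user --identity-store-id "$1" --user-id "$2"
}

# Dry-run walkthrough of "Add New Administrator". With DRY_RUN=0 the IDs come
# from idc_user_id / idc_group_id instead of the placeholder strings below.
store=$(identity_store_id)
idc_create_user "$store" sarah@example.com Sarah Chen
idc_user_id "$store" sarah@example.com
idc_group_id "$store" AdministratorAccess
idc_associate "$store" 'group-id-from-lookup' 'user-id-from-lookup'
```

Run with DRY_RUN=0 only under the administrator credentials described under Prerequisites; the dry-run output is also a convenient record of what an offboarding or onboarding actually changed.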

Error Handling

User Already Exists

User 'john@example.com' already exists
Solution: Use a different email or delete existing user first

Group Not Found

Group 'CustomGroup' not found
Solution: Use one of the default groups or create the group in AWS Console

Permission Denied

Access denied: Insufficient permissions
Solution: Ensure you’re using administrator credentials

Best Practices

  1. Use groups for permissions - Don’t assign permissions directly to users
  2. Follow least privilege - Only grant necessary access
  3. Regular audits - Review user list monthly
  4. Remove promptly - Delete users immediately when access no longer needed
  5. Document access - Keep records of who has what access

Integration with SSO

After creating users:
  1. The user receives an invitation email from AWS
  2. They must register an MFA device on first sign-in
  3. They sign in to the AWS access portal at your organisation's URL
  4. They select an account and permission set they have been granted through their groups

Limitations

Current limitations of the user commands:
  • Cannot create custom groups (use AWS Console)
  • Cannot modify user details after creation
  • Cannot resend invitation emails
  • Cannot set temporary passwords
For these operations, use the AWS IAM Identity Center console.
Users must accept their invitation email and configure MFA before they can access AWS accounts through SSO.