User management commands — Create, delete, and manage user access in AWS IAM Identity Center.

Overview

The fjall user command manages users in AWS IAM Identity Center (formerly AWS SSO), allowing you to create users, delete users, and manage their group memberships.

Usage

fjall user [subcommand] [arguments]

Subcommands

Create User

Create a new user in IAM Identity Center:
fjall user create
Interactive prompts:
? Email address: [email protected]
? First name: Sarah
? Last name: Chen
? Display name: Sarah Chen

 User created successfully

Delete User

Remove a user from IAM Identity Center:
fjall user delete <username>
Example:
fjall user delete [email protected]

⚠️  This will permanently delete the user '[email protected]'
? Are you sure? (y/N) y

 User deleted successfully

List Users

Display all users in IAM Identity Center:
fjall user list
Output:
AWS IAM Identity Center Users
════════════════════════════

[email protected]    (John Smith)      Groups: AdministratorAccess
[email protected]   (Sarah Chen)      Groups: AdministratorAccess, Billing
[email protected]    (Mike Johnson)    Groups: ReadOnly
[email protected]    (Lisa Wang)       Groups: AdministratorAccess
[email protected]   (David Brown)     Groups: ReadOnly, Billing

Total: 5 users

Associate User with Group

Add a user to a group:
fjall user associate <username> <groupname>
Example:
fjall user associate [email protected] Billing

 User '[email protected]' added to group 'Billing'

Dissociate User from Group

Remove a user from a group:
fjall user dissociate <username> <groupname>
Example:
fjall user dissociate [email protected] AdministratorAccess

 User '[email protected]' removed from group 'AdministratorAccess'

Default Groups

Fjall creates standard permission groups in IAM Identity Center:
Group                 Description                    AWS Permissions
AdministratorAccess   Full administrative access     All AWS services
ReadOnly              View-only access               Read all resources
Billing               Billing and cost management    Cost Explorer, Budgets

Common Workflows

Add New Administrator

# Create user
fjall user create

# Add to admin group
fjall user associate [email protected] AdministratorAccess

Grant Billing Access

# Add user to billing group
fjall user associate [email protected] Billing

Remove All Access

# Remove from all groups first
fjall user dissociate [email protected] AdministratorAccess
fjall user dissociate [email protected] Billing

# Then delete user
fjall user delete [email protected]

Audit User Access

# List all users and their groups
fjall user list
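
The Audit User Access and Remove All Access workflows can be driven from the list output instead of being typed from memory. The script below is an added example, not part of fjall: it assumes fjall user list prints rows in the format shown on this page, and the function names, the allowlist argument and the sample usernames are constructed for illustration.

```bash
# Added example, not part of fjall. Assumes `fjall user list` prints rows as on
# this page:  <username>  (<display name>)  Groups: <group1>, <group2>

# Constructed sample output; usernames and names are placeholders.
SAMPLE_LIST='AWS IAM Identity Center Users
════════════════════════════

alice@example.com    (Alice Example)   Groups: AdministratorAccess
bob@example.com      (Bob Example)     Groups: AdministratorAccess, Billing
carol@example.com    (Carol Example)   Groups: ReadOnly

Total: 3 users'

# parse_users: list output on stdin -> one "username<TAB>group" row per
# membership (a user with no groups yields a row with an empty group).
parse_users() {
  awk '
    /Groups:/ {
      user = $1; groups = $0
      sub(/^.*Groups:[ \t]*/, "", groups)
      sub(/[ \t\r]+$/, "", groups)
      n = split(groups, g, /, */)
      if (n == 0) printf "%s\t\n", user
      for (i = 1; i <= n; i++) printf "%s\t%s\n", user, g[i]
    }'
}

# unapproved_admins: members of AdministratorAccess that are missing from the
# space-separated allowlist in $1 (least-privilege check for the monthly audit).
unapproved_admins() {
  parse_users | awk -F'\t' -v allow=" $1 " '
    $2 == "AdministratorAccess" && index(allow, " " $1 " ") == 0 { print $1 }'
}

# offboard_plan: print, for review, one dissociate per current group of user $1
# followed by the delete. Returns non-zero if the user is not in the list.
offboard_plan() {
  parse_users | awk -F'\t' -v u="$1" '
    $1 == u { found = 1; if ($2 != "") printf "fjall user dissociate %s %s\n", u, $2 }
    END { if (found) printf "fjall user delete %s\n", u; else exit 1 }'
}

# Demo on the constructed sample; in practice pipe `fjall user list` instead.
printf '%s\n' "$SAMPLE_LIST" | unapproved_admins "alice@example.com"
printf '%s\n' "$SAMPLE_LIST" | offboard_plan carol@example.com
```

The plan is only printed, so it can be reviewed before any command is run, and fjall user delete still asks for confirmation.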

Prerequisites

To use these commands, you need:
  1. AWS IAM Identity Center enabled in your organisation
  2. Platform account deployed with fjall deploy platform
  3. Administrator permissions in the Identity Center account
  4. Valid AWS credentials via fjall profile set

How It Works

The user commands interact with the AWS IAM Identity Center API to:
  1. Create users - Adds user to identity store
  2. Manage groups - Controls permission assignments
  3. Delete users - Removes access completely
  4. List users - Queries current user state
All changes take effect immediately across all AWS accounts in your organisation.

Error Handling

User Already Exists

 User '[email protected]' already exists
Solution: Use a different email or delete the existing user first

Group Not Found

 Group 'CustomGroup' not found
Solution: Use one of the default groups or create the group in the AWS Console

Permission Denied

 Access denied: Insufficient permissions
Solution: Ensure you’re using administrator credentials

Best Practices

  1. Use groups for permissions - Don’t assign permissions directly to users
  2. Follow least privilege - Only grant necessary access
  3. Regular audits - Review user list monthly
  4. Remove promptly - Delete users immediately when access is no longer needed
  5. Document access - Keep records of who has what access

Integration with SSO

After creating users:
  1. Users receive an invitation email from AWS
  2. They must set up MFA on first login
  3. They access the SSO portal at your organisation’s URL
  4. They select the accounts they have permission to access

Limitations

Current limitations of the user commands:
  • Cannot create custom groups (use AWS Console)
  • Cannot modify user details after creation
  • Cannot resend invitation emails
  • Cannot set temporary passwords
For these operations, use the AWS IAM Identity Center console.
Users must accept their invitation email and configure MFA before they can access AWS accounts through SSO.