In IAM, what is the purpose/use of the "Path" variable when creating an IAM User via the CLI or API?
An IAM user is a resource in IAM that has associated credentials and permissions. An IAM user can represent a person or an application that uses its credentials to make AWS requests.
AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources.
Three types of Principals — root users, IAM users and Instance Principals. The first IAM user is called the root user.
The path variable in IAM is used for grouping related users and groups in a unique namespace, usually for organizational purposes.
From Friendly Names and Paths:
If you are using the IAM API or AWS Command Line Interface (AWS CLI) to create IAM entities, you can also give the entity an optional path. You can use a single path, or nest multiple paths as if they were a folder structure. For example, you could use the nested path /division_abc/subdivision_xyz/product_1234/engineering/ to match your company's organizational structure. You could then create a policy to allow all users in that path to access the policy simulator API. To view this policy, see IAM: Access the Policy Simulator API Based on User Path. For additional examples of how you might use paths, see IAM ARNs.
For example, a large organization may have users in paths /WestRegion/AZ and /EastRegion/NY. This would correspond to internal divisions of the organization.
Here are some examples from the above document:
An IAM user called Bob in a given account:
arn:aws:iam::123456789012:user/Bob
Another different user Bob with a path reflecting an organization chart:
arn:aws:iam::123456789012:user/division_abc/subdivision_xyz/Bob
An IAM group:
arn:aws:iam::123456789012:group/Developers
An IAM group with a path:
arn:aws:iam::123456789012:group/division_abc/subdivision_xyz/product_A/Developer
Note that this metadata is not exposed in the Console. My guess is that usage of a user path is more suited for large organizations, or advanced users, that would normally rely on CloudFormation and/or the AWS CLI for managing their AWS resources. For example, the --path-prefix is a parameter to aws iam list-users.
See http://docs.aws.amazon.com/cli/latest/reference/iam/list-users.html
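An added, offline model of the two things the path buys you (this is example code written for this page, not the answer's or AWS's own code): the path becomes part of the user's ARN, `aws iam list-users --path-prefix` filters on it, and a policy `Resource` pattern can be scoped to everyone under a path. The account ID, user names and paths are constructed sample data; the path rules (1 to 512 characters, leading and trailing `/`, printable ASCII between) follow the IAM CreateUser reference, and `--path-prefix` is modelled as a plain string prefix, which is an assumption taken from the CLI reference's description.

```python
"""Added example: how an IAM user's path shows up in its ARN, in
list-users --path-prefix filtering, and in policy Resource matching.
Runs offline; nothing here calls AWS."""
import re

ACCOUNT_ID = "123456789012"  # constructed sample account, as in the answer

# Constructed sample users; "path" is what --path was set to at create-user time.
SAMPLE_USERS = [
    {"name": "Bob",   "path": "/"},
    {"name": "Bob",   "path": "/division_abc/subdivision_xyz/"},
    {"name": "Alice", "path": "/division_abc/subdivision_xyz/product_1234/engineering/"},
    {"name": "Carol", "path": "/WestRegion/AZ/"},
    {"name": "Dave",  "path": "/division_abcd/"},  # deliberately similar to division_abc
]


def validate_path(path: str) -> str:
    """IAM path rules: 1-512 chars, begins and ends with '/', and only
    printable ASCII (0x21-0x7E) between the slashes."""
    if not 1 <= len(path) <= 512:
        raise ValueError(f"path length out of range: {len(path)}")
    if not re.fullmatch(r"/|/[\x21-\x7e]+/", path):
        raise ValueError(f"invalid IAM path: {path!r}")
    return path


def user_arn(name: str, path: str = "/") -> str:
    """Build the ARN form shown in the answer: the path sits between 'user' and the name."""
    return f"arn:aws:iam::{ACCOUNT_ID}:user{validate_path(path)}{name}"


def list_users(users, path_prefix: str = "/"):
    """Model of `aws iam list-users --path-prefix` (assumption: a plain string
    prefix on the path, so '/division_abc' also matches '/division_abcd/')."""
    return [user_arn(u["name"], u["path"]) for u in users if u["path"].startswith(path_prefix)]


def resource_matches(pattern: str, arn: str) -> bool:
    """IAM Resource matching: '*' matches any run of characters (including '/'),
    '?' matches exactly one character, everything else is literal and case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, arn) is not None


def users_covered_by(policy_resource: str, users):
    """ARNs of the sample users that a policy statement with this Resource applies to."""
    return [arn for arn in list_users(users) if resource_matches(policy_resource, arn)]


if __name__ == "__main__":
    print("All users under /division_abc/:")
    for arn in list_users(SAMPLE_USERS, "/division_abc/"):
        print("  ", arn)
    print("Users a policy on user/division_abc/* would cover:")
    for arn in users_covered_by(f"arn:aws:iam::{ACCOUNT_ID}:user/division_abc/*", SAMPLE_USERS):
        print("  ", arn)
```

The two checks worth taking away: the root-path `Bob` and the nested `Bob` are different principals with different ARNs, so a policy written against `user/Bob` does not reach the nested one; and a path-scoped `Resource` ending in `division_abc/*` does not pick up `/division_abcd/` because the trailing slash is part of the literal, whereas a `--path-prefix` without that trailing slash would.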