It's somewhat straightforward to add a user to an AWS security group and then create an AWS instance that the new user can access. It's more difficult to grant a new user access to existing instances. I don't want to waste time trying to find an answer again (Amazon, your AWS documentation could use some work!), so I'm posting my solution here, where future me and other confused individuals can find it. Here are the steps:
- Create a new user in IAM.
- Go to 'users' in IAM and add the new user to the appropriate security group.
- Go to 'users' in OpsWorks and 'import IAM users' (at the bottom of the page).
- Choose the user(s) you'd like to add and click on 'import to OpsWorks'.
- Click on the user you just imported and paste the user's public SSH key into the provided box. Also enable SSH access (a checkbox below) so the user can SSH into the instance.

OpsWorks automatically executes a recipe that pushes the new user's permissions to the instances, which takes a minute or two. The new user can now log in.

To remove the user's permissions, go to OpsWorks -> users -> [user's account] -> 'deny permission'.
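
The same grant and removal steps with the AWS CLI, as an added example that is not part of the original post. The function names, the `DRY_RUN` switch and the public-key check are hypothetical helpers. Assumptions: the IAM group already exists, the stack ID and account ID are known, `--no-allow-sudo` is a least-privilege choice the post does not mention, and `--level deny` is taken to be the CLI counterpart of the console's 'deny permission'.

```shell
#!/usr/bin/env bash
# Added example; helper names are hypothetical, not from the original post.
# DRY_RUN=1 (default) prints each aws command instead of running it.
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Build the IAM user ARN that the OpsWorks calls expect.
user_arn() { printf 'arn:aws:iam::%s:user/%s' "$1" "$2"; }

# Only a one-line OpenSSH *public* key may be uploaded; reject private keys.
check_pubkey() {
  local file="$1"
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
  if grep -q 'PRIVATE KEY' "$file"; then
    echo "$file is a private key; refusing to upload" >&2
    return 1
  fi
  grep -Eq '^(ssh|ecdsa)-[a-z0-9-]+ [A-Za-z0-9+/=]+' "$file" ||
    { echo "$file is not an OpenSSH public key" >&2; return 1; }
}

# grant_ssh ACCOUNT_ID USER GROUP STACK_ID PUBKEY_FILE
grant_ssh() {
  local arn
  arn="$(user_arn "$1" "$2")"
  check_pubkey "$5" || return 1
  # Create the IAM user and add it to the group
  run aws iam create-user --user-name "$2" &&
  run aws iam add-user-to-group --user-name "$2" --group-name "$3" &&
  # Import the user into OpsWorks with their public key
  run aws opsworks create-user-profile --iam-user-arn "$arn" \
    --ssh-public-key "$(cat "$5")" &&
  # Enable SSH on the stack (sudo left off: assumption, see lead-in)
  run aws opsworks set-permission --stack-id "$4" --iam-user-arn "$arn" \
    --allow-ssh --no-allow-sudo
}

# revoke_ssh ACCOUNT_ID USER STACK_ID  (the 'deny permission' step)
revoke_ssh() {
  run aws opsworks set-permission --stack-id "$3" \
    --iam-user-arn "$(user_arn "$1" "$2")" \
    --level deny --no-allow-ssh --no-allow-sudo
}
```

Review the printed commands first, then rerun with `DRY_RUN=0`, for example `DRY_RUN=0 grant_ssh 111122223333 alice ops-ssh <stack-id> ~/alice.pub` (all values here are constructed placeholders).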