AWS IAM won't let my users change their passwords

My password policy is configured to allow users to change their passwords, but when I create a new user with the "must change password" option, the user gets told they need "iam:ChangePassword" permission.

They get a similar message when they try to change it using the CLI.

Any idea how to diagnose and fix this?


Solution 1:

I was having the same problem. New users were getting the following error message:

Either user is not authorized to perform iam:ChangePassword or entered password does not comply with account password policy set by administrator

This despite the "Allow users to change their own password" option being set. Explicitly adding the iam:ChangePassword permission also didn't help.

What turned out to be the issue in my case was that we had a policy to force MFA authentication, but when the user has just signed in for the first time they obviously have no MFA set up yet.

Removing the MFA policy fixed the issue for me.

Solution 2:

You didn't include the policies you put in place, but from the error message it's clear the user does not have ChangePassword permissions.

The reference below gives all the details, but in general you need to ensure there is a policy attached to your users that matches the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:GetAccountPasswordPolicy",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:ChangePassword",
      "Resource": "arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
    }
  ]
}

Reference

Enable Users to Change Passwords

Solution 3:

I had the same issue. I found out you can exempt actions from having to have MFA:

{
  "Sid": "DenyAllExceptListedIfNoMFA",
  "Effect": "Deny",
  "NotAction": [
    "iam:CreateVirtualMFADevice",
    "iam:EnableMFADevice",
    "iam:GetUser",
    "iam:ListMFADevices",
    "iam:ListVirtualMFADevices",
    "iam:ResyncMFADevice",
    "sts:GetSessionToken",
    "iam:ChangePassword"
  ],
  "Resource": "*",
  "Condition": {
    "BoolIfExists": {
      "aws:MultiFactorAuthPresent": "false"
    }
  }
}

This is a generated policy that does not have ChangePassword in the exception list. The policy disallows any access without MFA except the actions in the NotAction list. You need to add "iam:ChangePassword" to the list.
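As an added example that is not part of any answer above: the script below is a small offline simulation of the IAM evaluation rules that produce the symptom in this thread. It combines the "change your own password" Allow from Solution 2 with the force-MFA Deny from Solutions 1 and 3 and shows that, on a first sign-in with no MFA device enrolled, the explicit Deny with `BoolIfExists` overrides the Allow unless `iam:ChangePassword` is in the `NotAction` list. It is not boto3 and not the AWS policy simulator; it models only explicit-deny-wins, `Action`/`NotAction`, `*` wildcards, `${aws:username}` substitution and the `Bool`/`BoolIfExists` operator. The account id `123456789012` and the user name `alice` are constructed placeholders.

```python
import fnmatch
from typing import Any, Dict, List, Optional, Tuple

ACCOUNT_ID = "123456789012"  # constructed placeholder, not a real account

# The Allow policy from the AWS "Enable Users to Change Passwords" reference,
# with Sids added so the evaluator can report which statement matched.
ALLOW_CHANGE_PASSWORD = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ViewPasswordPolicy", "Effect": "Allow",
         "Action": "iam:GetAccountPasswordPolicy", "Resource": "*"},
        {"Sid": "AllowChangeOwnPassword", "Effect": "Allow",
         "Action": "iam:ChangePassword",
         "Resource": f"arn:aws:iam::{ACCOUNT_ID}:user/${{aws:username}}"},
    ],
}


def mfa_deny_policy(exempt_change_password: bool) -> Dict[str, Any]:
    """The force-MFA Deny statement, with or without iam:ChangePassword exempted."""
    exempt = ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser",
              "iam:ListMFADevices", "iam:ListVirtualMFADevices",
              "iam:ResyncMFADevice", "sts:GetSessionToken"]
    if exempt_change_password:
        exempt.append("iam:ChangePassword")
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyAllExceptListedIfNoMFA", "Effect": "Deny",
        "NotAction": exempt, "Resource": "*",
        # BoolIfExists: the clause is satisfied when the key is absent, which is
        # exactly the state of a password-only console session with no MFA.
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
    }]}


def _as_list(value: Any) -> List[str]:
    return [] if value is None else (value if isinstance(value, list) else [value])


def _matches(patterns: List[str], value: str) -> bool:
    # IAM-style glob matching ("*" and "?"), compared case-insensitively.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def _condition_holds(condition: Dict[str, Any], context: Dict[str, str]) -> bool:
    for operator, clauses in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise ValueError(f"operator not modelled here: {operator}")
        for key, expected in clauses.items():
            if key not in context:
                if operator.endswith("IfExists"):
                    continue          # missing key counts as a match
                return False          # plain Bool: missing key never matches
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def _statement_applies(stmt: Dict[str, Any], action: str, resource: str,
                       context: Dict[str, str]) -> bool:
    username = context.get("aws:username", "")
    resources = [r.replace("${aws:username}", username) for r in _as_list(stmt.get("Resource"))]
    if not _matches(resources, resource):
        return False
    if "Action" in stmt:
        if not _matches(_as_list(stmt["Action"]), action):
            return False
    elif "NotAction" in stmt:
        if _matches(_as_list(stmt["NotAction"]), action):
            return False              # action is exempted from this statement
    else:
        return False
    return _condition_holds(stmt.get("Condition", {}), context)


def evaluate(policies: List[Dict[str, Any]], action: str, resource: str,
             context: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Return ('allow'|'deny', Sid). An explicit Deny beats any Allow; no match is an implicit deny."""
    allowed_by: Optional[str] = None
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_applies(stmt, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return ("deny", stmt.get("Sid", "<explicit deny>"))
            allowed_by = allowed_by or stmt.get("Sid", "<allow>")
    return ("allow", allowed_by) if allowed_by else ("deny", None)


def change_password_outcome(exempt_change_password: bool,
                            mfa_present: Optional[bool] = None) -> Tuple[str, Optional[str]]:
    """Evaluate iam:ChangePassword for user 'alice' (constructed). mfa_present=None
    models the first sign-in, where aws:MultiFactorAuthPresent is not in the context at all."""
    context = {"aws:username": "alice"}
    if mfa_present is not None:
        context["aws:MultiFactorAuthPresent"] = "true" if mfa_present else "false"
    return evaluate([ALLOW_CHANGE_PASSWORD, mfa_deny_policy(exempt_change_password)],
                    "iam:ChangePassword", f"arn:aws:iam::{ACCOUNT_ID}:user/alice", context)


if __name__ == "__main__":
    print("first login, ChangePassword not exempted:", change_password_outcome(False))
    print("first login, ChangePassword exempted:    ", change_password_outcome(True))
    print("after MFA, ChangePassword not exempted:  ", change_password_outcome(False, mfa_present=True))
```

The first case reproduces the "not authorized to perform iam:ChangePassword" outcome even though the Allow statement matched: the Deny is evaluated against a request context that has no `aws:MultiFactorAuthPresent` key, and `BoolIfExists` treats an absent key as satisfying the condition. The same evaluator also shows why the fix in Solution 3 is narrower than removing the MFA policy in Solution 1: only the listed actions escape the Deny.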