AWS IAM won't let my users change their passwords
My password policy is configured to allow users to change their passwords, but when I create a new user with the "must change password" option, the user gets told they need "iam:ChangePassword" permission.
They get a similar message when they try to change it using the CLI.
Any idea how to diagnose and fix this?
Solution 1:
I was having the same problem. New users were getting the following error message:
Either user is not authorized to perform iam:ChangePassword or entered password does not comply with account password policy set by administrator
This despite the "Allow users to change their own password" option being set. Explicitly adding the iam:ChangePassword
permission also didn't help.
What turned out to be the issue in my case was that we had a policy to force MFA authentication, but when the user has just signed in for the first time they obviously have no MFA set up yet.
Removing the MFA policy fixed the issue for me.
Solution 2:
You didn't include the policies you put in place but from the error message it's clear the user does not have ChangePassword
permissions.
The reference below gives all the details but in general, you need to ensure there is a policy attached to your uses that matches the following:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iam:GetAccountPasswordPolicy",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "iam:ChangePassword",
"Resource": "arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
}
]
}
Reference
Enable Users to Change Passwords
Solution 3:
I had the same issue, I found out you can exempt actions from having to have mfa:
{
"Sid": "DenyAllExceptListedIfNoMFA",
"Effect": "Deny",
"NotAction": [
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:GetUser",
"iam:ListMFADevices",
"iam:ListVirtualMFADevices",
"iam:ResyncMFADevice",
"sts:GetSessionToken",
"iam:ChangePassword"
],
"Resource": "*",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "false"
}
}
}
This is a generated policy that does not have the changepassword in the exception list. The policy disallows any access without mfa except the actions in the NotAction list. You need to add the "iam:ChangePassword" to the list