2 votes

I created users with the PowerUser policy on AWS. The policy is

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "NotAction": "iam:*",
      "Resource": "*"
    }
  ]
}

Now, following the documentation (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_delegate-permissions_examples.html#creds-policies-credentials), I have created a custom policy that should allow users to manage their own passwords and keys:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:*LoginProfile",
                "iam:*AccessKey*",
                "iam:ChangePassword",
                "iam:*SSHPublicKey*"
            ],
            "Resource": "arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:ListAccount*",
                "iam:GetAccountSummary",
                "iam:GetAccountPasswordPolicy",
                "iam:ListUsers"
            ],
            "Resource": "*"
        }
    ]
}

I am still getting an error:

User: arn:aws:iam::1234567890:user/student is not authorized to perform: iam:CreateLoginProfile on resource: user student

The simulation gives an explicit deny error, which is not the case according to these policies.

error2007s: Did you attach the new policy to User "Student" in the console?
Viktor: Yes, I did. @error2007s
error2007s: And did you verify that the student is a power user?
Viktor: Yes, I did. Student is part of the group called students. That group has two policies attached: 1. Custom policy that allows some IAM permissions. 2. PowerUserAccess (both policies attached in the question). Policies are listed in that particular order. I have also tried to attach the custom policy to the user directly, but it has the same problem. @error2007s
error2007s: I replicated the same exact steps as above and I too am getting the error. I will dig deep and get back if I find any solution to this issue.

1 Answer

1 vote

See below in the code where it says account-id-without-hyphens; replace that with your account number and it will work.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:*LoginProfile",
                "iam:*AccessKey*",
                "iam:ChangePassword",
                "iam:*SSHPublicKey*"
            ],
            "Resource": "arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:ListAccount*",
                "iam:GetAccountSummary",
                "iam:GetAccountPasswordPolicy",
                "iam:ListUsers"
            ],
            "Resource": "*"
        }
    ]
}
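To see why the answer works, here is an added example (not code from the question, the answer, or AWS) that models IAM evaluation offline in a simplified way: only Allow statements, Action/NotAction, the `*`/`?` wildcards and the `${aws:username}` variable are handled; explicit Deny, Condition blocks and service-specific rules are left out. The account ID `123456789012` and the user name `student` are constructed for the demo. It renders the self-service policy with a real account ID substituted, then evaluates the failing request `iam:CreateLoginProfile` on the caller's own user ARN, first with the literal placeholder still in the Resource and then with the account ID filled in.

```python
"""Added example (not from the question or answer): an offline, simplified model of
IAM policy evaluation that shows why the self-service policy cannot match the
caller's user ARN while the Resource still contains the literal placeholder
'account-id-without-hyphens', and why it matches once a real account ID is in.
Only Allow statements, Action/NotAction, '*'/'?' wildcards and ${aws:username}
are modelled; explicit Deny, Condition blocks and service-specific rules are not."""
import fnmatch
import json

ACCOUNT_ID = "123456789012"   # constructed 12-digit account ID used for the demo
USERNAME = "student"          # the user from the question's error message

# The PowerUserAccess-style policy from the question: everything except IAM.
POWER_USER = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}],
}


def self_service_policy(account_id):
    """The question's self-service policy with the account ID filled in.
    ${aws:username} is left as a policy variable for IAM to resolve per caller."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["iam:*LoginProfile", "iam:*AccessKey*",
                           "iam:ChangePassword", "iam:*SSHPublicKey*"],
                "Resource": f"arn:aws:iam::{account_id}:user/${{aws:username}}",
            },
            {
                "Effect": "Allow",
                "Action": ["iam:ListAccount*", "iam:GetAccountSummary",
                           "iam:GetAccountPasswordPolicy", "iam:ListUsers"],
                "Resource": "*",
            },
        ],
    }


def render_policy(account_id):
    """JSON text of the policy, ready to paste into the IAM console or CLI."""
    return json.dumps(self_service_policy(account_id), indent=4)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # Action names are case-insensitive in IAM; '*' and '?' are the only wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, resource, username):
    # Resolve the policy variable first, then wildcard-match the ARN case-sensitively.
    return fnmatch.fnmatchcase(resource, pattern.replace("${aws:username}", username))


def is_allowed(policies, action, resource, username):
    """Simplified decision: True iff some Allow statement matches both the action
    (directly, or by not being excluded by NotAction) and the resource."""
    for policy in policies:
        for stmt in policy["Statement"]:
            if stmt.get("Effect") != "Allow":
                continue
            if "Action" in stmt:
                action_ok = any(_action_matches(p, action) for p in _as_list(stmt["Action"]))
            else:
                action_ok = not any(_action_matches(p, action) for p in _as_list(stmt["NotAction"]))
            resource_ok = any(_resource_matches(p, resource, username)
                              for p in _as_list(stmt["Resource"]))
            if action_ok and resource_ok:
                return True
    return False


def decision_table(username=USERNAME, account_id=ACCOUNT_ID):
    """The question's scenario: the same request evaluated against the policy with
    the placeholder left in versus the account ID filled in."""
    target = f"arn:aws:iam::{account_id}:user/{username}"
    action = "iam:CreateLoginProfile"
    return {
        "placeholder": is_allowed([POWER_USER, self_service_policy("account-id-without-hyphens")],
                                  action, target, username),
        "filled_in": is_allowed([POWER_USER, self_service_policy(account_id)],
                                action, target, username),
    }


if __name__ == "__main__":
    print(render_policy(ACCOUNT_ID))
    print(decision_table())
```

The placeholder case fails because the PowerUser statement excludes every `iam:*` action via NotAction, so the only statement that could grant `iam:CreateLoginProfile` is the self-service one, and its Resource `arn:aws:iam::account-id-without-hyphens:user/student` is a literal string that never equals the caller's real ARN; with no matching Allow the result is a deny. To confirm against the real evaluator after editing the policy, run `aws iam simulate-principal-policy --policy-source-arn arn:aws:iam::<account-id>:user/student --action-names iam:CreateLoginProfile --resource-arns arn:aws:iam::<account-id>:user/student` (with `<account-id>` standing in for your own account number) and check that the EvalDecision is `allowed`.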