1
votes

Policy used:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "iam:*AccessKey*"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:iam::account#:user/user1"
            ]
        }
    ]
}

What the policy does: allows the user to manage his own access keys.

What I have tried till now:

  1. Attached the above policy to the user.
  2. Tried logging in with the user name, clicked on IAM, and clicked on "rotate your access keys" and "manage your access keys".
  3. The error message comes up and doesn't allow the user to change the access keys.
  4. The error message is as follows:

You need permissions You do not have the permission required to perform this operation. Ask your administrator to add permissions. Learn more

User: arn:aws:iam::account#:user/user1 is not authorized to perform: iam:ListUsers on resource: arn:aws:iam::account#:user/

1
The error message suggests that the AWS Management Console also requires users to have the iam:ListUsers permission to use the interface. They could rotate keys via the AWS Command-Line Interface (CLI) without that permission. Also, the question mentions policy variables, but your policy doesn't show any variable. I presume you are referring to: IAM Policy Variables Overview - John Rotenstein
That's a nice catch, I agree. Initially, when I wrote the policy, I wrote it with a policy variable: I used user/${aws:username} instead of user/user1. Still no luck; then I tried it with a single user and had the same issue. - Rangesh Prasanna Venkatesan

1 Answer

2
votes

You need to allow the IAM iam:ListUsers action on the * resource. The error message indicates the missing permission for that action.

See: Allow a User to List the Account's Groups, Users, Policies, and More for Reporting Purposes

There it provides a sample policy to: "Allow Users to Manage Their Own Passwords, Access Keys, and SSH Keys".

The following policy allows users to perform these actions in the AWS Management Console:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:*LoginProfile",
        "iam:*AccessKey*",
        "iam:*SSHPublicKey*"
      ],
      "Resource": "arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListAccount*",
        "iam:GetAccountSummary",
        "iam:GetAccountPasswordPolicy",
        "iam:ListUsers"
      ],
      "Resource": "*"
    }
  ]
}
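To see why the question's policy fails in the console and the answer's policy passes, here is an added example (not code from the question or the answer): a simplified evaluator of IAM Allow statements with IAM wildcard matching and ${aws:username} substitution, run against both policies on the two calls the console makes. The account id 123456789012 is a constructed sample, and the evaluator deliberately ignores explicit Deny, Condition, NotAction/NotResource and resource-based policies.

```python
import re

ACCOUNT = "123456789012"  # constructed sample account id (the page writes "account#")

def _to_regex(pattern):
    # IAM wildcards: "*" matches any run of characters, "?" exactly one.
    return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)

def _matches(pattern, value, ignore_case):
    return re.fullmatch(_to_regex(pattern), value, re.IGNORECASE if ignore_case else 0) is not None

def is_allowed(policy, action, resource, username):
    """Simplified evaluation of an identity-based policy: Allow statements only
    (no explicit Deny, Condition, NotAction/NotResource or resource policies).
    Action names match case-insensitively, ARNs case-sensitively, and the
    policy variable ${aws:username} is filled from the request context."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        resources = [r.replace("${aws:username}", username) for r in resources]
        if any(_matches(a, action, True) for a in actions) and \
           any(_matches(r, resource, False) for r in resources):
            return True
    return False

# The question's policy, in the ${aws:username} form the asker also tried.
ORIGINAL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:*AccessKey*"],
     "Resource": [f"arn:aws:iam::{ACCOUNT}:user/${{aws:username}}"]}]}

# The answer's policy: the same self-service statement plus read-only listing on "*".
FIXED = {"Version": "2012-10-17", "Statement": ORIGINAL["Statement"] + [
    {"Effect": "Allow", "Action": ["iam:ListAccount*", "iam:GetAccountSummary",
                                   "iam:GetAccountPasswordPolicy", "iam:ListUsers"],
     "Resource": "*"}]}

def console_key_rotation(policy, username):
    """The two calls behind the console's 'manage access keys' page: the user
    list (resource is the bare user ARN prefix, exactly as in the error message)
    and the key operation on the caller's own user ARN."""
    return {
        "iam:ListUsers": is_allowed(policy, "iam:ListUsers", f"arn:aws:iam::{ACCOUNT}:user/", username),
        "iam:CreateAccessKey": is_allowed(policy, "iam:CreateAccessKey",
                                          f"arn:aws:iam::{ACCOUNT}:user/{username}", username),
    }

if __name__ == "__main__":
    print("original:", console_key_rotation(ORIGINAL, "user1"))  # ListUsers False
    print("fixed:   ", console_key_rotation(FIXED, "user1"))     # both True
```

Checking the fixed policy against another user's ARN shows it still does not let user1 touch user2's keys; the only widening is iam:ListUsers on "*", which exposes every user name in the account and is the price of console-based self-service rather than the CLI.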