AWS IAM won't let my users change their passwords
Solution 1
I was having the same problem. New users were getting the following error message:
Either user is not authorized to perform iam:ChangePassword or entered password does not comply with account password policy set by administrator
This despite the "Allow users to change their own password" option being set. Explicitly adding the iam:ChangePassword
permission also didn't help.
What turned out to be the issue in my case was that we had a policy to force MFA authentication, but when the user has just signed in for the first time they obviously have no MFA set up yet.
Removing the MFA policy fixed the issue for me.
Solution 2
I had the same issue. I found out you can exempt actions from having to have MFA:

  {
    "Sid": "DenyAllExceptListedIfNoMFA",
    "Effect": "Deny",
    "NotAction": [
      "iam:CreateVirtualMFADevice",
      "iam:EnableMFADevice",
      "iam:GetUser",
      "iam:ListMFADevices",
      "iam:ListVirtualMFADevices",
      "iam:ResyncMFADevice",
      "sts:GetSessionToken",
      "iam:ChangePassword"
    ],
    "Resource": "*",
    "Condition": {
      "BoolIfExists": {
        "aws:MultiFactorAuthPresent": "false"
      }
    }
  }

This is a generated policy that does not have ChangePassword in the exception list. The policy disallows any access without MFA except the actions in the NotAction list. You need to add "iam:ChangePassword" to the list.
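To make the mechanics of that statement concrete, here is an added example (not from the answer above and not AWS's real policy evaluator) that simulates just the parts this policy exercises: an explicit Deny with a NotAction list, a BoolIfExists condition on aws:MultiFactorAuthPresent, and the rule that an explicit Deny beats any Allow. The broad Allow statement is a constructed stand-in for whatever permissions the users already have, which the page does not show. It also covers a detail the answer does not spell out: BoolIfExists matches when the key is absent, which is the case for requests signed with long-term access keys, so those are denied everything outside the NotAction list as well.

```python
"""Simulate the Deny-unless-MFA statement from the answer above.

Added example: a small evaluator for the IAM features this policy uses,
not a reimplementation of AWS's evaluation logic.
"""
import copy
import fnmatch

# The statement as generated, before "iam:ChangePassword" is added to NotAction.
GENERATED_MFA_DENY = {
    "Sid": "DenyAllExceptListedIfNoMFA",
    "Effect": "Deny",
    "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken",
    ],
    "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
}

# Constructed stand-in for the users' existing permissions (assumption: the
# page does not show them). Without some Allow nothing would be permitted.
ALLOW_ALL = {"Effect": "Allow", "Action": "*", "Resource": "*"}

# Request contexts: console sign-in without MFA carries the key with value
# "false"; a session after MFA carries "true"; a long-term access key omits it.
CONSOLE_NO_MFA = {"aws:MultiFactorAuthPresent": "false"}
CONSOLE_WITH_MFA = {"aws:MultiFactorAuthPresent": "true"}
ACCESS_KEY = {}


def with_change_password(stmt):
    """Return a copy of the Deny statement with the fix the answer describes."""
    fixed = copy.deepcopy(stmt)
    fixed["NotAction"].append("iam:ChangePassword")
    return fixed


def _matches(patterns, action):
    # IAM action names are case-insensitive and may use "*" wildcards.
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def statement_applies(stmt, action, context):
    """True if the statement's action element and condition both match."""
    if "Action" in stmt:
        action_ok = _matches(stmt["Action"], action)
    else:
        action_ok = not _matches(stmt["NotAction"], action)
    if not action_ok:
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator != "BoolIfExists":
            raise NotImplementedError(f"operator {operator} not simulated")
        for key, wanted in pairs.items():
            # BoolIfExists: an absent key counts as a match; a present key
            # must equal the wanted value.
            if key in context and context[key].lower() != wanted.lower():
                return False
    return True


def is_allowed(statements, action, context):
    """Explicit Deny wins; otherwise any matching Allow; otherwise default deny."""
    if any(s["Effect"] == "Deny" and statement_applies(s, action, context)
           for s in statements):
        return False
    return any(s["Effect"] == "Allow" and statement_applies(s, action, context)
               for s in statements)


def first_login_outcomes():
    """Compare the generated and fixed statements for a first-time sign-in."""
    generated = [ALLOW_ALL, GENERATED_MFA_DENY]
    fixed = [ALLOW_ALL, with_change_password(GENERATED_MFA_DENY)]
    return {
        "generated:ChangePassword": is_allowed(generated, "iam:ChangePassword", CONSOLE_NO_MFA),
        "fixed:ChangePassword": is_allowed(fixed, "iam:ChangePassword", CONSOLE_NO_MFA),
        "fixed:EnableMFADevice": is_allowed(fixed, "iam:EnableMFADevice", CONSOLE_NO_MFA),
        "fixed:s3 without MFA": is_allowed(fixed, "s3:ListAllMyBuckets", CONSOLE_NO_MFA),
        "fixed:s3 with MFA": is_allowed(fixed, "s3:ListAllMyBuckets", CONSOLE_WITH_MFA),
        "fixed:s3 via access key": is_allowed(fixed, "s3:ListAllMyBuckets", ACCESS_KEY),
    }


if __name__ == "__main__":
    for name, allowed in first_login_outcomes().items():
        print(f"{name:28} -> {'allowed' if allowed else 'denied'}")
```

Running it shows the failure the question describes (ChangePassword denied under the generated statement), the effect of the fix, and that everything outside the NotAction list stays denied until an MFA-backed session is used. Note that the fix deliberately makes ChangePassword reachable without MFA for every session, not only the first one; it is the same trade-off the commenters below discuss.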
scottb
Updated on September 18, 2022
Comments
-
scottb about 1 year
My password policy is configured to allow users to change their passwords, but when I create a new user with the "must change password" option, the user gets told they need "iam:ChangePassword" permission.
They get a similar message when they try to change it using the CLI.
Any idea how to diagnose and fix this?
-
elichai2 almost 3 years
The real question is how to both require MFA and allow users to change their passwords before they've set up MFA.
-
urig almost 3 years
@elichai2 to enable that, find the clause in your "require MFA" policy that excludes certain permissions and add "iam:ChangePassword" and "iam:GetUser" to its "NotAction" list. It's the clause that has "Condition": { "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" } } on it.
-
Amir over 2 years
The answer may be more accessible if you add a little formatting.
-
JARC over 2 years
This fixed my issue since we have MFA enabled.
-
Admin over 1 year
But if I let users change their passwords without MFA, wouldn't that be a big security hole? Is there a way to allow that only the first time?