AWS IAM won't let my users change their passwords

8,723

Solution 1

I was having the same problem. New users were getting the following error message:

Either user is not authorized to perform iam:ChangePassword or entered password does not comply with account password policy set by administrator

This despite the "Allow users to change their own password" option being set. Explicitly adding the iam:ChangePassword permission also didn't help.

What turned out to be the issue in my case was that we had a policy to force MFA authentication, but when the user has just signed in for the first time they obviously have no MFA set up yet.

Removing the MFA policy fixed the issue for me.

Solution 2

I had the same issue. I found out you can exempt actions from having to have MFA:

{
  "Sid": "DenyAllExceptListedIfNoMFA",
  "Effect": "Deny",
  "NotAction": [
    "iam:CreateVirtualMFADevice",
    "iam:EnableMFADevice",
    "iam:GetUser",
    "iam:ListMFADevices",
    "iam:ListVirtualMFADevices",
    "iam:ResyncMFADevice",
    "sts:GetSessionToken",
    "iam:ChangePassword"
  ],
  "Resource": "*",
  "Condition": {
    "BoolIfExists": {
      "aws:MultiFactorAuthPresent": "false"
    }
  }
}

This is a generated policy that does not have ChangePassword in the exception list. The policy disallows any access without MFA except the actions in the NotAction list. You need to add "iam:ChangePassword" to the list.
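A way to catch this configuration before it locks a new user out, as an added example in Python (not code from either answer): it parses a policy document, finds the Deny statement gated on aws:MultiFactorAuthPresent being false, reports which of the actions a first-time user needs are missing from its NotAction list, and applies the fix urig describes in the comments. REQUIRED_NO_MFA_EXEMPTIONS, WEAK_POLICY and the function names are constructed for this example, not taken from any AWS tool.

```python
# Added example (not code from the answers above): lint an IAM policy document
# for the lock-out described in Solution 1 and Solution 2, i.e. a Deny statement
# that blocks everything when aws:MultiFactorAuthPresent is false but whose
# NotAction list omits what a brand-new user needs before MFA exists.
# The sample policy and the REQUIRED set below are constructed for this example.
import fnmatch
import json

# Actions a user with no MFA device must still be able to call: the two named in
# the answers and comments (iam:ChangePassword, iam:GetUser) plus the MFA-enrolment
# actions from the posted statement. Adjust to your own policy.
REQUIRED_NO_MFA_EXEMPTIONS = {
    "iam:ChangePassword",
    "iam:GetUser",
    "iam:CreateVirtualMFADevice",
    "iam:EnableMFADevice",
    "iam:ListMFADevices",
}

# Constructed sample: the generated policy from Solution 2 *before* the fix,
# so iam:ChangePassword is absent from NotAction.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowManageOwnPasswordAndMFA",
            "Effect": "Allow",
            "Action": ["iam:ChangePassword", "iam:GetUser",
                       "iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                       "iam:ListMFADevices"],
            "Resource": "arn:aws:iam::*:user/${aws:username}",
        },
        {
            "Sid": "DenyAllExceptListedIfNoMFA",
            "Effect": "Deny",
            "NotAction": [
                "iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                "iam:GetUser", "iam:ListMFADevices",
                "iam:ListVirtualMFADevices", "iam:ResyncMFADevice",
                "sts:GetSessionToken",
            ],
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        },
    ],
})


def _as_list(value):
    """Action/NotAction may be a single string or a list in IAM JSON."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _matches(action, patterns):
    """IAM action matching: case-insensitive, '*' and '?' wildcards (e.g. 'iam:*')."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _is_no_mfa_deny(stmt):
    """Deny statement gated on aws:MultiFactorAuthPresent being false (Bool or BoolIfExists)."""
    if stmt.get("Effect") != "Deny":
        return False
    cond = stmt.get("Condition", {})
    for op in ("BoolIfExists", "Bool"):
        val = cond.get(op, {}).get("aws:MultiFactorAuthPresent")
        if val is not None and str(val).lower() == "false":
            return True
    return False


def _statements(doc):
    """Statement may be a single object or a list; always return a list."""
    stmts = doc.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def missing_no_mfa_exemptions(policy_json):
    """Return {Sid: [required actions this no-MFA Deny still blocks]}.
    An empty dict means a first-time user can change their password and enrol MFA."""
    findings = {}
    for i, stmt in enumerate(_statements(json.loads(policy_json))):
        if not _is_no_mfa_deny(stmt):
            continue
        if "NotAction" in stmt:
            # Everything not listed is denied: each required action must be listed.
            exempt = _as_list(stmt["NotAction"])
            missing = {a for a in REQUIRED_NO_MFA_EXEMPTIONS if not _matches(a, exempt)}
        else:
            # Explicit Action deny: a problem only where it covers a required action.
            denied = _as_list(stmt.get("Action"))
            missing = {a for a in REQUIRED_NO_MFA_EXEMPTIONS if _matches(a, denied)}
        if missing:
            findings[stmt.get("Sid", f"statement[{i}]")] = sorted(missing)
    return findings


def fix_no_mfa_deny(policy_json):
    """Apply the fix from the comments: append every missing required action to the
    NotAction list of each no-MFA Deny statement. Returns the policy as indented JSON."""
    doc = json.loads(policy_json)
    stmts = _statements(doc)
    doc["Statement"] = stmts
    for stmt in stmts:
        if _is_no_mfa_deny(stmt) and "NotAction" in stmt:
            exempt = _as_list(stmt["NotAction"])
            to_add = sorted(a for a in REQUIRED_NO_MFA_EXEMPTIONS if not _matches(a, exempt))
            stmt["NotAction"] = exempt + to_add
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    print("before:", missing_no_mfa_exemptions(WEAK_POLICY))
    print("after: ", missing_no_mfa_exemptions(fix_no_mfa_deny(WEAK_POLICY)))
```

Feed it the policy JSON from the console editor or the "Document" field returned by `aws iam get-policy-version`. On the scope of the exemption: iam:ChangePassword changes only the calling user's own password and the API requires the current password, so listing it in NotAction grants nothing beyond what the sign-in that just accepted that password already implies; the deny still covers everything else until an MFA device is enrolled.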

Author: scottb

Updated on September 18, 2022

Comments

  • scottb about 1 year

    My password policy is configured to allow users to change their passwords, but when I create a new user with the "must change password" option, the user gets told they need "iam:ChangePassword" permission.

    They get a similar message when they try to change it using the CLI.

    Any idea how to diagnose and fix this?

  • elichai2 almost 3 years
    The real question is how to both require MFA and allow users to change their passwords before they've set up MFA.
  • urig almost 3 years
    @elichai2 to enable that, find the clause in your "require MFA" policy that excludes certain permissions and add "iam:ChangePassword" and "iam:GetUser" to its "NotAction" list. It's the clause that has "Condition": { "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" } } on it.
  • Amir over 2 years
    The answer may be more accessible if you add a little formatting.
  • JARC over 2 years
    This fixed my issue since we have MFA enabled.
  • Admin over 1 year
    But if I let users change their passwords without MFA, wouldn't that be a big security hole? Is there a way to allow that only the first time?