@politician
Created February 15, 2020 12:08
Either user is not authorized to perform iam:ChangePassword or entered password does not comply with account password policy set by administrator

If you get the following error on AWS:

Either user is not authorized to perform iam:ChangePassword or entered password does not comply with account password policy set by administrator

TLDR: Don't use "paths" in IAM

You check all your policies for a while, including AWS's managed policy IAMUserChangePassword, and you can't find what the hell is wrong. Maybe, like me, you were using the IAM path feature...

The IAMUserChangePassword policy is as follows:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:ChangePassword"
            ],
            "Resource": [
                "arn:aws:iam::*:user/${aws:username}"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetAccountPasswordPolicy"
            ],
            "Resource": "*"
        }
    ]
}

Now that I've brought the word "path" to your mind, you have probably already realised what is wrong. The allowed Resource only matches users created without a path:

"Resource": [
    "arn:aws:iam::*:user/${aws:username}"
]

It should be:

"Resource": [
    "arn:aws:iam::*:user/${aws:username}",
    "arn:aws:iam::*:user/*/${aws:username}"
]

I fixed my issue by just getting rid of paths altogether, so as to avoid headaches in the future.
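To see why the original Resource silently denies users that sit under a path, here is a small simulation of the matching step IAM performs: substitute `${aws:username}`, then match the caller's user ARN against the Resource patterns, where `*` matches any run of characters (including `/`) and `?` matches one character. This is an added example, not part of the gist; the account id, the `/engineering/` path and the user names are constructed sample values, and the evaluation itself is reduced to resource matching (no Deny statements, conditions or other policies). The authoritative check on a real account is the IAM policy simulator, not this script.

```python
"""Simulate IAM Resource matching for iam:ChangePassword with and without paths.

Added example for the gist above (constructed sample data, simplified model).
"""
import re

# Resource patterns exactly as they appear in the gist.
ORIGINAL_RESOURCES = ["arn:aws:iam::*:user/${aws:username}"]
FIXED_RESOURCES = [
    "arn:aws:iam::*:user/${aws:username}",
    "arn:aws:iam::*:user/*/${aws:username}",
]


def substitute_variables(pattern, username):
    """Replace the ${aws:username} policy variable with the caller's user name."""
    return pattern.replace("${aws:username}", username)


def arn_pattern_to_regex(pattern):
    """Translate IAM ARN wildcards: '*' -> any characters (slashes included),
    '?' -> exactly one character; everything else is literal."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def resource_allowed(resources, user_arn, username):
    """True if any Resource entry matches the caller's ARN after substitution."""
    return any(
        arn_pattern_to_regex(substitute_variables(r, username)).match(user_arn)
        is not None
        for r in resources
    )


def evaluate(resources, account_id, path, username):
    """Build the caller's user ARN from its IAM path and test it against the policy.

    Returns (user_arn, allowed). path is '/' for a user without a path,
    '/engineering/' for a user created with --path /engineering/.
    """
    user_arn = f"arn:aws:iam::{account_id}:user{path}{username}"
    return user_arn, resource_allowed(resources, user_arn, username)


if __name__ == "__main__":
    # Constructed sample principals (hypothetical account id).
    cases = [
        ("123456789012", "/", "alice"),
        ("123456789012", "/engineering/", "alice"),
    ]
    for label, policy in (("original", ORIGINAL_RESOURCES), ("fixed", FIXED_RESOURCES)):
        for account, path, name in cases:
            arn, ok = evaluate(policy, account, path, name)
            print(f"{label:8} {arn:55} -> {'Allow' if ok else 'implicit Deny'}")
```

Running it shows `arn:aws:iam::123456789012:user/engineering/alice` falling through to an implicit Deny under the original pattern and being allowed once `user/*/${aws:username}` is added. The broader pattern does not let one user touch another's password: IAM user names are unique within an account regardless of path, so `user/*/alice` can only ever match alice's own ARN. The implicit Deny is also why the error message is so unhelpful; nothing explicitly denies the call, the Allow simply never matches.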

@low-tony

A lot of thanks, man 🙏
