16

My password policy is configured to allow users to change their passwords, but when I create a new user with the "must change password" option, the user gets told they need "iam:ChangePassword" permission.

They get a similar message when they try to change it using the CLI.

Any idea how to diagnose and fix this?

scottb
  • 261

6 Answers

18

I was having the same problem. New users were getting the following error message:

Either user is not authorized to perform iam:ChangePassword or entered password does not comply with account password policy set by administrator

This despite the "Allow users to change their own password" option being set. Explicitly adding the iam:ChangePassword permission also didn't help.

What turned out to be the issue in my case was that we had a policy to force MFA authentication, but when the user has just signed in for the first time they obviously have no MFA set up yet.

Removing the MFA policy fixed the issue for me.

11

I had the same issue. I found out you can exempt actions from having to have MFA:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllExceptListedIfNoMFA",
      "Effect": "Deny",
      "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken",
        "iam:ChangePassword"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}

This is a generated policy that does not have ChangePassword in the exception list. The policy disallows any access without MFA except the actions in the NotAction list. You need to add "iam:ChangePassword" to the list.

Ben Mares
  • 103
  • 3
1

In my case, we have MFA mandated, but that wasn't the actual issue. The password that I was trying to use did not meet the security requirements listed in IAM for our password policy. When I tried changing it via the AWS Console, I got a much clearer error message of "The password does not conform to the account password policy: it must contain at least 10 characters".

I'm not exactly sure why this was the case, as doing echo 'mynewpassword' | wc -c showed 10 characters, but when I changed it to a longer password, the change was successful. The message from the CLI was certainly not clear that it was an issue with the password policy, as the error gave the impression that it was a problem with IAM permissions instead.

1

You didn't include the policies you put in place but from the error message it's clear the user does not have ChangePassword permissions.

The reference below gives all the details, but in general you need to ensure there is a policy attached to your users that matches the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:GetAccountPasswordPolicy",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:ChangePassword",
      "Resource": "arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
    }
  ]
}

Reference

Enable Users to Change Passwords

kenlukas
  • 3,404
0

I also experienced this after doing a revision of the user login experience. In my case, it was because I was adding a path to the new user (which was to be used in a policy I implemented).

However, the default AWS Policy IAMUserChangePassword does not take this into account.

i.e.

"arn:aws:iam::*:user/${aws:username}"

If you added a path to an IAM user, this would be the effective arn:

"arn:aws:iam::account-id:user/mypath/myuser"

In the meantime, we just took note to add the path after the user has logged in, or not to check the change-password option at login.

Chad
  • 101
  • 2
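The three policy shapes in this thread (the managed IAMUserChangePassword allow, the DenyAllExceptListedIfNoMFA statement with and without iam:ChangePassword exempted, and a user created with a path) can be checked offline with a small evaluator that follows IAM's deny-wins rule. The code below is an added example, not code from the thread or from AWS; the account id, the user name "alice", the path "mypath" and the PATH_AWARE_CHANGE_PASSWORD policy are constructed for the demonstration, and only the Bool and BoolIfExists condition operators are modelled.

```python
"""Offline evaluator for the iam:ChangePassword scenarios in this thread (constructed example)."""
import fnmatch
from typing import Any, Dict, List

# Contents of the AWS managed policy IAMUserChangePassword, as quoted in the thread.
IAM_USER_CHANGE_PASSWORD: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:GetAccountPasswordPolicy", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:ChangePassword",
         "Resource": "arn:aws:iam::*:user/${aws:username}"},
    ],
}

# Hypothetical variant for users created under the path /mypath/ (assumption, not an AWS policy).
PATH_AWARE_CHANGE_PASSWORD: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:ChangePassword",
         "Resource": "arn:aws:iam::*:user/mypath/${aws:username}"},
    ],
}


def mfa_deny_policy(exempt_change_password: bool) -> Dict[str, Any]:
    """The DenyAllExceptListedIfNoMFA statement, with or without iam:ChangePassword exempted."""
    exempt = ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser",
              "iam:ListMFADevices", "iam:ListVirtualMFADevices", "iam:ResyncMFADevice",
              "sts:GetSessionToken"]
    if exempt_change_password:
        exempt.append("iam:ChangePassword")
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyAllExceptListedIfNoMFA", "Effect": "Deny", "NotAction": exempt,
        "Resource": "*",
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _glob(pattern: str, value: str, ctx: Dict[str, str]) -> bool:
    # Substitute the ${aws:username} policy variable, then match IAM-style wildcards (* and ?).
    pattern = pattern.replace("${aws:username}", ctx.get("aws:username", ""))
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(cond: Dict[str, Dict[str, str]], ctx: Dict[str, str]) -> bool:
    for op, pairs in cond.items():
        for key, want in pairs.items():
            if op == "BoolIfExists" and key not in ctx:
                continue  # ...IfExists: a key missing from the request context satisfies the test
            if op in ("Bool", "BoolIfExists"):
                if str(ctx.get(key, "")).lower() != str(want).lower():
                    return False
            else:
                raise NotImplementedError(f"condition operator {op} is not modelled here")
    return True


def _applies(stmt: Dict[str, Any], action: str, resource: str, ctx: Dict[str, str]) -> bool:
    if "Action" in stmt and not any(_glob(a, action, ctx) for a in _as_list(stmt["Action"])):
        return False
    if "NotAction" in stmt and any(_glob(a, action, ctx) for a in _as_list(stmt["NotAction"])):
        return False
    if not any(_glob(r, resource, ctx) for r in _as_list(stmt.get("Resource", "*"))):
        return False
    return _condition_holds(stmt.get("Condition", {}), ctx)


def evaluate(policies: List[Dict[str, Any]], action: str, resource: str, ctx: Dict[str, str]) -> str:
    """Return 'explicitDeny', 'allowed' or 'implicitDeny': an explicit Deny always wins."""
    decision = "implicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _applies(stmt, action, resource, ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "explicitDeny"
            decision = "allowed"
    return decision


ACCOUNT = "123456789012"  # constructed account id
USER_ARN = f"arn:aws:iam::{ACCOUNT}:user/alice"
PATH_USER_ARN = f"arn:aws:iam::{ACCOUNT}:user/mypath/alice"
NO_MFA = {"aws:username": "alice"}  # MFA key absent: first console login or long-term access keys
WITH_MFA = {"aws:username": "alice", "aws:MultiFactorAuthPresent": "true"}


def scenarios() -> Dict[str, str]:
    """The thread's situations, each reduced to one evaluate() call."""
    act = "iam:ChangePassword"
    return {
        "no MFA, ChangePassword not exempted": evaluate(
            [IAM_USER_CHANGE_PASSWORD, mfa_deny_policy(False)], act, USER_ARN, NO_MFA),
        "no MFA, ChangePassword exempted": evaluate(
            [IAM_USER_CHANGE_PASSWORD, mfa_deny_policy(True)], act, USER_ARN, NO_MFA),
        "MFA present, not exempted": evaluate(
            [IAM_USER_CHANGE_PASSWORD, mfa_deny_policy(False)], act, USER_ARN, WITH_MFA),
        "user with path, managed policy": evaluate(
            [IAM_USER_CHANGE_PASSWORD], act, PATH_USER_ARN, NO_MFA),
        "user with path, path-aware policy": evaluate(
            [PATH_AWARE_CHANGE_PASSWORD], act, PATH_USER_ARN, NO_MFA),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

Against a real account the same question is answered by the IAM policy simulator, for example `aws iam simulate-principal-policy --policy-source-arn <user arn> --action-names iam:ChangePassword --context-entries ContextKeyName=aws:MultiFactorAuthPresent,ContextKeyValues=false,ContextKeyType=boolean`, which reports explicitDeny, allowed or implicitDeny in the same terms and names the statement responsible.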
0

In my case it was a problem with the password format:

  • The window shown by AWS to change the password when it is near expiry doesn't show the admitted format (upper and lower case, at least one number and/or special char...).

  • If the user enters a wrong format, instead of warning about it, it shows the permission error, misleading about the real failure.

Chus
  • 101
  • 2
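Two of the answers above (the 10-character case and this one) hit the same problem: the CLI and the expiry dialog fold a password-policy violation into the "not authorized to perform iam:ChangePassword" message. Checking the candidate password locally against the account policy first separates the two causes. The code below is an added example, not code from the thread or from AWS; SAMPLE_POLICY is a constructed dictionary in the shape of the PasswordPolicy object returned by `aws iam get-account-password-policy`, and its values are assumptions, not any answerer's real policy. The symbol set follows the list in the IAM password policy documentation.

```python
"""Local pre-check of a candidate password against an IAM account password policy (constructed example)."""
from typing import Any, Dict, List

# Characters IAM counts as symbols for RequireSymbols, per the IAM password policy documentation.
IAM_SYMBOLS = set("!@#$%^&*()_+-=[]{}|'")

# Constructed example in the shape of the PasswordPolicy object returned by
# `aws iam get-account-password-policy`; the values are assumptions for this demonstration.
SAMPLE_POLICY: Dict[str, Any] = {
    "MinimumPasswordLength": 10,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
}


def check_password(password: str, policy: Dict[str, Any]) -> List[str]:
    """Return the policy rules the password violates; an empty list means it conforms."""
    problems: List[str] = []
    min_len = policy["MinimumPasswordLength"]
    if len(password) < min_len:
        problems.append(f"must contain at least {min_len} characters (got {len(password)})")
    checks = [
        ("RequireUppercaseCharacters", str.isupper, "uppercase letter"),
        ("RequireLowercaseCharacters", str.islower, "lowercase letter"),
        ("RequireNumbers", str.isdigit, "number"),
        ("RequireSymbols", IAM_SYMBOLS.__contains__, "symbol"),
    ]
    for key, predicate, label in checks:
        if policy.get(key) and not any(predicate(c) for c in password):
            problems.append(f"must contain at least one {label}")
    return problems


def diagnose(password: str, policy: Dict[str, Any]) -> str:
    """Name the cause the ambiguous ChangePassword error hides: permission, policy, or neither."""
    if not policy.get("AllowUsersToChangePassword", False):
        return "permission: the account password policy does not allow users to change their own password"
    problems = check_password(password, policy)
    if problems:
        return "password policy: " + "; ".join(problems)
    return ("ok: password conforms; if ChangePassword still fails, look at IAM permissions "
            "(MFA conditions, user path, explicit ChangePassword allow)")


if __name__ == "__main__":
    for candidate in ("abcdefghij", "Short1!", "Abcdefghi1!"):
        print(f"{candidate!r}: {diagnose(candidate, SAMPLE_POLICY)}")
```

When measuring a password's length in the shell, `echo 'pw' | wc -c` counts the newline that echo appends, so it reports one more than the password has; `printf '%s' "$pw" | wc -m` counts the characters alone.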