coffee_machine

Reputation: 1223

Allow AWS users to create their own first access key

I want my AWS IAM users that belong to a specific group to be able to manage their own credentials, including the creation of their first access key. It is a requirement that they don't get other permissions such as listing the account's users.

It seems that console access is not an option as it needs permissions I don't want to grant (such as ListUsers).

Thus I tried the AWS CLI option and added the following policy, as advised in the AWS documentation.

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "iam:*LoginProfile",
      "iam:*AccessKey*",
      "iam:*SSHPublicKey*"
    ],
    "Resource": "arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
  }
}

This works well, except that it seems the AWS CLI requires an access key to log in (which my users don't have yet, I want them to create their access key themselves).

As a workaround, I create the access key for them, and then ask them to change it, but it's quite cumbersome.

Is there a way to log in to the AWS CLI with the user name and password? Is there another way to achieve my use case?

Upvotes: 4

Views: 5707

Answers (1)

Al-un

Reputation: 3422

I encountered a similar issue. I want my non-root users to be able to change their password and change (create/make inactive/delete) their access key for CLI access. However, those users must not be able to list users or display/do anything with other users.

My attempt to achieve the minimal policy is this JSON:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "iam:DeleteAccessKey",
        "iam:ChangePassword",
        "iam:CreateAccessKey",
        "iam:ListAccessKeys"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "iam:GetAccountPasswordPolicy",
      "Resource": "*"
    }
  ]
}

Some explanation for AWS noobs like myself:

  • I created a custom policy in IAM > Policies > Create policy. I picked the relevant permissions, added the resource scope and then assigned this policy to my user group.

  • iam:ChangePassword is obviously the password change permission, which is restricted to the current user only by the resource "arn:aws:iam::*:user/${aws:username}". Replace * with the account ID (without hyphens) if you need to restrict to a specific account. As mentioned in the AWS doc, iam:GetAccountPasswordPolicy is required.

    Sources:

  • iam:*AccessKey manages access keys for the current user as well:

    • create allows the creation of a new key so that the admin does not know the key
    • update allows the make-inactive action
    • delete allows access key deletion, as there is a quota of two keys per account

Upvotes: 8
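The security-relevant point in both the question's policy (the AWS doc snippet) and the answer's policy is that the Resource is scoped to arn:aws:iam::...:user/${aws:username}: the policy variable is substituted from the caller's identity, so the same document lets every group member manage only their own keys. The following is an added, offline example (not code from the question, the answer, or AWS) in Python using only the standard library: a toy IAM evaluator that handles Allow/Deny, "*" and "?" wildcards and ${aws:username}, and runs both policies plus a deliberately mis-scoped variant (BROAD_POLICY, constructed here, with Resource "*") through the same checks. The account id 123456789012 and the user names alice and bob are assumed; the evaluator is a simplification and is not AWS's real engine (no conditions, no NotAction/NotResource, no cross-policy evaluation).

```python
"""Offline check of the self-service IAM policies discussed above.

Toy evaluator, not AWS's engine: it handles Effect Allow/Deny, '*' and '?'
wildcards in Action and Resource, and the ${aws:username} policy variable.
"""
import json
import re

ACCOUNT = "123456789012"  # assumed account id for the examples

# Policy from the answer above (account wildcarded, explicit actions).
SELF_SERVICE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow",
     "Action": ["iam:DeleteAccessKey", "iam:ChangePassword",
                "iam:CreateAccessKey", "iam:ListAccessKeys"],
     "Resource": "arn:aws:iam::*:user/${aws:username}"},
    {"Sid": "VisualEditor1", "Effect": "Allow",
     "Action": "iam:GetAccountPasswordPolicy", "Resource": "*"}
  ]
}""")

# Policy from the question (AWS doc snippet), placeholder account filled in.
# Note that "Statement" is a single object here, which IAM also accepts.
DOC_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": ["iam:*LoginProfile", "iam:*AccessKey*", "iam:*SSHPublicKey*"],
    "Resource": "arn:aws:iam::%s:user/${aws:username}"
  }
}""" % ACCOUNT)

# Constructed anti-example: the answer's actions but Resource "*".
BROAD_POLICY = json.loads(json.dumps(SELF_SERVICE_POLICY))
BROAD_POLICY["Statement"][0]["Resource"] = "*"


def _as_list(x):
    """IAM allows a bare string or object where a list is expected."""
    return x if isinstance(x, list) else [x]


def expand_variables(resource, ctx):
    """Substitute ${aws:username}-style policy variables from the request context."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), m.group(0)), resource)


def wildcard_match(pattern, value, ignore_case=False):
    """IAM-style matching: '*' is any sequence, '?' is a single character."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def is_allowed(policy, action, resource, ctx):
    """Explicit Deny wins, then any matching Allow, otherwise implicit deny."""
    allowed = False
    for st in _as_list(policy["Statement"]):
        actions = _as_list(st.get("Action", []))
        # Action names are case-insensitive in IAM; resources are not.
        if not any(wildcard_match(a, action, ignore_case=True) for a in actions):
            continue
        resources = [expand_variables(r, ctx) for r in _as_list(st.get("Resource", []))]
        if not any(wildcard_match(r, resource) for r in resources):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def user_arn(name):
    return f"arn:aws:iam::{ACCOUNT}:user/{name}"


def check_policy(policy, me="alice", other="bob"):
    """What the caller can do to their own user, to another user, and account-wide."""
    ctx = {"aws:username": me}
    return {
        "create_own_key": is_allowed(policy, "iam:CreateAccessKey", user_arn(me), ctx),
        "create_other_key": is_allowed(policy, "iam:CreateAccessKey", user_arn(other), ctx),
        "change_own_password": is_allowed(policy, "iam:ChangePassword", user_arn(me), ctx),
        "update_own_login_profile": is_allowed(policy, "iam:UpdateLoginProfile", user_arn(me), ctx),
        "list_users": is_allowed(policy, "iam:ListUsers", "*", ctx),
        "password_policy": is_allowed(policy, "iam:GetAccountPasswordPolicy", "*", ctx),
    }


if __name__ == "__main__":
    for name, policy in [("answer", SELF_SERVICE_POLICY), ("doc", DOC_POLICY), ("broad", BROAD_POLICY)]:
        print(name, check_policy(policy))
```

Running it shows the trade-off between the two policies: the answer's policy grants iam:ChangePassword and nothing on login profiles, while the doc snippet's iam:*LoginProfile covers iam:UpdateLoginProfile instead and does not cover iam:GetAccountPasswordPolicy; neither lets alice create a key for bob or list users. BROAD_POLICY is the caveat: the same action list with Resource "*" lets alice mint an access key for bob, which is why the ${aws:username} scoping, not the action list, is what keeps the grant self-service only.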
