AWS-IAM policy on access key giving error message

Policy used:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "iam:*AccessKey*"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iam::account#:user/user1"
      ]
    }
  ]
}

What does the policy do: Allows the user to manage his own access keys.

What I have tried till now:

  1. Attached the above policy to the user.
  2. Tried logging in with the user name, clicked on IAM, then clicked on "rotate your access keys" and "manage your access keys".
  3. The error message comes up and doesn't allow the user to change the access keys.
  4. The error message is as follows:

You need permissions You do not have the permission required to perform this operation. Ask your administrator to add permissions. Learn more

User: arn:aws:iam::account#:user/user1 is not authorized to perform: iam:ListUsers on resource: arn:aws:iam::account#:user/

Upvotes: 2

Views: 10819

Answers (1)

Rodrigo Murillo

Reputation: 13648

You need to allow the IAM iam:ListUsers action on the * resource. The error message indicates a missing permission for that action.

See: Allow a User to List the Account's Groups, Users, Policies, and More for Reporting Purposes

There it provides a sample policy to: "Allow Users to Manage Their Own Passwords, Access Keys, and SSH Keys".

The following policy allows users to perform these actions in the AWS Management Console:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:*LoginProfile",
        "iam:*AccessKey*",
        "iam:*SSHPublicKey*"
      ],
      "Resource": "arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListAccount*",
        "iam:GetAccountSummary",
        "iam:GetAccountPasswordPolicy",
        "iam:ListUsers"
      ],
      "Resource": "*"
    }
  ]
}

Upvotes: 5
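To make the difference between the two policies concrete, here is an added example (not from the question, the answer or AWS) with a simplified IAM evaluator: it checks the console's iam:ListUsers call from the error message and a self-service access-key call against both policies. The account id 111122223333 is a constructed placeholder for the page's "account#", and the evaluator ignores Deny statements and Condition blocks.

```python
import fnmatch

ACCOUNT = "111122223333"  # constructed placeholder for the page's "account#"

# Policy from the question: access-key actions only, on user1's own ARN.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["iam:*AccessKey*"],
        "Resource": [f"arn:aws:iam::{ACCOUNT}:user/user1"],
    }],
}

# Policy from the answer: self-service on ${aws:username}, plus the read-only
# account-level calls the console makes before it can show the access-key page.
ANSWER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["iam:*LoginProfile", "iam:*AccessKey*", "iam:*SSHPublicKey*"],
         "Resource": f"arn:aws:iam::{ACCOUNT}:user/${{aws:username}}"},
        {"Effect": "Allow",
         "Action": ["iam:ListAccount*", "iam:GetAccountSummary",
                    "iam:GetAccountPasswordPolicy", "iam:ListUsers"],
         "Resource": "*"},
    ],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_allowed(policy, username, action, resource):
    """Simplified evaluation (not AWS's engine): explicit Allow only, no Deny,
    no Condition. Actions match case-insensitively with IAM-style wildcards,
    resources match case-sensitively, ${aws:username} is the caller's name."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt["Action"])]
        resources = [r.replace("${aws:username}", username)
                     for r in _as_list(stmt["Resource"])]
        if any(fnmatch.fnmatchcase(action.lower(), a) for a in actions) and \
           any(fnmatch.fnmatchcase(resource, r) for r in resources):
            return True
    return False
```

Running is_allowed(QUESTION_POLICY, "user1", "iam:ListUsers", "arn:aws:iam::111122223333:user/") returns False for both reasons the error message hints at (the action is not an *AccessKey* action, and the resource is the bare user/ prefix, not user1's ARN), while ANSWER_POLICY returns True for that call yet still refuses iam:CreateAccessKey on user2's ARN.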
