VIAE IT

Reputation: 113

AWS user listing - only see yourself

I am playing with AWS IAM and have the following scenario:

I have different projects on which I am collaborating with other people. I have an IAM user group project_x_admin to which user_x is assigned. Besides user_x, user_y and user_z exist as well.

I now added policies to this group to allow those users to configure their SSH keys (e.g., to use within AWS CodeCommit) as described over here: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_my-sec-creds-self-manage-no-mfa.html.

Now, when I log in as user_x and go to the users page (to get to my detail page and configure the SSH key), I get the message that ListUsers is not granted for this user.

Question: Is it possible to configure IAM to allow ListUsers while restricting the result set to only the logged-in user? I already tried via Condition on tags, but until now either all users were visible or I got the message that the permission is not granted. Does anyone know how to fix this?

What I tried with Condition keyword:

{
    "Sid": "AllowListItself",
    "Effect": "Allow",
    "Action": [
        "iam:ListUsers"
    ],
    "Resource": "*",
    "Condition": {
        "StringEqualsIgnoreCase": {
            "aws:username": "${aws:username}"
        }
    }
}

And

{
    "Sid": "VisualEditor0",
    "Effect": "Allow",
    "Action": "iam:ListUsers",
    "Resource": "*",
    "Tags": [
        {
            "Key": "name",
            "Value": "user_x"
        }
    ]
}

And

{
    "Sid": "VisualEditor0",
    "Effect": "Allow",
    "Action": "iam:ListUsers",
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "aws:RequestTag/name": [
                "user_x"
            ]
        },
        "ForAllValues:StringEquals": {"aws:TagKeys": "name"}
    }
}

All these statements resulted in either all users being visible or nothing. Can anyone help me with this configuration?

Upvotes: 2

Views: 317

Answers (2)

VIAE IT

Reputation: 113

I found out that the way to solve this is to work with AWS Organizations, in which you have an account per department or organization and a master account on top of it.

Upvotes: 0

Mark B

Reputation: 200446

The actual problem you are trying to solve is that you need to access your IAM account settings, and you can't get to it through the account list page due to permission issues.

The solution is to click your account name in the top-right section of the AWS console and a drop-down menu will appear. In that menu will be a link to "Security Credentials". Click that link and it will take you directly to your IAM account settings, where you can do things like upload SSH keys, and create API access keys.

Upvotes: 2
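An added example (not from either poster) of the policy shape the AWS document linked in the question describes: iam:ListUsers supports neither resource-level scoping nor a per-user condition key, and the condition "aws:username" equals "${aws:username}" compares the caller's name with itself, so it is always true and lists every user. The self-service actions, by contrast, accept a user ARN, so the ${aws:username} policy variable restricts them to the caller's own user; the Sid names below are assumptions.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowViewOwnUser",
      "Effect": "Allow",
      "Action": "iam:GetUser",
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "AllowManageOwnSSHPublicKeys",
      "Effect": "Allow",
      "Action": [
        "iam:DeleteSSHPublicKey",
        "iam:GetSSHPublicKey",
        "iam:ListSSHPublicKeys",
        "iam:UpdateSSHPublicKey",
        "iam:UploadSSHPublicKey"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    }
  ]
}
```

iam:ListUsers is deliberately left out, so the users list page still shows the access-denied notice, while the user's own detail page, reached through the Security Credentials link described in the answer above, has everything it needs.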
