8

My password policy is configured to allow users to change their passwords, but when I create a new user with the "must change password" option, the user gets told they need "iam:ChangePassword" permission.

They get a similar message when they try to change it using the CLI.

Any idea how to diagnose and fix this?

scottb

4 Answers

14

I was having the same problem. New users were getting the following error message:

Either user is not authorized to perform iam:ChangePassword or entered password does not comply with account password policy set by administrator

This despite the "Allow users to change their own password" option being set. Explicitly adding the iam:ChangePassword permission also didn't help.

What turned out to be the issue in my case was that we had a policy to force MFA authentication, but when the user has just signed in for the first time they obviously have no MFA set up yet.

Removing the MFA policy fixed the issue for me.

Pedro Rodrigues

  • The real question is how to both require MFA and allow users to change their passwords before they've set up MFA – elichai2 Jan 18 '21 at 11:13
  • @elichai2 to enable that, find the clause in your "require MFA" policy that excludes certain permissions and add `"iam:ChangePassword"` and `"iam:GetUser"` to its "NotAction" list. It's the clause that has `"Condition": { "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" } }` on it. – urig Feb 08 '21 at 16:31
  • But if I let users change their passwords without MFA, wouldn't that be a big security hole? Is there a way to allow that only the first time? – Andre Carlucci May 04 '22 at 10:16

3

I had the same issue. I found out you can exempt actions from having to have MFA:

{
  "Sid": "DenyAllExceptListedIfNoMFA",
  "Effect": "Deny",
  "NotAction": [
    "iam:CreateVirtualMFADevice",
    "iam:EnableMFADevice",
    "iam:GetUser",
    "iam:ListMFADevices",
    "iam:ListVirtualMFADevices",
    "iam:ResyncMFADevice",
    "sts:GetSessionToken",
    "iam:ChangePassword"
  ],
  "Resource": "*",
  "Condition": {
    "BoolIfExists": {
      "aws:MultiFactorAuthPresent": "false"
    }
  }
}

This is a generated policy that does not have ChangePassword in the exception list. The policy disallows any access without MFA except the actions in the NotAction list. You need to add "iam:ChangePassword" to the list.

Ben Mares

1

You didn't include the policies you put in place, but from the error message it's clear the user does not have ChangePassword permissions.

The reference below gives all the details, but in general you need to ensure there is a policy attached to your users that matches the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:GetAccountPasswordPolicy",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:ChangePassword",
      "Resource": "arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
    }
  ]
}

Reference

Enable Users to Change Passwords

kenlukas

  • I didn't put any specific policy in place--I went to IAM's "Account Settings" and checked the box that said "Allow users to change their own password". If I have to _separately_ set the iam:ChangePassword, then what's the point of the checkbox? – scottb Nov 19 '19 at 16:42
  • @scottb Is the error message you posted the full error message? I created a test account with read-only access and the "allow users to change..." checked. It allowed me to change without an issue as long as the new password met the password criteria. If it was too short or didn't have a special character I received an error that said I either didn't have iam:ChangePassword access or my password didn't conform to the policy. – kenlukas Nov 19 '19 at 19:32
  • I can't be certain that the password conformed to the policy, but I know that the user was aware of the policy, so I assume he chose one that conformed. – scottb Nov 21 '19 at 16:21
  • Can you have them grab a screenshot of the error? – kenlukas Nov 21 '19 at 19:43

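
The three pieces of advice in this thread (urig's comment about adding iam:ChangePassword to the NotAction list, Ben Mares's MFA-deny statement, and kenlukas's Allow policy scoped with ${aws:username}) all come down to a few IAM evaluation rules: an explicit Deny beats any Allow, NotAction inverts the action list, BoolIfExists treats a missing key as a match, and policy variables are substituted into Resource before matching. The following is an added example, not AWS code and not the real IAM engine; it models just those rules so you can see why the generated MFA policy blocks a first login and why the fix works. The account id 123456789012 and the user names are constructed.

```python
"""Offline model of the IAM rules at work in this thread (added example, not
AWS code). Supports Action/NotAction, Resource with ${aws:username}, and the
BoolIfExists condition on aws:MultiFactorAuthPresent, which is all these
policies use. Account id and user names below are constructed."""
import copy
import fnmatch

# Allow policy from kenlukas's answer, with a constructed account id.
ALLOW_CHANGE_OWN_PASSWORD = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:GetAccountPasswordPolicy", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:ChangePassword",
         "Resource": "arn:aws:iam::123456789012:user/${aws:username}"},
    ],
}

# The "generated" MFA-enforcement statement as it looks before the fix:
# iam:ChangePassword is absent from NotAction, so the Deny covers it.
GENERATED_MFA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAllExceptListedIfNoMFA",
        "Effect": "Deny",
        "NotAction": [
            "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser",
            "iam:ListMFADevices", "iam:ListVirtualMFADevices",
            "iam:ResyncMFADevice", "sts:GetSessionToken",
        ],
        "Resource": "*",
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
    }],
}


def with_password_change_exempted(policy):
    """Copy of an MFA-deny policy with the actions a first-time user needs
    added to every NotAction list (the fix suggested in the thread)."""
    fixed = copy.deepcopy(policy)
    for stmt in fixed["Statement"]:
        for action in ("iam:ChangePassword", "iam:GetUser"):
            if "NotAction" in stmt and action not in stmt["NotAction"]:
                stmt["NotAction"].append(action)
    return fixed


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive):
    # IAM wildcards are * and ?; action names compare case-insensitively,
    # resource ARNs case-sensitively.
    if case_insensitive:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _statement_applies(stmt, action, resource, ctx):
    if "Action" in stmt and not _matches(_as_list(stmt["Action"]), action, True):
        return False
    if "NotAction" in stmt and _matches(_as_list(stmt["NotAction"]), action, True):
        return False  # listed in NotAction => the statement does not cover it
    resources = [r.replace("${aws:username}", ctx["aws:username"])
                 for r in _as_list(stmt["Resource"])]
    if not _matches(resources, resource, False):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator != "BoolIfExists":
            raise NotImplementedError(operator)  # only operator used in the thread
        for key, expected in pairs.items():
            # ...IfExists: a missing context key counts as a match
            if key in ctx and ctx[key] != expected:
                return False
    return True


def evaluate(policies, action, resource, username, mfa_present=None):
    """Return (allowed, reason). mfa_present=None models a request whose
    context carries no aws:MultiFactorAuthPresent key at all."""
    ctx = {"aws:username": username}
    if mfa_present is not None:
        ctx["aws:MultiFactorAuthPresent"] = "true" if mfa_present else "false"
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_applies(stmt, action, resource, ctx):
                continue
            if stmt["Effect"] == "Deny":  # explicit deny always wins
                return False, f"explicit deny by {stmt.get('Sid', 'unnamed statement')}"
            allowed = True
    return (True, "explicit allow") if allowed else (False, "implicit deny")


def first_login_password_change(mfa_policy, username="alice"):
    """The scenario from the question: brand-new user, no MFA device yet."""
    return evaluate([ALLOW_CHANGE_OWN_PASSWORD, mfa_policy], "iam:ChangePassword",
                    f"arn:aws:iam::123456789012:user/{username}", username,
                    mfa_present=False)
```

Running `first_login_password_change(GENERATED_MFA_POLICY)` yields an explicit deny from DenyAllExceptListedIfNoMFA even though an Allow for iam:ChangePassword is attached, which is exactly why "explicitly adding the iam:ChangePassword permission also didn't help" in the accepted answer. With `with_password_change_exempted(...)` the Deny no longer covers the action and the ${aws:username}-scoped Allow still keeps a user from changing anyone else's password. The real decision can be checked against AWS with the IAM policy simulator rather than this model.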
0

In my case, we have MFA mandated, but that wasn't the actual issue. The password that I was trying to use did not meet the security requirements listed in IAM for our password policy. When I tried changing it via the AWS Console, I got a much clearer error message of "The password does not conform to the account password policy: it must contain at least 10 characters".

I'm not exactly sure why this was the case, as doing `echo 'mynewpassword' | wc -c` showed 10 characters, but when I changed it to a longer password, the change was successful. The message from the CLI was certainly not clear that it was an issue with the password policy, as the error gave the impression that it was a problem with IAM permissions instead.
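
Since the CLI error folds the password-policy failure into a permissions message, a local pre-check against the account policy gives the clearer complaint the console shows. The following is an added example, not AWS code: it evaluates a candidate password against the fields that `GetAccountPasswordPolicy` returns (MinimumPasswordLength, RequireSymbols, RequireNumbers, RequireUppercaseCharacters, RequireLowercaseCharacters). SAMPLE_POLICY is constructed sample data shaped like that response; in practice it would come from `boto3.client("iam").get_account_password_policy()["PasswordPolicy"]`. It also strips a trailing newline before counting, because `echo pw | wc -c` counts the newline echo appends, so a 9-character password reports as 10.

```python
"""Local check of a candidate password against an IAM account password
policy (added example, not AWS code). SAMPLE_POLICY is constructed to look
like GetAccountPasswordPolicy's PasswordPolicy object."""

SAMPLE_POLICY = {  # constructed sample; fetch the real one via boto3/aws cli
    "MinimumPasswordLength": 10,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
}

# Non-alphanumeric characters IAM documents for the RequireSymbols rule.
IAM_SYMBOLS = "!@#$%^&*()_+-=[]{}|'"


def password_policy_violations(password, policy):
    """Return a list of human-readable violations; empty means it complies.

    A trailing newline is stripped first: `echo pw | wc -c` counts the
    newline echo appends, which makes a 9-character password look like 10.
    """
    pw = password.rstrip("\r\n")
    problems = []
    minimum = policy["MinimumPasswordLength"]
    if len(pw) < minimum:
        problems.append(f"must contain at least {minimum} characters")
    checks = [
        ("RequireSymbols", lambda c: c in IAM_SYMBOLS, "symbol"),
        ("RequireNumbers", str.isdigit, "number"),
        ("RequireUppercaseCharacters", str.isupper, "uppercase letter"),
        ("RequireLowercaseCharacters", str.islower, "lowercase letter"),
    ]
    for key, predicate, description in checks:
        if policy.get(key) and not any(predicate(c) for c in pw):
            problems.append(f"must contain at least one {description}")
    return problems


def wc_style_length(password):
    """What `wc -c` reports for echo's output: characters plus the newline."""
    return len(password.rstrip("\r\n")) + 1
```

Run the check before `aws iam change-password`; if the list is non-empty, the "not authorized to perform iam:ChangePassword or entered password does not comply" message is almost certainly the policy half of that sentence, not the permission half.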