I wanted to allow a general user to create and manage access key on AWS console. To grant those permissions to that user, I created 2 IAM policies below referring to https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html .
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CreateOwnAccessKeys",
"Effect": "Allow",
"Action": [
"iam:CreateAccessKey",
"iam:GetUser",
"iam:ListAccessKeys"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ManageOwnAccessKeys",
"Effect": "Allow",
"Action": [
"iam:CreateAccessKey",
"iam:DeleteAccessKey",
"iam:GetAccessKeyLastUsed",
"iam:GetUser",
"iam:ListAccessKeys",
"iam:UpdateAccessKey"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
}
]
}
With the 2 IAM policies, still, that user could not create and manage access key on AWS console and found error messages as follows.
User: arn:aws:iam::711268734740:user/testuser is not authorized to perform: iam:ListAccessKeys on resource: user testuser with an explicit deny in an identity-based policy
How do I grant permissions to that user to create and manage own access keys?
AWS OFFICIALAktualisiert vor 10 Monaten
You are right. Those two policies have conflict with the policy allowing IAM users to self-manage their multi-factor authentication device(https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_iam_mfa-selfmanage.html). Thanks for your help!