This issue occurs when an IAM user doesn't have the necessary permissions to change their own password. Even if you're an admin user, you still need specific permissions to change your password through the console.
The error you encountered is likely due to missing the iam:ChangePassword permission in your IAM policy. This is a common issue where users receive the error message "You don't have permission to iam:ChangePassword" when trying to update their password.
The reason your second approach worked (going through the Users home page to your profile) is that this path might be using a different API action than the direct "Update Console Password" option. The second method might be using iam:UpdateLoginProfile instead of iam:ChangePassword.
To properly resolve this issue and ensure you can change your password from any path in the console, you should ensure your IAM user has a policy that includes at least these permissions:
- iam:GetAccountPasswordPolicy - To view the password requirements
- iam:ChangePassword - To change your own password
- iam:GetUser - To access your user information
- iam:UpdateLoginProfile - To update your login profile
The resource for these permissions should be scoped to your own user with something like: arn:aws:iam::*:user/${aws:username}
If you continue to experience issues, check if there are any Service Control Policies (SCPs) in AWS Organizations that might be restricting these actions, or if there are any explicit deny statements in other policies attached to your user or groups.
Sources
How do I change my password on the AWS Management Console | AWS re:Post
Resolve the IAM user password error "user is not authorized or password does not comply" | AWS re:Post
User(s) can't change their passwords - can't find any deny's | AWS re:Post
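The check described in the answer above, as an added example that is not part of the original answer and not AWS code: a simplified offline evaluator that reports, for each of the four actions, whether a set of identity policies allows it, leaves it implicitly denied, or explicitly denies it. The policy documents, the user name and the account ID 111122223333 are constructed placeholders; the evaluator assumes identity policies only and ignores Condition, NotAction, NotResource, SCPs and permission boundaries.

```python
import fnmatch

REQUIRED = ["iam:GetAccountPasswordPolicy", "iam:ChangePassword",
            "iam:GetUser", "iam:UpdateLoginProfile"]
# iam:GetAccountPasswordPolicy has no resource-level support, so the request
# resource is "*" and a statement scoped to the user ARN will not grant it.
NO_RESOURCE_LEVEL = {"iam:GetAccountPasswordPolicy"}

# Constructed sample: the self-service policy the answer describes.
SELF_SERVICE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:GetAccountPasswordPolicy", "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["iam:ChangePassword", "iam:GetUser", "iam:UpdateLoginProfile"],
     "Resource": "arn:aws:iam::*:user/${aws:username}"}]}

# Constructed sample: a conflicting explicit deny inherited from a group.
GROUP_DENY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "iam:Change*", "Resource": "*"}]}

def _as_list(value):
    """Policy fields may be a single item or a list of items."""
    return list(value) if isinstance(value, (list, tuple)) else [value]

def _matches(stmt, action, resource, username):
    """True if the statement's Action and Resource patterns cover the request."""
    actions = _as_list(stmt.get("Action", []))
    resources = [r.replace("${aws:username}", username)
                 for r in _as_list(stmt.get("Resource", []))]
    # IAM action names are case-insensitive; * and ? are wildcards.
    return (any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions)
            and any(fnmatch.fnmatchcase(resource, r) for r in resources))

def evaluate(policies, username, account_id="111122223333"):
    """Return {action: 'allowed' | 'implicit deny' | 'explicit deny'}."""
    user_arn = f"arn:aws:iam::{account_id}:user/{username}"
    stmts = [s for p in policies for s in _as_list(p["Statement"])]
    result = {}
    for action in REQUIRED:
        resource = "*" if action in NO_RESOURCE_LEVEL else user_arn
        effects = {s["Effect"] for s in stmts
                   if _matches(s, action, resource, username)}
        # An explicit Deny always overrides any Allow.
        result[action] = ("explicit deny" if "Deny" in effects
                          else "allowed" if "Allow" in effects
                          else "implicit deny")
    return result

if __name__ == "__main__":
    for name, verdict in evaluate([SELF_SERVICE_POLICY, GROUP_DENY_POLICY], "alice").items():
        print(f"{name:32} {verdict}")
```

With the constructed deny attached, iam:ChangePassword is blocked while iam:UpdateLoginProfile still succeeds, which is the asymmetry the answer suggests for the two console paths.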
