I wanted to allow a general user to create and manage access key on AWS console. To grant those permissions to that user, I created 2 IAM policies below referring to https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html .
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CreateOwnAccessKeys",
"Effect": "Allow",
"Action": [
"iam:CreateAccessKey",
"iam:GetUser",
"iam:ListAccessKeys"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ManageOwnAccessKeys",
"Effect": "Allow",
"Action": [
"iam:CreateAccessKey",
"iam:DeleteAccessKey",
"iam:GetAccessKeyLastUsed",
"iam:GetUser",
"iam:ListAccessKeys",
"iam:UpdateAccessKey"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
}
]
}
With the 2 IAM policies, still, that user could not create and manage access key on AWS console and found error messages as follows.
User: arn:aws:iam::711268734740:user/testuser is not authorized to perform: iam:ListAccessKeys on resource: user testuser with an explicit deny in an identity-based policy
How do I grant permissions to that user to create and manage own access keys?
You are right. Those two policies have conflict with the policy allowing IAM users to self-manage their multi-factor authentication device(https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_iam_mfa-selfmanage.html). Thanks for your help!