4

Specifically, I want the user to be able to create/delete his own access keys ("Action": ["iam:*AccessKey*"]) in the AWS console, but without giving them a full user list view in the IAM dashboard.

The instructions listed in the AWS documentation here add "Action": "iam:ListUsers" for all users to the policy, which is what I'd like to avoid.

I tried using

{
  "Sid":"AllowUserToListHimselfInConsole",
  "Action": "iam:ListUsers",
  "Effect": "Allow",
  "Resource": "arn:aws:iam::593145159899:user/${aws:username}"
}

to allow the user to just list his own account, but it didn't work.

Is there a way to do what I aim for, or is the full user list a prerequisite to be able to change your own credentials in the console?

dorian
  • 427
  • 1
  • 8
  • 24

2 Answers2

4

Is there a way to do what I aim for, or is the full user list a prerequisite to be able to change your own credentials in the console?

I'm afraid the latter is the case, at least that has been my experience as well so far, see e.g. my related answer to IAM access to EC2 REST API?, where I explore 'IAM Credentials Self Management' - interestingly the Official Solution to Allow a user to manage his or her own security credentials quoted from the AWS documentation just two weeks ago has vanished there, which 'correlates' with my qualification (i.e. they might have realized this being only applicable via custom solutions using the API and thus confusing):

Please note that this solution still has usability flaws depending on how AWS resources are accessed by your users, i.e. via API, CLI, or the AWS Management Console (the latter requires additional permissions for example).

Accordingly, my Extended Variation includes iam:ListUsers as well to gain a usable result. This is really unfortunate, because granting meanwhile fine grained access to AWS resources via the AWS Management Console is by far the easiest and most instructive way to empower new AWS users to explore on their own.

Community
  • 1
Steffen Opel
  • 5,638
  • 37
  • 55
0

This post describes what you're looking for: https://blogs.aws.amazon.com/security/post/Tx2SJJYE082KBUK/How-to-Delegate-Management-of-Multi-Factor-Authentication-to-AWS-IAM-Users

philfreo
  • 987
  • 2
  • 9
  • 22
  • 1
    Thanks for your answer. However I'm not sure if this will help as there's still a `iam:ListUsers` action allowed in the `Force_MFA` policy... – dorian May 02 '16 at 15:11