How to Fix “iam:ChangePassword Permission Required” Error in AWS IAM Password Rotation


You've configured your AWS IAM password policy correctly with:

{
    "MinimumPasswordLength": 8,
    "RequireSymbols": true,
    "RequireNumbers": true,
    "RequireUppercaseCharacters": true,
    "RequireLowercaseCharacters": true,
    "AllowUsersToChangePassword": true,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 3
}

Yet users still hit the frustrating "iam:ChangePassword permission required" roadblock. This happens because AWS makes a crucial distinction between password policy settings and actual permission grants.

For password changes to work, users need two distinct permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:ChangePassword",
                "iam:GetAccountPasswordPolicy"
            ],
            "Resource": "*"
        }
    ]
}

The GetAccountPasswordPolicy permission is often overlooked but essential - it allows users to verify password requirements before attempting changes.

Here are three ways to attach the policy:

1. Managed Policy (Recommended):

aws iam attach-user-policy \
    --user-name username \
    --policy-arn arn:aws:iam::aws:policy/IAMUserChangePassword

2. Inline Policy:

aws iam put-user-policy \
    --user-name username \
    --policy-name PasswordChangePolicy \
    --policy-document file://password-policy.json

3. Group Assignment:

aws iam add-user-to-group \
    --user-name username \
    --group-name PasswordChangers

When users report CLI errors like:

An error occurred (AccessDenied) when calling the ChangePassword operation: 
User: arn:aws:iam::123456789012:user/testuser is not authorized to perform: 
iam:ChangePassword on resource: user testuser

The solution is to verify the effective permissions:

aws iam simulate-principal-policy \
    --policy-source-arn arn:aws:iam::123456789012:user/testuser \
    --action-names iam:ChangePassword

If this occurs with root account credentials, AWS enforces additional security measures. You'll need to:

  1. Enable MFA for the root account
  2. Create an IAM admin user with proper permissions
  3. Stop using root credentials for daily operations

For automated systems that need to rotate passwords, consider this Lambda example:

import boto3
from botocore.exceptions import ClientError


def lambda_handler(event, context):
    """Rotate the console password of the IAM user named in the event.

    iam:ChangePassword only changes the password of the IAM *user* that
    makes the call, and a Lambda runs under an execution *role*, so
    change_password() cannot be used from here. UpdateLoginProfile sets a
    named user's password and requires iam:UpdateLoginProfile on that user.
    """
    iam = boto3.client('iam')
    try:
        iam.update_login_profile(
            UserName=event['user_name'],
            Password=event['new_password'],
            PasswordResetRequired=True  # user must pick their own password next login
        )
        return {'status': 'success', 'user': event['user_name']}
    except ClientError as e:
        # Return the AWS error code (e.g. AccessDenied) so the caller can act on it
        return {'error': e.response['Error']['Code'], 'message': str(e)}

Remember to assign the Lambda execution role the necessary IAM permissions.

  • Always combine password change permissions with MFA requirements
  • Regularly audit who has iam:ChangePassword permissions
  • Consider temporary credentials for automated systems rather than permanent IAM users
  • Implement CloudTrail logging to monitor password change activities

Recently, I encountered an annoying AWS IAM issue where users couldn't change their passwords even though:

  • The account password policy explicitly allows password changes
  • Users were created with the "User must create a new password at next sign-in" option
  • The IAM console showed no obvious permission issues

Users received two types of error messages:

1. Web Console: "You need iam:ChangePassword permission to perform this action"
2. AWS CLI: "An error occurred (AccessDenied) when calling the ChangePassword operation: User is not authorized to perform: iam:ChangePassword"

After digging through AWS documentation and testing various scenarios, I discovered that AWS IAM requires two separate permissions for password management:

  1. The account-level password policy that defines password requirements
  2. User-specific IAM permissions that grant password change rights

The key insight: Having password change enabled in the account policy doesn't automatically grant individual users permission to change their passwords.

Here's the IAM policy that finally resolved the issue:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:ChangePassword",
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Effect": "Allow",
      "Action": "iam:GetAccountPasswordPolicy",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:ListAccountAliases",
      "Resource": "*"
    }
  ]
}

To apply this fix:

  1. Create a new IAM policy with the above JSON
  2. Attach it to affected users or groups
  3. For CLI users, ensure they have valid credentials and proper session tokens
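As an added illustration (not part of the original post), the following Python simulates offline how IAM matches the self-service policy above: ${aws:username} is substituted with the caller's name, so alice can change only alice's password, and iam:GetAccountPasswordPolicy, which has no resource-level scope, matches only when its Resource is "*". The evaluator is a deliberately simplified stand-in for simulate-principal-policy and, by assumption, ignores Condition blocks, SCPs and permission boundaries.

```python
import fnmatch
import json

# Constructed sample: the self-service policy from this post, with
# iam:GetAccountPasswordPolicy on Resource "*" because that action has no
# resource-level scope and a user ARN never matches it.
SELF_SERVICE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "iam:ChangePassword",
     "Resource": "arn:aws:iam::*:user/${aws:username}"},
    {"Effect": "Allow", "Action": "iam:GetAccountPasswordPolicy",
     "Resource": "*"}
  ]
}
""")

def _as_list(value):
    """IAM lets Action and Resource be a string or a list; normalise."""
    return value if isinstance(value, list) else [value]

def is_allowed(policy, action, resource, username):
    """Simplified IAM evaluation (assumption: no Condition, SCP or
    permission boundary): explicit Deny wins, any matching Allow grants,
    and no match is the implicit deny that surfaces as AccessDenied.
    ${aws:username} is replaced with the caller's own user name."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = _as_list(stmt["Action"])
        resources = [r.replace("${aws:username}", username)
                     for r in _as_list(stmt["Resource"])]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def can_change_own_password(policy, username, account="123456789012"):
    """Both calls the console makes on the Change Password page."""
    own_arn = f"arn:aws:iam::{account}:user/{username}"
    return (is_allowed(policy, "iam:ChangePassword", own_arn, username)
            and is_allowed(policy, "iam:GetAccountPasswordPolicy",
                           "*", username))
```

Running the same evaluator against a variant that puts iam:GetAccountPasswordPolicy on the user-scoped ARN shows the console flow failing even though iam:ChangePassword itself is allowed.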

For organizations using AWS Organizations, remember that:

  • Password policies can be set at both master and member account levels
  • Service Control Policies (SCPs) can deny IAM actions such as iam:ChangePassword account-wide, overriding permissions granted inside the member account
  • Cross-account IAM roles require special permission handling

If the issue persists:

# Check effective permissions:
aws iam simulate-principal-policy \
    --policy-source-arn arn:aws:iam::ACCOUNT_ID:user/USERNAME \
    --action-names iam:ChangePassword

# Verify password policy settings:
aws iam get-account-password-policy

Remember that IAM changes might take a few minutes to propagate across AWS systems.

This solution worked perfectly for our use case, but AWS IAM can be complex. Always test permission changes in a staging environment before applying them to production systems.