Have you ever encountered a perplexing error message when trying to change your AWS IAM user password? You’re not alone. Let’s decode one such message and provide a clear solution.

When attempting to change an IAM user password, you might encounter an error like this:

arn:aws:iam::123456789012:user/example-user is not authorized to perform:
iam:ChangePassword on resource: user example-user with an explicit deny in
an identity-based policy

At first glance, this error suggests an IAM permissions issue - and it might be.

Before we dive into other explanations, it’s crucial to confirm that you actually have the necessary permissions to change your password. This error message could be literal - you might not have the iam:ChangePassword permission.

  1. Check your IAM policies to ensure you have the required permissions.
  2. If you’re unsure, contact your AWS account administrator to verify your permissions.

If you’ve confirmed that your IAM policies are not the problem and you should have the necessary permissions, then we can move on to the next possible explanation.

If permissions aren’t the issue, what AWS is really trying to tell you with this error is the following (or your org’s version of the same):

The password you entered does not conform to the account's password policy:
- Must be at least 16 characters long
- Must include at least one uppercase letter (A-Z)
- Must include at least one number (0-9)

This error occurs when your new password doesn’t meet the account’s password policy requirements.

To successfully change your password and see the actual policy requirements:

  1. Don’t use the upper right dropdown > Security credentials > Change console password interface.
  2. Instead, navigate to: IAM > Users > [Your User] > Security credentials > Manage console access > Reset password > Custom password

This alternative path will provide you with the correct, human-readable error message if your password doesn’t meet the policy requirements.
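
To check a candidate password before submitting it, the following added example (not part of the original article) evaluates it offline against a policy in the shape returned by `aws iam get-account-password-policy`. The sample policy is constructed to match the requirements quoted above, and `policy_violations` is a hypothetical helper name.

```python
import json

# Characters IAM counts as symbols, per the AWS password policy documentation.
IAM_SYMBOLS = set("!@#$%^&*()_+-=[]{}|'")

# Constructed sample shaped like the output of
# `aws iam get-account-password-policy`, matching the policy quoted above.
SAMPLE_POLICY_JSON = """
{"PasswordPolicy": {
  "MinimumPasswordLength": 16,
  "RequireUppercaseCharacters": true,
  "RequireLowercaseCharacters": false,
  "RequireNumbers": true,
  "RequireSymbols": false
}}
"""

# (policy key, per-character test, message shown when the rule is not met)
CHARACTER_RULES = [
    ("RequireUppercaseCharacters", lambda c: "A" <= c <= "Z",
     "Must include at least one uppercase letter (A-Z)"),
    ("RequireLowercaseCharacters", lambda c: "a" <= c <= "z",
     "Must include at least one lowercase letter (a-z)"),
    ("RequireNumbers", lambda c: "0" <= c <= "9",
     "Must include at least one number (0-9)"),
    ("RequireSymbols", lambda c: c in IAM_SYMBOLS,
     "Must include at least one symbol"),
]


def policy_violations(password, policy_json=SAMPLE_POLICY_JSON):
    """Return the human-readable rules that the password does not satisfy."""
    policy = json.loads(policy_json)["PasswordPolicy"]
    problems = []
    min_len = policy["MinimumPasswordLength"]
    if len(password) < min_len:
        problems.append(f"Must be at least {min_len} characters long")
    for key, matches, message in CHARACTER_RULES:
        # Only enforce rules the account policy actually turns on.
        if policy.get(key, False) and not any(matches(c) for c in password):
            problems.append(message)
    return problems


if __name__ == "__main__":
    # Constructed candidate; an empty list means the policy is satisfied.
    for problem in policy_violations("short1") or ["Password meets the policy"]:
        print(problem)
```

Reading the real policy with the CLI requires the iam:GetAccountPasswordPolicy permission; pipe that command's JSON output into `policy_violations` in place of the sample.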

AWS error messages can sometimes be more cryptic than helpful. While this particular error might suggest a permissions issue, it could also indicate a password policy conflict. By first verifying your permissions and then using the correct interface to change your password, you can save time and frustration. Always remember to check your account’s password policy when setting up new passwords, and use the proper interface to ensure you receive clear, actionable feedback.

[credit to claude.ai for rewriting this out of my notes]