Commit

feat: Allow users to change own password in iam-group-with-policies module (#435)
vutny authored Nov 13, 2023
1 parent 577b65e commit eb5b218
Showing 1 changed file with 4 additions and 2 deletions.
6 changes: 4 additions & 2 deletions modules/iam-group-with-policies/policies.tf
Expand Up @@ -32,7 +32,9 @@ data "aws_iam_policy_document" "iam_self_management" {

actions = [
"iam:ChangePassword",
"iam:GetUser"
"iam:GetLoginProfile",
"iam:GetUser",
"iam:UpdateLoginProfile"
]

resources = [
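
Review bot: "iam:UpdateLoginProfile" in the actions list of iam_self_management sets a user's console password without asking for the current one, which is a broader grant than the self-service "iam:ChangePassword" already listed here. The resources list this statement applies to is cut off below the hunk, so confirm it is limited to the caller's own user ARN; if it can match other users, this grant lets a group member reset someone else's password. Changing one's own password is what "iam:ChangePassword" is for, so a short comment in policies.tf saying why the two login-profile actions are needed would help.
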
Expand Down Expand Up @@ -153,10 +155,10 @@ data "aws_iam_policy_document" "iam_self_management" {
sid = "DenyAllExceptListedIfNoMFA"
effect = "Deny"
not_actions = [
"iam:ChangePassword",

Lillecarl Feb 20, 2024

This does the opposite of what it's supposed to do, so this broke password changing.

wonko Mar 25, 2024

Contributor

This needs to be added back; it breaks allowing new users to change their password on first login, before they can set their MFA credentials.

wonko Mar 25, 2024

Contributor

PR in #470

"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:GetUser",
"iam:GetMFADevice",
"iam:ListMFADevices",
"iam:ListVirtualMFADevices",
"iam:ResyncMFADevice",
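
Review bot: "iam:ChangePassword" is no longer in not_actions of DenyAllExceptListedIfNoMFA, and in a Deny statement with not_actions every action missing from the list is denied whenever the statement's condition matches, which going by the sid is a session without MFA. An explicit Deny overrides the Allow from the first hunk, so a new user who must change their password at first sign-in, before registering an MFA device, would be blocked; the inline comments on this line report that. Suggest restoring the entry. The two actions added in the first hunk, "iam:GetLoginProfile" and "iam:UpdateLoginProfile", do not appear in the visible part of this list either, so whether they should work without MFA is worth a deliberate decision and a comment in the file.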

0 comments on commit eb5b218