AWS Console Change Password Screen Should Display Policy

Author: Steven Neiland

Warning: This blog entry was written two or more years ago. Therefore, it may contain broken links, out-dated or misleading content, or information that is just plain wrong. Please read on with caution.

Ah, amazon AWS. The greatest cloud platform there is for developers. Except the UI can painfully un-intuitive at times.

Take for example an error I got when I tried to change my console password the other day on a client account I rarely use. So I enter my account alias, lookup and enter my old password out of my account manager and I get presented with a change password screen since its been so long. No problem, I generate a new password which I dutifully enter only to get this error:

Either user is not authorized to perform iam:ChangePassword or entered password does not comply with account password policy set by administrator

Ok so either my account does not have the authorization to change my own password, which by the way is the most idiotic security setting there can be to not allow a user to update their own password...but whatever. Or my new password does not meet the password rules.

Except nowhere during this change password workflow it is possible to see what that policy is, I have to guess.

Come on it is 2020 and password change screens are pretty well understood. If you have a policy you display it, and if you are being fancy you have a little bit of javascript to alert the user before they hit submit that their new password does not meet this policy. Why is it so hard for one of the largest technology platforms in the world to get such a simple thing right.

And this is not a new issue. Here is an article from 2017 complaining about the exact same issue "User is not authorized to perform iam:ChangePassword". So come on amazon, you know you can do better.

Reader Comments

  • Please keep comments on-topic.
  • Please do not post unrelated questions or large chunks of code.
  • Please do not engage in flaming/abusive behaviour.
  • Comments that contain advertisments or appear to be created for the purpose of link building, will not be published.

Archives Blog Listing