When I tried to change my AWS Identity and Access Management (IAM) user password, I received the following error: "Either user is not authorized to perform iam:ChangePassword or entered password does not comply with account password policy".
Short description
Administrators can set a custom account password policy for IAM users. If an administrator doesn't set a custom policy, then IAM user passwords must meet the default password policy requirements. Administrators can also allow all IAM users, or only selected IAM users, to change their own passwords.
IAM users can then use the AWS Management Console or the AWS Command Line Interface (AWS CLI) to change their own passwords.
Resolution
This error occurs when the IAM user doesn't have permission to change their own password, or when the new password doesn't meet the account password policy requirements. Both causes return the same error message, so check each one.
Password policy permissions
To set up a custom password policy for IAM users, see Setting an account password policy for IAM users.
Make sure that the identity-based policy attached to the user (or to a group the user belongs to) grants access to the ChangePassword API action, similar to the following:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:GetAccountPasswordPolicy",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:ChangePassword",
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    }
  ]
}
Important: It's a best practice to combine a strong password policy with multi-factor authentication (MFA). For more information, see MFA in IAM.
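The following is an added example (not AWS code or part of this article) that checks offline whether a policy document like the one above grants iam:ChangePassword on the caller's own user ARN. It mirrors only the parts of IAM evaluation needed here: an explicit Deny beats an Allow, Action and Resource support the * and ? wildcards, and ${aws:username} is substituted with the user name. It ignores NotAction, NotResource, Condition keys, and every other policy type (resource policies, permissions boundaries, SCPs), so use the IAM policy simulator or the "aws iam simulate-principal-policy" command for an authoritative answer. The account ID and the user name "alice" are placeholders.

```python
"""Offline check: does an IAM identity-based policy let a user call
iam:ChangePassword on their own user ARN? Added example, not AWS code."""
import fnmatch
import json

# Constructed sample: the policy from the article. The account ID is a
# placeholder, not a real account.
SAMPLE_ACCOUNT_ID = "123456789012"
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:GetAccountPasswordPolicy",
         "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:ChangePassword",
         "Resource": "arn:aws:iam::*:user/${aws:username}"},
    ],
})


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """Wildcard match (* and ?); IAM compares action names case-insensitively."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def can_change_password(policy_json, username, account_id=SAMPLE_ACCOUNT_ID):
    """Return (allowed, reason) for iam:ChangePassword on the user's own ARN.

    Only Effect/Action/Resource are evaluated; NotAction, NotResource and
    Condition are not supported by this simplified check.
    """
    policy = json.loads(policy_json)
    action = "iam:ChangePassword"
    target = f"arn:aws:iam::{account_id}:user/{username}"
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        actions = _as_list(stmt.get("Action"))
        # Substitute the policy variable before matching the resource ARN.
        resources = [r.replace("${aws:username}", username)
                     for r in _as_list(stmt.get("Resource"))]
        if not any(_matches(a, action) for a in actions):
            continue
        if not any(_matches(r, target) for r in resources):
            continue
        if stmt.get("Effect") == "Deny":
            # An explicit Deny always wins, regardless of other statements.
            return False, "an explicit Deny statement matches"
        if stmt.get("Effect") == "Allow":
            allowed = True
    if allowed:
        return True, "an Allow statement matches the user's own ARN"
    return False, "no Allow statement covers iam:ChangePassword on this user"


if __name__ == "__main__":
    print(can_change_password(SAMPLE_POLICY, "alice"))
```

Run it against the JSON you get from "aws iam get-user-policy" or "aws iam get-policy-version" to see quickly whether the ChangePassword statement is missing or scoped to a different user ARN; the second case is a common cause when the Resource is hard-coded to one user name instead of using ${aws:username}.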
Password policy requirements
IAM users must meet the password requirements set by the administrator. To check your password policy, open the IAM console, and then choose Account settings. On the Account settings page, review the Password policy section. If you use the AWS CLI, the "aws iam get-account-password-policy" command returns the same settings.
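The following is an added example (not AWS code or part of this article) that checks a candidate password against an account password policy offline, so you can tell before calling ChangePassword which requirement the new password misses. The policy dict uses the same field names that "aws iam get-account-password-policy" returns under PasswordPolicy; the sample policy values are constructed for the example and are not the account default. The symbol set is the non-alphanumeric character list IAM documents for its password policy.

```python
"""Offline check of a candidate password against an IAM account password
policy. Added example, not AWS code."""

# Non-alphanumeric characters IAM counts toward the "require symbols" rule.
IAM_SYMBOLS = set("!@#$%^&*()_+-=[]{}|'")
# IAM caps password length at 128 characters regardless of policy.
IAM_MAX_LENGTH = 128

# Constructed sample policy using the get-account-password-policy field
# names; the values are chosen for this example, not an account default.
SAMPLE_POLICY = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
}


def password_violations(password, policy):
    """Return the list of policy rules the password fails; empty means it
    complies. Messages are fixed strings so callers can match on them."""
    problems = []
    minimum = policy.get("MinimumPasswordLength", 8)
    if len(password) < minimum:
        problems.append(f"shorter than {minimum} characters")
    if len(password) > IAM_MAX_LENGTH:
        problems.append(f"longer than {IAM_MAX_LENGTH} characters")
    if policy.get("RequireUppercaseCharacters") and not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if policy.get("RequireLowercaseCharacters") and not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if policy.get("RequireNumbers") and not any(c.isdigit() for c in password):
        problems.append("no digit")
    if policy.get("RequireSymbols") and not any(c in IAM_SYMBOLS for c in password):
        problems.append("no symbol from the IAM set")
    return problems


def complies(password, policy):
    """Convenience wrapper: True when no rule is violated."""
    return not password_violations(password, policy)


if __name__ == "__main__":
    # Constructed candidate passwords for demonstration only.
    for candidate in ("Str0ng!Passw0rd", "short"):
        print(candidate, "->", password_violations(candidate, SAMPLE_POLICY) or "complies")
```

Feed the PasswordPolicy object from "aws iam get-account-password-policy" into password_violations before running "aws iam change-password"; when the check passes but ChangePassword still fails, the remaining cause is the permission side rather than the policy. Note that the policy may also set PasswordReusePrevention, which this offline check cannot evaluate because it depends on the account's stored password history.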
Related information
How do I provide IAM users with a link to assume an IAM role?
How can I resolve issues with switching IAM roles using the AWS Management Console?