AWS IAM rules to allow users to manage their own credentials
Amazon's Identity and Access Management (IAM) not only has a funky acronym relating to what it achieves, it's also pretty handy for controlling access in a multi-admin/multi-developer context.
I couldn't see an obvious way of allowing a user to control their own access credentials, however, which is important since I don't want to have to create, download and distribute what should be private data for each user. I just don't trust myself, as it should be.
It turns out that, whilst there isn't an IAM policy to express "Every user should be able to manage their own credentials", you can express it at the individual user level. Sub-optimal, to be sure, but at least it's possible.
Here's the IAM policy. Apply it with per-user customisations to each user you want to allow to self-manage. The customisation shouldn't be too tricky, given that it's an inherently API-driven and scriptable service. If you're administering your IAM policies via the management console for any decent number of users, you're doing it wrong!
{
  "Statement": [
    {
      "Action": [
        "iam:CreateAccessKey",
        "iam:DeleteAccessKey",
        "iam:DeleteSigningCertificate",
        "iam:ListAccessKeys",
        "iam:ListGroupsForUser",
        "iam:ListSigningCertificates",
        "iam:UpdateAccessKey",
        "iam:UpdateLoginProfile",
        "iam:UpdateSigningCertificate",
        "iam:UploadSigningCertificate"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:iam::_ACCOUNTID_:user/_USERID_"
    }
  ]
}
Just replace _ACCOUNTID_ and _USERID_ as appropriate and apply to each user.
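The per-user substitution and scripted application described above, as an added Python example that is not code from the original post: it renders the policy for a given account ID and IAM user name (the user/ segment of an IAM user ARN is the user name, which is what the _USERID_ placeholder stands for) and attaches it as an inline user policy through boto3's put_user_policy. The policy name SelfManageCredentials, the boto3 dependency and the sample account/user values are assumptions.

```python
"""Render the self-management IAM policy per user and attach it via the IAM API."""
import json

# The action list from the post; each user gets it scoped to their own user ARN.
SELF_MANAGE_ACTIONS = [
    "iam:CreateAccessKey", "iam:DeleteAccessKey", "iam:DeleteSigningCertificate",
    "iam:ListAccessKeys", "iam:ListGroupsForUser", "iam:ListSigningCertificates",
    "iam:UpdateAccessKey", "iam:UpdateLoginProfile", "iam:UpdateSigningCertificate",
    "iam:UploadSigningCertificate",
]


def render_self_manage_policy(account_id: str, user_name: str) -> dict:
    """Return the policy document with _ACCOUNTID_/_USERID_ filled in for one user.

    The Resource is the user's own ARN, so the grantee can rotate only their own
    keys, certificates and console password, never another user's.
    """
    if not (account_id.isdigit() and len(account_id) == 12):
        raise ValueError("account_id must be the 12-digit AWS account number")
    if not user_name or "*" in user_name or "/" in user_name:
        raise ValueError("user_name must be a single IAM user name, no wildcards")
    return {
        "Statement": [{
            "Action": list(SELF_MANAGE_ACTIONS),
            "Effect": "Allow",
            "Resource": f"arn:aws:iam::{account_id}:user/{user_name}",
        }]
    }


def apply_to_users(account_id: str, user_names, policy_name: str = "SelfManageCredentials"):
    """Attach the rendered policy as an inline policy on each user (boto3 assumed installed)."""
    import boto3  # imported here so rendering works offline without AWS credentials
    iam = boto3.client("iam")
    for name in user_names:
        document = json.dumps(render_self_manage_policy(account_id, name))
        iam.put_user_policy(UserName=name, PolicyName=policy_name, PolicyDocument=document)


if __name__ == "__main__":
    # Constructed sample values, not a real account or user.
    print(json.dumps(render_self_manage_policy("123456789012", "alice"), indent=2))
```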