AWS user listing - only see yourself

Time:12-30

I am playing with AWS IAM and have the following scenario:

I have different projects on which I am collaborating with other people. I have an IAM user group project_x_admin to which user_x is assigned. Besides user_x, the users user_y and user_z exist as well.

I now added policies to this group to allow those users to configure their SSH keys (e.g., to use within AWS CodeCommit) as described over here: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_my-sec-creds-self-manage-no-mfa.html.

Now, when I log in as user_x and go to the users page (to reach my detail page and configure the SSH key), I get the message that ListUsers is not granted for this user.

Question: Is it possible to configure IAM to allow ListUsers while restricting the result set to only the logged-in user? I already tried via a Condition on tags, but until now either all users are visible or I get the message that the permission is not granted. Does anyone know how to fix this?

What I tried with the Condition keyword:

    {
        "Sid": "AllowListItself",
        "Effect": "Allow",
        "Action": [
            "iam:ListUsers"
        ],
        "Resource": "*",
        "Condition": {
            "StringEqualsIgnoreCase": {
                "aws:username": "${aws:username}"
            }
        }
    }

And

    {
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": "iam:ListUsers",
        "Resource": "*",
        "Tags": [
            {
                "Key": "name",
                "Value": "user_x"
            }
        ]
    }

And

    {
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": "iam:ListUsers",
        "Resource": "*",
        "Condition": {
            "StringEquals": {
                "aws:RequestTag/name": [
                    "user_x"
                ]
            },
            "ForAllValues:StringEquals": {"aws:TagKeys": "name"}
        }
    }

All these statements resulted in either all users being visible or nothing. Can anyone help me with this configuration?

CodePudding user response:

The actual problem you are trying to solve is that you need to access your IAM account settings, and you can't get to it through the account list page due to permission issues.

The solution is to click your account name in the top-right section of the AWS console and a drop-down menu will appear. In that menu will be a link to "Security Credentials". Click that link and it will take you directly to your IAM account settings, where you can do things like upload SSH keys, and create API access keys.
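As an added example (not the poster's or the answerer's code), here is a least-privilege policy that drops iam:ListUsers entirely: ListUsers is an account-wide call whose only resource is "*", so the aws:username condition in the first attempt compares the caller's name with itself and always matches, which is why every user became visible. The per-user actions below are instead scoped to the caller's own user ARN via the ${aws:username} policy variable, and the user reaches that page directly through Security Credentials as the answer describes; the action list assumes only SSH-key self-service is needed.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowViewOwnUserRecord",
            "Effect": "Allow",
            "Action": [
                "iam:GetUser",
                "iam:ListUserTags"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnSSHPublicKeys",
            "Effect": "Allow",
            "Action": [
                "iam:DeleteSSHPublicKey",
                "iam:GetSSHPublicKey",
                "iam:ListSSHPublicKeys",
                "iam:UpdateSSHPublicKey",
                "iam:UploadSSHPublicKey"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        }
    ]
}
```

Because no statement grants iam:ListUsers, user_x can manage only their own keys and learns nothing about user_y or user_z.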
