Oh, Nuts

Your AWS console login just expired, as the login prompt has been warning for weeks. You need to update that Route 53 entry and your boss is waiting. Do you call the sysadmin and beg for a reset, or can you solve this yourself?

AWS CLI To the Rescue

No worries, you’ve got this covered in 15 seconds.

Use the IAM API call update-login-profile [1] combined with your AWS IAM user name (the login name for the AWS Console login).

aws iam update-login-profile --user-name jsmith --password sesame --password-reset-required

The combination is cracked. Log in. Whistle innocently like this never happened.

Other Dead Ends

The AWS CLI has another tempting but misleading API call, change-password.

If you tried it, you’d be saddened to see the required --old-password parameter. This is a red herring. Dodge left.

You Don’t Have AWS CLI Password Reset Access

We got a problem here. Your choices are:

Allow Users to Reset Passwords

If you’re a sysadmin, set the following IAM policy to enable self-service user password reset.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1500731194000",
            "Effect": "Allow",
            "Action": [
                "iam:UpdateLoginProfile"
            ],
            "Resource": [
                "arn:aws:iam::1234567890:user/favorite_user"
            ]
        }
    ]
}
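
An added example, not from the original post: a Python check that reports whose console password each Allow statement for iam:UpdateLoginProfile can reset. The function names and the SelfOnly and TooBroad statements are constructed for illustration; ${aws:username} is the IAM policy variable that resolves to the calling user's own name.

```python
import fnmatch
import json

ACTION = "iam:updateloginprofile"
SELF_SUFFIX = "user/${aws:username}"  # policy variable: the caller's own user name

def _as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value or [])

def _grants_action(stmt):
    # Action patterns are case-insensitive and may use wildcards (iam:*, iam:Update*).
    return any(fnmatch.fnmatchcase(ACTION, a.lower()) for a in _as_list(stmt.get("Action")))

def classify_resource(arn):
    """Return 'self', 'named-user' or 'any-user' for one Resource entry."""
    if arn.endswith(SELF_SUFFIX):
        return "self"
    name = arn.rsplit("user/", 1)[-1] if "user/" in arn else arn
    return "any-user" if ("*" in name or "?" in name) else "named-user"

def audit(policy_json):
    """List (sid, resource, scope) for each Allow statement granting UpdateLoginProfile."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be given without a list
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not _grants_action(stmt):
            continue
        for arn in _as_list(stmt.get("Resource")):
            findings.append((stmt.get("Sid", ""), arn, classify_resource(arn)))
    return findings

# Constructed sample: the page's statement plus two made-up variants for comparison.
SAMPLE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Stmt1500731194000", "Effect": "Allow", "Action": ["iam:UpdateLoginProfile"],
     "Resource": ["arn:aws:iam::1234567890:user/favorite_user"]},
    {"Sid": "SelfOnly", "Effect": "Allow", "Action": "iam:UpdateLoginProfile",
     "Resource": "arn:aws:iam::*:user/${aws:username}"},
    {"Sid": "TooBroad", "Effect": "Allow", "Action": "iam:Update*", "Resource": "*"},
]})

if __name__ == "__main__":
    for sid, arn, scope in audit(SAMPLE):
        print(f"{scope:10} {sid:18} {arn}")
```

A named-user result is self-service only while the policy is attached to that one user; attached to a group, every member can reset that user's password. An any-user result lets the holder reset any console password in the account, so it belongs with administrators only.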

  1. Password reset requires UpdateLoginProfile IAM policy action, included in Admin role.

  2. This email will be sent to the root account email only. You’ve got access, right?