Oh, Nuts
Your AWS console login just expired, as the login prompt has been warning for weeks. You need to update that Route 53 entry and your boss is waiting. Do you call the sysadmin and beg for a reset, or can you solve this yourself?
AWS CLI To the Rescue
No worries, you’ve got this covered in 15 seconds.
Use the IAM API call update-login-profile [1] combined with your AWS IAM user name (the login name for the AWS Console).
aws iam update-login-profile --user-name jsmith --password sesame --password-reset-required
The combination is cracked. Login. Whistle innocently like this never happened.
Other Dead Ends
The awscli has another tempting, but misleading API called change-password.
If you tried it, you’d be saddened to see the required --old-password parameter. This is a red herring. Dodge left.
You Don’t Have AWS CLI Password Reset Access
We got a problem here. Your choices are:
- Kowtow to your sysadmin for mercy
- If it’s a root account, use the password reset process to get a reset email [2]
Allow Users to Reset Passwords
If you’re a sysadmin, attach the following IAM policy to enable self-service user password reset.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1500731194000",
            "Effect": "Allow",
            "Action": [
                "iam:UpdateLoginProfile"
            ],
            "Resource": [
                "arn:aws:iam::1234567890:user/favorite_user"
            ]
        }
    ]
}
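The policy above names one fixed user, so any principal it is attached to can reset that user's console password. The following check is an added example, not part of the original post: it reports how a policy scopes iam:UpdateLoginProfile. The `${aws:username}` variant, the function names and the three scope labels are this example's own assumptions, and it does not evaluate NotAction, NotResource or Condition.

```python
import json
from fnmatch import fnmatchcase

ACTION = "iam:updateloginprofile"  # IAM action names are case-insensitive

# Same content as the policy on this page.
PAGE_POLICY = """{"Version": "2012-10-17", "Statement": [{
  "Sid": "Stmt1500731194000", "Effect": "Allow",
  "Action": ["iam:UpdateLoginProfile"],
  "Resource": ["arn:aws:iam::1234567890:user/favorite_user"]}]}"""

# Constructed variant: ${aws:username} resolves to the calling IAM user's name.
SELF_POLICY = PAGE_POLICY.replace("favorite_user", "${aws:username}")

def as_list(value):
    """Policy fields may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]

def classify_resource(arn):
    """'self': caller's own login only; 'named-user': one fixed user;
    'broad': wildcard, non-user or unrecognised resource."""
    if ":user/" not in arn:
        return "broad"
    name = arn.split(":user/", 1)[1]
    if "*" in name or "?" in name:
        return "broad"
    if name.endswith("${aws:username}"):
        return "self"
    return "named-user"

def audit(policy_json):
    """Return (Sid, Resource, scope) for each Allow of UpdateLoginProfile.
    NotAction, NotResource and Condition are not evaluated (simplification)."""
    findings = []
    for st in as_list(json.loads(policy_json)["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        actions = as_list(st.get("Action", []))
        if not any(fnmatchcase(ACTION, a.lower()) for a in actions):
            continue
        for res in as_list(st.get("Resource", [])):
            findings.append((st.get("Sid", ""), res, classify_resource(res)))
    return findings

if __name__ == "__main__":
    for label, doc in (("page", PAGE_POLICY), ("self-scoped", SELF_POLICY)):
        for sid, res, scope in audit(doc):
            print(f"{label}: {sid} {res} -> {scope}")
```

A "named-user" result is fine when the policy is attached only to that user; attached to a group or to anyone else, it lets them set that user's console password.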
[1] Password reset requires the UpdateLoginProfile IAM policy action, included in Admin role.
[2] This email will be sent to the root account email only. You’ve got access, right?