I'm using OKTA as our Identity Provider, which allows me to dictate which Roles users can assume when logging into the Console.
The Goal: Have a Role that allows a user to log into the console and only manage their Access Keys (List, Create, Update, Delete).
This Policy should allow the current user to manage their own keys, but I get this error when trying to do anything other than List the access keys:
User: arn:aws:sts::[ACCOUNT-NUMBER]:assumed-role/AccessKeyManagement/[Logged In Username] is not authorized to perform: iam:CreateAccessKey on resource: user [Logged In Username]
Granted, if I change the Resource to "*" it will work, but then the user can alter other accounts' Access Keys.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole",
                "sts:DecodeAuthorizationMessage",
                "iam:ListAccountAliases",
                "iam:ListUsers",
                "sts:GetCallerIdentity",
                "iam:ListAccessKeys"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:DeleteAccessKey",
                "iam:UpdateAccessKey",
                "iam:CreateAccessKey"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        }
    ]
}
Role Trust Relationship (just in case it's needed):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::[ACCOUNT-NUMBER]:saml-provider/OKTA"
            },
            "Action": [
                "sts:AssumeRoleWithSAML",
                "sts:AssumeRole"
            ],
            "Condition": {
                "StringEquals": {
                    "SAML:aud": "https://signin.aws.amazon.com/saml"
                }
            }
        }
    ]
}
I'm at a loss as to what I need to do to give the "Assumed-Role" of the current user permission to modify the Access Keys.
So, an IAM role does not have permanent access keys associated with it; you get temporary credentials (access key, secret key and session token) when you log in to the console. Now, "${aws:username}" resolves to the IAM user name, and it does not apply to an IAM role. Thus you can't manage access key creation for IAM roles, and you don't have to.
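To see why the second statement never grants anything to the federated session while "Resource": "*" does, here is an added Python model of IAM policy-variable resolution (example code, not from the post or from AWS). The policy is a condensed copy of the one above; the request contexts, the user names and the account number 123456789012 are constructed.

```python
import fnmatch
import re

# Condensed copy of the post's identity policy: the first statement is the
# broad read-only set, the second is scoped to the caller's own IAM user.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["iam:ListUsers", "iam:ListAccessKeys", "sts:GetCallerIdentity"]},
    {"Effect": "Allow", "Resource": "arn:aws:iam::*:user/${aws:username}",
     "Action": ["iam:CreateAccessKey", "iam:UpdateAccessKey", "iam:DeleteAccessKey"]},
]}

# Constructed request contexts (not from the post). aws:username is populated
# only when the principal is an IAM user; an assumed-role session has none.
IAM_USER_CONTEXT = {"aws:username": "alice", "aws:userid": "AIDAEXAMPLEUSERID"}
ROLE_SESSION_CONTEXT = {"aws:userid": "AROAEXAMPLEROLEID:alice"}

_VAR = re.compile(r"\$\{([A-Za-z0-9:_-]+)\}")

def resolve(template, context):
    """Expand ${key} policy variables. Returns None when a key is absent from
    the request context: IAM then treats the statement as not matching."""
    missing = []
    def sub(match):
        value = context.get(match.group(1))
        if value is None:
            missing.append(match.group(1))
            return ""
        return value
    expanded = _VAR.sub(sub, template)
    return None if missing else expanded

def _as_list(value):
    return value if isinstance(value, list) else [value]
def statement_allows(stmt, action, resource_arn, context):
    """Allow-statement check; IAM wildcards '*' and '?' map onto fnmatch."""
    if stmt.get("Effect") != "Allow":
        return False
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    for template in _as_list(stmt["Resource"]):
        pattern = resolve(template, context)
        if pattern is not None and fnmatch.fnmatchcase(resource_arn, pattern):
            return True
    return False

def is_allowed(policy, action, resource_arn, context):
    # Simplified evaluator: Allow statements only, no Deny or Condition.
    return any(statement_allows(s, action, resource_arn, context) for s in policy["Statement"])
```

Running it shows the IAM user gets iam:CreateAccessKey on its own user ARN only, the role session gets it nowhere because ${aws:username} has nothing to resolve to, and the "Resource": "*" variant from the question grants it on every user.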