Specifically, I want the user to be able to create/delete his own access keys (`"Action": ["iam:*AccessKey*"]`) in the AWS console, but without giving them a full user list view in the IAM dashboard.
The instructions listed in the AWS documentation here add `"Action": "iam:ListUsers"` for all users to the policy, which is what I'd like to avoid.
I tried using

```json
{
  "Sid": "AllowUserToListHimselfInConsole",
  "Action": "iam:ListUsers",
  "Effect": "Allow",
  "Resource": "arn:aws:iam::593145159899:user/${aws:username}"
}
```

to allow the user to just list his own account, but it didn't work.
Is there a way to do what I aim for, or is the full user list a prerequisite to be able to change your own credentials in the console?
I'm afraid the latter is the case; at least that has been my experience as well so far. See e.g. my related answer to IAM access to EC2 REST API?, where I explore 'IAM Credentials Self Management'. Interestingly, the Official Solution to Allow a user to manage his or her own security credentials, quoted from the AWS documentation just two weeks ago, has vanished there, which 'correlates' with my qualification (i.e. they might have realized this is only applicable via custom solutions using the API and thus confusing):
Accordingly, my Extended Variation includes `iam:ListUsers` as well to gain a usable result. This is really unfortunate, because granting meanwhile fine-grained access to AWS resources via the AWS Management Console is by far the easiest and most instructive way to empower new AWS users to explore on their own.

This post describes what you're looking for: https://blogs.aws.amazon.com/security/post/Tx2SJJYE082KBUK/How-to-Delegate-Management-of-Multi-Factor-Authentication-to-AWS-IAM-Users