cloudposse · goruha · Dec 26, 2018 · Dec 19, 2018 · Dec 19, 2018 · Dec 19, 2018
diff --git a/main.tf b/main.tf
@@ -90,7 +90,10 @@ data "aws_iam_policy_document" "manage_mfa" {
 
 data "aws_iam_policy_document" "allow_change_password" {
   statement {
-    actions   = ["iam:ChangePassword"]
+    actions   = [
+      "iam:ChangePassword",
+      "iam:GetLoginProfile"
+    ]
     resources = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/&{aws:username}"]
   }
 
@@ -100,6 +103,26 @@ data "aws_iam_policy_document" "allow_change_password" {
   }
 }
 
+data "aws_iam_policy_document" "allow_manage_access_keys" {
+  statement {
+    actions = [
+      "iam:DeleteAccessKey",
+      "iam:GetAccessKeyLastUsed",
+      "iam:UpdateAccessKey",
+      "iam:GetUser",
+      "iam:CreateAccessKey",
+      "iam:ListAccessKeys",
+    ]
+
+    resources = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/&{aws:username}"]
+  }
+
+  statement {
+    actions   = ["iam:ListUsers"]
+    resources = ["*"]
+  }
+}
+
 # Admin config
 
 resource "aws_iam_policy" "manage_mfa_admin" {
@@ -114,6 +137,12 @@ resource "aws_iam_policy" "allow_change_password_admin" {
   policy      = "${data.aws_iam_policy_document.allow_change_password.json}"
 }
 
+resource "aws_iam_policy" "allow_manage_access_keys_admin" {
+  name        = "${module.admin_label.id}-permit-manage-keys"
+  description = "Allow admin users to manage own access keys"
+  policy      = "${data.aws_iam_policy_document.allow_manage_access_keys.json}"
+}
+
 data "aws_iam_policy_document" "assume_role_admin" {
   statement {
     actions   = ["sts:AssumeRole"]
@@ -151,6 +180,11 @@ resource "aws_iam_group_policy_attachment" "allow_chage_password_admin" {
   policy_arn = "${aws_iam_policy.allow_change_password_admin.arn}"
 }
 
+resource "aws_iam_group_policy_attachment" "manage_access_key_admin" {
+  group      = "${aws_iam_group.admin.name}"
+  policy_arn = "${aws_iam_policy.allow_manage_access_keys_admin.arn}"
+}
+
 resource "aws_iam_role_policy_attachment" "admin" {
   role       = "${aws_iam_role.admin.name}"
   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
@@ -177,6 +211,12 @@ resource "aws_iam_policy" "allow_change_password_readonly" {
   policy      = "${data.aws_iam_policy_document.allow_change_password.json}"
 }
 
+resource "aws_iam_policy" "allow_manage_access_keys_readonly" {
+  name        = "${module.readonly_label.id}-permit-manage-keys"
+  description = "Allow readonly users to manage own access keys"
+  policy      = "${data.aws_iam_policy_document.allow_manage_access_keys.json}"
+}
+
 data "aws_iam_policy_document" "assume_role_readonly" {
   statement {
     actions   = ["sts:AssumeRole"]
@@ -214,6 +254,11 @@ resource "aws_iam_group_policy_attachment" "allow_change_password_readonly" {
   policy_arn = "${aws_iam_policy.allow_change_password_readonly.arn}"
 }
 
+resource "aws_iam_group_policy_attachment" "manage_access_key_readonly" {
+  group      = "${aws_iam_group.readonly.name}"
+  policy_arn = "${aws_iam_policy.allow_manage_access_keys_readonly.arn}"
+}
+
 resource "aws_iam_role_policy_attachment" "readonly" {
   role       = "${aws_iam_role.readonly.name}"
   policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"