AWS API returns NoSuchEntity when querying for the account password policy if the default policy is set #8402
Labels: bug (This issue is a bug.), closed-for-staleness, iam, p2 (This is a standard priority issue), response-requested (Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.)
Describe the bug
Using the AWS CLI to query for an account password policy fails if the default policy is set.
Expected Behavior
If the default policy is set, I expect that running
aws iam get-account-password-policy
would return data on that policy:
Current Behavior
CLI command:
Examining the AWS console shows that I do in fact have an account password policy:
![image](https://private-user-images.githubusercontent.com/57142072/289596402-48cafe77-37fb-4b4c-b619-78826995c0f7.png)
If I edit the default password policy, like so:
![image](https://private-user-images.githubusercontent.com/57142072/289596961-5fd9ee43-a8fe-499b-996e-fe60785cde02.png)
Then suddenly the CLI command works as expected:
So it looks like the AWS API thinks that having the default password policy in place is equivalent to having no password policy set at all. This is incorrect.
Reproduction Steps
aws iam get-account-password-policy
There should be an error message like:
Possible Solution
No response
Additional Information/Context
Version of the CLI:
NOTE: I originally saw this issue when using the AWS SDK for Ruby3 (calling GetAccountPasswordPolicy). If the error appears in both the AWS CLI and one of the SDKs, I'd assume that the problem is with the underlying API logic.
CLI version used
2.13.37
Environment details (OS name and version, etc.)
Ubuntu 20
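For audit scripts that call GetAccountPasswordPolicy, the NoSuchEntity outcome reported in this issue can be handled as its own finding rather than as a crash. The following is an added example, not code from the issue author or the AWS CLI project; the `BASELINE` values, the status names and the stub classes are assumptions constructed so the block runs offline, and `audit_password_policy` accepts a boto3 IAM client in their place.

```python
# Added example: password-policy audit that treats NoSuchEntity explicitly.
# BASELINE is an assumed organisational baseline, not an AWS default.
BASELINE = {"MinimumPasswordLength": 14, "RequireSymbols": True,
            "RequireNumbers": True, "PasswordReusePrevention": 24}


def error_code(exc):
    """Return the AWS error code from a botocore-style ClientError, else None."""
    resp = getattr(exc, "response", None)
    return resp.get("Error", {}).get("Code") if isinstance(resp, dict) else None


def audit_password_policy(iam):
    """Classify the account password policy instead of failing on NoSuchEntity."""
    try:
        policy = iam.get_account_password_policy()["PasswordPolicy"]
    except Exception as exc:
        if error_code(exc) == "NoSuchEntity":
            # Case from the issue: the API reports no stored policy.
            return {"status": "NO_CUSTOM_POLICY", "gaps": sorted(BASELINE)}
        raise  # AccessDenied, throttling etc. must not be read as "no policy"
    gaps = []
    for key, want in BASELINE.items():
        have = policy.get(key)  # optional fields are absent when unset
        if isinstance(want, bool):
            ok = have is True
        else:
            ok = isinstance(have, int) and have >= want
        if not ok:
            gaps.append(key)
    status = "COMPLIANT" if not gaps else "WEAK_POLICY"
    return {"status": status, "gaps": sorted(gaps)}


class StubError(Exception):
    """Constructed stand-in exposing the same .response shape as ClientError."""
    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


class StubIAM:
    """Constructed stand-in for boto3.client('iam'), for offline runs."""
    def __init__(self, policy=None, error=None):
        self.policy, self.error = policy, error

    def get_account_password_policy(self):
        if self.error:
            raise StubError(self.error)
        return {"PasswordPolicy": self.policy}
```

Any error other than NoSuchEntity is re-raised, so a missing `iam:GetAccountPasswordPolicy` permission is never reported as an absent policy.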