This repository has been archived by the owner on Mar 5, 2021. It is now read-only.

support for credentials that don't have permissions #79

Open
silarsis opened this issue Jul 7, 2014 · 3 comments

silarsis commented Jul 7, 2014

ERROR: AccessDenied: User: arn:aws:iam::566964866387:user/docker is not authorized to perform: iam:GetUser on resource: arn:aws:iam::566964866387:user/docker

This is a user that doesn't have permissions for any user-related operations ("power user" by the standard IAM policies). Would it be possible to catch errors at that point and prompt the user for identification of the credentials instead?

silarsis commented Jul 8, 2014

Further: I fixed this with the following AWS credentials - perhaps this is just a documentation issue?

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1404777211000",
      "Effect": "Allow",
      "Action": [
        "iam:ListAccountAliases",
        "iam:ListAccessKeys",
        "iam:GetUser"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```

@joelrobotham
Got caught out by this one too!
Feels like having the user supply the identification in this case would be a good way to go. (I'm assuming that's all the extra access is needed for?)

@arnuschky
Same here - all my accounts are very restricted to a very specific resource subset. For now, I simply created a group called credulous-users with the above policy and subscribed all users to it. However, a manual alternative would be great - especially as this info is only needed for descriptive purposes if I understood correctly.
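
An added example, not part of the thread and not the project's code: one way to handle the `AccessDenied` case requested above without granting `iam:GetUser`, by reading the caller's own ARN out of the denial message and falling back to a prompt when that is not possible. `Identity`, `IdentityFromDenied` and `ErrNeedPrompt` are hypothetical names; the first sample message is the one quoted in the issue and the second is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Identity is the label (account and user) attached to a stored credential.
// It is descriptive only and must never be used for an authorization decision.
type Identity struct {
	AccountID string
	Username  string
}

// ErrNeedPrompt signals that the caller should ask the operator for the identity.
var ErrNeedPrompt = errors.New("identity not derivable from error; prompt the user")

// callerARN matches only the "User: <arn> is not authorized" clause, so the
// resource ARN later in the message can never be mistaken for the caller.
var callerARN = regexp.MustCompile(`User: arn:aws:iam::(\d{12}):user/(\S+) is not authorized`)

// IdentityFromDenied extracts account ID and username from an IAM AccessDenied
// message. Anything else (other errors, assumed roles) yields ErrNeedPrompt.
func IdentityFromDenied(msg string) (Identity, error) {
	m := callerARN.FindStringSubmatch(msg)
	if m == nil {
		return Identity{}, ErrNeedPrompt
	}
	name := m[2]
	// IAM users can live under a path (user/team/alice); the name is the last segment.
	if i := strings.LastIndex(name, "/"); i >= 0 {
		name = name[i+1:]
	}
	return Identity{AccountID: m[1], Username: name}, nil
}

func main() {
	msgs := []string{
		"AccessDenied: User: arn:aws:iam::566964866387:user/docker is not authorized to perform: iam:GetUser on resource: arn:aws:iam::566964866387:user/docker",
		"AccessDenied: User: arn:aws:iam::123456789012:user/team/alice is not authorized to perform: iam:GetUser", // constructed
		"RequestExpired: request has expired", // constructed: no identity available
	}
	for _, m := range msgs {
		id, err := IdentityFromDenied(m)
		fmt.Printf("%+v err=%v\n", id, err)
	}
}
```
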
