aws / aws-cli

Universal Command Line Interface for Amazon Web Services

AWS API returns NoSuchEntity when querying for the account password policy if the default policy is set #8402

Closed wdower closed 10 months ago

wdower commented 11 months ago

Describe the bug

Using the AWS CLI to query for an account password policy fails if the default policy is set.

Expected Behavior

If the default policy is set, I expect that running aws iam get-account-password-policy would return data on that policy:

$> aws iam get-account-password-policy
{
    "PasswordPolicy": {
        "MinimumPasswordLength": 8,
        "RequireSymbols": false,
        "RequireNumbers": false,
        "RequireUppercaseCharacters": false,
        "RequireLowercaseCharacters": false,
        "AllowUsersToChangePassword": false,
        "ExpirePasswords": false,
        "HardExpiry": false
    }
}

Current Behavior

CLI command:

$> aws iam get-account-password-policy --debug 2>&1 | tee error.log

2023-12-11 21:29:17,379 - MainThread - awscli.clidriver - DEBUG - CLI version: aws-cli/2.13.37 Python/3.11.6 Linux/6.2.0-1016-azure exe/x86_64.ubuntu.20
2023-12-11 21:29:17,380 - MainThread - awscli.clidriver - DEBUG - Arguments entered to CLI: ['iam', 'get-account-password-policy', '--debug']
2023-12-11 21:29:17,399 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function add_s3 at 0x7ff00e5fc220>
2023-12-11 21:29:17,399 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function add_ddb at 0x7ff00e820ea0>
2023-12-11 21:29:17,399 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <bound method BasicCommand.add_command of <class 'awscli.customizations.configure.configure.ConfigureCommand'>>
2023-12-11 21:29:17,399 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function change_name at 0x7ff00eb831a0>
2023-12-11 21:29:17,399 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function change_name at 0x7ff00e7a8860>
2023-12-11 21:29:17,399 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function alias_opsworks_cm at 0x7ff00e5feca0>
2023-12-11 21:29:17,399 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function add_history_commands at 0x7ff00e853880>
2023-12-11 21:29:17,399 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <bound method BasicCommand.add_command of <class 'awscli.customizations.devcommands.CLIDevCommand'>>
2023-12-11 21:29:17,399 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function add_waiters at 0x7ff00e5feb60>
2023-12-11 21:29:17,399 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <bound method AliasSubCommandInjector.on_building_command_table of <awscli.alias.AliasSubCommandInjector object at 0x7ff00e4b5cd0>>
2023-12-11 21:29:17,399 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/aws-cli/v2/2.13.37/dist/awscli/data/cli.json
2023-12-11 21:29:17,401 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function resolve_types at 0x7ff00e731260>
2023-12-11 21:29:17,401 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function no_sign_request at 0x7ff00e731580>
2023-12-11 21:29:17,401 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function resolve_verify_ssl at 0x7ff00e7314e0>
2023-12-11 21:29:17,401 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function resolve_cli_read_timeout at 0x7ff00e7316c0>
2023-12-11 21:29:17,401 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function resolve_cli_connect_timeout at 0x7ff00e731620>
2023-12-11 21:29:17,401 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <built-in method update of dict object at 0x7ff00e4b3480>
2023-12-11 21:29:17,402 - MainThread - awscli.clidriver - DEBUG - CLI version: aws-cli/2.13.37 Python/3.11.6 Linux/6.2.0-1016-azure exe/x86_64.ubuntu.20 prompt/off
2023-12-11 21:29:17,402 - MainThread - awscli.clidriver - DEBUG - Arguments entered to CLI: ['iam', 'get-account-password-policy', '--debug']
2023-12-11 21:29:17,402 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function add_timestamp_parser at 0x7ff00e5fcb80>
2023-12-11 21:29:17,402 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function register_uri_param_handler at 0x7ff00ebf4c20>
2023-12-11 21:29:17,402 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function add_binary_formatter at 0x7ff00e6804a0>
2023-12-11 21:29:17,402 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function no_pager_handler at 0x7ff00ecef420>
2023-12-11 21:29:17,403 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function inject_assume_role_provider_cache at 0x7ff00ec20540>
2023-12-11 21:29:17,404 - MainThread - botocore.utils - DEBUG - IMDS ENDPOINT: http://169.254.169.254/
2023-12-11 21:29:17,406 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function attach_history_handler at 0x7ff00e8500e0>
2023-12-11 21:29:17,406 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function inject_json_file_cache at 0x7ff00e811120>
2023-12-11 21:29:17,426 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/aws-cli/v2/2.13.37/dist/awscli/botocore/data/iam/2010-05-08/service-2.json
2023-12-11 21:29:17,451 - MainThread - botocore.hooks - DEBUG - Event building-command-table.iam: calling handler <function _add_wizard_command at 0x7ff00e66b1a0>
2023-12-11 21:29:17,451 - MainThread - botocore.hooks - DEBUG - Event building-command-table.iam: calling handler <function add_waiters at 0x7ff00e5feb60>
2023-12-11 21:29:17,469 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/aws-cli/v2/2.13.37/dist/awscli/botocore/data/iam/2010-05-08/waiters-2.json
2023-12-11 21:29:17,470 - MainThread - botocore.hooks - DEBUG - Event building-command-table.iam: calling handler <bound method AliasSubCommandInjector.on_building_command_table of <awscli.alias.AliasSubCommandInjector object at 0x7ff00e4b5cd0>>
2023-12-11 21:29:17,470 - MainThread - awscli.clidriver - DEBUG - OrderedDict()
2023-12-11 21:29:17,471 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.iam.get-account-password-policy: calling handler <function add_streaming_output_arg at 0x7ff00e5fd080>
2023-12-11 21:29:17,471 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.iam.get-account-password-policy: calling handler <function add_cli_input_json at 0x7ff00ec20ea0>
2023-12-11 21:29:17,471 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.iam.get-account-password-policy: calling handler <function add_cli_input_yaml at 0x7ff00ec20f40>
2023-12-11 21:29:17,471 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.iam.get-account-password-policy: calling handler <function unify_paging_params at 0x7ff00e8214e0>
2023-12-11 21:29:17,489 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/aws-cli/v2/2.13.37/dist/awscli/botocore/data/iam/2010-05-08/paginators-1.json
2023-12-11 21:29:17,490 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.iam.get-account-password-policy: calling handler <function add_generate_skeleton at 0x7ff00e70fa60>
2023-12-11 21:29:17,490 - MainThread - botocore.hooks - DEBUG - Event before-building-argument-table-parser.iam.get-account-password-policy: calling handler <bound method OverrideRequiredArgsArgument.override_required_args of <awscli.customizations.cliinput.CliInputJSONArgument object at 0x7ff00d9f4cd0>>
2023-12-11 21:29:17,490 - MainThread - botocore.hooks - DEBUG - Event before-building-argument-table-parser.iam.get-account-password-policy: calling handler <bound method OverrideRequiredArgsArgument.override_required_args of <awscli.customizations.cliinput.CliInputYAMLArgument object at 0x7ff00db81710>>
2023-12-11 21:29:17,490 - MainThread - botocore.hooks - DEBUG - Event before-building-argument-table-parser.iam.get-account-password-policy: calling handler <bound method GenerateCliSkeletonArgument.override_required_args of <awscli.customizations.generatecliskeleton.GenerateCliSkeletonArgument object at 0x7ff00d8bd490>>
2023-12-11 21:29:17,490 - MainThread - botocore.hooks - DEBUG - Event building-command-table.iam_get-account-password-policy: calling handler <function add_waiters at 0x7ff00e5feb60>
2023-12-11 21:29:17,490 - MainThread - botocore.hooks - DEBUG - Event building-command-table.iam_get-account-password-policy: calling handler <bound method AliasSubCommandInjector.on_building_command_table of <awscli.alias.AliasSubCommandInjector object at 0x7ff00e4b5cd0>>
2023-12-11 21:29:17,491 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.iam.get-account-password-policy.cli-input-json: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7ff00ebe1510>
2023-12-11 21:29:17,491 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.iam.get-account-password-policy.cli-input-yaml: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7ff00ebe1510>
2023-12-11 21:29:17,491 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.iam.get-account-password-policy.generate-cli-skeleton: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7ff00ebe1510>
2023-12-11 21:29:17,491 - MainThread - botocore.hooks - DEBUG - Event calling-command.iam.get-account-password-policy: calling handler <bound method CliInputArgument.add_to_call_parameters of <awscli.customizations.cliinput.CliInputJSONArgument object at 0x7ff00d9f4cd0>>
2023-12-11 21:29:17,491 - MainThread - botocore.hooks - DEBUG - Event calling-command.iam.get-account-password-policy: calling handler <bound method CliInputArgument.add_to_call_parameters of <awscli.customizations.cliinput.CliInputYAMLArgument object at 0x7ff00db81710>>
2023-12-11 21:29:17,491 - MainThread - botocore.hooks - DEBUG - Event calling-command.iam.get-account-password-policy: calling handler <bound method GenerateCliSkeletonArgument.generate_skeleton of <awscli.customizations.generatecliskeleton.GenerateCliSkeletonArgument object at 0x7ff00d8bd490>>
2023-12-11 21:29:17,492 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: env
2023-12-11 21:29:17,492 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role
2023-12-11 21:29:17,492 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role-with-web-identity
2023-12-11 21:29:17,492 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: sso
2023-12-11 21:29:17,492 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: shared-credentials-file
2023-12-11 21:29:17,492 - MainThread - botocore.credentials - INFO - Found credentials in shared credentials file: ~/.aws/credentials
2023-12-11 21:29:17,493 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/aws-cli/v2/2.13.37/dist/awscli/botocore/data/endpoints.json
2023-12-11 21:29:17,507 - MainThread - botocore.hooks - DEBUG - Event choose-service-name: calling handler <function handle_service_name_alias at 0x7ff0109fcae0>
2023-12-11 21:29:17,526 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/aws-cli/v2/2.13.37/dist/awscli/botocore/data/iam/2010-05-08/endpoint-rule-set-1.json
2023-12-11 21:29:17,526 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/aws-cli/v2/2.13.37/dist/awscli/botocore/data/partitions.json
2023-12-11 21:29:17,531 - MainThread - botocore.hooks - DEBUG - Event creating-client-class.iam: calling handler <function add_generate_presigned_url at 0x7ff0111eec00>
2023-12-11 21:29:17,531 - MainThread - botocore.configprovider - DEBUG - Looking for endpoint for iam via: environment_service
2023-12-11 21:29:17,531 - MainThread - botocore.configprovider - DEBUG - Looking for endpoint for iam via: environment_global
2023-12-11 21:29:17,531 - MainThread - botocore.configprovider - DEBUG - Looking for endpoint for iam via: config_service
2023-12-11 21:29:17,532 - MainThread - botocore.configprovider - DEBUG - Looking for endpoint for iam via: config_global
2023-12-11 21:29:17,532 - MainThread - botocore.configprovider - DEBUG - No configured endpoint found.
2023-12-11 21:29:17,532 - MainThread - botocore.regions - DEBUG - Using partition endpoint for iam, us-gov-east-1: aws-us-gov-global
2023-12-11 21:29:17,535 - MainThread - botocore.endpoint - DEBUG - Setting iam timeout as (60, 60)
2023-12-11 21:29:17,537 - MainThread - botocore.regions - DEBUG - Calling endpoint provider with parameters: {'Region': 'us-gov-east-1', 'UseDualStack': False, 'UseFIPS': False}
2023-12-11 21:29:17,537 - MainThread - botocore.regions - DEBUG - Endpoint provider result: https://iam.us-gov.amazonaws.com
2023-12-11 21:29:17,537 - MainThread - botocore.regions - DEBUG - Selecting from endpoint provider's list of auth schemes: "sigv4". User selected auth scheme is: "None"
2023-12-11 21:29:17,537 - MainThread - botocore.regions - DEBUG - Selected auth type "v4" as "v4" with signing context params: {'region': 'us-gov-west-1', 'signing_name': 'iam'}
2023-12-11 21:29:17,537 - MainThread - botocore.hooks - DEBUG - Event provide-client-params.iam.GetAccountPasswordPolicy: calling handler <function base64_decode_input_blobs at 0x7ff00e680540>
2023-12-11 21:29:17,537 - MainThread - botocore.hooks - DEBUG - Event before-parameter-build.iam.GetAccountPasswordPolicy: calling handler <function generate_idempotent_uuid at 0x7ff0109fed40>
2023-12-11 21:29:17,538 - MainThread - botocore.hooks - DEBUG - Event before-call.iam.GetAccountPasswordPolicy: calling handler <function inject_api_version_header_if_needed at 0x7ff010a14860>
2023-12-11 21:29:17,538 - MainThread - botocore.endpoint - DEBUG - Making request for OperationModel(name=GetAccountPasswordPolicy) with params: {'url_path': '/', 'query_string': '', 'method': 'POST', 'headers': {'Content-Type': 'application/x-www-form-urlencoded; charset=utf-8', 'User-Agent': 'aws-cli/2.13.37 Python/3.11.6 Linux/6.2.0-1016-azure exe/x86_64.ubuntu.20 prompt/off command/iam.get-account-password-policy'}, 'body': {'Action': 'GetAccountPasswordPolicy', 'Version': '2010-05-08'}, 'url': 'https://iam.us-gov.amazonaws.com/', 'context': {'client_region': 'aws-us-gov-global', 'client_config': <botocore.config.Config object at 0x7ff00d9789d0>, 'has_streaming_input': False, 'auth_type': 'v4', 'signing': {'region': 'us-gov-west-1', 'signing_name': 'iam'}}}
2023-12-11 21:29:17,538 - MainThread - botocore.hooks - DEBUG - Event request-created.iam.GetAccountPasswordPolicy: calling handler <bound method RequestSigner.handler of <botocore.signers.RequestSigner object at 0x7ff00d37bc90>>
2023-12-11 21:29:17,538 - MainThread - botocore.hooks - DEBUG - Event choose-signer.iam.GetAccountPasswordPolicy: calling handler <function set_operation_specific_signer at 0x7ff0109fec00>
2023-12-11 21:29:17,538 - MainThread - botocore.auth - DEBUG - Calculating signature using v4 auth.
2023-12-11 21:29:17,538 - MainThread - botocore.auth - DEBUG - CanonicalRequest:
POST
/

content-type:application/x-www-form-urlencoded; charset=utf-8
host:iam.us-gov.amazonaws.com
x-amz-date:20231211T212917Z

content-type;host;x-amz-date
ea932dc167ba62f61056ffd881499668d7cf04f9c4ed7883675e860d28fff1e9
2023-12-11 21:29:17,538 - MainThread - botocore.auth - DEBUG - StringToSign:
AWS4-HMAC-SHA256
20231211T212917Z
20231211/us-gov-west-1/iam/aws4_request
a5f0391ad8658c55c22f737fb0d8dc6ae7e3eeea2591fba1dab8221fc80bca70
2023-12-11 21:29:17,538 - MainThread - botocore.auth - DEBUG - Signature:
1fbca2ed9685ee62b0b83d3981ba45863e0e6f544b735b6409af2bfb179e3092
2023-12-11 21:29:17,539 - MainThread - botocore.endpoint - DEBUG - Sending http request: <AWSPreparedRequest stream_output=False, method=POST, url=https://iam.us-gov.amazonaws.com/, headers={'Content-Type': b'application/x-www-form-urlencoded; charset=utf-8', 'User-Agent': b'aws-cli/2.13.37 Python/3.11.6 Linux/6.2.0-1016-azure exe/x86_64.ubuntu.20 prompt/off command/iam.get-account-password-policy', 'X-Amz-Date': b'20231211T212917Z', 'Authorization': b'AWS4-HMAC-SHA256 Credential=<crederntial>, SignedHeaders=content-type;host;x-amz-date, Signature=1fbca2ed9685ee62b0b83d3981ba45863e0e6f544b735b6409af2bfb179e3092', 'Content-Length': '50'}>
2023-12-11 21:29:17,539 - MainThread - botocore.httpsession - DEBUG - Certificate path: /usr/local/aws-cli/v2/2.13.37/dist/awscli/botocore/cacert.pem
2023-12-11 21:29:17,540 - MainThread - urllib3.connectionpool - DEBUG - Starting new HTTPS connection (1): iam.us-gov.amazonaws.com:443
2023-12-11 21:29:17,914 - MainThread - urllib3.connectionpool - DEBUG - https://iam.us-gov.amazonaws.com:443 "POST / HTTP/1.1" 404 310
2023-12-11 21:29:17,914 - MainThread - botocore.parsers - DEBUG - Response headers: {'x-amzn-RequestId': '3eae9747-1d01-4f04-979d-fafd7a1dafd7', 'Content-Type': 'text/xml', 'Content-Length': '310', 'Date': 'Mon, 11 Dec 2023 21:29:17 GMT'}
2023-12-11 21:29:17,915 - MainThread - botocore.parsers - DEBUG - Response body:
b'<ErrorResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">\n  <Error>\n    <Type>Sender</Type>\n    <Code>NoSuchEntity</Code>\n    <Message>The Password Policy with domain name <acct> cannot be found.</Message>\n  </Error>\n  <RequestId>3eae9747-1d01-4f04-979d-fafd7a1dafd7</RequestId>\n</ErrorResponse>\n'
2023-12-11 21:29:17,917 - MainThread - botocore.parsers - DEBUG - Response headers: {'x-amzn-RequestId': '3eae9747-1d01-4f04-979d-fafd7a1dafd7', 'Content-Type': 'text/xml', 'Content-Length': '310', 'Date': 'Mon, 11 Dec 2023 21:29:17 GMT'}
2023-12-11 21:29:17,917 - MainThread - botocore.parsers - DEBUG - Response body:
b'<ErrorResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">\n  <Error>\n    <Type>Sender</Type>\n    <Code>NoSuchEntity</Code>\n    <Message>The Password Policy with domain name <acct> cannot be found.</Message>\n  </Error>\n  <RequestId>3eae9747-1d01-4f04-979d-fafd7a1dafd7</RequestId>\n</ErrorResponse>\n'
2023-12-11 21:29:17,917 - MainThread - botocore.hooks - DEBUG - Event needs-retry.iam.GetAccountPasswordPolicy: calling handler <bound method RetryHandler.needs_retry of <botocore.retries.standard.RetryHandler object at 0x7ff00d3c3190>>
2023-12-11 21:29:17,918 - MainThread - botocore.retries.standard - DEBUG - Not retrying request.
2023-12-11 21:29:17,918 - MainThread - botocore.hooks - DEBUG - Event after-call.iam.GetAccountPasswordPolicy: calling handler <function json_decode_policies at 0x7ff0109ff9c0>
2023-12-11 21:29:17,918 - MainThread - botocore.hooks - DEBUG - Event after-call.iam.GetAccountPasswordPolicy: calling handler <bound method RetryQuotaChecker.release_retry_quota of <botocore.retries.standard.RetryQuotaChecker object at 0x7ff00d3c2d90>>
2023-12-11 21:29:17,918 - MainThread - awscli.clidriver - DEBUG - Exception caught in main()
Traceback (most recent call last):
  File "awscli/clidriver.py", line 460, in main
  File "awscli/clidriver.py", line 595, in __call__
  File "awscli/clidriver.py", line 798, in __call__
  File "awscli/clidriver.py", line 929, in invoke
  File "awscli/clidriver.py", line 941, in _make_client_call
  File "awscli/botocore/client.py", line 342, in _api_call
  File "awscli/botocore/client.py", line 701, in _make_api_call
botocore.errorfactory.NoSuchEntityException: An error occurred (NoSuchEntity) when calling the GetAccountPasswordPolicy operation: The Password Policy with domain name <acct> cannot be found.

An error occurred (NoSuchEntity) when calling the GetAccountPasswordPolicy operation: The Password Policy with domain name <acct> cannot be found.

Examining the AWS console shows that I do in fact have an account password policy: image

If I edit the default password policy, like so: image

Then suddenly the CLI command works as expected:

$> aws iam get-account-password-policy
{
    "PasswordPolicy": {
        "MinimumPasswordLength": 16,
        "RequireSymbols": false,
        "RequireNumbers": false,
        "RequireUppercaseCharacters": false,
        "RequireLowercaseCharacters": false,
        "AllowUsersToChangePassword": false,
        "ExpirePasswords": false,
        "HardExpiry": false
    }
}

So it looks like the AWS API thinks that having the default password policy in place is equivalent to having no password policy set at all. This is incorrect.

Reproduction Steps

1) Enter the AWS console and use an appropriate IAM role to log in and change the account password policy to the default (if not already set), as indicated in the menu: image
2) Open a terminal and configure the AWS CLI to use the same IAM role as the one used to set the password policy to the default (if not already set).
3) Run aws iam get-account-password-policy. There should be an error message like:

An error occurred (NoSuchEntity) when calling the GetAccountPasswordPolicy operation: The Password Policy with domain name <acct> cannot be found.

Possible Solution

No response

Additional Information/Context

Version of the CLI:

$> aws --version
aws-cli/2.13.37 Python/3.11.6 Linux/6.2.0-1016-azure exe/x86_64.ubuntu.20 prompt/off

NOTE: I originally saw this issue when using the AWS SDK for Ruby3 (calling GetAccountPasswordPolicy). If the error appears in both the AWS CLI and one of the SDKs, I'd assume that the problem is with the underlying API logic.

CLI version used

2.13.37

Environment details (OS name and version, etc.)

Ubuntu 20

RyanFitzSimmonsAK commented 10 months ago

Hi @wdower, thanks for reaching out. This behavior is intended. Per the GetAccountPasswordPolicy documentation,

If no password policy is defined for the account, the command returns a NoSuchEntity error.

Re:

So it looks like the AWS API thinks that having the default password policy in place is equivalent to having no password policy set at all. This is incorrect.

Using the default password policy is considered having no password policy defined. There isn't a situation where you literally have no password policy, because you have to be using either the default or a custom policy.

Hope that clears things up!
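
Added example (not part of the thread and not aws-cli or botocore code): a password-policy audit can treat the NoSuchEntity error described above as "default policy in effect", while still failing on every other error. The default values are copied from the Expected Behavior block in the issue and are an assumption; `BASELINE`, `FakeClientError` and the `account_*` callables are constructed for the example.

```python
"""Audit helper: NoSuchEntity from GetAccountPasswordPolicy means "default policy"."""

# Assumption: copied from the issue's "Expected Behavior" block. These are the
# reporter's description of the default policy, not values returned by the API.
ASSUMED_DEFAULT_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireSymbols": False,
    "RequireNumbers": False,
    "RequireUppercaseCharacters": False,
    "RequireLowercaseCharacters": False,
    "AllowUsersToChangePassword": False,
    "ExpirePasswords": False,
    "HardExpiry": False,
}

# Hypothetical compliance baseline, constructed for this example.
BASELINE = {"MinimumPasswordLength": 14, "RequireSymbols": True, "RequireNumbers": True}


class FakeClientError(Exception):
    """Constructed stand-in with the same .response shape as botocore's ClientError."""

    def __init__(self, code, message):
        super().__init__(message)
        self.response = {"Error": {"Code": code, "Message": message}}


def error_code(exc):
    """Return the AWS error code carried by a ClientError-style exception, else None."""
    response = getattr(exc, "response", None)
    if isinstance(response, dict):
        return response.get("Error", {}).get("Code")
    return None


def effective_password_policy(get_policy):
    """Call get_policy (e.g. boto3.client("iam").get_account_password_policy)
    and return (source, policy), where source is "custom" or "default"."""
    try:
        return "custom", get_policy()["PasswordPolicy"]
    except Exception as exc:
        if error_code(exc) == "NoSuchEntity":
            return "default", dict(ASSUMED_DEFAULT_POLICY)
        raise  # AccessDenied, throttling, etc. must not be read as "default policy"


def audit(policy, baseline=BASELINE):
    """Return one finding per baseline setting the policy does not meet."""
    findings = []
    for key, required in baseline.items():
        actual = policy.get(key)
        if isinstance(required, bool):  # check bool first: bool is a subclass of int
            ok = actual == required
        else:
            ok = isinstance(actual, int) and actual >= required
        if not ok:
            findings.append(f"{key}: expected {required}, got {actual}")
    return findings


# Constructed callables standing in for the IAM client call.
def account_on_default():
    raise FakeClientError(
        "NoSuchEntity", "The Password Policy with domain name <acct> cannot be found.")

def account_access_denied():
    raise FakeClientError("AccessDenied", "constructed sample message")

def account_with_custom():
    return {"PasswordPolicy": dict(ASSUMED_DEFAULT_POLICY, MinimumPasswordLength=16)}
```
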
