Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

How to determine if an IAM user has only API key access (no console access)?

See original GitHub issue

Here’s some psuedocode for what I’d like to do:


for user in iam.users.all():
    if user.password_enabled:
        #Do something

In the credentials report, there’s a field for password_enabled. What’s the equivalent property of an IAM user object?

If such a thing doesn’t exist, I am requesting one.

Thanks!

Issue Analytics

State:
Created 8 years ago
Comments:6 (5 by maintainers)

Top GitHub Comments

2reactions

jonathanwcranecommented, Jan 14, 2016

Update. This is the code I got working.

https://gist.github.com/jonathanwcrane/68ddff397ec85a8dddae

0reactions

glndscommented, Mar 29, 2018

If your users (or AWS account) are created after October 20th, 2014 then the code below should do the trick. See the docs for more info: http://boto3.readthedocs.io/en/latest/reference/services/iam.html#IAM.User.password_last_used

It makes the code far less verbose 😉

for iam_user in iam.users.all():      
    if iam_user.password_last_used:
        print('User has console access')
    else:
        print('User has only programmatic access')