Skip to content

Commit

Permalink
returns boolean if a user has access to console login (#2012) (#2023)
Browse files Browse the repository at this point in the history
[PR #2012/8b138e39 backport][stable-7] returns boolean if a user has access to console login

This is a backport of PR #2012 as merged into main (8b138e3).
Summary
I've introduced a new feature that includes in the response a console_access parameter, which is a boolean indicating whether an iam user has the ability to log in through the AWS console. This addition is particularly useful for scenarios where administrative constraints require users to access AWS services exclusively via API keys or through controlled environments, such as landing zones, without using the AWS console login interface.
Issue Type

Feature Pull Request
Component Name: botocore
includes the botocore interaction, specifically regarding the console_access information retrievals

Additional Information
With this update, the module now provides visibility into whether an IAM user is permitted console access. This could be pivotal for enforcing stricter security protocols, ensuring users do not bypass VPN requirements, API keys, or other access control measures by logging in through the AWS console
Before the change a normal response:
{
    "arn": "arn:aws:iam::11111111:user/terraform",
    "create_date": "2018-04-18T14:12:44+00:00",
    "path": "/",
    "tags": {},
    "user_id": "12345abcd",
    "user_name": "terraform"
}

After the change:
{
    "arn": "arn:aws:iam::11111111:user/terraform",
    "console_access": false,
    "create_date": "2018-04-18T14:12:44+00:00",
    "path": "/",
    "tags": {},
    "user_id": "12345abcd",
    "user_name": "terraform"
}

Reviewed-by: Alina Buzachis
Reviewed-by: Helen Bailey <[email protected]>
  • Loading branch information
patchback[bot] authored Apr 1, 2024
1 parent a1efa38 commit 5f41423
Show file tree
Hide file tree
Showing 2 changed files with 21 additions and 1 deletion.
3 changes: 3 additions & 0 deletions changelogs/fragments/20240321-iam-user-info.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
---
minor_changes:
- iam_user_info - Add ``login_profile`` to return info that is get from a user, to know if they can login from AWS console (https://github.com/ansible-collections/amazon.aws/pull/2012).
19 changes: 18 additions & 1 deletion plugins/modules/iam_user_info.py
Original file line number Diff line number Diff line change
Expand Up @@ -103,14 +103,27 @@
type: dict
returned: if user exists
sample: '{"Env": "Prod"}'
login_profile:
description: Detailed login profile information if the user has access to log in from AWS default console. Returns an empty object {} if no access.
returned: always
type: dict
sample: {"create_date": "2024-03-20T12:50:56+00:00", "password_reset_required": false, "user_name": "i_am_a_user"}
"""

from ansible_collections.amazon.aws.plugins.module_utils.iam import AnsibleIAMError
from ansible_collections.amazon.aws.plugins.module_utils.iam import IAMErrorHandler
from ansible_collections.amazon.aws.plugins.module_utils.iam import get_iam_group
from ansible_collections.amazon.aws.plugins.module_utils.iam import get_iam_user
from ansible_collections.amazon.aws.plugins.module_utils.iam import list_iam_users
from ansible_collections.amazon.aws.plugins.module_utils.iam import normalize_iam_user
from ansible_collections.amazon.aws.plugins.module_utils.modules import AnsibleAWSModule
from ansible_collections.amazon.aws.plugins.module_utils.retries import AWSRetry


@IAMErrorHandler.list_error_handler("get login profile", {})
@AWSRetry.jittered_backoff()
def check_console_access(connection, user_name):
return connection.get_login_profile(UserName=user_name)["LoginProfile"]


def _list_users(connection, name, group, path):
Expand All @@ -136,6 +149,8 @@ def _list_users(connection, name, group, path):
def list_users(connection, name, group, path):
users = _list_users(connection, name, group, path)
users = [u for u in users if u is not None]
for user in users:
user["LoginProfile"] = check_console_access(connection, user["UserName"])
return [normalize_iam_user(user) for user in users]


Expand All @@ -147,7 +162,9 @@ def main():
)

module = AnsibleAWSModule(
argument_spec=argument_spec, mutually_exclusive=[["group", "path_prefix"]], supports_check_mode=True
argument_spec=argument_spec,
mutually_exclusive=[["group", "path_prefix"]],
supports_check_mode=True,
)

name = module.params.get("name")
Expand Down

0 comments on commit 5f41423

Please sign in to comment.