
feat: surface IAM user console access (LoginProfile) status#123

Open
c1-dev-bot[bot] wants to merge 1 commit into main from cxh-1574/iam-user-console-access

Conversation

@c1-dev-bot c1-dev-bot Bot commented May 29, 2026


Summary

  • Add GetLoginProfile check during IAM user sync to expose whether each user has AWS Management Console access enabled
  • New profile fields on IAM user resources: console_access_enabled (bool), password_reset_required (bool), login_profile_created_at (RFC3339 timestamp)
  • Add iam:GetLoginProfile to the required IAM permissions for the iam_user resource type

Approach

Uses the per-user GetLoginProfile API call rather than the bulk GenerateCredentialReport/GetCredentialReport approach. This fits the existing code pattern where getLastLogin already makes per-user API calls (ListAccessKeys + GetAccessKeyLastUsed). The GetLoginProfile approach is real-time and authoritative — success means console access is enabled, NoSuchEntity (404) means it's disabled.

If throttle risk at scale becomes an issue, a follow-up could add GenerateCredentialReport as the bulk primary source, but for v1 this approach is simpler and consistent with the connector's existing design.

Test plan

  • Verify connector builds successfully
  • Sync an AWS account with a mix of IAM users (some with console access enabled, some without)
  • Confirm console_access_enabled: true appears for users with a LoginProfile
  • Confirm console_access_enabled: false appears for users without a LoginProfile
  • Confirm password_reset_required and login_profile_created_at are populated when console access is enabled
  • Verify no throttling issues with moderately sized user populations
  • Confirm the connector still works without iam:GetLoginProfile permission (graceful degradation — logs debug warning, reports false)

Fixes: CXH-1574


Automated PR Notice

This PR was automatically created by c1-dev-bot as a potential implementation.

This code requires:

  • Human review of the implementation approach
  • Manual testing to verify correctness
  • Approval from the appropriate team before merging

Add GetLoginProfile check during IAM user sync to expose whether each
user has AWS Management Console access enabled. This allows users to
distinguish between IAM users with active console passwords and those
without, enabling dormant-account identification and least-privilege
review.

New profile fields on IAM user resources:
- console_access_enabled (bool): true if a LoginProfile exists
- password_reset_required (bool): true if user must reset password
- login_profile_created_at (RFC3339 timestamp): when console password
  was created

Requires iam:GetLoginProfile permission (added to resource type).

Fixes: CXH-1574
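The per-user GetLoginProfile check that the description and commit message lay out, written out as an added example for this page rather than the PR's own diff (which is not shown here). The loginProfile, getLoginProfileFn and sample names are assumed stand-ins for the AWS SDK client, and the constructed sample data replaces live IAM calls so the code runs offline; success means console access is enabled, NoSuchEntity means it is disabled, and any other error (such as a missing iam:GetLoginProfile permission) is reported as disabled with the error handed back for the caller to log.

```go
package main

import ("context"; "errors"; "fmt"; "time")

// loginProfile mirrors the IAM GetLoginProfile response fields the check uses.
type loginProfile struct {
	CreateDate            *time.Time
	PasswordResetRequired bool
}
// getLoginProfileFn is the one IAM call the check depends on (hypothetical; wraps the SDK client).
type getLoginProfileFn func(ctx context.Context, userName string) (*loginProfile, error)
// errNoSuchEntity stands in for IAM's NoSuchEntityException (404): no console password is set.
var errNoSuchEntity = errors.New("NoSuchEntity")
// consoleAccess holds the three profile fields the sync emits per user.
type consoleAccess struct {
	Enabled, PasswordResetRequired bool
	CreatedAt                      string // RFC3339; empty when no profile exists
}

// getConsoleAccess: success => enabled; NoSuchEntity => disabled and authoritative (nil error); any other error => disabled, error returned.
func getConsoleAccess(ctx context.Context, get getLoginProfileFn, user string) (consoleAccess, error) {
	lp, err := get(ctx, user)
	if errors.Is(err, errNoSuchEntity) {
		return consoleAccess{}, nil
	}
	if err != nil || lp == nil { // nil-check the profile before dereferencing
		return consoleAccess{}, err
	}
	out := consoleAccess{Enabled: true, PasswordResetRequired: lp.PasswordResetRequired}
	if lp.CreateDate != nil { // CreateDate is optional in the response
		out.CreatedAt = lp.CreateDate.UTC().Format(time.RFC3339)
	}
	return out, nil
}

// Constructed sample standing in for the AWS API: alice has console access, bob has none, carol is an API error.
var created = time.Date(2026, 5, 1, 10, 0, 0, 0, time.UTC)
var sample = map[string]struct{ lp *loginProfile; err error }{
	"alice": {lp: &loginProfile{CreateDate: &created, PasswordResetRequired: true}},
	"bob":   {err: errNoSuchEntity},
	"carol": {err: errors.New("AccessDenied: iam:GetLoginProfile")},
}
func sampleGetLoginProfile(_ context.Context, u string) (*loginProfile, error) {
	return sample[u].lp, sample[u].err
}
func main() {
	for _, u := range []string{"alice", "bob", "carol"} {
		ca, err := getConsoleAccess(context.Background(), sampleGetLoginProfile, u)
		fmt.Printf("%s: %+v err=%v\n", u, ca, err) // carol: reported disabled, error to be logged at debug
	}
}
```

Note that a permission error and a genuine NoSuchEntity both surface downstream as console_access_enabled: false; the returned error is the only signal that separates "disabled" from "unknown", so the caller should log it rather than drop it.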
@c1-dev-bot c1-dev-bot Bot requested a review from a team May 29, 2026 13:04

linear-code Bot commented May 29, 2026


CXH-1574

@github-actions

Contributor

Connector PR Review: feat: surface IAM user console access (LoginProfile) status

Blocking Issues: 0 | Suggestions: 0 | Threads Resolved: 0
Review mode: full

Review Summary

This PR adds a getConsoleAccess helper that calls the per-user GetLoginProfile API during IAM user sync, populating three new profile fields (console_access_enabled, password_reset_required, login_profile_created_at). The implementation is consistent with the existing getLastLogin pattern (per-user API call with graceful degradation on error), handles NoSuchEntityException correctly to distinguish "no console access" from API errors, and properly nil-checks LoginProfile and CreateDate before use. The new iam:GetLoginProfile permission is declared in capabilityPermissions and the code degrades gracefully without it. No issues found.

Security Issues

None found.

Correctness Issues

None found.

Suggestions

None.

@github-actions github-actions Bot left a comment


No blocking issues found.
