Pankaj Kolhe

Reputation: 241

Using boto3, how to check if AWS IAM user has password?

Among the users in IAM, I want to programmatically get the list of all password-enabled users. From the AWS Console, I can easily spot them. But how do I get their list programmatically? I want to use Python boto to get that.

I was reading up here http://boto3.readthedocs.io/en/latest/reference/services/iam.html#iam, but by most of the ways listed in this doc, I can only see the option of using 'PasswordLastUsed', which would be null in three cases:

  1. The user does not have a password
  2. The password exists but has never been used
  3. There is no sign-in data associated with the user.

So just by checking if 'PasswordLastUsed' is null I cannot claim that the user does not have a password and, thereby, cannot get all the users with a password. Am I missing something here? Is there any other way or any other Python resource I can use to do this?

Upvotes: 3

Views: 6958

Answers (3)

helloV

Reputation: 52375

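import boto3

iam = boto3.resource('iam')

def isPasswordEnabled(user):
    login_profile = iam.LoginProfile(user)
    try:
        # Reading an attribute loads the login profile (a GetLoginProfile call)
        login_profile.create_date
        print(True)
    except iam.meta.client.exceptions.NoSuchEntityException:
        # No login profile means the user has no console password
        print(False)

>>> isPasswordEnabled('user1')
True
>>> isPasswordEnabled('user2')
False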

Upvotes: 6

garnaat

Reputation: 45846

You could use the GetLoginProfile API request to determine if an IAM user has a login profile or not. If there is no login profile associated with the user, this request will return a 404 response. Some code like this should work:

import boto3
from botocore.exceptions import ClientError

iam = boto3.client('iam')
user_name = 'bob'
try:
    response = iam.get_login_profile(UserName=user_name)
except ClientError as e:
    # A 404 response means the user has no login profile
    if e.response['ResponseMetadata']['HTTPStatusCode'] == 404:
        print('User {} has no login profile'.format(user_name))
    else:
        # Any other error (e.g. access denied) says nothing about the password
        raise

Upvotes: 0

Adam Owczarczyk

Reputation: 2862

I can see that there is a way, just where you would expect it to be...

http://boto3.readthedocs.io/en/latest/reference/services/iam.html#IAM.Client.get_credential_report

In the report, the field password_enabled set to false indicates no password.

Upvotes: 2
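
The credential-report approach from the last answer, written out as an added example (not code from any of the answers above). It lists every password-enabled user in one pass and separates the "password exists but was never used" case that the question could not tell apart with 'PasswordLastUsed'. The function names and the sample report are constructed for illustration.

```python
import csv
import io
import time

# Constructed sample in the credential report's CSV layout (trimmed to a few columns).
SAMPLE_REPORT = (
    b"user,arn,password_enabled,password_last_used,mfa_active\n"
    b"<root_account>,arn:aws:iam::111122223333:root,not_supported,no_information,false\n"
    b"alice,arn:aws:iam::111122223333:user/alice,true,no_information,false\n"
    b"bob,arn:aws:iam::111122223333:user/bob,false,N/A,false\n"
    b"carol,arn:aws:iam::111122223333:user/carol,true,2024-01-05T10:00:00+00:00,true\n"
)


def _rows(report_csv):
    """Parse the report bytes into one dict per row, keyed by column name."""
    return list(csv.DictReader(io.StringIO(report_csv.decode("utf-8"))))


def password_enabled_users(report_csv):
    """User names whose password_enabled column is 'true'.

    Any other value (false, or a non-boolean marker on the root row) is not counted.
    """
    return [r["user"] for r in _rows(report_csv)
            if r["password_enabled"].strip().lower() == "true"]


def password_never_used(report_csv):
    """Password-enabled users with no recorded console sign-in."""
    enabled = set(password_enabled_users(report_csv))
    return [r["user"] for r in _rows(report_csv)
            if r["user"] in enabled and r["password_last_used"] == "no_information"]


def fetch_credential_report(poll_seconds=2, max_polls=30):
    """Ask IAM to generate the report, wait until it is ready, return the CSV bytes."""
    import boto3  # imported lazily so the parsing functions run without AWS access
    iam = boto3.client("iam")
    for _ in range(max_polls):
        if iam.generate_credential_report()["State"] == "COMPLETE":
            return iam.get_credential_report()["Content"]
        time.sleep(poll_seconds)
    raise TimeoutError("credential report was not ready in time")


if __name__ == "__main__":
    print(password_enabled_users(SAMPLE_REPORT))
    print(password_never_used(SAMPLE_REPORT))
```

Against a real account, pass `fetch_credential_report()` to either function. IAM regenerates the report at most once every four hours, so a user changed within that window may not be reflected yet.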
