UserLoginProfile

Manages an IAM User Login Profile, with limited support for creating the password when this provider resource is created. The password is encrypted with PGP for safe transport to the user. PGP keys can be obtained from Keybase.

To reset an IAM User login password via this provider, delete and recreate this resource or change any of the arguments.

Example Usage

C#

using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        var exampleUser = new Aws.Iam.User("exampleUser", new Aws.Iam.UserArgs
        {
            Path = "/",
            ForceDestroy = true,
        });
        var exampleUserLoginProfile = new Aws.Iam.UserLoginProfile("exampleUserLoginProfile", new Aws.Iam.UserLoginProfileArgs
        {
            User = exampleUser.Name,
            PgpKey = "keybase:some_person_that_exists",
        });
        this.Password = exampleUserLoginProfile.EncryptedPassword;
    }

    [Output("password")]
    public Output<string> Password { get; set; }
}

Go

package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v4/go/aws/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		exampleUser, err := iam.NewUser(ctx, "exampleUser", &iam.UserArgs{
			Path:         pulumi.String("/"),
			ForceDestroy: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		exampleUserLoginProfile, err := iam.NewUserLoginProfile(ctx, "exampleUserLoginProfile", &iam.UserLoginProfileArgs{
			User:   exampleUser.Name,
			PgpKey: pulumi.String("keybase:some_person_that_exists"),
		})
		if err != nil {
			return err
		}
		ctx.Export("password", exampleUserLoginProfile.EncryptedPassword)
		return nil
	})
}

Python

import pulumi
import pulumi_aws as aws

example_user = aws.iam.User("exampleUser",
    path="/",
    force_destroy=True)
example_user_login_profile = aws.iam.UserLoginProfile("exampleUserLoginProfile",
    user=example_user.name,
    pgp_key="keybase:some_person_that_exists")
pulumi.export("password", example_user_login_profile.encrypted_password)

TypeScript

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const exampleUser = new aws.iam.User("exampleUser", {
    path: "/",
    forceDestroy: true,
});
const exampleUserLoginProfile = new aws.iam.UserLoginProfile("exampleUserLoginProfile", {
    user: exampleUser.name,
    pgpKey: "keybase:some_person_that_exists",
});
export const password = exampleUserLoginProfile.encryptedPassword;

Create a UserLoginProfile Resource

TypeScript

new UserLoginProfile(name: string, args: UserLoginProfileArgs, opts?: CustomResourceOptions);

Python

@overload
def UserLoginProfile(resource_name: str,
                     opts: Optional[ResourceOptions] = None,
                     password_length: Optional[int] = None,
                     password_reset_required: Optional[bool] = None,
                     pgp_key: Optional[str] = None,
                     user: Optional[str] = None)
@overload
def UserLoginProfile(resource_name: str,
                     args: UserLoginProfileArgs,
                     opts: Optional[ResourceOptions] = None)

Go

func NewUserLoginProfile(ctx *Context, name string, args UserLoginProfileArgs, opts ...ResourceOption) (*UserLoginProfile, error)

C#

public UserLoginProfile(string name, UserLoginProfileArgs args, CustomResourceOptions? opts = null)

name string
The unique name of the resource.
args UserLoginProfileArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args UserLoginProfileArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args UserLoginProfileArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.

UserLoginProfile Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The UserLoginProfile resource accepts the following input properties:

PgpKey string
Either a base-64 encoded PGP public key, or a keybase username in the form keybase:username. Only applies on resource creation. Drift detection is not possible with this argument.
User string
The IAM user’s name.
PasswordLength int
The length of the generated password on resource creation. Only applies on resource creation. Drift detection is not possible with this argument.
PasswordResetRequired bool
Whether the user should be forced to reset the generated password on resource creation. Only applies on resource creation. Drift detection is not possible with this argument.
pgpKey string
Either a base-64 encoded PGP public key, or a keybase username in the form keybase:username. Only applies on resource creation. Drift detection is not possible with this argument.
user string
The IAM user’s name.
passwordLength number
The length of the generated password on resource creation. Only applies on resource creation. Drift detection is not possible with this argument.
passwordResetRequired boolean
Whether the user should be forced to reset the generated password on resource creation. Only applies on resource creation. Drift detection is not possible with this argument.
pgp_key str
Either a base-64 encoded PGP public key, or a keybase username in the form keybase:username. Only applies on resource creation. Drift detection is not possible with this argument.
user str
The IAM user’s name.
password_length int
The length of the generated password on resource creation. Only applies on resource creation. Drift detection is not possible with this argument.
password_reset_required bool
Whether the user should be forced to reset the generated password on resource creation. Only applies on resource creation. Drift detection is not possible with this argument.

Outputs

All input properties are implicitly available as output properties. Additionally, the UserLoginProfile resource produces the following output properties:

EncryptedPassword string
The encrypted password, base64 encoded. Only available if password was handled on this provider resource creation, not import.
Id string
The provider-assigned unique ID for this managed resource.
KeyFingerprint string
The fingerprint of the PGP key used to encrypt the password. Only available if password was handled on this provider resource creation, not import.
encryptedPassword string
The encrypted password, base64 encoded. Only available if password was handled on this provider resource creation, not import.
id string
The provider-assigned unique ID for this managed resource.
keyFingerprint string
The fingerprint of the PGP key used to encrypt the password. Only available if password was handled on this provider resource creation, not import.
encrypted_password str
The encrypted password, base64 encoded. Only available if password was handled on this provider resource creation, not import.
id str
The provider-assigned unique ID for this managed resource.
key_fingerprint str
The fingerprint of the PGP key used to encrypt the password. Only available if password was handled on this provider resource creation, not import.
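
As an added example (not part of this documentation or the provider's code), the following Python code checks a pgp_key value before deployment and computes the OpenPGP v4 fingerprint of an inline key, so it can be compared with the key_fingerprint output. It assumes the base-64 value wraps the binary, non-armored key export; the function names and the sample key bytes are constructed for illustration.

```python
import base64
import hashlib

def primary_key_packet(raw: bytes) -> bytes:
    """Return the body of the leading public-key packet (tag 6, RFC 4880)."""
    if len(raw) < 6 or not raw[0] & 0x80:
        raise ValueError("not an OpenPGP packet stream")
    first = raw[0]
    if first & 0x40:  # new-format header: tag in low 6 bits
        tag, l0 = first & 0x3F, raw[1]
        if l0 < 192:
            start, length = 2, l0
        elif l0 < 224:
            start, length = 3, ((l0 - 192) << 8) + raw[2] + 192
        elif l0 == 255:
            start, length = 6, int.from_bytes(raw[2:6], "big")
        else:
            raise ValueError("partial body length is invalid for a key packet")
    else:  # old-format header: tag in bits 5..2, length type in bits 1..0
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 3:
            raise ValueError("indeterminate packet length is not supported")
        n = 1 << ltype  # 1, 2 or 4 length octets
        start, length = 1 + n, int.from_bytes(raw[1:1 + n], "big")
    if tag != 6:
        raise ValueError(f"first packet has tag {tag}, expected public key (6)")
    body = raw[start:start + length]
    if len(body) != length or body[:1] != b"\x04":
        raise ValueError("truncated packet or not a version 4 key")
    return body

def inspect_pgp_key(value: str) -> dict:
    """Classify a pgp_key argument; for inline keys compute the v4 fingerprint."""
    if value.startswith("keybase:"):
        user = value[len("keybase:"):]
        if not user:
            raise ValueError("empty keybase username")
        return {"kind": "keybase", "username": user}
    if value.lstrip().startswith("-----BEGIN PGP"):
        raise ValueError("ASCII-armored key; expected base64 of the binary export")
    raw = base64.b64decode("".join(value.split()), validate=True)
    body = primary_key_packet(raw)
    # RFC 4880 section 12.2: SHA-1 over 0x99, two-octet body length, packet body.
    header = b"\x99" + len(body).to_bytes(2, "big")
    return {"kind": "inline", "fingerprint": hashlib.sha1(header + body).hexdigest()}

# Constructed sample: dummy v4 packet body (not a usable key) behind an old-format header.
SAMPLE_BODY = b"\x04" + (1600000000).to_bytes(4, "big") + b"\x01" + bytes(range(32))
SAMPLE_INLINE_KEY = base64.b64encode(b"\x99\x00\x26" + SAMPLE_BODY).decode()
```

For a keybase: value the key is fetched when the resource is created, so comparing key_fingerprint (case-insensitively) with the fingerprint you expect confirms which key the password was encrypted to.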

Look up an Existing UserLoginProfile Resource

Get an existing UserLoginProfile resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

TypeScript

public static get(name: string, id: Input<ID>, state?: UserLoginProfileState, opts?: CustomResourceOptions): UserLoginProfile

Python

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        encrypted_password: Optional[str] = None,
        key_fingerprint: Optional[str] = None,
        password_length: Optional[int] = None,
        password_reset_required: Optional[bool] = None,
        pgp_key: Optional[str] = None,
        user: Optional[str] = None) -> UserLoginProfile

Go

func GetUserLoginProfile(ctx *Context, name string, id IDInput, state *UserLoginProfileState, opts ...ResourceOption) (*UserLoginProfile, error)

C#

public static UserLoginProfile Get(string name, Input<string> id, UserLoginProfileState? state, CustomResourceOptions? opts = null)

name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.

The following state arguments are supported:

EncryptedPassword string
The encrypted password, base64 encoded. Only available if password was handled on this provider resource creation, not import.
KeyFingerprint string
The fingerprint of the PGP key used to encrypt the password. Only available if password was handled on this provider resource creation, not import.
PasswordLength int
The length of the generated password on resource creation. Only applies on resource creation. Drift detection is not possible with this argument.
PasswordResetRequired bool
Whether the user should be forced to reset the generated password on resource creation. Only applies on resource creation. Drift detection is not possible with this argument.
PgpKey string
Either a base-64 encoded PGP public key, or a keybase username in the form keybase:username. Only applies on resource creation. Drift detection is not possible with this argument.
User string
The IAM user’s name.
encryptedPassword string
The encrypted password, base64 encoded. Only available if password was handled on this provider resource creation, not import.
keyFingerprint string
The fingerprint of the PGP key used to encrypt the password. Only available if password was handled on this provider resource creation, not import.
passwordLength number
The length of the generated password on resource creation. Only applies on resource creation. Drift detection is not possible with this argument.
passwordResetRequired boolean
Whether the user should be forced to reset the generated password on resource creation. Only applies on resource creation. Drift detection is not possible with this argument.
pgpKey string
Either a base-64 encoded PGP public key, or a keybase username in the form keybase:username. Only applies on resource creation. Drift detection is not possible with this argument.
user string
The IAM user’s name.
encrypted_password str
The encrypted password, base64 encoded. Only available if password was handled on this provider resource creation, not import.
key_fingerprint str
The fingerprint of the PGP key used to encrypt the password. Only available if password was handled on this provider resource creation, not import.
password_length int
The length of the generated password on resource creation. Only applies on resource creation. Drift detection is not possible with this argument.
password_reset_required bool
Whether the user should be forced to reset the generated password on resource creation. Only applies on resource creation. Drift detection is not possible with this argument.
pgp_key str
Either a base-64 encoded PGP public key, or a keybase username in the form keybase:username. Only applies on resource creation. Drift detection is not possible with this argument.
user str
The IAM user’s name.

Import

IAM User Login Profiles can be imported, without password information, using the IAM User name, e.g.

 $ pulumi import aws:iam/userLoginProfile:UserLoginProfile example myusername

Since this provider has no method to read the PGP or password information during import, use the ignore_changes argument to ignore them unless password recreation is desired, e.g. in Terraform:

    resource "aws_iam_user_login_profile" "example" {
      # … other configuration …

      lifecycle {
        ignore_changes = [
          password_length,
          password_reset_required,
          pgp_key,
        ]
      }
    }

Package Details

Repository
https://github.com/pulumi/pulumi-aws
License
Apache-2.0
Notes
This Pulumi package is based on the aws Terraform Provider.