Docs Home
AWS v6.83.0 published on Monday, Jun 16, 2025 by Pulumi
aws.iam.UserLoginProfile
Explore with Pulumi AI
Manages an IAM User Login Profile with limited support for password creation during this provider resource creation. Uses PGP to encrypt the password for safe transport to the user. PGP keys can be obtained from Keybase.
To reset an IAM User login password via this provider, you can use delete and recreate this resource or change any of the arguments.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.iam.User("example", {
name: "example",
path: "/",
forceDestroy: true,
});
const exampleUserLoginProfile = new aws.iam.UserLoginProfile("example", {
user: example.name,
pgpKey: "keybase:some_person_that_exists",
});
export const password = exampleUserLoginProfile.encryptedPassword;
import pulumi
import pulumi_aws as aws
example = aws.iam.User("example",
name="example",
path="/",
force_destroy=True)
example_user_login_profile = aws.iam.UserLoginProfile("example",
user=example.name,
pgp_key="keybase:some_person_that_exists")
pulumi.export("password", example_user_login_profile.encrypted_password)
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
example, err := iam.NewUser(ctx, "example", &iam.UserArgs{
Name: pulumi.String("example"),
Path: pulumi.String("/"),
ForceDestroy: pulumi.Bool(true),
})
if err != nil {
return err
}
exampleUserLoginProfile, err := iam.NewUserLoginProfile(ctx, "example", &iam.UserLoginProfileArgs{
User: example.Name,
PgpKey: pulumi.String("keybase:some_person_that_exists"),
})
if err != nil {
return err
}
ctx.Export("password", exampleUserLoginProfile.EncryptedPassword)
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.Iam.User("example", new()
{
Name = "example",
Path = "/",
ForceDestroy = true,
});
var exampleUserLoginProfile = new Aws.Iam.UserLoginProfile("example", new()
{
User = example.Name,
PgpKey = "keybase:some_person_that_exists",
});
return new Dictionary<string, object?>
{
["password"] = exampleUserLoginProfile.EncryptedPassword,
};
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.iam.User;
import com.pulumi.aws.iam.UserArgs;
import com.pulumi.aws.iam.UserLoginProfile;
import com.pulumi.aws.iam.UserLoginProfileArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new User("example", UserArgs.builder()
.name("example")
.path("/")
.forceDestroy(true)
.build());
var exampleUserLoginProfile = new UserLoginProfile("exampleUserLoginProfile", UserLoginProfileArgs.builder()
.user(example.name())
.pgpKey("keybase:some_person_that_exists")
.build());
ctx.export("password", exampleUserLoginProfile.encryptedPassword());
}
}
resources:
example:
type: aws:iam:User
properties:
name: example
path: /
forceDestroy: true
exampleUserLoginProfile:
type: aws:iam:UserLoginProfile
name: example
properties:
user: ${example.name}
pgpKey: keybase:some_person_that_exists
outputs:
password: ${exampleUserLoginProfile.encryptedPassword}
Create UserLoginProfile Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new UserLoginProfile(name: string, args: UserLoginProfileArgs, opts?: CustomResourceOptions);@overload
def UserLoginProfile(resource_name: str,
args: UserLoginProfileArgs,
opts: Optional[ResourceOptions] = None)
@overload
def UserLoginProfile(resource_name: str,
opts: Optional[ResourceOptions] = None,
user: Optional[str] = None,
password_length: Optional[int] = None,
password_reset_required: Optional[bool] = None,
pgp_key: Optional[str] = None)func NewUserLoginProfile(ctx *Context, name string, args UserLoginProfileArgs, opts ...ResourceOption) (*UserLoginProfile, error)public UserLoginProfile(string name, UserLoginProfileArgs args, CustomResourceOptions? opts = null)
public UserLoginProfile(String name, UserLoginProfileArgs args)
public UserLoginProfile(String name, UserLoginProfileArgs args, CustomResourceOptions options)
type: aws:iam:UserLoginProfile
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args UserLoginProfileArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args UserLoginProfileArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args UserLoginProfileArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args UserLoginProfileArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args UserLoginProfileArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var userLoginProfileResource = new Aws.Iam.UserLoginProfile("userLoginProfileResource", new()
{
User = "string",
PasswordLength = 0,
PasswordResetRequired = false,
PgpKey = "string",
});
example, err := iam.NewUserLoginProfile(ctx, "userLoginProfileResource", &iam.UserLoginProfileArgs{
User: pulumi.String("string"),
PasswordLength: pulumi.Int(0),
PasswordResetRequired: pulumi.Bool(false),
PgpKey: pulumi.String("string"),
})
var userLoginProfileResource = new UserLoginProfile("userLoginProfileResource", UserLoginProfileArgs.builder()
.user("string")
.passwordLength(0)
.passwordResetRequired(false)
.pgpKey("string")
.build());
user_login_profile_resource = aws.iam.UserLoginProfile("userLoginProfileResource",
user="string",
password_length=0,
password_reset_required=False,
pgp_key="string")
const userLoginProfileResource = new aws.iam.UserLoginProfile("userLoginProfileResource", {
user: "string",
passwordLength: 0,
passwordResetRequired: false,
pgpKey: "string",
});
type: aws:iam:UserLoginProfile
properties:
passwordLength: 0
passwordResetRequired: false
pgpKey: string
user: string
UserLoginProfile Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The UserLoginProfile resource accepts the following input properties:
- User string
- The IAM user's name.
- Password
Length int - The length of the generated password on resource creation. Only applies on resource creation. Drift detection is not possible with this argument. Default value is
20. - Password
Reset boolRequired - Whether the user should be forced to reset the generated password on resource creation. Only applies on resource creation.
- Pgp
Key string - Either a base-64 encoded PGP public key, or a keybase username in the form
keybase:username. Only applies on resource creation. Drift detection is not possible with this argument.
- User string
- The IAM user's name.
- Password
Length int - The length of the generated password on resource creation. Only applies on resource creation. Drift detection is not possible with this argument. Default value is
20. - Password
Reset boolRequired - Whether the user should be forced to reset the generated password on resource creation. Only applies on resource creation.
- Pgp
Key string - Either a base-64 encoded PGP public key, or a keybase username in the form
keybase:username. Only applies on resource creation. Drift detection is not possible with this argument.
- user String
- The IAM user's name.
- password
Length Integer - The length of the generated password on resource creation. Only applies on resource creation. Drift detection is not possible with this argument. Default value is
20. - password
Reset BooleanRequired - Whether the user should be forced to reset the generated password on resource creation. Only applies on resource creation.
- pgp
Key String - Either a base-64 encoded PGP public key, or a keybase username in the form
keybase:username. Only applies on resource creation. Drift detection is not possible with this argument.
- user string
- The IAM user's name.
- password
Length number - The length of the generated password on resource creation. Only applies on resource creation. Drift detection is not possible with this argument. Default value is
20. - password
Reset booleanRequired - Whether the user should be forced to reset the generated password on resource creation. Only applies on resource creation.
- pgp
Key string - Either a base-64 encoded PGP public key, or a keybase username in the form
keybase:username. Only applies on resource creation. Drift detection is not possible with this argument.
- user str
- The IAM user's name.
- password_
length int - The length of the generated password on resource creation. Only applies on resource creation. Drift detection is not possible with this argument. Default value is
20. - password_
reset_ boolrequired - Whether the user should be forced to reset the generated password on resource creation. Only applies on resource creation.
- pgp_
key str - Either a base-64 encoded PGP public key, or a keybase username in the form
keybase:username. Only applies on resource creation. Drift detection is not possible with this argument.
- user String
- The IAM user's name.
- password
Length Number - The length of the generated password on resource creation. Only applies on resource creation. Drift detection is not possible with this argument. Default value is
20. - password
Reset BooleanRequired - Whether the user should be forced to reset the generated password on resource creation. Only applies on resource creation.
- pgp
Key String - Either a base-64 encoded PGP public key, or a keybase username in the form
keybase:username. Only applies on resource creation. Drift detection is not possible with this argument.
Outputs
All input properties are implicitly available as output properties. Additionally, the UserLoginProfile resource produces the following output properties:
- Encrypted
Password string - The encrypted password, base64 encoded. Only available if password was handled on resource creation, not import.
- Id string
- The provider-assigned unique ID for this managed resource.
- Key
Fingerprint string - The fingerprint of the PGP key used to encrypt the password. Only available if password was handled on this provider resource creation, not import.
- Password string
- The plain text password, only available when
pgp_keyis not provided.
- Encrypted
Password string - The encrypted password, base64 encoded. Only available if password was handled on resource creation, not import.
- Id string
- The provider-assigned unique ID for this managed resource.
- Key
Fingerprint string - The fingerprint of the PGP key used to encrypt the password. Only available if password was handled on this provider resource creation, not import.
- Password string
- The plain text password, only available when
pgp_keyis not provided.
- encrypted
Password String - The encrypted password, base64 encoded. Only available if password was handled on resource creation, not import.
- id String
- The provider-assigned unique ID for this managed resource.
- key
Fingerprint String - The fingerprint of the PGP key used to encrypt the password. Only available if password was handled on this provider resource creation, not import.
- password String
- The plain text password, only available when
pgp_keyis not provided.
- encrypted
Password string - The encrypted password, base64 encoded. Only available if password was handled on resource creation, not import.
- id string
- The provider-assigned unique ID for this managed resource.
- key
Fingerprint string - The fingerprint of the PGP key used to encrypt the password. Only available if password was handled on this provider resource creation, not import.
- password string
- The plain text password, only available when
pgp_keyis not provided.
- encrypted_
password str - The encrypted password, base64 encoded. Only available if password was handled on resource creation, not import.
- id str
- The provider-assigned unique ID for this managed resource.
- key_
fingerprint str - The fingerprint of the PGP key used to encrypt the password. Only available if password was handled on this provider resource creation, not import.
- password str
- The plain text password, only available when
pgp_keyis not provided.
- encrypted
Password String - The encrypted password, base64 encoded. Only available if password was handled on resource creation, not import.
- id String
- The provider-assigned unique ID for this managed resource.
- key
Fingerprint String - The fingerprint of the PGP key used to encrypt the password. Only available if password was handled on this provider resource creation, not import.
- password String
- The plain text password, only available when
pgp_keyis not provided.
Look up Existing UserLoginProfile Resource
Get an existing UserLoginProfile resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: UserLoginProfileState, opts?: CustomResourceOptions): UserLoginProfile@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
encrypted_password: Optional[str] = None,
key_fingerprint: Optional[str] = None,
password: Optional[str] = None,
password_length: Optional[int] = None,
password_reset_required: Optional[bool] = None,
pgp_key: Optional[str] = None,
user: Optional[str] = None) -> UserLoginProfilefunc GetUserLoginProfile(ctx *Context, name string, id IDInput, state *UserLoginProfileState, opts ...ResourceOption) (*UserLoginProfile, error)public static UserLoginProfile Get(string name, Input<string> id, UserLoginProfileState? state, CustomResourceOptions? opts = null)public static UserLoginProfile get(String name, Output<String> id, UserLoginProfileState state, CustomResourceOptions options)resources: _: type: aws:iam:UserLoginProfile get: id: ${id}- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Encrypted
Password string - The encrypted password, base64 encoded. Only available if password was handled on resource creation, not import.
- Key
Fingerprint string - The fingerprint of the PGP key used to encrypt the password. Only available if password was handled on this provider resource creation, not import.
- Password string
- The plain text password, only available when
pgp_keyis not provided. - Password
Length int - The length of the generated password on resource creation. Only applies on resource creation. Drift detection is not possible with this argument. Default value is
20. - Password
Reset boolRequired - Whether the user should be forced to reset the generated password on resource creation. Only applies on resource creation.
- Pgp
Key string - Either a base-64 encoded PGP public key, or a keybase username in the form
keybase:username. Only applies on resource creation. Drift detection is not possible with this argument. - User string
- The IAM user's name.
- Encrypted
Password string - The encrypted password, base64 encoded. Only available if password was handled on resource creation, not import.
- Key
Fingerprint string - The fingerprint of the PGP key used to encrypt the password. Only available if password was handled on this provider resource creation, not import.
- Password string
- The plain text password, only available when
pgp_keyis not provided. - Password
Length int - The length of the generated password on resource creation. Only applies on resource creation. Drift detection is not possible with this argument. Default value is
20. - Password
Reset boolRequired - Whether the user should be forced to reset the generated password on resource creation. Only applies on resource creation.
- Pgp
Key string - Either a base-64 encoded PGP public key, or a keybase username in the form
keybase:username. Only applies on resource creation. Drift detection is not possible with this argument. - User string
- The IAM user's name.
- encrypted
Password String - The encrypted password, base64 encoded. Only available if password was handled on resource creation, not import.
- key
Fingerprint String - The fingerprint of the PGP key used to encrypt the password. Only available if password was handled on this provider resource creation, not import.
- password String
- The plain text password, only available when
pgp_keyis not provided. - password
Length Integer - The length of the generated password on resource creation. Only applies on resource creation. Drift detection is not possible with this argument. Default value is
20. - password
Reset BooleanRequired - Whether the user should be forced to reset the generated password on resource creation. Only applies on resource creation.
- pgp
Key String - Either a base-64 encoded PGP public key, or a keybase username in the form
keybase:username. Only applies on resource creation. Drift detection is not possible with this argument. - user String
- The IAM user's name.
- encrypted
Password string - The encrypted password, base64 encoded. Only available if password was handled on resource creation, not import.
- key
Fingerprint string - The fingerprint of the PGP key used to encrypt the password. Only available if password was handled on this provider resource creation, not import.
- password string
- The plain text password, only available when
pgp_keyis not provided. - password
Length number - The length of the generated password on resource creation. Only applies on resource creation. Drift detection is not possible with this argument. Default value is
20. - password
Reset booleanRequired - Whether the user should be forced to reset the generated password on resource creation. Only applies on resource creation.
- pgp
Key string - Either a base-64 encoded PGP public key, or a keybase username in the form
keybase:username. Only applies on resource creation. Drift detection is not possible with this argument. - user string
- The IAM user's name.
- encrypted_
password str - The encrypted password, base64 encoded. Only available if password was handled on resource creation, not import.
- key_
fingerprint str - The fingerprint of the PGP key used to encrypt the password. Only available if password was handled on this provider resource creation, not import.
- password str
- The plain text password, only available when
pgp_keyis not provided. - password_
length int - The length of the generated password on resource creation. Only applies on resource creation. Drift detection is not possible with this argument. Default value is
20. - password_
reset_ boolrequired - Whether the user should be forced to reset the generated password on resource creation. Only applies on resource creation.
- pgp_
key str - Either a base-64 encoded PGP public key, or a keybase username in the form
keybase:username. Only applies on resource creation. Drift detection is not possible with this argument. - user str
- The IAM user's name.
- encrypted
Password String - The encrypted password, base64 encoded. Only available if password was handled on resource creation, not import.
- key
Fingerprint String - The fingerprint of the PGP key used to encrypt the password. Only available if password was handled on this provider resource creation, not import.
- password String
- The plain text password, only available when
pgp_keyis not provided. - password
Length Number - The length of the generated password on resource creation. Only applies on resource creation. Drift detection is not possible with this argument. Default value is
20. - password
Reset BooleanRequired - Whether the user should be forced to reset the generated password on resource creation. Only applies on resource creation.
- pgp
Key String - Either a base-64 encoded PGP public key, or a keybase username in the form
keybase:username. Only applies on resource creation. Drift detection is not possible with this argument. - user String
- The IAM user's name.
Import
Using pulumi import, import IAM User Login Profiles without password information via the IAM User name. For example:
$ pulumi import aws:iam/userLoginProfile:UserLoginProfile example myusername
Since Pulumi has no method to read the PGP or password information during import, use the resource options ignore_changes argument to ignore them (unless you want to recreate a password). For example:
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- AWS Classic pulumi/pulumi-aws
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
awsTerraform Provider.