AWS Identity and Access Management

2014/10/23 - AWS Identity and Access Management - 7 new, 6 updated API methods

CreateOpenIDConnectProvider (new)

Creates an IAM entity to describe an identity provider (IdP) that supports OpenID Connect (OIDC).

The OIDC provider that you create with this operation can be used as a principal in a role's trust policy to establish a trust relationship between AWS and the OIDC provider.

When you create the IAM OIDC provider, you specify the URL of the OIDC identity provider (IdP) to trust, a list of client IDs (also known as audiences) that identify the application or applications that are allowed to authenticate using the OIDC provider, and a list of thumbprints of the server certificate(s) that the IdP uses. You get all of this information from the OIDC IdP that you want to use for access to AWS.

Request Syntax

client.create_open_id_connect_provider(
    Url='string',
    ClientIDList=[
        'string',
    ],
    ThumbprintList=[
        'string',
    ]
)
type Url

string

param Url

[REQUIRED]

The URL of the identity provider. The URL must begin with "https://" and should correspond to the iss claim in the provider's OpenID Connect ID tokens. Per the OIDC standard, path components are allowed but query parameters are not. Typically the URL consists of only a host name, like "https://server.example.org" or "https://example.com".

You cannot register the same provider multiple times in a single AWS account. If you try to submit a URL that has already been used for an OpenID Connect provider in the AWS account, you will get an error.

type ClientIDList

list

param ClientIDList

A list of client IDs (also known as audiences). When a mobile or web app registers with an OpenID Connect provider, it establishes a value that identifies the application. (This is the value that's sent as the client_id parameter on OAuth requests.)

You can register multiple client IDs with the same provider. For example, you might have multiple applications that use the same OIDC provider. You cannot register more than 100 client IDs with a single IAM OIDC provider.

There is no defined format for a client ID. The CreateOpenIDConnectProviderRequest action accepts client IDs up to 255 characters long.

  • (string) --

type ThumbprintList

list

param ThumbprintList

[REQUIRED]

A list of server certificate thumbprints for the OpenID Connect (OIDC) identity provider's server certificate(s). Typically this list includes only one entry. However, IAM lets you have up to five thumbprints for an OIDC provider. This lets you maintain multiple thumbprints if the identity provider is rotating certificates.

The server certificate thumbprint is the hex-encoded SHA-1 hash value of the X.509 certificate used by the domain where the OpenID Connect provider makes its keys available. It is always a 40-character string.

You must provide at least one thumbprint when creating an IAM OIDC provider. For example, if the OIDC provider is server.example.com and the provider stores its keys at "https://keys.server.example.com/openid-connect", the thumbprint string would be the hex-encoded SHA-1 hash value of the certificate used by https://keys.server.example.com.

  • (string) --

    Contains a thumbprint for an identity provider's server certificate.

    The identity provider's server certificate thumbprint is the hex-encoded SHA-1 hash value of the self-signed X.509 certificate used by the domain where the OpenID Connect provider makes its keys available. It is always a 40-character string.

rtype

dict

returns

Response Syntax

{
    'OpenIDConnectProviderArn': 'string'
}

Response Structure

  • (dict) --

    Contains the result of a successful invocation of the CreateOpenIDConnectProvider action.

    • OpenIDConnectProviderArn (string) --

      The Amazon Resource Name (ARN) of the IAM OpenID Connect provider that was created. For more information, see OpenIDConnectProviderListEntry.

UpdateOpenIDConnectProviderThumbprint (new)

Replaces the existing list of server certificate thumbprints with a new list.

The list that you pass with this action completely replaces the existing list of thumbprints. (The lists are not merged.)

Typically, you need to update a thumbprint only when the identity provider's certificate changes, which occurs rarely. However, if the provider's certificate does change, any attempt to assume an IAM role that specifies the IAM provider as a principal will fail until the certificate thumbprint is updated.

Request Syntax

client.update_open_id_connect_provider_thumbprint(
    OpenIDConnectProviderArn='string',
    ThumbprintList=[
        'string',
    ]
)
type OpenIDConnectProviderArn

string

param OpenIDConnectProviderArn

[REQUIRED]

The Amazon Resource Name (ARN) of the IAM OpenID Connect (OIDC) provider to update the thumbprint for. You can get a list of OIDC provider ARNs by using the ListOpenIDConnectProviders action.

type ThumbprintList

list

param ThumbprintList

[REQUIRED]

A list of certificate thumbprints that are associated with the specified IAM OpenID Connect provider. For more information, see CreateOpenIDConnectProvider.

  • (string) --

    Contains a thumbprint for an identity provider's server certificate.

    The identity provider's server certificate thumbprint is the hex-encoded SHA-1 hash value of the self-signed X.509 certificate used by the domain where the OpenID Connect provider makes its keys available. It is always a 40-character string.

returns

None
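The constraints the CreateOpenIDConnectProvider and UpdateOpenIDConnectProviderThumbprint entries above spell out (https-only Url without query parameters, at most 100 client IDs of at most 255 characters, one to five thumbprints that are each the 40-character hex SHA-1 of the certificate, and an update that replaces rather than merges the list) are easy to get wrong by hand. The following is an added example, not boto3's or AWS's own code, that checks those constraints, computes a thumbprint, and builds a rotation-safe thumbprint list; OLD_CERT_DER and NEW_CERT_DER are constructed placeholders standing in for the DER bytes of the IdP key host's certificate.

```python
"""Added example (not boto3's or AWS's own code): assemble and sanity-check the
inputs that CreateOpenIDConnectProvider and UpdateOpenIDConnectProviderThumbprint
take, applying the limits stated in the reference text."""
import hashlib
import re
from urllib.parse import urlsplit

MAX_CLIENT_IDS = 100      # documented cap per IAM OIDC provider
MAX_CLIENT_ID_LEN = 255   # documented cap per client ID
MAX_THUMBPRINTS = 5       # documented cap per IAM OIDC provider
THUMBPRINT_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed placeholders. A real thumbprint is computed over the DER bytes of
# the certificate served by the host where the IdP publishes its keys.
OLD_CERT_DER = b"constructed placeholder for the current DER certificate"
NEW_CERT_DER = b"constructed placeholder for the rotated DER certificate"


def certificate_thumbprint(der_cert: bytes) -> str:
    """Hex-encoded SHA-1 of the X.509 certificate, the form IAM expects.
    hexdigest() always yields 40 lowercase hex characters."""
    return hashlib.sha1(der_cert).hexdigest()


def provider_url_error(url: str) -> str:
    """Return "" if the Url satisfies the documented rules, else the reason.
    Must begin with https://, may carry a path, must not carry query parameters."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        return "Url must begin with https:// and name a host"
    if parts.query or parts.fragment:
        return "Url must not contain query parameters or a fragment"
    return ""


def create_request_errors(url, client_ids, thumbprints) -> list:
    """List every documented constraint the proposed request violates."""
    errors = []
    url_error = provider_url_error(url)
    if url_error:
        errors.append(url_error)
    if not thumbprints:
        errors.append("ThumbprintList requires at least one entry")
    if len(thumbprints) > MAX_THUMBPRINTS:
        errors.append(f"at most {MAX_THUMBPRINTS} thumbprints are allowed")
    errors += [f"thumbprint {tp!r} is not 40 hex characters"
               for tp in thumbprints if not THUMBPRINT_RE.match(tp.lower())]
    if len(client_ids) > MAX_CLIENT_IDS:
        errors.append(f"at most {MAX_CLIENT_IDS} client IDs are allowed")
    errors += [f"client ID {cid!r} must be 1..{MAX_CLIENT_ID_LEN} characters"
               for cid in client_ids if not 0 < len(cid) <= MAX_CLIENT_ID_LEN]
    return errors


def build_create_request(url, client_ids, thumbprints) -> dict:
    """Keyword arguments for client.create_open_id_connect_provider(**request)."""
    errors = create_request_errors(url, client_ids, thumbprints)
    if errors:
        raise ValueError("; ".join(errors))
    return {
        "Url": url,
        "ClientIDList": list(client_ids),
        "ThumbprintList": [tp.lower() for tp in thumbprints],
    }


def rotated_thumbprint_list(current: list, new_cert_der: bytes) -> list:
    """ThumbprintList to pass to UpdateOpenIDConnectProviderThumbprint when the
    IdP rotates its certificate.

    The update call replaces the list (no merge), so sending only the new value
    would break role assumption for tokens still issued under the current
    certificate. Keep what is there, append the new thumbprint, and drop entries
    from the front (assumed oldest-first) if the cap of five would be exceeded."""
    new_tp = certificate_thumbprint(new_cert_der)
    merged = [tp.lower() for tp in current if tp.lower() != new_tp] + [new_tp]
    return merged[-MAX_THUMBPRINTS:]


if __name__ == "__main__":
    request = build_create_request(
        "https://server.example.org",
        ["my-web-app-client-id"],
        [certificate_thumbprint(OLD_CERT_DER)],
    )
    print(request)
    print(rotated_thumbprint_list(request["ThumbprintList"], NEW_CERT_DER))
```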

AddClientIDToOpenIDConnectProvider (new)

Adds a new client ID (also known as audience) to the list of client IDs already registered for the specified IAM OpenID Connect provider.

This action is idempotent; it does not fail or return an error if you add an existing client ID to the provider.

Request Syntax

client.add_client_id_to_open_id_connect_provider(
    OpenIDConnectProviderArn='string',
    ClientID='string'
)
type OpenIDConnectProviderArn

string

param OpenIDConnectProviderArn

[REQUIRED]

The Amazon Resource Name (ARN) of the IAM OpenID Connect (OIDC) provider to add the client ID to. You can get a list of OIDC provider ARNs by using the ListOpenIDConnectProviders action.

type ClientID

string

param ClientID

[REQUIRED]

The client ID (also known as audience) to add to the IAM OpenID Connect provider.

returns

None

DeleteOpenIDConnectProvider (new)

Deletes an IAM OpenID Connect identity provider.

Deleting an OIDC provider does not update any roles that reference the provider as a principal in their trust policies. Any attempt to assume a role that references a provider that has been deleted will fail.

This action is idempotent; it does not fail or return an error if you call the action for a provider that was already deleted.

Request Syntax

client.delete_open_id_connect_provider(
    OpenIDConnectProviderArn='string'
)
type OpenIDConnectProviderArn

string

param OpenIDConnectProviderArn

[REQUIRED]

The Amazon Resource Name (ARN) of the IAM OpenID Connect provider to delete. You can get a list of OpenID Connect provider ARNs by using the ListOpenIDConnectProviders action.

returns

None

ListOpenIDConnectProviders (new)

Lists information about the OpenID Connect providers in the AWS account.

Request Syntax

client.list_open_id_connect_providers()
rtype

dict

returns

Response Syntax

{
    'OpenIDConnectProviderList': [
        {
            'Arn': 'string'
        },
    ]
}

Response Structure

  • (dict) --

    Contains the result of a successful invocation of the ListOpenIDConnectProviders action.

    • OpenIDConnectProviderList (list) --

      The list of IAM OpenID Connect providers in the AWS account.

      • (dict) --

        Contains the Amazon Resource Name (ARN) for an IAM OpenID Connect provider.

        • Arn (string) --

          An Amazon Resource Name (ARN) for an IAM OpenID Connect provider. The ARNs are in the following format (strings in ALL-CAPS are replaceable):

          arn:aws:iam::ACCOUNT-ID:oidc/PROVIDER-URL-WITHOUT-HTTPS://

          The following example shows an ARN that might be returned by CreateOpenIDConnectProvider:

          arn:aws:iam::123456789012:oidc/server.example.com

GetOpenIDConnectProvider (new)

Returns information about the specified OpenID Connect provider.

Request Syntax

client.get_open_id_connect_provider(
    OpenIDConnectProviderArn='string'
)
type OpenIDConnectProviderArn

string

param OpenIDConnectProviderArn

[REQUIRED]

The Amazon Resource Name (ARN) of the IAM OpenID Connect (OIDC) provider to get information for. You can get a list of OIDC provider ARNs by using the ListOpenIDConnectProviders action.

rtype

dict

returns

Response Syntax

{
    'Url': 'string',
    'ClientIDList': [
        'string',
    ],
    'ThumbprintList': [
        'string',
    ],
    'CreateDate': datetime(2015, 1, 1)
}

Response Structure

  • (dict) --

    Contains the result of a successful invocation of the GetOpenIDConnectProvider action.

    • Url (string) --

      The URL that the IAM OpenID Connect provider is associated with. For more information, see CreateOpenIDConnectProvider.

    • ClientIDList (list) --

      A list of client IDs (also known as audiences) that are associated with the specified IAM OpenID Connect provider. For more information, see CreateOpenIDConnectProvider.

      • (string) --

    • ThumbprintList (list) --

      A list of certificate thumbprints that are associated with the specified IAM OpenID Connect provider. For more information, see CreateOpenIDConnectProvider.

      • (string) --

        Contains a thumbprint for an identity provider's server certificate.

        The identity provider's server certificate thumbprint is the hex-encoded SHA-1 hash value of the self-signed X.509 certificate used by the domain where the OpenID Connect provider makes its keys available. It is always a 40-character string.

    • CreateDate (datetime) --

      The date and time when the IAM OpenID Connect provider entity was created in the AWS account.

RemoveClientIDFromOpenIDConnectProvider (new)

Removes the specified client ID (also known as audience) from the list of client IDs registered for the specified IAM OpenID Connect provider.

This action is idempotent; it does not fail or return an error if you try to remove a client ID that was removed previously.

Request Syntax

client.remove_client_id_from_open_id_connect_provider(
    OpenIDConnectProviderArn='string',
    ClientID='string'
)
type OpenIDConnectProviderArn

string

param OpenIDConnectProviderArn

[REQUIRED]

The Amazon Resource Name (ARN) of the IAM OpenID Connect (OIDC) provider to remove the client ID from. You can get a list of OIDC provider ARNs by using the ListOpenIDConnectProviders action.

type ClientID

string

param ClientID

[REQUIRED]

The client ID (also known as audience) to remove from the IAM OpenID Connect provider. For more information about client IDs, see CreateOpenIDConnectProvider.

returns

None

CreateUser (updated)
Changes (response)
{'User': {'PasswordLastUsed': 'timestamp'}}

Creates a new user for your AWS account.

For information about limitations on the number of users you can create, see Limitations on IAM Entities in the Using IAM guide.

Request Syntax

client.create_user(
    Path='string',
    UserName='string'
)
type Path

string

param Path

The path for the user name. For more information about paths, see IAM Identifiers in the Using IAM guide.

This parameter is optional. If it is not included, it defaults to a slash (/).

type UserName

string

param UserName

[REQUIRED]

The name of the user to create.

rtype

dict

returns

Response Syntax

{
    'User': {
        'Path': 'string',
        'UserName': 'string',
        'UserId': 'string',
        'Arn': 'string',
        'CreateDate': datetime(2015, 1, 1),
        'PasswordLastUsed': datetime(2015, 1, 1)
    }
}

Response Structure

  • (dict) --

    Contains the result of a successful invocation of the CreateUser action.

    • User (dict) --

      Information about the user.

      • Path (string) --

        The path to the user. For more information about paths, see IAM Identifiers in the Using IAM guide.

      • UserName (string) --

        The friendly name identifying the user.

      • UserId (string) --

        The stable and unique string identifying the user. For more information about IDs, see IAM Identifiers in the Using IAM guide.

      • Arn (string) --

        The Amazon Resource Name (ARN) that identifies the user. For more information about ARNs and how to use ARNs in policies, see IAM Identifiers in the Using IAM guide.

      • CreateDate (datetime) --

        The date and time, in ISO 8601 date-time format, when the user was created.

      • PasswordLastUsed (datetime) --

        The date and time, in ISO 8601 date-time format, when the user's password was last used to sign in to an AWS website. For a list of AWS websites that capture a user's last sign-in time, see the Credential Reports topic in the Using IAM guide. If a password is used more than once in a five-minute span, only the first use is returned in this field. When the user does not have a password, this field is null (not present). When a user's password exists but has never been used, or when there is no sign-in data associated with the user, this field is null (not present).

        This value is returned only in the GetUser and ListUsers actions.

CreateVirtualMFADevice (updated)
Changes (response)
{'VirtualMFADevice': {'User': {'PasswordLastUsed': 'timestamp'}}}

Creates a new virtual MFA device for the AWS account. After creating the virtual MFA, use EnableMFADevice to attach the MFA device to an IAM user. For more information about creating and working with virtual MFA devices, go to Using a Virtual MFA Device in the Using IAM guide.

For information about limits on the number of MFA devices you can create, see Limitations on Entities in the Using IAM guide.

Warning

The seed information contained in the QR code and the Base32 string should be treated like any other secret access information, such as your AWS access keys or your passwords. After you provision your virtual device, you should ensure that the information is destroyed following secure procedures.

Request Syntax

client.create_virtual_mfa_device(
    Path='string',
    VirtualMFADeviceName='string'
)
type Path

string

param Path

The path for the virtual MFA device. For more information about paths, see IAM Identifiers in the Using IAM guide.

This parameter is optional. If it is not included, it defaults to a slash (/).

type VirtualMFADeviceName

string

param VirtualMFADeviceName

[REQUIRED]

The name of the virtual MFA device. Use with path to uniquely identify a virtual MFA device.

rtype

dict

returns

Response Syntax

{
    'VirtualMFADevice': {
        'SerialNumber': 'string',
        'Base32StringSeed': b'bytes',
        'QRCodePNG': b'bytes',
        'User': {
            'Path': 'string',
            'UserName': 'string',
            'UserId': 'string',
            'Arn': 'string',
            'CreateDate': datetime(2015, 1, 1),
            'PasswordLastUsed': datetime(2015, 1, 1)
        },
        'EnableDate': datetime(2015, 1, 1)
    }
}

Response Structure

  • (dict) --

    Contains the result of a successful invocation of the CreateVirtualMFADevice action.

    • VirtualMFADevice (dict) --

      A newly created virtual MFA device.

      • SerialNumber (string) --

        The serial number associated with VirtualMFADevice.

      • Base32StringSeed (bytes) --

        The Base32 seed defined as specified in RFC3548. The Base32StringSeed is Base64-encoded.

      • QRCodePNG (bytes) --

        A QR code PNG image that encodes otpauth://totp/$virtualMFADeviceName@$AccountName?secret=$Base32String, where $virtualMFADeviceName is one of the arguments to the create call, AccountName is the user name if set (otherwise the account ID), and Base32String is the seed in Base32 format. The Base32String value is Base64-encoded.

      • User (dict) --

        Contains information about an IAM user entity.

        This data type is used as a response element in the following actions:

        • CreateUser

        • GetUser

        • ListUsers

        • Path (string) --

          The path to the user. For more information about paths, see IAM Identifiers in the Using IAM guide.

        • UserName (string) --

          The friendly name identifying the user.

        • UserId (string) --

          The stable and unique string identifying the user. For more information about IDs, see IAM Identifiers in the Using IAM guide.

        • Arn (string) --

          The Amazon Resource Name (ARN) that identifies the user. For more information about ARNs and how to use ARNs in policies, see IAM Identifiers in the Using IAM guide.

        • CreateDate (datetime) --

          The date and time, in ISO 8601 date-time format, when the user was created.

        • PasswordLastUsed (datetime) --

          The date and time, in ISO 8601 date-time format, when the user's password was last used to sign in to an AWS website. For a list of AWS websites that capture a user's last sign-in time, see the Credential Reports topic in the Using IAM guide. If a password is used more than once in a five-minute span, only the first use is returned in this field. When the user does not have a password, this field is null (not present). When a user's password exists but has never been used, or when there is no sign-in data associated with the user, this field is null (not present).

          This value is returned only in the GetUser and ListUsers actions.

      • EnableDate (datetime) --

        The date and time on which the virtual MFA device was enabled.

GetGroup (updated)
Changes (response)
{'Users': {'PasswordLastUsed': 'timestamp'}}

Returns a list of users that are in the specified group. You can paginate the results using the MaxItems and Marker parameters.

Request Syntax

client.get_group(
    GroupName='string',
    Marker='string',
    MaxItems=123
)
type GroupName

string

param GroupName

[REQUIRED]

The name of the group.

type Marker

string

param Marker

Use this only when paginating results, and only in a subsequent request after you've received a response where the results are truncated. Set it to the value of the Marker element in the response you just received.

type MaxItems

integer

param MaxItems

Use this only when paginating results to indicate the maximum number of users you want in the response. If there are additional users beyond the maximum you specify, the IsTruncated response element is true. This parameter is optional. If you do not include it, it defaults to 100.

rtype

dict

returns

Response Syntax

{
    'Group': {
        'Path': 'string',
        'GroupName': 'string',
        'GroupId': 'string',
        'Arn': 'string',
        'CreateDate': datetime(2015, 1, 1)
    },
    'Users': [
        {
            'Path': 'string',
            'UserName': 'string',
            'UserId': 'string',
            'Arn': 'string',
            'CreateDate': datetime(2015, 1, 1),
            'PasswordLastUsed': datetime(2015, 1, 1)
        },
    ],
    'IsTruncated': True|False,
    'Marker': 'string'
}

Response Structure

  • (dict) --

    Contains the result of a successful invocation of the GetGroup action.

    • Group (dict) --

      Information about the group.

      • Path (string) --

        The path to the group. For more information about paths, see IAM Identifiers in the Using IAM guide.

      • GroupName (string) --

        The name that identifies the group.

      • GroupId (string) --

        The stable and unique string identifying the group. For more information about IDs, see IAM Identifiers in the Using IAM guide.

      • Arn (string) --

        The Amazon Resource Name (ARN) specifying the group. For more information about ARNs and how to use them in policies, see IAM Identifiers in the Using IAM guide.

      • CreateDate (datetime) --

        The date when the group was created.

    • Users (list) --

      A list of users in the group.

      • (dict) --

        Contains information about an IAM user entity.

        This data type is used as a response element in the following actions:

        • CreateUser

        • GetUser

        • ListUsers

        • Path (string) --

          The path to the user. For more information about paths, see IAM Identifiers in the Using IAM guide.

        • UserName (string) --

          The friendly name identifying the user.

        • UserId (string) --

          The stable and unique string identifying the user. For more information about IDs, see IAM Identifiers in the Using IAM guide.

        • Arn (string) --

          The Amazon Resource Name (ARN) that identifies the user. For more information about ARNs and how to use ARNs in policies, see IAM Identifiers in the Using IAM guide.

        • CreateDate (datetime) --

          The date and time, in ISO 8601 date-time format, when the user was created.

        • PasswordLastUsed (datetime) --

          The date and time, in ISO 8601 date-time format, when the user's password was last used to sign in to an AWS website. For a list of AWS websites that capture a user's last sign-in time, see the Credential Reports topic in the Using IAM guide. If a password is used more than once in a five-minute span, only the first use is returned in this field. When the user does not have a password, this field is null (not present). When a user's password exists but has never been used, or when there is no sign-in data associated with the user, this field is null (not present).

          This value is returned only in the GetUser and ListUsers actions.

    • IsTruncated (boolean) --

      A flag that indicates whether there are more user names to list. If your results were truncated, you can make a subsequent pagination request using the Marker request parameter to retrieve more user names in the list.

    • Marker (string) --

      If IsTruncated is true, then this element is present and contains the value to use for the Marker parameter in a subsequent pagination request.

GetUser (updated)
Changes (response)
{'User': {'PasswordLastUsed': 'timestamp'}}

Retrieves information about the specified user, including the user's creation date, path, unique ID, and ARN.

If you do not specify a user name, IAM determines the user name implicitly based on the AWS access key ID used to sign the request.

Request Syntax

client.get_user(
    UserName='string'
)
type UserName

string

param UserName

The name of the user to get information about.

This parameter is optional. If it is not included, it defaults to the user making the request.

rtype

dict

returns

Response Syntax

{
    'User': {
        'Path': 'string',
        'UserName': 'string',
        'UserId': 'string',
        'Arn': 'string',
        'CreateDate': datetime(2015, 1, 1),
        'PasswordLastUsed': datetime(2015, 1, 1)
    }
}

Response Structure

  • (dict) --

    Contains the result of a successful invocation of the GetUser action.

    • User (dict) --

      Information about the user.

      • Path (string) --

        The path to the user. For more information about paths, see IAM Identifiers in the Using IAM guide.

      • UserName (string) --

        The friendly name identifying the user.

      • UserId (string) --

        The stable and unique string identifying the user. For more information about IDs, see IAM Identifiers in the Using IAM guide.

      • Arn (string) --

        The Amazon Resource Name (ARN) that identifies the user. For more information about ARNs and how to use ARNs in policies, see IAM Identifiers in the Using IAM guide.

      • CreateDate (datetime) --

        The date and time, in ISO 8601 date-time format, when the user was created.

      • PasswordLastUsed (datetime) --

        The date and time, in ISO 8601 date-time format, when the user's password was last used to sign in to an AWS website. For a list of AWS websites that capture a user's last sign-in time, see the Credential Reports topic in the Using IAM guide. If a password is used more than once in a five-minute span, only the first use is returned in this field. When the user does not have a password, this field is null (not present). When a user's password exists but has never been used, or when there is no sign-in data associated with the user, this field is null (not present).

        This value is returned only in the GetUser and ListUsers actions.

ListUsers (updated)
Changes (response)
{'Users': {'PasswordLastUsed': 'timestamp'}}

Lists the IAM users that have the specified path prefix. If no path prefix is specified, the action returns all users in the AWS account. If there are none, the action returns an empty list.

You can paginate the results using the MaxItems and Marker parameters.

Request Syntax

client.list_users(
    PathPrefix='string',
    Marker='string',
    MaxItems=123
)
type PathPrefix

string

param PathPrefix

The path prefix for filtering the results. For example: /division_abc/subdivision_xyz/, which would get all user names whose path starts with /division_abc/subdivision_xyz/.

This parameter is optional. If it is not included, it defaults to a slash (/), listing all user names.

type Marker

string

param Marker

Use this parameter only when paginating results, and only in a subsequent request after you've received a response where the results are truncated. Set it to the value of the Marker element in the response you just received.

type MaxItems

integer

param MaxItems

Use this parameter only when paginating results to indicate the maximum number of user names you want in the response. If there are additional user names beyond the maximum you specify, the IsTruncated response element is true. This parameter is optional. If you do not include it, it defaults to 100.

rtype

dict

returns

Response Syntax

{
    'Users': [
        {
            'Path': 'string',
            'UserName': 'string',
            'UserId': 'string',
            'Arn': 'string',
            'CreateDate': datetime(2015, 1, 1),
            'PasswordLastUsed': datetime(2015, 1, 1)
        },
    ],
    'IsTruncated': True|False,
    'Marker': 'string'
}

Response Structure

  • (dict) --

    Contains the result of a successful invocation of the ListUsers action.

    • Users (list) --

      A list of users.

      • (dict) --

        Contains information about an IAM user entity.

        This data type is used as a response element in the following actions:

        • CreateUser

        • GetUser

        • ListUsers

        • Path (string) --

          The path to the user. For more information about paths, see IAM Identifiers in the Using IAM guide.

        • UserName (string) --

          The friendly name identifying the user.

        • UserId (string) --

          The stable and unique string identifying the user. For more information about IDs, see IAM Identifiers in the Using IAM guide.

        • Arn (string) --

          The Amazon Resource Name (ARN) that identifies the user. For more information about ARNs and how to use ARNs in policies, see IAM Identifiers in the Using IAM guide.

        • CreateDate (datetime) --

          The date and time, in ISO 8601 date-time format, when the user was created.

        • PasswordLastUsed (datetime) --

          The date and time, in ISO 8601 date-time format, when the user's password was last used to sign in to an AWS website. For a list of AWS websites that capture a user's last sign-in time, see the Credential Reports topic in the Using IAM guide. If a password is used more than once in a five-minute span, only the first use is returned in this field. When the user does not have a password, this field is null (not present). When a user's password exists but has never been used, or when there is no sign-in data associated with the user, this field is null (not present).

          This value is returned only in the GetUser and ListUsers actions.

    • IsTruncated (boolean) --

      A flag that indicates whether there are more user names to list. If your results were truncated, you can make a subsequent pagination request using the Marker request parameter to retrieve more users in the list.

    • Marker (string) --

      If IsTruncated is true, this element is present and contains the value to use for the Marker parameter in a subsequent pagination request.
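Two details in the GetGroup and ListUsers entries above bite in practice: Marker is only present when IsTruncated is true, and the new PasswordLastUsed element is absent from the user dict (not set to None) whenever the user has no password, has never used it, or has no sign-in data, so the field alone cannot distinguish those cases. The following is an added example, not boto3's or AWS's own code, that walks ListUsers pages and buckets users by password age; FakeIAMClient, SAMPLE_USERS and NOW are constructed stand-ins so it runs offline, and a real boto3 IAM client can be passed to the same functions.

```python
"""Added example (not boto3's or AWS's own code): follow ListUsers pagination
with Marker/IsTruncated and read PasswordLastUsed as the reference describes it
(absent from the dict, not None, when there is no sign-in data)."""
from datetime import datetime, timedelta, timezone


class FakeIAMClient:
    """Constructed stand-in for boto3's IAM client. Serves its users in pages of
    MaxItems, signalling continuation with IsTruncated/Marker as documented."""

    def __init__(self, users):
        self._users = users

    def list_users(self, PathPrefix="/", MaxItems=100, Marker=None):
        matching = [u for u in self._users if u["Path"].startswith(PathPrefix)]
        start = int(Marker) if Marker else 0      # Marker is opaque to callers
        page = matching[start:start + MaxItems]
        response = {"Users": page, "IsTruncated": start + MaxItems < len(matching)}
        if response["IsTruncated"]:
            response["Marker"] = str(start + MaxItems)   # present only when truncated
        return response


def iter_users(client, path_prefix="/", page_size=100):
    """Yield every user under path_prefix, following Marker until IsTruncated is
    false. Marker is added to the kwargs only once a page supplies it, because
    the real client rejects Marker=None."""
    kwargs = {"PathPrefix": path_prefix, "MaxItems": page_size}
    while True:
        response = client.list_users(**kwargs)
        yield from response["Users"]
        if not response.get("IsTruncated"):
            return
        kwargs["Marker"] = response["Marker"]


def password_hygiene(users, now, max_age_days=90):
    """Bucket users by PasswordLastUsed.

    A missing key means either no console password or a password that has never
    been used; the field alone cannot tell those apart, so such users are
    reported separately rather than counted as stale or recent."""
    cutoff = now - timedelta(days=max_age_days)
    report = {"stale": [], "recent": [], "no_sign_in_data": []}
    for user in users:
        last_used = user.get("PasswordLastUsed")   # .get(): key may be absent
        if last_used is None:
            report["no_sign_in_data"].append(user["UserName"])
        elif last_used < cutoff:
            report["stale"].append(user["UserName"])
        else:
            report["recent"].append(user["UserName"])
    return report


def run_report(client, now, path_prefix="/", page_size=2, max_age_days=90):
    """Paginate and classify in one call; page_size=2 forces several pages."""
    return password_hygiene(iter_users(client, path_prefix, page_size), now, max_age_days)


# Constructed sample data; only the fields this example reads are filled in.
# boto3 returns timezone-aware datetimes, so the samples are tz-aware too.
SAMPLE_USERS = [
    {"Path": "/", "UserName": "alice",
     "PasswordLastUsed": datetime(2015, 5, 20, tzinfo=timezone.utc)},
    {"Path": "/", "UserName": "bob",
     "PasswordLastUsed": datetime(2014, 11, 1, tzinfo=timezone.utc)},
    {"Path": "/", "UserName": "carol"},                      # no key at all
    {"Path": "/contractors/", "UserName": "dave",
     "PasswordLastUsed": datetime(2015, 1, 1, tzinfo=timezone.utc)},
]
SAMPLE_CLIENT = FakeIAMClient(SAMPLE_USERS)
NOW = datetime(2015, 6, 1, tzinfo=timezone.utc)   # constructed "current time"

if __name__ == "__main__":
    print(run_report(SAMPLE_CLIENT, NOW))
    # {'stale': ['bob', 'dave'], 'recent': ['alice'], 'no_sign_in_data': ['carol']}
```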

ListVirtualMFADevices (updated)
Changes (response)
{'VirtualMFADevices': {'User': {'PasswordLastUsed': 'timestamp'}}}

Lists the virtual MFA devices under the AWS account by assignment status. If you do not specify an assignment status, the action returns a list of all virtual MFA devices. Assignment status can be Assigned, Unassigned, or Any.

You can paginate the results using the MaxItems and Marker parameters.

Request Syntax

client.list_virtual_mfa_devices(
    AssignmentStatus='Assigned'|'Unassigned'|'Any',
    Marker='string',
    MaxItems=123
)
type AssignmentStatus

string

param AssignmentStatus

The status (unassigned or assigned) of the devices to list. If you do not specify an AssignmentStatus, the action defaults to Any, which lists both assigned and unassigned virtual MFA devices.

type Marker

string

param Marker

Use this parameter only when paginating results, and only in a subsequent request after you've received a response where the results are truncated. Set it to the value of the Marker element in the response you just received.

type MaxItems

integer

param MaxItems

Use this parameter only when paginating results to indicate the maximum number of MFA devices you want in the response. If there are additional MFA devices beyond the maximum you specify, the IsTruncated response element is true. This parameter is optional. If you do not include it, it defaults to 100.

rtype

dict

returns

Response Syntax

{
    'VirtualMFADevices': [
        {
            'SerialNumber': 'string',
            'Base32StringSeed': b'bytes',
            'QRCodePNG': b'bytes',
            'User': {
                'Path': 'string',
                'UserName': 'string',
                'UserId': 'string',
                'Arn': 'string',
                'CreateDate': datetime(2015, 1, 1),
                'PasswordLastUsed': datetime(2015, 1, 1)
            },
            'EnableDate': datetime(2015, 1, 1)
        },
    ],
    'IsTruncated': True|False,
    'Marker': 'string'
}

Response Structure

  • (dict) --

    Contains the result of a successful invocation of the ListVirtualMFADevices action.

    • VirtualMFADevices (list) --

      The list of virtual MFA devices in the current account that match the AssignmentStatus value that was passed in the request.

      • (dict) --

        Contains information about a virtual MFA device.

        • SerialNumber (string) --

          The serial number associated with VirtualMFADevice.

        • Base32StringSeed (bytes) --

          The Base32 seed defined as specified in RFC3548. The Base32StringSeed is Base64-encoded.

        • QRCodePNG (bytes) --

          A QR code PNG image that encodes otpauth://totp/$virtualMFADeviceName@$AccountName?secret=$Base32String, where $virtualMFADeviceName is one of the arguments to the create call, AccountName is the user name if set (otherwise the account ID), and Base32String is the seed in Base32 format. The Base32String value is Base64-encoded.

        • User (dict) --

          Contains information about an IAM user entity.

          This data type is used as a response element in the following actions:

          • CreateUser

          • GetUser

          • ListUsers

          • Path (string) --

            The path to the user. For more information about paths, see IAM Identifiers in the Using IAM guide.

          • UserName (string) --

            The friendly name identifying the user.

          • UserId (string) --

            The stable and unique string identifying the user. For more information about IDs, see IAM Identifiers in the Using IAM guide.

          • Arn (string) --

            The Amazon Resource Name (ARN) that identifies the user. For more information about ARNs and how to use ARNs in policies, see IAM Identifiers in the Using IAM guide.

          • CreateDate (datetime) --

            The date and time, in ISO 8601 date-time format, when the user was created.

          • PasswordLastUsed (datetime) --

            The date and time, in ISO 8601 date-time format, when the user's password was last used to sign in to an AWS website. For a list of AWS websites that capture a user's last sign-in time, see the Credential Reports topic in the Using IAM guide. If a password is used more than once in a five-minute span, only the first use is returned in this field. When the user does not have a password, this field is null (not present). When a user's password exists but has never been used, or when there is no sign-in data associated with the user, this field is null (not present).

            This value is returned only in the GetUser and ListUsers actions.

        • EnableDate (datetime) --

          The date and time on which the virtual MFA device was enabled.

    • IsTruncated (boolean) --

      A flag that indicates whether there are more items to list. If your results were truncated, you can make a subsequent pagination request using the Marker request parameter to retrieve more items in the list.

    • Marker (string) --

      If IsTruncated is true, this element is present and contains the value to use for the Marker parameter in a subsequent pagination request.