Permissions Boundary Not Included in ListUsers Operation #1902

Closed
ncc-erik-steringer opened this issue Nov 26, 2019 · 6 comments
Labels
closed-for-staleness documentation This is a problem with documentation. service-api This issue is caused by the service API, not the SDK implementation.

@ncc-erik-steringer

I am calling the ListUsers operation to list out the IAM Users in my account. Among the elements in the response, I was looking for PermissionsBoundary. Per my reading of the documentation, it seems like it should be present in the response data:

When I call ListUsers, with or without pagination, the response did not include PermissionsBoundary for the IAM User I set it for. I do see the element when I call GetUser for that same user.

This is with version 1.13.27 installed via pip, Python 3.5, Ubuntu 16.04.

@ncc-erik-steringer
Author

I think this is because the IAM API isn't including the data in the response, contrary to the documentation. Here's what I used to reproduce:

```python
import botocore
import botocore.session
import botocore.hooks


def postcall(*args, **kwargs):
    # Dump the raw HTTP response body (XML for IAM) after each API call
    print(kwargs['http_response'].text)


# Register the handler for the after-call event of every operation
h = botocore.hooks.HierarchicalEmitter()
h.register(event_name='after-call.*', handler=postcall)

session = botocore.session.Session(profile='...', event_hooks=h)

iamclient = session.create_client('iam')
response = iamclient.list_users()
```

After calling list_users(), the raw XML response from IAM was dumped to stdout due to the hook. Looking for my user with boundaries, the boundary element is not included.

@kapilt
Contributor

kapilt commented Dec 9, 2019

It's sort of related to how all the SDKs get constructed from the service team descriptions and models. The model that's being provided for user is the same across those two API calls; however, the list API call doesn't include the full representation. The service team could have used a separate model that would have been included in the list operation, but in this case they reused the same model across both; however, it's only on the get user operation that the full model response is included. Obviously this can cause some confusion around the docs, but afaics it's really on the service team to include in their API metadata a correct model for a given operation; the SDKs just consume and expose that metadata for a given language implementation.

@ncc-erik-steringer
Author

Okay, then the solution seems to be to pivot to using iam:GetUser for each IAM User I want this data on.
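
Added example, not part of the original thread or the boto3 project's code: one way to apply the per-user GetUser workaround described above and report which users have no permissions boundary. `StubIam` and its data are constructed so the block runs offline; pass `boto3.client("iam")` instead to audit a real account.

```python
def list_user_boundaries(iam):
    """Return {user name: permissions boundary ARN or None} for all IAM users."""
    boundaries = {}
    for page in iam.get_paginator("list_users").paginate():
        for summary in page["Users"]:
            name = summary["UserName"]
            try:
                # ListUsers omits PermissionsBoundary; GetUser returns the full User.
                user = iam.get_user(UserName=name)["User"]
            except iam.exceptions.NoSuchEntityException:
                continue  # user deleted between ListUsers and GetUser
            boundary = user.get("PermissionsBoundary")
            boundaries[name] = boundary["PermissionsBoundaryArn"] if boundary else None
    return boundaries


def users_without_boundary(boundaries):
    """Names of users with no permissions boundary attached."""
    return sorted(name for name, arn in boundaries.items() if arn is None)


class StubIam:
    """Constructed offline stand-in for boto3.client("iam"); all data is made up."""
    class exceptions:
        class NoSuchEntityException(Exception):
            pass
    _users = {
        "alice": {"PermissionsBoundary": {
            "PermissionsBoundaryType": "PermissionsBoundaryPolicy",
            "PermissionsBoundaryArn": "arn:aws:iam::111122223333:policy/example-boundary"}},
        "bob": {},
    }

    def get_paginator(self, operation):
        return self  # the stub serves as its own paginator

    def paginate(self):
        # "gone" is listed but missing from _users, simulating a deleted user.
        yield {"Users": [{"UserName": n} for n in ("alice", "bob", "gone")]}

    def get_user(self, UserName):
        if UserName not in self._users:
            raise self.exceptions.NoSuchEntityException(UserName)
        return {"User": dict(self._users[UserName], UserName=UserName)}


if __name__ == "__main__":
    found = list_user_boundaries(StubIam())  # or boto3.client("iam") for a real account
    print(found, users_without_boundary(found))
```

Against a real account the caller needs both `iam:ListUsers` and `iam:GetUser`, and the audit makes one GetUser call per user.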

@swetashre
Contributor

swetashre commented Dec 10, 2019

@ncc-erik-steringer - Thank you for your post. I can confirm that the list_users operation does not return PermissionsBoundary. @kapilt, thank you for such a detailed description. Boto3 documentation is generated from the API reference, and the service team has used the same model of User for both operations. I will contact the service team about the issue and see what we can do to remove this confusion.

@chizou

chizou commented Mar 28, 2020

To add to this, the botocore documentation also says a list of Tags is returned but the API docs don't reflect that.

@swetashre swetashre assigned kdaily and unassigned swetashre Mar 25, 2021
@kdaily kdaily added documentation This is a problem with documentation. service-api This issue is caused by the service API, not the SDK implementation. and removed api-documentation labels Oct 14, 2021
@github-actions

Greetings! It looks like this issue hasn’t been active in longer than one year. We encourage you to check if this is still an issue in the latest release. In the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please feel free to provide a comment or upvote with a reaction on the initial post to prevent automatic closure. If the issue is already closed, please feel free to open a new one.
