ibm 1.85.0-beta0 published on Wednesday, Oct 29, 2025 by ibm-cloud

ibm.getIamAccountSettings


    Provides a read-only data source to retrieve information about iam_account_settings. You can then reference the fields of the data source in other resources within the same configuration by using interpolation syntax.

    Example Usage

    Example coming soon!
    
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.ibm.IbmFunctions;
    import com.pulumi.ibm.inputs.GetIamAccountSettingsArgs;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            // Read-only lookup. Only the arguments documented on this page are set,
            // both at their documented default of false.
            final var iamAccountSettings = IbmFunctions.getIamAccountSettings(GetIamAccountSettingsArgs.builder()
                .includeHistory(false)
                .resolveUserMfa(false)
                .build());
    
        }
    }
    
    variables:
      iamAccountSettings:
        fn::invoke:
          function: ibm:getIamAccountSettings
          arguments:
            # Only the arguments documented on this page are set.
            includeHistory: false
            resolveUserMfa: false
    

    Using getIamAccountSettings

    Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

    function getIamAccountSettings(args: GetIamAccountSettingsArgs, opts?: InvokeOptions): Promise<GetIamAccountSettingsResult>
    function getIamAccountSettingsOutput(args: GetIamAccountSettingsOutputArgs, opts?: InvokeOptions): Output<GetIamAccountSettingsResult>
    def get_iam_account_settings(id: Optional[str] = None,
                                 include_history: Optional[bool] = None,
                                 resolve_user_mfa: Optional[bool] = None,
                                 opts: Optional[InvokeOptions] = None) -> GetIamAccountSettingsResult
    def get_iam_account_settings_output(id: Optional[pulumi.Input[str]] = None,
                                 include_history: Optional[pulumi.Input[bool]] = None,
                                 resolve_user_mfa: Optional[pulumi.Input[bool]] = None,
                                 opts: Optional[InvokeOptions] = None) -> Output[GetIamAccountSettingsResult]
    func LookupIamAccountSettings(ctx *Context, args *LookupIamAccountSettingsArgs, opts ...InvokeOption) (*LookupIamAccountSettingsResult, error)
    func LookupIamAccountSettingsOutput(ctx *Context, args *LookupIamAccountSettingsOutputArgs, opts ...InvokeOption) LookupIamAccountSettingsResultOutput

    > Note: This function is named LookupIamAccountSettings in the Go SDK.

    public static class GetIamAccountSettings 
    {
        public static Task<GetIamAccountSettingsResult> InvokeAsync(GetIamAccountSettingsArgs args, InvokeOptions? opts = null)
        public static Output<GetIamAccountSettingsResult> Invoke(GetIamAccountSettingsInvokeArgs args, InvokeOptions? opts = null)
    }
    public static CompletableFuture<GetIamAccountSettingsResult> getIamAccountSettings(GetIamAccountSettingsArgs args, InvokeOptions options)
    public static Output<GetIamAccountSettingsResult> getIamAccountSettings(GetIamAccountSettingsArgs args, InvokeOptions options)
    
    fn::invoke:
      function: ibm:index/getIamAccountSettings:getIamAccountSettings
      arguments:
        # arguments dictionary

    The following arguments are supported:

    Id string
    The unique identifier of the iam_account_settings.
    IncludeHistory bool
    Defines if the entity history is included in the response.

    • Constraints: The default value is false.
    ResolveUserMfa bool
    Enrich MFA exemptions with user PI.

    • Constraints: The default value is false.
    id String
    The unique identifier of the iam_account_settings.
    includeHistory Boolean
    Defines if the entity history is included in the response.

    • Constraints: The default value is false.
    resolveUserMfa Boolean
    Enrich MFA exemptions with user PI.

    • Constraints: The default value is false.
    id string
    The unique identifier of the iam_account_settings.
    includeHistory boolean
    Defines if the entity history is included in the response.

    • Constraints: The default value is false.
    resolveUserMfa boolean
    Enrich MFA exemptions with user PI.

    • Constraints: The default value is false.
    id str
    The unique identifier of the iam_account_settings.
    include_history bool
    Defines if the entity history is included in the response.

    • Constraints: The default value is false.
    resolve_user_mfa bool
    Enrich MFA exemptions with user PI.

    • Constraints: The default value is false.

    getIamAccountSettings Result

    The following output properties are available:

    AccountId string
    AllowedIpAddresses string
    (String) Defines the IP addresses and subnets from which IAM tokens can be created for the account.
    EntityTag string
    (String) The version of an account settings.
    Histories List<GetIamAccountSettingsHistory>
    (String) The history of an account settings. Nested history blocks have the following structure.

    • Nested schema for history:
    Id string
    The unique identifier of the iam_account_settings.
    MaxSessionsPerIdentity string
    (String) Defines the max allowed sessions per identity required by the account. Valid values: * Any whole number greater than 0 * NOT_SET - To unset account setting and use service default.
    Mfa string
    (String) MFA trait definitions as follows: * NONE - No MFA trait set * NONE_NO_ROPC - No MFA, disable CLI logins with only a password * TOTP - For all non-federated IBMId users * TOTP4ALL - For all users * LEVEL1 - Email-based MFA for all users * LEVEL2 - TOTP-based MFA for all users * LEVEL3 - U2F MFA for all users.

    • Constraints: Allowable values are: NONE, NONE_NO_ROPC, TOTP, TOTP4ALL, LEVEL1, LEVEL2, LEVEL3.
    RestrictCreatePlatformApikey string
    (String) Defines whether or not creating the resource is access controlled. Valid values: * RESTRICTED - only users assigned the 'Service ID creator' role on the IAM Identity Service can create service IDs, including the account owner * NOT_RESTRICTED - all members of an account can create service IDs * NOT_SET - to 'unset' a previous set value.

    • Constraints: The default value is NOT_SET. Allowable values are: RESTRICTED, NOT_RESTRICTED, NOT_SET.
    RestrictCreateServiceId string
    (String) Defines whether or not creating the resource is access controlled. Valid values: * RESTRICTED - only users assigned the 'Service ID creator' role on the IAM Identity Service can create service IDs, including the account owner * NOT_RESTRICTED - all members of an account can create service IDs * NOT_SET - to 'unset' a previous set value.

    • Constraints: The default value is NOT_SET. Allowable values are: RESTRICTED, NOT_RESTRICTED, NOT_SET.
    RestrictUserDomains List<GetIamAccountSettingsRestrictUserDomain>
    (List) Defines if account invitations are restricted to specified domains. To remove an entry for a realm_id, perform an update (PUT) request with only the realm_id set.

    • Nested schema for restrict_user_domains:
    RestrictUserListVisibility string
    (String) Defines whether or not user visibility is access controlled. Valid values: * RESTRICTED - users can view only specific types of users in the account, such as those the user has invited to the account, or descendants of those users based on the classic infrastructure hierarchy * NOT_RESTRICTED - any user in the account can view other users from the Users page in IBM Cloud console.

    • Constraints: The default value is NOT_RESTRICTED. Allowable values are: NOT_RESTRICTED, RESTRICTED.
    SessionExpirationInSeconds string
    (String) Defines the session expiration in seconds for the account. Valid values: * Any whole number between '900' and '86400' * NOT_SET - To unset account setting and use service default.

    • Constraints: The default value is 86400.
    SessionInvalidationInSeconds string
    (String) Defines the period of time in seconds in which a session will be invalidated due to inactivity. Valid values: * Any whole number between '900' and '7200' * NOT_SET - To unset account setting and use service default.

    • Constraints: The default value is 7200.
    SystemAccessTokenExpirationInSeconds string
    (String) Defines the access token expiration in seconds. Valid values: * Any whole number between '900' and '3600' * NOT_SET - To unset account setting and use service default.

    • Constraints: The default value is 3600.
    SystemRefreshTokenExpirationInSeconds string
    (String) Defines the refresh token expiration in seconds. Valid values: * Any whole number between '900' and '259200' * NOT_SET - To unset account setting and use service default.

    • Constraints: The default value is 259200.
    UserMfas List<GetIamAccountSettingsUserMfa>
    (List) List of users that are exempted from the MFA requirement of the account.

    • Nested schema for user_mfa:
    IncludeHistory bool
    ResolveUserMfa bool
    AccountId string
    AllowedIpAddresses string
    (String) Defines the IP addresses and subnets from which IAM tokens can be created for the account.
    EntityTag string
    (String) The version of an account settings.
    Histories []GetIamAccountSettingsHistory
    (String) The history of an account settings. Nested history blocks have the following structure.

    • Nested schema for history:
    Id string
    The unique identifier of the iam_account_settings.
    MaxSessionsPerIdentity string
    (String) Defines the max allowed sessions per identity required by the account. Valid values: * Any whole number greater than 0 * NOT_SET - To unset account setting and use service default.
    Mfa string
    (String) MFA trait definitions as follows: * NONE - No MFA trait set * NONE_NO_ROPC - No MFA, disable CLI logins with only a password * TOTP - For all non-federated IBMId users * TOTP4ALL - For all users * LEVEL1 - Email-based MFA for all users * LEVEL2 - TOTP-based MFA for all users * LEVEL3 - U2F MFA for all users.

    • Constraints: Allowable values are: NONE, NONE_NO_ROPC, TOTP, TOTP4ALL, LEVEL1, LEVEL2, LEVEL3.
    RestrictCreatePlatformApikey string
    (String) Defines whether or not creating the resource is access controlled. Valid values: * RESTRICTED - only users assigned the 'Service ID creator' role on the IAM Identity Service can create service IDs, including the account owner * NOT_RESTRICTED - all members of an account can create service IDs * NOT_SET - to 'unset' a previous set value.

    • Constraints: The default value is NOT_SET. Allowable values are: RESTRICTED, NOT_RESTRICTED, NOT_SET.
    RestrictCreateServiceId string
    (String) Defines whether or not creating the resource is access controlled. Valid values: * RESTRICTED - only users assigned the 'Service ID creator' role on the IAM Identity Service can create service IDs, including the account owner * NOT_RESTRICTED - all members of an account can create service IDs * NOT_SET - to 'unset' a previous set value.

    • Constraints: The default value is NOT_SET. Allowable values are: RESTRICTED, NOT_RESTRICTED, NOT_SET.
    RestrictUserDomains []GetIamAccountSettingsRestrictUserDomain
    (List) Defines if account invitations are restricted to specified domains. To remove an entry for a realm_id, perform an update (PUT) request with only the realm_id set.

    • Nested schema for restrict_user_domains:
    RestrictUserListVisibility string
    (String) Defines whether or not user visibility is access controlled. Valid values: * RESTRICTED - users can view only specific types of users in the account, such as those the user has invited to the account, or descendants of those users based on the classic infrastructure hierarchy * NOT_RESTRICTED - any user in the account can view other users from the Users page in IBM Cloud console.

    • Constraints: The default value is NOT_RESTRICTED. Allowable values are: NOT_RESTRICTED, RESTRICTED.
    SessionExpirationInSeconds string
    (String) Defines the session expiration in seconds for the account. Valid values: * Any whole number between '900' and '86400' * NOT_SET - To unset account setting and use service default.

    • Constraints: The default value is 86400.
    SessionInvalidationInSeconds string
    (String) Defines the period of time in seconds in which a session will be invalidated due to inactivity. Valid values: * Any whole number between '900' and '7200' * NOT_SET - To unset account setting and use service default.

    • Constraints: The default value is 7200.
    SystemAccessTokenExpirationInSeconds string
    (String) Defines the access token expiration in seconds. Valid values: * Any whole number between '900' and '3600' * NOT_SET - To unset account setting and use service default.

    • Constraints: The default value is 3600.
    SystemRefreshTokenExpirationInSeconds string
    (String) Defines the refresh token expiration in seconds. Valid values: * Any whole number between '900' and '259200' * NOT_SET - To unset account setting and use service default.

    • Constraints: The default value is 259200.
    UserMfas []GetIamAccountSettingsUserMfa
    (List) List of users that are exempted from the MFA requirement of the account.

    • Nested schema for user_mfa:
    IncludeHistory bool
    ResolveUserMfa bool
    accountId String
    allowedIpAddresses String
    (String) Defines the IP addresses and subnets from which IAM tokens can be created for the account.
    entityTag String
    (String) The version of an account settings.
    histories List<GetIamAccountSettingsHistory>
    (String) The history of an account settings. Nested history blocks have the following structure.

    • Nested schema for history:
    id String
    The unique identifier of the iam_account_settings.
    maxSessionsPerIdentity String
    (String) Defines the max allowed sessions per identity required by the account. Valid values: * Any whole number greater than 0 * NOT_SET - To unset account setting and use service default.
    mfa String
    (String) MFA trait definitions as follows: * NONE - No MFA trait set * NONE_NO_ROPC - No MFA, disable CLI logins with only a password * TOTP - For all non-federated IBMId users * TOTP4ALL - For all users * LEVEL1 - Email-based MFA for all users * LEVEL2 - TOTP-based MFA for all users * LEVEL3 - U2F MFA for all users.

    • Constraints: Allowable values are: NONE, NONE_NO_ROPC, TOTP, TOTP4ALL, LEVEL1, LEVEL2, LEVEL3.
    restrictCreatePlatformApikey String
    (String) Defines whether or not creating the resource is access controlled. Valid values: * RESTRICTED - only users assigned the 'Service ID creator' role on the IAM Identity Service can create service IDs, including the account owner * NOT_RESTRICTED - all members of an account can create service IDs * NOT_SET - to 'unset' a previous set value.

    • Constraints: The default value is NOT_SET. Allowable values are: RESTRICTED, NOT_RESTRICTED, NOT_SET.
    restrictCreateServiceId String
    (String) Defines whether or not creating the resource is access controlled. Valid values: * RESTRICTED - only users assigned the 'Service ID creator' role on the IAM Identity Service can create service IDs, including the account owner * NOT_RESTRICTED - all members of an account can create service IDs * NOT_SET - to 'unset' a previous set value.

    • Constraints: The default value is NOT_SET. Allowable values are: RESTRICTED, NOT_RESTRICTED, NOT_SET.
    restrictUserDomains List<GetIamAccountSettingsRestrictUserDomain>
    (List) Defines if account invitations are restricted to specified domains. To remove an entry for a realm_id, perform an update (PUT) request with only the realm_id set.

    • Nested schema for restrict_user_domains:
    restrictUserListVisibility String
    (String) Defines whether or not user visibility is access controlled. Valid values: * RESTRICTED - users can view only specific types of users in the account, such as those the user has invited to the account, or descendants of those users based on the classic infrastructure hierarchy * NOT_RESTRICTED - any user in the account can view other users from the Users page in IBM Cloud console.

    • Constraints: The default value is NOT_RESTRICTED. Allowable values are: NOT_RESTRICTED, RESTRICTED.
    sessionExpirationInSeconds String
    (String) Defines the session expiration in seconds for the account. Valid values: * Any whole number between '900' and '86400' * NOT_SET - To unset account setting and use service default.

    • Constraints: The default value is 86400.
    sessionInvalidationInSeconds String
    (String) Defines the period of time in seconds in which a session will be invalidated due to inactivity. Valid values: * Any whole number between '900' and '7200' * NOT_SET - To unset account setting and use service default.

    • Constraints: The default value is 7200.
    systemAccessTokenExpirationInSeconds String
    (String) Defines the access token expiration in seconds. Valid values: * Any whole number between '900' and '3600' * NOT_SET - To unset account setting and use service default.

    • Constraints: The default value is 3600.
    systemRefreshTokenExpirationInSeconds String
    (String) Defines the refresh token expiration in seconds. Valid values: * Any whole number between '900' and '259200' * NOT_SET - To unset account setting and use service default.

    • Constraints: The default value is 259200.
    userMfas List<GetIamAccountSettingsUserMfa>
    (List) List of users that are exempted from the MFA requirement of the account.

    • Nested schema for user_mfa:
    includeHistory Boolean
    resolveUserMfa Boolean
    accountId string
    allowedIpAddresses string
    (String) Defines the IP addresses and subnets from which IAM tokens can be created for the account.
    entityTag string
    (String) The version of an account settings.
    histories GetIamAccountSettingsHistory[]
    (String) The history of an account settings. Nested history blocks have the following structure.

    • Nested schema for history:
    id string
    The unique identifier of the iam_account_settings.
    maxSessionsPerIdentity string
    (String) Defines the max allowed sessions per identity required by the account. Valid values: * Any whole number greater than 0 * NOT_SET - To unset account setting and use service default.
    mfa string
    (String) MFA trait definitions as follows: * NONE - No MFA trait set * NONE_NO_ROPC - No MFA, disable CLI logins with only a password * TOTP - For all non-federated IBMId users * TOTP4ALL - For all users * LEVEL1 - Email-based MFA for all users * LEVEL2 - TOTP-based MFA for all users * LEVEL3 - U2F MFA for all users.

    • Constraints: Allowable values are: NONE, NONE_NO_ROPC, TOTP, TOTP4ALL, LEVEL1, LEVEL2, LEVEL3.
    restrictCreatePlatformApikey string
    (String) Defines whether or not creating the resource is access controlled. Valid values: * RESTRICTED - only users assigned the 'Service ID creator' role on the IAM Identity Service can create service IDs, including the account owner * NOT_RESTRICTED - all members of an account can create service IDs * NOT_SET - to 'unset' a previous set value.

    • Constraints: The default value is NOT_SET. Allowable values are: RESTRICTED, NOT_RESTRICTED, NOT_SET.
    restrictCreateServiceId string
    (String) Defines whether or not creating the resource is access controlled. Valid values: * RESTRICTED - only users assigned the 'Service ID creator' role on the IAM Identity Service can create service IDs, including the account owner * NOT_RESTRICTED - all members of an account can create service IDs * NOT_SET - to 'unset' a previous set value.

    • Constraints: The default value is NOT_SET. Allowable values are: RESTRICTED, NOT_RESTRICTED, NOT_SET.
    restrictUserDomains GetIamAccountSettingsRestrictUserDomain[]
    (List) Defines if account invitations are restricted to specified domains. To remove an entry for a realm_id, perform an update (PUT) request with only the realm_id set.

    • Nested schema for restrict_user_domains:
    restrictUserListVisibility string
    (String) Defines whether or not user visibility is access controlled. Valid values: * RESTRICTED - users can view only specific types of users in the account, such as those the user has invited to the account, or descendants of those users based on the classic infrastructure hierarchy * NOT_RESTRICTED - any user in the account can view other users from the Users page in IBM Cloud console.

    • Constraints: The default value is NOT_RESTRICTED. Allowable values are: NOT_RESTRICTED, RESTRICTED.
    sessionExpirationInSeconds string
    (String) Defines the session expiration in seconds for the account. Valid values: * Any whole number between '900' and '86400' * NOT_SET - To unset account setting and use service default.

    • Constraints: The default value is 86400.
    sessionInvalidationInSeconds string
    (String) Defines the period of time in seconds in which a session will be invalidated due to inactivity. Valid values: * Any whole number between '900' and '7200' * NOT_SET - To unset account setting and use service default.

    • Constraints: The default value is 7200.
    systemAccessTokenExpirationInSeconds string
    (String) Defines the access token expiration in seconds. Valid values: * Any whole number between '900' and '3600' * NOT_SET - To unset account setting and use service default.

    • Constraints: The default value is 3600.
    systemRefreshTokenExpirationInSeconds string
    (String) Defines the refresh token expiration in seconds. Valid values: * Any whole number between '900' and '259200' * NOT_SET - To unset account setting and use service default.

    • Constraints: The default value is 259200.
    userMfas GetIamAccountSettingsUserMfa[]
    (List) List of users that are exempted from the MFA requirement of the account.

    • Nested schema for user_mfa:
    includeHistory boolean
    resolveUserMfa boolean
    account_id str
    allowed_ip_addresses str
    (String) Defines the IP addresses and subnets from which IAM tokens can be created for the account.
    entity_tag str
    (String) The version of an account settings.
    histories Sequence[GetIamAccountSettingsHistory]
    (String) The history of an account settings. Nested history blocks have the following structure.

    • Nested schema for history:
    id str
    The unique identifier of the iam_account_settings.
    max_sessions_per_identity str
    (String) Defines the max allowed sessions per identity required by the account. Valid values: * Any whole number greater than 0 * NOT_SET - To unset account setting and use service default.
    mfa str
    (String) MFA trait definitions as follows: * NONE - No MFA trait set * NONE_NO_ROPC - No MFA, disable CLI logins with only a password * TOTP - For all non-federated IBMId users * TOTP4ALL - For all users * LEVEL1 - Email-based MFA for all users * LEVEL2 - TOTP-based MFA for all users * LEVEL3 - U2F MFA for all users.

    • Constraints: Allowable values are: NONE, NONE_NO_ROPC, TOTP, TOTP4ALL, LEVEL1, LEVEL2, LEVEL3.
    restrict_create_platform_apikey str
    (String) Defines whether or not creating the resource is access controlled. Valid values: * RESTRICTED - only users assigned the 'Service ID creator' role on the IAM Identity Service can create service IDs, including the account owner * NOT_RESTRICTED - all members of an account can create service IDs * NOT_SET - to 'unset' a previous set value.

    • Constraints: The default value is NOT_SET. Allowable values are: RESTRICTED, NOT_RESTRICTED, NOT_SET.
    restrict_create_service_id str
    (String) Defines whether or not creating the resource is access controlled. Valid values: * RESTRICTED - only users assigned the 'Service ID creator' role on the IAM Identity Service can create service IDs, including the account owner * NOT_RESTRICTED - all members of an account can create service IDs * NOT_SET - to 'unset' a previous set value.

    • Constraints: The default value is NOT_SET. Allowable values are: RESTRICTED, NOT_RESTRICTED, NOT_SET.
    restrict_user_domains Sequence[GetIamAccountSettingsRestrictUserDomain]
    (List) Defines if account invitations are restricted to specified domains. To remove an entry for a realm_id, perform an update (PUT) request with only the realm_id set.

    • Nested schema for restrict_user_domains:
    restrict_user_list_visibility str
    (String) Defines whether or not user visibility is access controlled. Valid values: * RESTRICTED - users can view only specific types of users in the account, such as those the user has invited to the account, or descendants of those users based on the classic infrastructure hierarchy * NOT_RESTRICTED - any user in the account can view other users from the Users page in IBM Cloud console.

    • Constraints: The default value is NOT_RESTRICTED. Allowable values are: NOT_RESTRICTED, RESTRICTED.
    session_expiration_in_seconds str
    (String) Defines the session expiration in seconds for the account. Valid values: * Any whole number between '900' and '86400' * NOT_SET - To unset account setting and use service default.

    • Constraints: The default value is 86400.
    session_invalidation_in_seconds str
    (String) Defines the period of time in seconds in which a session will be invalidated due to inactivity. Valid values: * Any whole number between '900' and '7200' * NOT_SET - To unset account setting and use service default.

    • Constraints: The default value is 7200.
    system_access_token_expiration_in_seconds str
    (String) Defines the access token expiration in seconds. Valid values: * Any whole number between '900' and '3600' * NOT_SET - To unset account setting and use service default.

    • Constraints: The default value is 3600.
    system_refresh_token_expiration_in_seconds str
    (String) Defines the refresh token expiration in seconds. Valid values: * Any whole number between '900' and '259200' * NOT_SET - To unset account setting and use service default.

    • Constraints: The default value is 259200.
    user_mfas Sequence[GetIamAccountSettingsUserMfa]
    (List) List of users that are exempted from the MFA requirement of the account.

    • Nested schema for user_mfa:
    include_history bool
    resolve_user_mfa bool
    accountId String
    allowedIpAddresses String
    (String) Defines the IP addresses and subnets from which IAM tokens can be created for the account.
    entityTag String
    (String) The version of an account settings.
    histories List<Property Map>
    (String) The history of an account settings. Nested history blocks have the following structure.

    • Nested schema for history:
    id String
    The unique identifier of the iam_account_settings.
    maxSessionsPerIdentity String
    (String) Defines the max allowed sessions per identity required by the account. Valid values: * Any whole number greater than 0 * NOT_SET - To unset account setting and use service default.
    mfa String
    (String) MFA trait definitions as follows: * NONE - No MFA trait set * NONE_NO_ROPC - No MFA, disable CLI logins with only a password * TOTP - For all non-federated IBMId users * TOTP4ALL - For all users * LEVEL1 - Email-based MFA for all users * LEVEL2 - TOTP-based MFA for all users * LEVEL3 - U2F MFA for all users.

    • Constraints: Allowable values are: NONE, NONE_NO_ROPC, TOTP, TOTP4ALL, LEVEL1, LEVEL2, LEVEL3.
    restrictCreatePlatformApikey String
    (String) Defines whether or not creating the resource is access controlled. Valid values: * RESTRICTED - only users assigned the 'Service ID creator' role on the IAM Identity Service can create service IDs, including the account owner * NOT_RESTRICTED - all members of an account can create service IDs * NOT_SET - to 'unset' a previous set value.

    • Constraints: The default value is NOT_SET. Allowable values are: RESTRICTED, NOT_RESTRICTED, NOT_SET.
    restrictCreateServiceId String
    (String) Defines whether or not creating the resource is access controlled. Valid values: * RESTRICTED - only users assigned the 'Service ID creator' role on the IAM Identity Service can create service IDs, including the account owner * NOT_RESTRICTED - all members of an account can create service IDs * NOT_SET - to 'unset' a previous set value.

    • Constraints: The default value is NOT_SET. Allowable values are: RESTRICTED, NOT_RESTRICTED, NOT_SET.
    restrictUserDomains List<Property Map>
    (List) Defines if account invitations are restricted to specified domains. To remove an entry for a realm_id, perform an update (PUT) request with only the realm_id set.

    • Nested schema for restrict_user_domains:
    restrictUserListVisibility String
    (String) Defines whether or not user visibility is access controlled. Valid values: * RESTRICTED - users can view only specific types of users in the account, such as those the user has invited to the account, or descendants of those users based on the classic infrastructure hierarchy * NOT_RESTRICTED - any user in the account can view other users from the Users page in IBM Cloud console.

    • Constraints: The default value is NOT_RESTRICTED. Allowable values are: NOT_RESTRICTED, RESTRICTED.
    sessionExpirationInSeconds String
    (String) Defines the session expiration in seconds for the account. Valid values: * Any whole number between '900' and '86400' * NOT_SET - To unset account setting and use service default.

    • Constraints: The default value is 86400.
    sessionInvalidationInSeconds String
    (String) Defines the period of time in seconds in which a session will be invalidated due to inactivity. Valid values: * Any whole number between '900' and '7200' * NOT_SET - To unset account setting and use service default.

    • Constraints: The default value is 7200.
    systemAccessTokenExpirationInSeconds String
    (String) Defines the access token expiration in seconds. Valid values: * Any whole number between '900' and '3600' * NOT_SET - To unset account setting and use service default.

    • Constraints: The default value is 3600.
    systemRefreshTokenExpirationInSeconds String
    (String) Defines the refresh token expiration in seconds. Valid values: * Any whole number between '900' and '259200' * NOT_SET - To unset account setting and use service default.

    • Constraints: The default value is 259200.
    userMfas List<Property Map>
    (List) List of users that are exempted from the MFA requirement of the account.

    • Nested schema for user_mfa:
    includeHistory Boolean
    resolveUserMfa Boolean

    Supporting Types

    GetIamAccountSettingsHistory

    Action string
    (String) Action of the history entry.
    IamId string
    (String) The iam_id of the user.
    IamIdAccount string
    (String) Account of the identity which triggered the action.
    Message string
    (String) Message which summarizes the executed action.
    Params List<string>
    (List) Params of the history entry.
    Timestamp string
    (String) Timestamp when the action was triggered.
    Action string
    (String) Action of the history entry.
    IamId string
    (String) The iam_id of the user.
    IamIdAccount string
    (String) Account of the identity which triggered the action.
    Message string
    (String) Message which summarizes the executed action.
    Params []string
    (List) Params of the history entry.
    Timestamp string
    (String) Timestamp when the action was triggered.
    action String
    (String) Action of the history entry.
    iamId String
    (String) The iam_id of the user.
    iamIdAccount String
    (String) Account of the identity which triggered the action.
    message String
    (String) Message which summarizes the executed action.
    params List<String>
    (List) Params of the history entry.
    timestamp String
    (String) Timestamp when the action was triggered.
    action string
    (String) Action of the history entry.
    iamId string
    (String) The iam_id of the user.
    iamIdAccount string
    (String) Account of the identity which triggered the action.
    message string
    (String) Message which summarizes the executed action.
    params string[]
    (List) Params of the history entry.
    timestamp string
    (String) Timestamp when the action was triggered.
    action str
    (String) Action of the history entry.
    iam_id str
    (String) The iam_id of the user.
    iam_id_account str
    (String) Account of the identity which triggered the action.
    message str
    (String) Message which summarizes the executed action.
    params Sequence[str]
    (List) Params of the history entry.
    timestamp str
    (String) Timestamp when the action was triggered.
    action String
    (String) Action of the history entry.
    iamId String
    (String) The iam_id of the user.
    iamIdAccount String
    (String) Account of the identity which triggered the action.
    message String
    (String) Message which summarizes the executed action.
    params List<String>
    (List) Params of the history entry.
    timestamp String
    (String) Timestamp when the action was triggered.

    GetIamAccountSettingsRestrictUserDomain

    InvitationEmailAllowPatterns List<string>
    (List) The list of allowed email patterns. Wildcard syntax is supported, '*' represents any sequence of zero or more characters in the string, except for '.' and '@'. The sequence ends if a '.' or '@' was found. '**' represents any sequence of zero or more characters in the string - without limit.
    RealmId string
    (String) The realm that the restrictions apply to.
    RestrictInvitation bool
    (Boolean) When true invites will only be possible to the domain patterns provided, otherwise invites are unrestricted.
    InvitationEmailAllowPatterns []string
    (List) The list of allowed email patterns. Wildcard syntax is supported, '*' represents any sequence of zero or more characters in the string, except for '.' and '@'. The sequence ends if a '.' or '@' was found. '**' represents any sequence of zero or more characters in the string - without limit.
    RealmId string
    (String) The realm that the restrictions apply to.
    RestrictInvitation bool
    (Boolean) When true invites will only be possible to the domain patterns provided, otherwise invites are unrestricted.
    invitationEmailAllowPatterns List<String>
    (List) The list of allowed email patterns. Wildcard syntax is supported, '*' represents any sequence of zero or more characters in the string, except for '.' and '@'. The sequence ends if a '.' or '@' was found. '**' represents any sequence of zero or more characters in the string - without limit.
    realmId String
    (String) The realm that the restrictions apply to.
    restrictInvitation Boolean
    (Boolean) When true invites will only be possible to the domain patterns provided, otherwise invites are unrestricted.
    invitationEmailAllowPatterns string[]
    (List) The list of allowed email patterns. Wildcard syntax is supported, '*' represents any sequence of zero or more characters in the string, except for '.' and '@'. The sequence ends if a '.' or '@' was found. '**' represents any sequence of zero or more characters in the string - without limit.
    realmId string
    (String) The realm that the restrictions apply to.
    restrictInvitation boolean
    (Boolean) When true invites will only be possible to the domain patterns provided, otherwise invites are unrestricted.
    invitation_email_allow_patterns Sequence[str]
    (List) The list of allowed email patterns. Wildcard syntax is supported, '*' represents any sequence of zero or more characters in the string, except for '.' and '@'. The sequence ends if a '.' or '@' was found. '**' represents any sequence of zero or more characters in the string - without limit.
    realm_id str
    (String) The realm that the restrictions apply to.
    restrict_invitation bool
    (Boolean) When true invites will only be possible to the domain patterns provided, otherwise invites are unrestricted.
    invitationEmailAllowPatterns List<String>
    (List) The list of allowed email patterns. Wildcard syntax is supported, '*' represents any sequence of zero or more characters in the string, except for '.' and '@'. The sequence ends if a '.' or '@' was found. '**' represents any sequence of zero or more characters in the string - without limit.
    realmId String
    (String) The realm that the restrictions apply to.
    restrictInvitation Boolean
    (Boolean) When true invites will only be possible to the domain patterns provided, otherwise invites are unrestricted.
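
The wildcard rules for invitation_email_allow_patterns, worked through as an added example (not part of the provider or its documentation). It assumes each restrict_user_domains entry is a plain dict with the Python field names listed above; the realm ids, patterns, probe address and helper names are constructed for illustration.

```python
import re

def pattern_to_regex(pattern):
    """Translate an allow pattern using the wildcard rules described above."""
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")        # '**': any sequence, without limit
            i += 2
        elif pattern[i] == "*":
            parts.append("[^.@]*")    # '*': any sequence that stops at '.' or '@'
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    # Case handling is not specified on the page, so match exactly as written.
    return re.compile("".join(parts), re.DOTALL)

def invitation_allowed(email, entry):
    """True if the entry would let this address be invited."""
    if not entry["restrict_invitation"]:
        return True                   # invites are unrestricted for this realm
    return any(pattern_to_regex(p).fullmatch(email)
               for p in entry["invitation_email_allow_patterns"])

# Constructed address at a domain no real allow list should cover.
PROBE = "probe@outside.invalid"

def audit_domains(entries):
    """Flag realms that are unrestricted or whose patterns admit any domain."""
    findings = []
    for entry in entries:
        realm = entry["realm_id"]
        if not entry["restrict_invitation"]:
            findings.append((realm, "invitations unrestricted"))
            continue
        for p in entry["invitation_email_allow_patterns"]:
            if pattern_to_regex(p).fullmatch(PROBE):
                findings.append((realm, f"pattern {p!r} admits any domain"))
    return findings

# Constructed sample data, not taken from a real account.
SAMPLE = [
    {"realm_id": "realm-a", "restrict_invitation": True,
     "invitation_email_allow_patterns": ["*@example.com", "*@**"]},
    {"realm_id": "realm-b", "restrict_invitation": False,
     "invitation_email_allow_patterns": []},
]
```

Under these rules `*@example.com` does not cover an address whose local part contains a dot, such as `alice.smith@example.com`; `**@example.com` does.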

    GetIamAccountSettingsUserMfa

    Description string
    (String) optional description.
    Email string
    (String) email of the user.
    IamId string
    (String) The iam_id of the user.
    Mfa string
    (String) MFA trait definitions as follows: * NONE - No MFA trait set * NONE_NO_ROPC - No MFA, disable CLI logins with only a password * TOTP - For all non-federated IBMId users * TOTP4ALL - For all users * LEVEL1 - Email-based MFA for all users * LEVEL2 - TOTP-based MFA for all users * LEVEL3 - U2F MFA for all users.

    • Constraints: Allowable values are: NONE, NONE_NO_ROPC, TOTP, TOTP4ALL, LEVEL1, LEVEL2, LEVEL3.
    Name string
    (String) name of the user account.
    UserName string
    (String) userName of the user.
    Description string
    (String) optional description.
    Email string
    (String) email of the user.
    IamId string
    (String) The iam_id of the user.
    Mfa string
    (String) MFA trait definitions as follows: * NONE - No MFA trait set * NONE_NO_ROPC - No MFA, disable CLI logins with only a password * TOTP - For all non-federated IBMId users * TOTP4ALL - For all users * LEVEL1 - Email-based MFA for all users * LEVEL2 - TOTP-based MFA for all users * LEVEL3 - U2F MFA for all users.

    • Constraints: Allowable values are: NONE, NONE_NO_ROPC, TOTP, TOTP4ALL, LEVEL1, LEVEL2, LEVEL3.
    Name string
    (String) name of the user account.
    UserName string
    (String) userName of the user.
    description String
    (String) optional description.
    email String
    (String) email of the user.
    iamId String
    (String) The iam_id of the user.
    mfa String
    (String) MFA trait definitions as follows: * NONE - No MFA trait set * NONE_NO_ROPC - No MFA, disable CLI logins with only a password * TOTP - For all non-federated IBMId users * TOTP4ALL - For all users * LEVEL1 - Email-based MFA for all users * LEVEL2 - TOTP-based MFA for all users * LEVEL3 - U2F MFA for all users.

    • Constraints: Allowable values are: NONE, NONE_NO_ROPC, TOTP, TOTP4ALL, LEVEL1, LEVEL2, LEVEL3.
    name String
    (String) name of the user account.
    userName String
    (String) userName of the user.
    description string
    (String) optional description.
    email string
    (String) email of the user.
    iamId string
    (String) The iam_id of the user.
    mfa string
    (String) MFA trait definitions as follows: * NONE - No MFA trait set * NONE_NO_ROPC - No MFA, disable CLI logins with only a password * TOTP - For all non-federated IBMId users * TOTP4ALL - For all users * LEVEL1 - Email-based MFA for all users * LEVEL2 - TOTP-based MFA for all users * LEVEL3 - U2F MFA for all users.

    • Constraints: Allowable values are: NONE, NONE_NO_ROPC, TOTP, TOTP4ALL, LEVEL1, LEVEL2, LEVEL3.
    name string
    (String) name of the user account.
    userName string
    (String) userName of the user.
    description str
    (String) optional description.
    email str
    (String) email of the user.
    iam_id str
    (String) The iam_id of the user.
    mfa str
    (String) MFA trait definitions as follows: * NONE - No MFA trait set * NONE_NO_ROPC - No MFA, disable CLI logins with only a password * TOTP - For all non-federated IBMId users * TOTP4ALL - For all users * LEVEL1 - Email-based MFA for all users * LEVEL2 - TOTP-based MFA for all users * LEVEL3 - U2F MFA for all users.

    • Constraints: Allowable values are: NONE, NONE_NO_ROPC, TOTP, TOTP4ALL, LEVEL1, LEVEL2, LEVEL3.
    name str
    (String) name of the user account.
    user_name str
    (String) userName of the user.
    description String
    (String) optional description.
    email String
    (String) email of the user.
    iamId String
    (String) The iam_id of the user.
    mfa String
    (String) MFA trait definitions as follows: * NONE - No MFA trait set * NONE_NO_ROPC - No MFA, disable CLI logins with only a password * TOTP - For all non-federated IBMId users * TOTP4ALL - For all users * LEVEL1 - Email-based MFA for all users * LEVEL2 - TOTP-based MFA for all users * LEVEL3 - U2F MFA for all users.

    • Constraints: Allowable values are: NONE, NONE_NO_ROPC, TOTP, TOTP4ALL, LEVEL1, LEVEL2, LEVEL3.
    name String
    (String) name of the user account.
    userName String
    (String) userName of the user.
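
A review check over the lifetime fields and MFA exemptions documented above, as an added example (not the provider's own code). It assumes the data source result has been copied into a plain dict keyed by the Python-style field names; the sample values, iam_ids, policy ceiling and function name are constructed.

```python
# Allowed ranges in seconds, copied from the property descriptions on this page.
RANGES = {
    "session_expiration_in_seconds": (900, 86400),
    "session_invalidation_in_seconds": (900, 7200),
    "system_access_token_expiration_in_seconds": (900, 3600),
    "system_refresh_token_expiration_in_seconds": (900, 259200),
}
# Traits the page defines as carrying no MFA.
NO_MFA_TRAITS = {"NONE", "NONE_NO_ROPC"}

def audit_settings(settings, max_seconds):
    """Return (subject, issue) findings.

    max_seconds maps a field name to the reviewer's own ceiling; it is a
    hypothetical local policy, not something the service defines.
    """
    findings = []
    for field, (low, high) in RANGES.items():
        raw = settings.get(field, "NOT_SET")   # the fields are strings
        if raw == "NOT_SET":
            findings.append((field, "NOT_SET: service default applies"))
            continue
        if not (raw.isascii() and raw.isdigit()) or not low <= int(raw) <= high:
            findings.append((field, f"{raw!r} outside {low}-{high}"))
        elif field in max_seconds and int(raw) > max_seconds[field]:
            findings.append(
                (field, f"{raw}s exceeds policy ceiling {max_seconds[field]}s"))
    # user_mfas lists users exempted from the account MFA requirement.
    for user in settings.get("user_mfas", []):
        if user["mfa"] in NO_MFA_TRAITS:
            findings.append(
                (user["iam_id"], f"MFA exemption with trait {user['mfa']}"))
    return findings

# Constructed sample data, not taken from a real account.
SAMPLE = {
    "session_expiration_in_seconds": "86400",
    "session_invalidation_in_seconds": "NOT_SET",
    "system_access_token_expiration_in_seconds": "3600",
    "system_refresh_token_expiration_in_seconds": "300",
    "user_mfas": [
        {"iam_id": "IBMid-EXAMPLE0001", "mfa": "NONE"},
        {"iam_id": "IBMid-EXAMPLE0002", "mfa": "LEVEL3"},
    ],
}
POLICY = {"session_expiration_in_seconds": 28800}  # hypothetical ceiling
```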

    Package Details

    Repository
    ibm ibm-cloud/terraform-provider-ibm
    License
    Notes
    This Pulumi package is based on the ibm Terraform Provider.