
feat(pam): add AWS IAM CLI access#285

Open
saifsmailbox98 wants to merge 3 commits into
pam-revampfrom
saif/pam-261-aws-web-and-cli-access

Conversation

@saifsmailbox98 saifsmailbox98 commented Jun 26, 2026

Contributor

Context

Adds AWS IAM CLI access. Running infisical pam access folder/account for an AWS IAM account writes temporary STS credentials to ~/.aws/credentials under a named profile (infisical-pam/<folder>/<account>). Credentials are cleaned up on Ctrl+C or session expiry. Same pattern as Kubernetes kubeconfig management.

Companion PR: Infisical/infisical#7054

Screenshots

Steps to verify the change

Type

  • Fix
  • Feature
  • Improvement
  • Breaking
  • Docs
  • Chore

Checklist

  • Title follows the conventional commit format: type(scope): short description (scope is optional, e.g., fix: prevent crash on sync or fix(api): handle null response).
  • Tested locally
  • Updated docs (if needed)
  • Updated CLAUDE.md files (if needed)
  • Read the contributing guide

Write temporary STS credentials to ~/.aws/credentials under a named
profile (infisical-pam/<folder>/<account>). Credentials are cleaned up
on Ctrl+C or session expiry. Follows the same pattern as Kubernetes
kubeconfig management.

linear Bot commented Jun 26, 2026


PAM-261

@infisical-review-police


💬 Discussion in Slack: #pr-review-cli-285-feat-pam-add-aws-iam-cli-access

Posted by Review Police — reviews, comments, new commits, and CI failures will stream into this channel.

greptile-apps Bot commented Jun 26, 2026

Contributor

Greptile Summary

This PR adds AWS IAM CLI access to the PAM module, writing temporary STS credentials to ~/.aws/credentials under a named profile (infisical-pam/<folder>/<account>) and cleaning them up on signal or session expiry. It follows the same pattern as the existing Kubernetes kubeconfig management.

  • aws-iam-access.go handles credential delivery: validates metadata fields, checks expiry before writing, writes the credentials file with 0o600 permissions, prints a session info banner, then waits for either a signal or the expiry timer before cleaning up the profile.
  • access.go removes the previous stub error and routes aws-iam account types to the new handler.

Confidence Score: 5/5

The change is safe to merge; previous blocking issues identified in review have been resolved and the remaining concerns are minor hardening items that do not affect correctness under normal use.

The core logic is sound: credentials are validated and expiry-checked before being written, file permissions are set unconditionally, and cleanup runs on both signal and timer paths. The open items — silent chmod failure, lack of file locking for concurrent sessions, and unvalidated INI section names — are edge-case hardening concerns that do not affect typical single-session use.

packages/pam/local/aws-iam-access.go — silent chmod failure, profile name sanitization, and concurrent-cleanup race are worth a follow-up pass.

Important Files Changed

Filename / Overview

packages/pam/local/aws-iam-access.go: New file implementing AWS IAM credential delivery via ~/.aws/credentials; previous review comments have been addressed, but silent chmod failure, unvalidated INI section names from user input, and lack of file locking for concurrent sessions remain.

packages/pam/local/access.go: One-line change routing the aws-iam account type to the new startAWSAccess handler instead of the previous stub error; no issues.

Reviews (3): Last reviewed commit: "fix(pam): check credential expiry before..."

veria-ai Bot commented Jun 26, 2026


PR overview

All previously flagged issues have been addressed. No open security concerns remain on this pull request.

Security review

No open security issues remain on this pull request.

Fixed/addressed: 1 · PR risk: 0/10

Use cfg.Section() instead of cfg.NewSection() so that a leftover
profile from a killed session is silently overwritten instead of
causing a fatal error. Also always chmod credentials file to 0600
after write (not just when creating it), and guard against negative
remaining duration from clock skew.
@saifsmailbox98

Contributor Author

@greptile review

Move the expiry guard before the file write so expired credentials
are never written to ~/.aws/credentials.
@saifsmailbox98

Contributor Author

@greptile review

@saifsmailbox98 saifsmailbox98 requested a review from bernie-g June 26, 2026 23:41