Describe the bug
Suppose we have a boto3 session object corresponding to a root user. Let's name it root_session:
I've noticed two different behaviors:
root_user.user_name is None: this happens because, for reasons not clear to me (might have to do with lack of account alias), the underlying response from GetUser does not contain a UserName field. Since root_user.user is also None, it seems as if there's no way to delete the root user's login profile from this resource class.
root_user.user_name is not None: this doesn't work out either. The user_name value may be passed down to API calls which expect no username for root users. AFAICT, any explicit username value would be considered that of an IAM user. Due to the strict session policies for root tasks, you get something like this:
next(root_user.user.access_keys.all())
Traceback (most recent call last):
...
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the ListAccessKeys operation: User: arn:aws:iam::123412341234:root is not authorized to perform: iam:ListAccessKeys on resource: user myAccountUserName with an explicit deny in an identity-based policy
Regression Issue
Select this option if this issue appears to be a regression.
Expected Behavior
In either case outlined above, I expect a functional CurrentUser object that may be used to audit or delete root user credentials depending on the session policy in effect.
Current Behavior
Please see bug description.
Reproduction Steps
Please see bug description.
Possible Solution
No response
Additional Information/Context
No response
SDK version used
1.37.9
Environment details (OS name and version, etc.)
cpe:/o:fedoraproject:fedora:41
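
Added example (not part of the original issue and not boto3's own code): a workaround sketch that bypasses the CurrentUser resource and calls the low-level IAM client with UserName omitted, so each request targets the calling root principal rather than an IAM user. The helper names are hypothetical, and it assumes the session policy in effect allows each call.

```python
# Hypothetical helpers: `iam` is an IAM *client* created from the root session,
# e.g. root_session.client("iam"). No call below passes UserName, so IAM
# resolves the target from the credentials that signed the request.

def audit_root_credentials(iam):
    """Return a summary of the root user's password, access keys and MFA devices."""
    try:
        iam.get_login_profile()  # UserName deliberately omitted
        has_password = True
    except iam.exceptions.NoSuchEntityException:
        has_password = False  # no console password is set

    keys = iam.list_access_keys()["AccessKeyMetadata"]
    mfa_devices = iam.list_mfa_devices()["MFADevices"]
    return {
        "has_password": has_password,
        "access_key_ids": [k["AccessKeyId"] for k in keys],
        "mfa_serials": [m["SerialNumber"] for m in mfa_devices],
    }


def delete_root_login_profile(iam):
    """Delete the root console password; return False if there was none."""
    try:
        iam.delete_login_profile()  # UserName deliberately omitted
    except iam.exceptions.NoSuchEntityException:
        return False
    return True


if __name__ == "__main__":
    import boto3

    # Assumption: the default credential chain resolves to the root session
    # described in the issue (root_session).
    root_session = boto3.Session()
    print(audit_root_credentials(root_session.client("iam")))
```
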