diff --git a/README.md b/README.md
index ef7034c..8d48e69 100644
--- a/README.md
+++ b/README.md
@@ -22,10 +22,10 @@ policies to them. We recommend creating your Users account via the
 ```hcl
 users = {
- "firstname1.lastname1" = { "require_mfa" = false, "self_managed" = true },
- "firstname2.lastname2" = { "require_mfa" = true, "self_managed" = true },
- "firstname3.lastname3" = { "require_mfa" = false, "self_managed" = true },
- "service-account1" = { "require_mfa" = false, "self_managed" = false },
+ "firstname1.lastname1" = { "console_access" = true, "require_mfa" = false, "self_managed" = true },
+ "firstname2.lastname2" = { "console_access" = true, "require_mfa" = true, "self_managed" = true },
+ "firstname3.lastname3" = { "console_access" = false, "require_mfa" = false, "self_managed" = true },
+ "service-account1" = { "console_access" = false, "require_mfa" = false, "self_managed" = false },
 }
 ```
@@ -70,7 +70,7 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | aws\_region | The AWS region where the non-global resources are to be provisioned (e.g. "us-east-1"). | `string` | `"us-east-1"` | no |
 | tags | Tags to apply to all AWS resources created. | `map(string)` | `{}` | no |
-| users | A map whose keys are the usernames of each non-admin user and whose values are a map containing supported user attributes. The currently-supported attributes are "require\_mfa" (boolean) and "self\_managed" (boolean). Example: { "firstname1.lastname1" = { "require\_mfa" = false, "self\_managed" = true }, "firstname2.lastname2" = { "require\_mfa" = true, "self\_managed" = true }, "firstname3.lastname3" = { "require\_mfa" = false, "self\_managed" = true }, "service-account1" = { "require\_mfa" = false, "self\_managed" = false } } | `map(object({ require_mfa = bool, self_managed = bool }))` | n/a | yes |
+| users | A map whose keys are the usernames of each non-admin user and whose values are a map containing supported user attributes. The currently-supported attributes are "console\_access" (boolean), "require\_mfa" (boolean), and "self\_managed" (boolean). Example: { "firstname1.lastname1" = { "console\_access" = true, "require\_mfa" = false, "self\_managed" = true }, "firstname2.lastname2" = { "console\_access" = true, "require\_mfa" = true, "self\_managed" = true }, "firstname3.lastname3" = { "console\_access" = false, "require\_mfa" = false, "self\_managed" = true }, "service-account1" = { "console\_access" = false, "require\_mfa" = false, "self\_managed" = false } } | `map(object({ console_access = bool, require_mfa = bool, self_managed = bool }))` | n/a | yes |
 ## Outputs ##
diff --git a/users.tf b/users.tf
index 6664530..8d160c6 100644
--- a/users.tf
+++ b/users.tf
@@ -12,7 +12,8 @@ resource "aws_iam_user" "users" {
 resource "aws_iam_user_login_profile" "users" {
 provider = aws.users
- for_each = toset(keys(var.users))
+ # for_each = toset(keys(var.users))
+ for_each = { for k, v in var.users : k => v if v["console_access"] }
 password_reset_required = true
 user = aws_iam_user.users[each.key].name
diff --git a/variables.tf b/variables.tf
index 0c7afd0..a72a3d1 100644
--- a/variables.tf
+++ b/variables.tf
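Review bot: The commented-out `# for_each = toset(keys(var.users))` left directly above the new for_each is dead code that the next reader has to puzzle over; version control already holds the old form, so replace it with a comment that explains the filter, e.g. `# Create a console password (login profile) only for users that opt in via console_access; service accounts and API-only users get none.` The filter reads `v["console_access"]`, while `v.console_access` is the idiomatic attribute access for the object type declared in variables.tf and reads more clearly as `for k, v in var.users : k => v if v.console_access`. Because the map keys are the same usernames the old toset(keys(var.users)) produced, existing login profiles for users with console_access = true should stay in place, and flipping a user to false removes their console password on the next apply, which is worth stating in the comment since that is now the credential-removal path. The aws_iam_user_login_profile resource block continues outside the hunk.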
@@ -5,9 +5,9 @@
 # ------------------------------------------------------------------------------
 variable "users" {
- description = "A map whose keys are the usernames of each non-admin user and whose values are a map containing supported user attributes. The currently-supported attributes are \"require_mfa\" (boolean) and \"self_managed\" (boolean). Example: { \"firstname1.lastname1\" = { \"require_mfa\" = false, \"self_managed\" = true }, \"firstname2.lastname2\" = { \"require_mfa\" = true, \"self_managed\" = true }, \"firstname3.lastname3\" = { \"require_mfa\" = false, \"self_managed\" = true }, \"service-account1\" = { \"require_mfa\" = false, \"self_managed\" = false } }"
+ description = "A map whose keys are the usernames of each non-admin user and whose values are a map containing supported user attributes. The currently-supported attributes are \"console_access\" (boolean), \"require_mfa\" (boolean), and \"self_managed\" (boolean). Example: { \"firstname1.lastname1\" = { \"console_access\" = true, \"require_mfa\" = false, \"self_managed\" = true }, \"firstname2.lastname2\" = { \"console_access\" = true, \"require_mfa\" = true, \"self_managed\" = true }, \"firstname3.lastname3\" = { \"console_access\" = false, \"require_mfa\" = false, \"self_managed\" = true }, \"service-account1\" = { \"console_access\" = false, \"require_mfa\" = false, \"self_managed\" = false } }"
 nullable = false
- type = map(object({ require_mfa = bool, self_managed = bool }))
+ type = map(object({ console_access = bool, require_mfa = bool, self_managed = bool }))
 }
 # ------------------------------------------------------------------------------
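Review bot: Adding `console_access = bool` to the object type makes the attribute mandatory, so any existing users map that omits it now fails type validation instead of keeping its previous behaviour, and the description does not tell callers what happens when it is missing. If the module's required Terraform version supports optional object attributes, `console_access = optional(bool, false)` keeps older configurations valid and defaults to the safer state of no console password unless a user is explicitly granted one; the description should then say that console_access defaults to false, and the README table in the earlier hunk would need the same type string. If the attribute is meant to be mandatory so that every user's console access is an explicit decision, say so in the description instead, since the variable text currently lists it only as a "supported attribute".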