import csv
import json
from datetime import datetime
from urllib import parse
from uuid import uuid4

import boto3
import pytest
import sure  # noqa # pylint: disable=unused-import
from botocore.exceptions import ClientError

from moto import mock_config, mock_iam, settings
from moto.backends import get_backend
from moto.core import ACCOUNT_ID
from moto.iam.models import aws_managed_policies
from moto.s3.responses import DEFAULT_REGION_NAME
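# Self-signed X.509 certificate used as an opaque fixture for the IAM
# server-certificate API tests. It is public material (no private key) and
# is not a secret. The PEM body must remain valid base64: any stray
# whitespace inside the lines breaks decoding for anything that parses it.
MOCK_CERT = """-----BEGIN CERTIFICATE-----
MIIBpzCCARACCQCY5yOdxCTrGjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQKDAxt
b3RvIHRlc3RpbmcwIBcNMTgxMTA1MTkwNTIwWhgPMjI5MjA4MTkxOTA1MjBaMBcx
FTATBgNVBAoMDG1vdG8gdGVzdGluZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
gYEA1Jn3g2h7LD3FLqdpcYNbFXCS4V4eDpuTCje9vKFcC3pi/01147X3zdfPy8Mt
ZhKxcREOwm4NXykh23P9KW7fBovpNwnbYsbPqj8Hf1ZaClrgku1arTVhEnKjx8zO
vaR/bVLCss4uE0E0VM1tJn/QGQsfthFsjuHtwx8uIWz35tUCAwEAATANBgkqhkiG
9w0BAQsFAAOBgQBWdOQ7bDc2nWkUhFjZoNIZrqjyNdjlMUndpwREVD7FQ/DuxJMj
FyDHrtlrS80dPUQWNYHw++oACDpWO01LGLPPrGmuO/7cOdojPEd852q5gd+7W9xt
8vUH+pBa6IBLbvBp+szli51V3TLSWcoyy4ceJNQU2vCkTLoFdS0RLd/7tQ==
-----END CERTIFICATE-----"""

# Minimal least-privilege identity policy: a single Allow for one action on
# one bucket. "Statement" is a single object rather than a list; the tests
# below round-trip the document through json.loads, so it must stay valid
# JSON with unpadded keys and values.
MOCK_POLICY = """
{
  "Version": "2012-10-17",
  "Statement":
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::example_bucket"
    }
}
"""

# Same grant as MOCK_POLICY with a distinct "Id" so that separate policy
# versions can be told apart when their parsed documents are compared.
MOCK_POLICY_2 = """
{
  "Version": "2012-10-17",
  "Id": "2",
  "Statement":
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::example_bucket"
    }
}
"""

# Third variant, "Id": "3", used alongside MOCK_POLICY_2 in the version tests.
MOCK_POLICY_3 = """
{
  "Version": "2012-10-17",
  "Id": "3",
  "Statement":
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::example_bucket"
    }
}
"""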
@mock_iam
def test_get_role__should_throw__when_role_does_not_exist():
    """GetRole on an unknown role name fails with NoSuchEntity.

    A missing role must surface as an error rather than an implicit/empty
    object, so callers cannot mistake a typo for a real role.
    """
    client = boto3.client("iam", region_name="us-east-1")

    with pytest.raises(ClientError) as exc_info:
        client.get_role(RoleName="unexisting_role")

    error = exc_info.value.response["Error"]
    assert error["Code"] == "NoSuchEntity"
    assert "not found" in error["Message"]
@mock_iam
def test_get_instance_profile__should_throw__when_instance_profile_does_not_exist():
    """GetInstanceProfile on an unknown name fails with NoSuchEntity."""
    client = boto3.client("iam", region_name="us-east-1")

    with pytest.raises(ClientError) as exc_info:
        client.get_instance_profile(InstanceProfileName="unexisting_instance_profile")

    error = exc_info.value.response["Error"]
    assert error["Code"] == "NoSuchEntity"
    assert "not found" in error["Message"]
@mock_iam
def test_create_role_and_instance_profile():
    """A role added to an instance profile is visible from both sides.

    Also checks that an instance profile created without a Path gets "/".
    """
    client = boto3.client("iam", region_name="us-east-1")

    # NOTE(review): the mock stores AssumeRolePolicyDocument and Path
    # verbatim. "some policy" is not JSON and "my-path" has no surrounding
    # slashes; moto only validates the trust document on
    # update_assume_role_policy (see test_update_assume_role_invalid_policy),
    # so passing here is not evidence that real IAM accepts these inputs.
    client.create_instance_profile(InstanceProfileName="my-profile", Path="my-path")
    client.create_role(
        RoleName="my-role", AssumeRolePolicyDocument="some policy", Path="/my-path/"
    )
    client.add_role_to_instance_profile(
        InstanceProfileName="my-profile", RoleName="my-role"
    )

    role = client.get_role(RoleName="my-role")["Role"]
    assert role["Path"] == "/my-path/"
    assert role["AssumeRolePolicyDocument"] == "some policy"

    profile = client.get_instance_profile(InstanceProfileName="my-profile")[
        "InstanceProfile"
    ]
    assert profile["Path"] == "my-path"
    attached_roles = profile["Roles"]
    assert len(attached_roles) == 1
    # The profile's embedded role record must match the role itself.
    assert attached_roles[0]["RoleId"] == role["RoleId"]
    assert attached_roles[0]["RoleName"] == "my-role"

    assert client.list_roles()["Roles"][0]["RoleName"] == "my-role"

    # Omitting Path falls back to the default "/".
    other = client.create_instance_profile(InstanceProfileName="my-other-profile")
    assert other["InstanceProfile"]["Path"] == "/"
@mock_iam
def test_create_instance_profile_should_throw_when_name_is_not_unique():
    """Creating a second instance profile under an existing name is rejected."""
    client = boto3.client("iam", region_name="us-east-1")
    name = "unique-instance-profile"
    client.create_instance_profile(InstanceProfileName=name)

    # NOTE(review): only the exception type is asserted here. Checking
    # Error.Code as well (presumably "EntityAlreadyExists", as the policy
    # test below does) would make this stricter — confirm against the
    # backend before tightening.
    with pytest.raises(ClientError):
        client.create_instance_profile(InstanceProfileName=name)
@mock_iam
def test_remove_role_from_instance_profile():
    """Removing a role from an instance profile leaves the profile with no roles."""
    client = boto3.client("iam", region_name="us-east-1")
    client.create_instance_profile(InstanceProfileName="my-profile", Path="my-path")
    client.create_role(
        RoleName="my-role", AssumeRolePolicyDocument="some policy", Path="/my-path/"
    )
    client.add_role_to_instance_profile(
        InstanceProfileName="my-profile", RoleName="my-role"
    )

    def attached_roles():
        profile = client.get_instance_profile(InstanceProfileName="my-profile")
        return profile["InstanceProfile"]["Roles"]

    assert len(attached_roles()) == 1

    client.remove_role_from_instance_profile(
        InstanceProfileName="my-profile", RoleName="my-role"
    )
    # The profile itself survives; only the role binding is gone.
    assert len(attached_roles()) == 0
@mock_iam()
def test_delete_instance_profile():
    """An instance profile cannot be deleted while a role is still attached.

    DeleteInstanceProfile raises DeleteConflict until the role is removed;
    afterwards the profile is gone and GetInstanceProfile reports NoSuchEntity.
    """
    client = boto3.client("iam", region_name="us-east-1")
    client.create_role(
        RoleName="my-role", AssumeRolePolicyDocument="some policy", Path="/my-path/"
    )
    client.create_instance_profile(InstanceProfileName="my-profile")
    client.add_role_to_instance_profile(
        InstanceProfileName="my-profile", RoleName="my-role"
    )

    # Guard: a profile with a bound role must not be silently removed.
    with pytest.raises(client.exceptions.DeleteConflictException):
        client.delete_instance_profile(InstanceProfileName="my-profile")

    client.remove_role_from_instance_profile(
        InstanceProfileName="my-profile", RoleName="my-role"
    )
    client.delete_instance_profile(InstanceProfileName="my-profile")

    with pytest.raises(client.exceptions.NoSuchEntityException):
        client.get_instance_profile(InstanceProfileName="my-profile")
@mock_iam()
def test_get_login_profile():
    """GetLoginProfile returns the profile for a user with a console password.

    Only UserName is asserted; the password is a throwaway fixture value.
    """
    client = boto3.client("iam", region_name="us-east-1")
    user = "my-user"
    client.create_user(UserName=user)
    client.create_login_profile(UserName=user, Password="my-pass")

    login_profile = client.get_login_profile(UserName=user)["LoginProfile"]
    assert login_profile["UserName"] == user
@mock_iam()
def test_update_login_profile():
    """UpdateLoginProfile can rotate the password and force a reset at next sign-in.

    A freshly created login profile carries no PasswordResetRequired flag;
    after the update with PasswordResetRequired=True the flag reads True.
    """
    client = boto3.client("iam", region_name="us-east-1")
    user = "my-user"
    client.create_user(UserName=user)
    client.create_login_profile(UserName=user, Password="my-pass")

    before = client.get_login_profile(UserName=user)["LoginProfile"]
    assert before.get("PasswordResetRequired") is None

    client.update_login_profile(
        UserName=user, Password="new-pass", PasswordResetRequired=True
    )

    after = client.get_login_profile(UserName=user)["LoginProfile"]
    assert after.get("PasswordResetRequired") is True
@mock_iam()
def test_delete_role():
    """DeleteRole refuses to leave dangling grants behind.

    Deletion fails with DeleteConflict while the role still has an attached
    managed policy, an inline policy, or an instance-profile membership. It
    succeeds only once the attachment is removed, after which GetRole reports
    NoSuchEntity. A role with nothing attached deletes immediately.
    """
    client = boto3.client("iam", region_name="us-east-1")
    role_name = "my-role"

    def create_role():
        client.create_role(
            RoleName=role_name,
            AssumeRolePolicyDocument="some policy",
            Path="/my-path/",
        )

    def assert_delete_is_blocked():
        with pytest.raises(client.exceptions.DeleteConflictException):
            client.delete_role(RoleName=role_name)

    def delete_and_assert_gone():
        client.delete_role(RoleName=role_name)
        with pytest.raises(client.exceptions.NoSuchEntityException):
            client.get_role(RoleName=role_name)

    # Deleting a role that never existed is an error, not a silent no-op.
    with pytest.raises(client.exceptions.NoSuchEntityException):
        client.delete_role(RoleName=role_name)

    # 1. An attached customer-managed policy blocks deletion until detached.
    create_role()
    policy_arn = client.create_policy(
        PolicyName="my-managed-policy", PolicyDocument=MOCK_POLICY
    )["Policy"]["Arn"]
    client.attach_role_policy(PolicyArn=policy_arn, RoleName=role_name)
    assert_delete_is_blocked()
    client.detach_role_policy(PolicyArn=policy_arn, RoleName=role_name)
    client.delete_policy(PolicyArn=policy_arn)
    delete_and_assert_gone()

    # 2. An inline policy blocks deletion until it is deleted.
    create_role()
    client.put_role_policy(
        RoleName=role_name, PolicyName="my-role-policy", PolicyDocument=MOCK_POLICY
    )
    assert_delete_is_blocked()
    client.delete_role_policy(RoleName=role_name, PolicyName="my-role-policy")
    delete_and_assert_gone()

    # 3. Membership in an instance profile blocks deletion until removed.
    create_role()
    client.create_instance_profile(InstanceProfileName="my-profile")
    client.add_role_to_instance_profile(
        InstanceProfileName="my-profile", RoleName=role_name
    )
    assert_delete_is_blocked()
    client.remove_role_from_instance_profile(
        InstanceProfileName="my-profile", RoleName=role_name
    )
    delete_and_assert_gone()

    # 4. Nothing attached: deletion goes straight through.
    create_role()
    delete_and_assert_gone()
@mock_iam
def test_list_instance_profiles():
    """ListInstanceProfiles returns the created profile with its bound role."""
    client = boto3.client("iam", region_name="us-east-1")
    client.create_instance_profile(InstanceProfileName="my-profile", Path="my-path")
    client.create_role(
        RoleName="my-role", AssumeRolePolicyDocument="some policy", Path="/my-path/"
    )
    client.add_role_to_instance_profile(
        InstanceProfileName="my-profile", RoleName="my-role"
    )

    listed = client.list_instance_profiles()["InstanceProfiles"]
    assert len(listed) == 1
    (profile,) = listed
    assert profile["InstanceProfileName"] == "my-profile"
    assert profile["Roles"][0]["RoleName"] == "my-role"
@mock_iam
def test_list_instance_profiles_for_role():
    """ListInstanceProfilesForRole returns exactly the profiles that bind the role.

    "my-role" is added to two profiles and both must come back; "my-role2"
    is bound to none and must yield an empty list.
    """
    client = boto3.client("iam", region_name="us-east-1")
    client.create_role(
        RoleName="my-role", AssumeRolePolicyDocument="some policy", Path="my-path"
    )
    client.create_role(
        RoleName="my-role2", AssumeRolePolicyDocument="some policy2", Path="my-path2"
    )

    profiles = {"my-profile": "my-path", "my-profile2": "my-path2"}
    for profile_name, profile_path in profiles.items():
        client.create_instance_profile(
            InstanceProfileName=profile_name, Path=profile_path
        )
    for profile_name in profiles:
        client.add_role_to_instance_profile(
            InstanceProfileName=profile_name, RoleName="my-role"
        )

    listed = client.list_instance_profiles_for_role(RoleName="my-role")[
        "InstanceProfiles"
    ]
    # Every created profile appears exactly once (names and paths are checked
    # independently, as separate collections), and each entry names the role.
    assert sorted(entry["InstanceProfileName"] for entry in listed) == sorted(profiles)
    assert sorted(entry["Path"] for entry in listed) == sorted(profiles.values())
    for entry in listed:
        assert entry["Roles"][0]["RoleName"] == "my-role"

    unbound = client.list_instance_profiles_for_role(RoleName="my-role2")[
        "InstanceProfiles"
    ]
    assert len(unbound) == 0
@mock_iam
def test_list_role_policies():
    """ListRolePolicies tracks inline policies as they are added and deleted.

    Deleting an inline policy that no longer exists fails with NoSuchEntity
    and a message naming the policy.
    """
    client = boto3.client("iam", region_name="us-east-1")
    client.create_role(
        RoleName="my-role", AssumeRolePolicyDocument="some policy", Path="my-path"
    )

    def policy_names():
        return client.list_role_policies(RoleName="my-role")["PolicyNames"]

    client.put_role_policy(
        RoleName="my-role", PolicyName="test policy", PolicyDocument=MOCK_POLICY
    )
    assert policy_names() == ["test policy"]

    client.put_role_policy(
        RoleName="my-role", PolicyName="test policy 2", PolicyDocument=MOCK_POLICY
    )
    assert len(policy_names()) == 2

    client.delete_role_policy(RoleName="my-role", PolicyName="test policy")
    assert policy_names() == ["test policy 2"]

    # A second delete of the same inline policy is an error, not idempotent.
    with pytest.raises(ClientError) as exc_info:
        client.delete_role_policy(RoleName="my-role", PolicyName="test policy")
    error = exc_info.value.response["Error"]
    assert error["Code"] == "NoSuchEntity"
    assert error["Message"] == "The role policy with name test policy cannot be found."
@mock_iam
def test_put_role_policy():
    """PutRolePolicy stores an inline policy that GetRolePolicy returns parsed.

    boto3 decodes the returned PolicyDocument into a dict, so it is compared
    against json.loads of the fixture rather than the raw string.
    """
    client = boto3.client("iam", region_name="us-east-1")
    client.create_role(
        RoleName="my-role", AssumeRolePolicyDocument="some policy", Path="my-path"
    )
    client.put_role_policy(
        RoleName="my-role", PolicyName="test policy", PolicyDocument=MOCK_POLICY
    )

    stored = client.get_role_policy(RoleName="my-role", PolicyName="test policy")
    assert stored["PolicyName"] == "test policy"
    assert stored["PolicyDocument"] == json.loads(MOCK_POLICY)
@mock_iam
def test_get_role_policy():
    """GetRolePolicy for an inline policy that was never put fails with NoSuchEntity."""
    client = boto3.client("iam", region_name="us-east-1")
    client.create_role(
        RoleName="my-role", AssumeRolePolicyDocument="some policy", Path="my-path"
    )

    with pytest.raises(client.exceptions.NoSuchEntityException):
        client.get_role_policy(RoleName="my-role", PolicyName="does-not-exist")
@mock_iam
def test_update_assume_role_invalid_policy():
    """UpdateAssumeRolePolicy rejects a trust document that is not valid JSON.

    Note the asymmetry: create_role above accepts the non-JSON "some policy"
    unchecked, while the update path validates and returns
    MalformedPolicyDocument.
    """
    client = boto3.client("iam", region_name="us-east-1")
    client.create_role(
        RoleName="my-role", AssumeRolePolicyDocument="some policy", Path="my-path"
    )

    with pytest.raises(ClientError) as exc_info:
        client.update_assume_role_policy(RoleName="my-role", PolicyDocument="new policy")

    error = exc_info.value.response["Error"]
    assert error["Code"] == "MalformedPolicyDocument"
    assert "Syntax errors in policy." in error["Message"]
@mock_iam
def test_update_assume_role_valid_policy():
    """A well-formed trust policy replaces the role's AssumeRolePolicyDocument.

    The trust policy grants sts:AssumeRole to the EC2 service principal; the
    stored document is returned parsed, so the action is read back from the
    first statement.
    """
    client = boto3.client("iam", region_name="us-east-1")
    client.create_role(
        RoleName="my-role", AssumeRolePolicyDocument="some policy", Path="my-path"
    )

    trust_policy = """
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Service": ["ec2.amazonaws.com"]
                },
                "Action": ["sts:AssumeRole"]
            }
        ]
    }
    """
    client.update_assume_role_policy(RoleName="my-role", PolicyDocument=trust_policy)

    role = client.get_role(RoleName="my-role")["Role"]
    first_statement = role["AssumeRolePolicyDocument"]["Statement"][0]
    assert first_statement["Action"][0] == "sts:AssumeRole"
@mock_iam
def test_update_assume_role_invalid_policy_bad_action():
    """A trust policy whose action is not an STS assume-role action is rejected.

    The error message enumerates the accepted actions: sts:AssumeRole,
    sts:AssumeRoleWithSAML and sts:AssumeRoleWithWebIdentity.
    NOTE(review): real IAM also accepts a few companion actions in trust
    policies (e.g. sts:TagSession); the mock's list, per this message, is
    narrower — do not treat it as the authoritative allow-list.
    """
    client = boto3.client("iam", region_name="us-east-1")
    client.create_role(
        RoleName="my-role", AssumeRolePolicyDocument="some policy", Path="my-path"
    )

    trust_policy = """
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Service": ["ec2.amazonaws.com"]
                },
                "Action": ["sts:BadAssumeRole"]
            }
        ]
    }
    """
    with pytest.raises(ClientError) as exc_info:
        client.update_assume_role_policy(
            RoleName="my-role", PolicyDocument=trust_policy
        )

    error = exc_info.value.response["Error"]
    assert error["Code"] == "MalformedPolicyDocument"
    expected = (
        "Trust Policy statement actions can only be sts:AssumeRole, "
        "sts:AssumeRoleWithSAML, and sts:AssumeRoleWithWebIdentity"
    )
    assert expected in error["Message"]
@mock_iam
def test_update_assume_role_invalid_policy_with_resource():
    """A trust policy carrying a Resource element is rejected.

    A role's trust policy is implicitly scoped to the role itself, so an
    explicit "Resource" is a prohibited field and yields MalformedPolicyDocument.
    """
    client = boto3.client("iam", region_name="us-east-1")
    client.create_role(
        RoleName="my-role", AssumeRolePolicyDocument="some policy", Path="my-path"
    )

    trust_policy = """
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Service": ["ec2.amazonaws.com"]
                },
                "Action": ["sts:AssumeRole"],
                "Resource": "arn:aws:s3:::example_bucket"
            }
        ]
    }
    """
    with pytest.raises(ClientError) as exc_info:
        client.update_assume_role_policy(
            RoleName="my-role", PolicyDocument=trust_policy
        )

    error = exc_info.value.response["Error"]
    assert error["Code"] == "MalformedPolicyDocument"
    assert "Has prohibited field Resource." in error["Message"]
@mock_iam
def test_create_policy():
    """CreatePolicy returns an ARN scoped to the mock account and the policy name."""
    client = boto3.client("iam", region_name="us-east-1")

    created = client.create_policy(
        PolicyName="TestCreatePolicy", PolicyDocument=MOCK_POLICY
    )

    expected_arn = "arn:aws:iam::{}:policy/TestCreatePolicy".format(ACCOUNT_ID)
    assert created["Policy"]["Arn"] == expected_arn
@mock_iam
def test_create_policy_already_exists():
    """Creating a policy under an existing name fails with EntityAlreadyExists (HTTP 409)."""
    client = boto3.client("iam", region_name="us-east-1")
    name = "TestCreatePolicy"
    client.create_policy(PolicyName=name, PolicyDocument=MOCK_POLICY)

    with pytest.raises(client.exceptions.EntityAlreadyExistsException) as exc_info:
        client.create_policy(PolicyName=name, PolicyDocument=MOCK_POLICY)

    response = exc_info.value.response
    assert response["Error"]["Code"] == "EntityAlreadyExists"
    assert response["ResponseMetadata"]["HTTPStatusCode"] == 409
    # The message identifies the conflicting policy by name.
    assert name in response["Error"]["Message"]
@mock_iam
def test_delete_policy():
    """DeletePolicy removes a customer-managed policy from the Local listing.

    Scope="Local" limits ListPolicies to customer-managed policies, so the
    AWS-managed set does not appear in either assertion.
    """
    client = boto3.client("iam", region_name="us-east-1")

    def local_policy_names():
        listing = client.list_policies(Scope="Local")["Policies"]
        return [entry["PolicyName"] for entry in listing]

    created = client.create_policy(
        PolicyName="TestCreatePolicy", PolicyDocument=MOCK_POLICY
    )
    assert local_policy_names() == ["TestCreatePolicy"]

    client.delete_policy(PolicyArn=created["Policy"]["Arn"])
    assert local_policy_names() == []
@mock_iam
def test_create_policy_versions():
    """CreatePolicyVersion numbers versions monotonically and honours SetAsDefault.

    Creating a version for a policy that does not exist is an error. After
    the policy exists, a version created with SetAsDefault=True becomes v2 and
    the default; deleting v1 does not free its number — the next version is v3
    and, without SetAsDefault, is not the default.
    """
    client = boto3.client("iam", region_name="us-east-1")
    policy_arn = "arn:aws:iam::{}:policy/TestCreatePolicyVersion".format(ACCOUNT_ID)

    with pytest.raises(ClientError):
        client.create_policy_version(
            PolicyArn=policy_arn, PolicyDocument='{"some":"policy"}'
        )

    client.create_policy(PolicyName="TestCreatePolicyVersion", PolicyDocument=MOCK_POLICY)

    second = client.create_policy_version(
        PolicyArn=policy_arn, PolicyDocument=MOCK_POLICY, SetAsDefault=True
    )["PolicyVersion"]
    assert second["Document"] == json.loads(MOCK_POLICY)
    assert second["VersionId"] == "v2"
    assert second["IsDefaultVersion"]

    client.delete_policy_version(PolicyArn=policy_arn, VersionId="v1")

    # Version ids are never reused after a delete.
    third = client.create_policy_version(
        PolicyArn=policy_arn, PolicyDocument=MOCK_POLICY
    )["PolicyVersion"]
    assert third["VersionId"] == "v3"
    assert not third["IsDefaultVersion"]
@mock_iam
def test_create_many_policy_versions():
    """A managed policy holds at most five versions.

    CreatePolicy yields v1; four more versions bring the total to five, and
    the sixth CreatePolicyVersion is rejected.
    NOTE(review): only ClientError is asserted — the code (presumably
    LimitExceeded) is not checked.
    """
    client = boto3.client("iam", region_name="us-east-1")
    policy_arn = "arn:aws:iam::{}:policy/TestCreateManyPolicyVersions".format(
        ACCOUNT_ID
    )
    client.create_policy(
        PolicyName="TestCreateManyPolicyVersions", PolicyDocument=MOCK_POLICY
    )

    extra_versions = 4  # v2..v5 on top of the v1 created with the policy
    for _ in range(extra_versions):
        client.create_policy_version(PolicyArn=policy_arn, PolicyDocument=MOCK_POLICY)

    with pytest.raises(ClientError):
        client.create_policy_version(PolicyArn=policy_arn, PolicyDocument=MOCK_POLICY)
@mock_iam
def test_set_default_policy_version():
    """SetDefaultPolicyVersion moves the default flag and validates its inputs.

    Three versions are created (v1 via CreatePolicy, v2 and v3 each with
    SetAsDefault=True), so v3 starts as the default. Setting v1 as default
    flips the flags accordingly. Error cases: unknown policy ARN, a VersionId
    that fails the "v[1-9][0-9]*" pattern, and a well-formed but non-existent
    version.
    """
    client = boto3.client("iam", region_name="us-east-1")
    policy_arn = "arn:aws:iam::{}:policy/TestSetDefaultPolicyVersion".format(
        ACCOUNT_ID
    )
    documents = [MOCK_POLICY, MOCK_POLICY_2, MOCK_POLICY_3]

    client.create_policy(
        PolicyName="TestSetDefaultPolicyVersion", PolicyDocument=MOCK_POLICY
    )
    client.create_policy_version(
        PolicyArn=policy_arn, PolicyDocument=MOCK_POLICY_2, SetAsDefault=True
    )
    client.create_policy_version(
        PolicyArn=policy_arn, PolicyDocument=MOCK_POLICY_3, SetAsDefault=True
    )

    def assert_versions(default_index):
        # Versions are listed in creation order; exactly one is the default.
        listed = client.list_policy_versions(PolicyArn=policy_arn)["Versions"]
        for index, document in enumerate(documents):
            entry = listed[index]
            assert entry["Document"] == json.loads(document)
            assert bool(entry["IsDefaultVersion"]) is (index == default_index)

    assert_versions(default_index=2)

    client.set_default_policy_version(PolicyArn=policy_arn, VersionId="v1")
    assert_versions(default_index=0)

    # Unknown policy ARN.
    missing_arn = "arn:aws:iam::{}:policy/TestNonExistingPolicy".format(ACCOUNT_ID)
    with pytest.raises(ClientError) as exc_info:
        client.set_default_policy_version(PolicyArn=missing_arn, VersionId="v1")
    assert "Policy {} not found".format(missing_arn) in str(exc_info.value)

    # VersionId that does not match the required pattern.
    with pytest.raises(ClientError) as exc_info:
        client.set_default_policy_version(
            PolicyArn=policy_arn, VersionId="wrong_version_id"
        )
    assert (
        r"Value 'wrong_version_id' at 'versionId' failed to satisfy constraint: "
        r"Member must satisfy regular expression pattern: v[1-9][0-9]*(\.[A-Za-z0-9-]*)?"
    ) in str(exc_info.value)

    # Well-formed VersionId that was never created.
    with pytest.raises(ClientError) as exc_info:
        client.set_default_policy_version(PolicyArn=policy_arn, VersionId="v4")
    assert (
        "Policy {} version v4 does not exist or is not attachable.".format(policy_arn)
        in str(exc_info.value)
    )
@mock_iam
def test_get_policy():
    """GetPolicy by ARN returns a policy whose Arn matches the one requested."""
    client = boto3.client("iam", region_name="us-east-1")
    client.create_policy(PolicyName="TestGetPolicy", PolicyDocument=MOCK_POLICY)

    policy_arn = "arn:aws:iam::{}:policy/TestGetPolicy".format(ACCOUNT_ID)
    fetched = client.get_policy(PolicyArn=policy_arn)
    assert fetched["Policy"]["Arn"] == policy_arn
@mock_iam
def test_get_aws_managed_policy():
    """GetPolicy resolves an AWS-managed policy ARN (account "aws") with its CreateDate.

    CreateDate comes back timezone-aware; tzinfo is dropped so it can be
    compared against the naive datetime parsed from the fixture string.
    """
    client = boto3.client("iam", region_name="us-east-1")
    managed_policy_arn = "arn:aws:iam::aws:policy/IAMUserChangePassword"
    expected_create_date = datetime.strptime(
        "2016-11-15T00:25:16+00:00", "%Y-%m-%dT%H:%M:%S+00:00"
    )

    policy = client.get_policy(PolicyArn=managed_policy_arn)["Policy"]
    assert policy["Arn"] == managed_policy_arn
    assert policy["CreateDate"].replace(tzinfo=None) == expected_create_date
@mock_iam
def test_get_policy_version():
    """GetPolicyVersion returns the parsed document for a known version id.

    An unknown VersionId is a ClientError; the version created here without
    SetAsDefault is returned with IsDefaultVersion false.
    """
    client = boto3.client("iam", region_name="us-east-1")
    policy_arn = "arn:aws:iam::{}:policy/TestGetPolicyVersion".format(ACCOUNT_ID)
    client.create_policy(PolicyName="TestGetPolicyVersion", PolicyDocument=MOCK_POLICY)

    created = client.create_policy_version(
        PolicyArn=policy_arn, PolicyDocument=MOCK_POLICY
    )["PolicyVersion"]

    with pytest.raises(ClientError):
        client.get_policy_version(PolicyArn=policy_arn, VersionId="v2-does-not-exist")

    fetched = client.get_policy_version(
        PolicyArn=policy_arn, VersionId=created["VersionId"]
    )["PolicyVersion"]
    assert fetched["Document"] == json.loads(MOCK_POLICY)
    assert not fetched["IsDefaultVersion"]
@mock_iam
def test_get_aws_managed_policy_version():
    """GetPolicyVersion works for an AWS-managed policy and returns a parsed document.

    v1 of AWSLambdaBasicExecutionRole carries a known CreateDate; an unknown
    VersionId is a ClientError.
    """
    client = boto3.client("iam", region_name="us-east-1")
    managed_policy_arn = (
        "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
    )
    expected_create_date = datetime.strptime(
        "2015-04-09T15:03:43+00:00", "%Y-%m-%dT%H:%M:%S+00:00"
    )

    with pytest.raises(ClientError):
        client.get_policy_version(
            PolicyArn=managed_policy_arn, VersionId="v2-does-not-exist"
        )

    version = client.get_policy_version(PolicyArn=managed_policy_arn, VersionId="v1")[
        "PolicyVersion"
    ]
    # tzinfo is stripped to compare against the naive fixture datetime.
    assert version["CreateDate"].replace(tzinfo=None) == expected_create_date
    assert isinstance(version["Document"], dict)
@mock_iam
def test_get_aws_managed_policy_v6_version():
    """A managed policy with several revisions exposes a later version (v6)."""
    client = boto3.client("iam", region_name="us-east-1")
    arn = "arn:aws:iam::aws:policy/job-function/SystemAdministrator"

    with pytest.raises(ClientError):
        client.get_policy_version(PolicyArn=arn, VersionId="v2-does-not-exist")

    version = client.get_policy_version(PolicyArn=arn, VersionId="v6")["PolicyVersion"]
    # Only the shape is checked here, not a specific timestamp.
    version["CreateDate"].replace(tzinfo=None).should.be.an(datetime)
    version["Document"].should.be.an(dict)
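@mock_iam
def test_list_policy_versions():
    """list_policy_versions reports v1 as default and later versions as non-default.

    Listing versions of a policy that does not exist raises ClientError rather
    than returning an empty list.
    """
    conn = boto3.client("iam", region_name="us-east-1")
    policy_name = "TestListPolicyVersions"
    arn = f"arn:aws:iam::{ACCOUNT_ID}:policy/{policy_name}"

    # The original bound the (never produced) result to a local inside the
    # raises block; the call is expected to raise, so nothing to keep.
    with pytest.raises(ClientError):
        conn.list_policy_versions(PolicyArn=arn)

    conn.create_policy(PolicyName=policy_name, PolicyDocument=MOCK_POLICY)
    versions = conn.list_policy_versions(PolicyArn=arn).get("Versions")
    versions[0].get("VersionId").should.equal("v1")
    versions[0].get("IsDefaultVersion").should.be.ok

    for document in (MOCK_POLICY_2, MOCK_POLICY_3):
        conn.create_policy_version(PolicyArn=arn, PolicyDocument=document)

    versions = conn.list_policy_versions(PolicyArn=arn).get("Versions")
    # Added versions keep their documents and do not displace the default.
    versions[1].get("Document").should.equal(json.loads(MOCK_POLICY_2))
    versions[1].get("IsDefaultVersion").shouldnt.be.ok
    versions[2].get("Document").should.equal(json.loads(MOCK_POLICY_3))
    versions[2].get("IsDefaultVersion").shouldnt.be.ok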
@mock_iam
def test_delete_policy_version():
    """A non-default version can be deleted; deleting an unknown id raises."""
    client = boto3.client("iam", region_name="us-east-1")
    policy_name = "TestDeletePolicyVersion"
    arn = f"arn:aws:iam::{ACCOUNT_ID}:policy/{policy_name}"

    client.create_policy(PolicyName=policy_name, PolicyDocument=MOCK_POLICY)
    client.create_policy_version(PolicyArn=arn, PolicyDocument=MOCK_POLICY)

    with pytest.raises(ClientError):
        client.delete_policy_version(
            PolicyArn=arn, VersionId="v2-nope-this-does-not-exist"
        )

    client.delete_policy_version(PolicyArn=arn, VersionId="v2")
    remaining = client.list_policy_versions(PolicyArn=arn).get("Versions")
    # Only the default v1 should be left.
    len(remaining).should.equal(1)
@mock_iam
def test_delete_default_policy_version():
    """Deleting the default version of a policy is refused with ClientError."""
    client = boto3.client("iam", region_name="us-east-1")
    policy_name = "TestDeletePolicyVersion"
    arn = f"arn:aws:iam::{ACCOUNT_ID}:policy/{policy_name}"

    client.create_policy(PolicyName=policy_name, PolicyDocument=MOCK_POLICY)
    client.create_policy_version(PolicyArn=arn, PolicyDocument=MOCK_POLICY_2)

    # v1 is still the default even though v2 exists, so the mock must reject
    # its deletion (callers have to set another default first).
    with pytest.raises(ClientError):
        client.delete_policy_version(PolicyArn=arn, VersionId="v1")
@mock_iam()
def test_create_policy_with_tags():
    """Tags and Description passed to create_policy are returned by get_policy."""
    client = boto3.client("iam", region_name="us-east-1")
    policy_name = "TestCreatePolicyWithTags1"
    expected_tags = [
        {"Key": "somekey", "Value": "somevalue"},
        {"Key": "someotherkey", "Value": "someothervalue"},
    ]

    client.create_policy(
        PolicyName=policy_name,
        PolicyDocument=MOCK_POLICY,
        Tags=expected_tags,
        Description="testing",
    )

    policy = client.get_policy(
        PolicyArn=f"arn:aws:iam::{ACCOUNT_ID}:policy/{policy_name}"
    )["Policy"]
    assert len(policy["Tags"]) == 2
    # Order of tags is preserved as submitted.
    for returned, expected in zip(policy["Tags"], expected_tags):
        assert returned["Key"] == expected["Key"]
        assert returned["Value"] == expected["Value"]
    assert policy["Description"] == "testing"
@mock_iam()
def test_create_policy_with_empty_tag_value():
    """An empty tag value is valid and is stored as the empty string."""
    client = boto3.client("iam", region_name="us-east-1")
    policy_name = "TestCreatePolicyWithTags2"

    client.create_policy(
        PolicyName=policy_name,
        PolicyDocument=MOCK_POLICY,
        Tags=[{"Key": "somekey", "Value": ""}],
    )

    listed = client.list_policy_tags(
        PolicyArn=f"arn:aws:iam::{ACCOUNT_ID}:policy/{policy_name}"
    )["Tags"]
    assert len(listed) == 1
    assert listed[0]["Key"] == "somekey"
    assert listed[0]["Value"] == ""
@mock_iam()
def test_create_policy_with_too_many_tags():
    """More than 50 tags on create_policy is rejected with the AWS constraint message."""
    client = boto3.client("iam", region_name="us-east-1")
    # 51 tags: one over the per-resource limit the mock enforces.
    too_many_tags = [{"Key": str(i), "Value": str(i)} for i in range(0, 51)]

    with pytest.raises(ClientError) as ce:
        client.create_policy(
            PolicyName="TestCreatePolicyWithTags3",
            PolicyDocument=MOCK_POLICY,
            Tags=too_many_tags,
        )

    message = ce.value.response["Error"]["Message"]
    assert (
        "failed to satisfy constraint: Member must have length less than or equal to 50."
        in message
    )
@mock_iam()
def test_create_policy_with_duplicate_tag():
    """Two tags with the same key on create_policy are rejected."""
    client = boto3.client("iam", region_name="us-east-1")
    duplicate_tags = [{"Key": "0", "Value": ""}, {"Key": "0", "Value": ""}]

    with pytest.raises(ClientError) as ce:
        client.create_policy(
            PolicyName="TestCreatePolicyWithTags3",
            PolicyDocument=MOCK_POLICY,
            Tags=duplicate_tags,
        )

    message = ce.value.response["Error"]["Message"]
    assert (
        "Duplicate tag keys found. Please note that Tag keys are case insensitive."
        in message
    )
@mock_iam()
def test_create_policy_with_duplicate_tag_different_casing():
    """Tag keys are compared case-insensitively: "a" and "A" count as duplicates."""
    client = boto3.client("iam", region_name="us-east-1")
    mixed_case_tags = [{"Key": "a", "Value": ""}, {"Key": "A", "Value": ""}]

    with pytest.raises(ClientError) as ce:
        client.create_policy(
            PolicyName="TestCreatePolicyWithTags3",
            PolicyDocument=MOCK_POLICY,
            Tags=mixed_case_tags,
        )

    message = ce.value.response["Error"]["Message"]
    assert (
        "Duplicate tag keys found. Please note that Tag keys are case insensitive."
        in message
    )
@mock_iam()
def test_create_policy_with_tag_containing_large_key():
    """A tag key longer than 128 characters is rejected on create_policy."""
    client = boto3.client("iam", region_name="us-east-1")
    oversized_key = "0" * 129

    with pytest.raises(ClientError) as ce:
        client.create_policy(
            PolicyName="TestCreatePolicyWithTags3",
            PolicyDocument=MOCK_POLICY,
            Tags=[{"Key": oversized_key, "Value": ""}],
        )

    message = ce.value.response["Error"]["Message"]
    assert "Member must have length less than or equal to 128." in message
@mock_iam()
def test_create_policy_with_tag_containing_large_value():
    """A tag value longer than 256 characters is rejected on create_policy."""
    client = boto3.client("iam", region_name="us-east-1")
    oversized_value = "0" * 257

    with pytest.raises(ClientError) as ce:
        client.create_policy(
            PolicyName="TestCreatePolicyWithTags3",
            PolicyDocument=MOCK_POLICY,
            Tags=[{"Key": "0", "Value": oversized_value}],
        )

    message = ce.value.response["Error"]["Message"]
    assert "Member must have length less than or equal to 256." in message
@mock_iam()
def test_create_policy_with_tag_containing_invalid_character():
    """A tag key outside the allowed character class is rejected on create_policy."""
    client = boto3.client("iam", region_name="us-east-1")

    # "!" is not in the permitted tag-key pattern.
    with pytest.raises(ClientError) as ce:
        client.create_policy(
            PolicyName="TestCreatePolicyWithTags3",
            PolicyDocument=MOCK_POLICY,
            Tags=[{"Key": "NOWAY!", "Value": ""}],
        )

    message = ce.value.response["Error"]["Message"]
    assert (
        "Member must satisfy regular expression pattern: [\\p{L}\\p{Z}\\p{N}_.:/=+\\-@]+"
        in message
    )
@mock_iam()
def test_create_policy_with_no_tags():
    """A policy created without tags reports no Tags entry on get_policy."""
    client = boto3.client("iam", region_name="us-east-1")
    policy_name = "TestTagPolicy"
    client.create_policy(PolicyName=policy_name, PolicyDocument=MOCK_POLICY)

    policy = client.get_policy(
        PolicyArn=f"arn:aws:iam::{ACCOUNT_ID}:policy/{policy_name}"
    )["Policy"]
    # Either the key is absent or it is an empty list; both are acceptable.
    assert not policy.get("Tags")
@mock_iam()
def test_get_policy_with_tags():
    """Tags applied via tag_policy are visible on get_policy in submission order."""
    client = boto3.client("iam", region_name="us-east-1")
    arn = f"arn:aws:iam::{ACCOUNT_ID}:policy/TestTagPolicy"
    expected_tags = [
        {"Key": "somekey", "Value": "somevalue"},
        {"Key": "someotherkey", "Value": "someothervalue"},
    ]

    client.create_policy(PolicyName="TestTagPolicy", PolicyDocument=MOCK_POLICY)
    client.tag_policy(PolicyArn=arn, Tags=expected_tags)

    policy = client.get_policy(PolicyArn=arn)["Policy"]
    assert len(policy["Tags"]) == 2
    for returned, expected in zip(policy["Tags"], expected_tags):
        assert returned["Key"] == expected["Key"]
        assert returned["Value"] == expected["Value"]
@mock_iam()
def test_list_policy_tags():
    """list_policy_tags returns every tag in one page when no MaxItems is set."""
    client = boto3.client("iam", region_name="us-east-1")
    arn = f"arn:aws:iam::{ACCOUNT_ID}:policy/TestTagPolicy"
    expected_tags = [
        {"Key": "somekey", "Value": "somevalue"},
        {"Key": "someotherkey", "Value": "someothervalue"},
    ]

    client.create_policy(PolicyName="TestTagPolicy", PolicyDocument=MOCK_POLICY)
    client.tag_policy(PolicyArn=arn, Tags=expected_tags)

    response = client.list_policy_tags(PolicyArn=arn)
    listed = response["Tags"]
    assert len(listed) == 2
    for returned, expected in zip(listed, expected_tags):
        assert returned["Key"] == expected["Key"]
        assert returned["Value"] == expected["Value"]
    # A single full page: no truncation and no continuation marker.
    assert not response["IsTruncated"]
    assert not response.get("Marker")
@mock_iam()
def test_list_policy_tags_pagination():
    """With MaxItems=1 the tags come back one per page, chained by Marker."""
    client = boto3.client("iam", region_name="us-east-1")
    arn = f"arn:aws:iam::{ACCOUNT_ID}:policy/TestTagPolicy"

    client.create_policy(PolicyName="TestTagPolicy", PolicyDocument=MOCK_POLICY)
    client.tag_policy(
        PolicyArn=arn,
        Tags=[
            {"Key": "somekey", "Value": "somevalue"},
            {"Key": "someotherkey", "Value": "someothervalue"},
        ],
    )

    first_page = client.list_policy_tags(PolicyArn=arn, MaxItems=1)
    assert len(first_page["Tags"]) == 1
    assert first_page["IsTruncated"]
    assert first_page["Tags"][0]["Key"] == "somekey"
    assert first_page["Tags"][0]["Value"] == "somevalue"
    # The mock's marker is the index of the next item.
    assert first_page["Marker"] == "1"

    second_page = client.list_policy_tags(PolicyArn=arn, Marker=first_page["Marker"])
    assert len(second_page["Tags"]) == 1
    assert second_page["Tags"][0]["Key"] == "someotherkey"
    assert second_page["Tags"][0]["Value"] == "someothervalue"
    assert not second_page["IsTruncated"]
    assert not second_page.get("Marker")
@mock_iam()
def test_updating_existing_tag():
    """tag_policy with an existing key overwrites the value without adding a tag."""
    client = boto3.client("iam", region_name="us-east-1")
    arn = f"arn:aws:iam::{ACCOUNT_ID}:policy/TestTagPolicy"

    client.create_policy(PolicyName="TestTagPolicy", PolicyDocument=MOCK_POLICY)
    client.tag_policy(
        PolicyArn=arn,
        Tags=[
            {"Key": "somekey", "Value": "somevalue"},
            {"Key": "someotherkey", "Value": "someothervalue"},
        ],
    )

    client.tag_policy(PolicyArn=arn, Tags=[{"Key": "somekey", "Value": "somenewvalue"}])

    listed = client.list_policy_tags(PolicyArn=arn)["Tags"]
    # Still two tags; the first one now carries the new value.
    assert len(listed) == 2
    assert listed[0]["Key"] == "somekey"
    assert listed[0]["Value"] == "somenewvalue"
@mock_iam()
def test_updating_existing_tag_with_empty_value():
    """An existing tag can be updated to the empty string."""
    client = boto3.client("iam", region_name="us-east-1")
    arn = f"arn:aws:iam::{ACCOUNT_ID}:policy/TestTagPolicy"

    client.create_policy(PolicyName="TestTagPolicy", PolicyDocument=MOCK_POLICY)
    client.tag_policy(
        PolicyArn=arn,
        Tags=[
            {"Key": "somekey", "Value": "somevalue"},
            {"Key": "someotherkey", "Value": "someothervalue"},
        ],
    )

    client.tag_policy(PolicyArn=arn, Tags=[{"Key": "somekey", "Value": ""}])

    listed = client.list_policy_tags(PolicyArn=arn)["Tags"]
    assert len(listed) == 2
    assert listed[0]["Key"] == "somekey"
    assert listed[0]["Value"] == ""
@mock_iam()
def test_updating_existing_tagged_policy_with_too_many_tags():
    """tag_policy with more than 50 tags is rejected, even on an already-tagged policy."""
    client = boto3.client("iam", region_name="us-east-1")
    arn = f"arn:aws:iam::{ACCOUNT_ID}:policy/TestTagPolicy"

    client.create_policy(PolicyName="TestTagPolicy", PolicyDocument=MOCK_POLICY)
    client.tag_policy(
        PolicyArn=arn,
        Tags=[
            {"Key": "somekey", "Value": "somevalue"},
            {"Key": "someotherkey", "Value": "someothervalue"},
        ],
    )

    too_many_tags = [{"Key": str(i), "Value": str(i)} for i in range(0, 51)]
    with pytest.raises(ClientError) as ce:
        client.tag_policy(PolicyArn=arn, Tags=too_many_tags)

    message = ce.value.response["Error"]["Message"]
    assert (
        "failed to satisfy constraint: Member must have length less than or equal to 50."
        in message
    )
@mock_iam()
def test_updating_existing_tagged_policy_with_duplicate_tag():
    """tag_policy rejects a request containing the same key twice."""
    client = boto3.client("iam", region_name="us-east-1")
    arn = f"arn:aws:iam::{ACCOUNT_ID}:policy/TestTagPolicy"

    client.create_policy(PolicyName="TestTagPolicy", PolicyDocument=MOCK_POLICY)
    client.tag_policy(
        PolicyArn=arn,
        Tags=[
            {"Key": "somekey", "Value": "somevalue"},
            {"Key": "someotherkey", "Value": "someothervalue"},
        ],
    )

    duplicate_tags = [{"Key": "0", "Value": ""}, {"Key": "0", "Value": ""}]
    with pytest.raises(ClientError) as ce:
        client.tag_policy(PolicyArn=arn, Tags=duplicate_tags)

    message = ce.value.response["Error"]["Message"]
    assert (
        "Duplicate tag keys found. Please note that Tag keys are case insensitive."
        in message
    )
@mock_iam()
def test_updating_existing_tagged_policy_with_duplicate_tag_different_casing():
    """tag_policy treats keys differing only in case as duplicates."""
    client = boto3.client("iam", region_name="us-east-1")
    arn = f"arn:aws:iam::{ACCOUNT_ID}:policy/TestTagPolicy"

    client.create_policy(PolicyName="TestTagPolicy", PolicyDocument=MOCK_POLICY)
    client.tag_policy(
        PolicyArn=arn,
        Tags=[
            {"Key": "somekey", "Value": "somevalue"},
            {"Key": "someotherkey", "Value": "someothervalue"},
        ],
    )

    mixed_case_tags = [{"Key": "a", "Value": ""}, {"Key": "A", "Value": ""}]
    with pytest.raises(ClientError) as ce:
        client.tag_policy(PolicyArn=arn, Tags=mixed_case_tags)

    message = ce.value.response["Error"]["Message"]
    assert (
        "Duplicate tag keys found. Please note that Tag keys are case insensitive."
        in message
    )
@mock_iam()
def test_updating_existing_tagged_policy_with_large_key():
    """tag_policy rejects a key longer than 128 characters."""
    client = boto3.client("iam", region_name="us-east-1")
    arn = f"arn:aws:iam::{ACCOUNT_ID}:policy/TestTagPolicy"

    client.create_policy(PolicyName="TestTagPolicy", PolicyDocument=MOCK_POLICY)
    client.tag_policy(
        PolicyArn=arn,
        Tags=[
            {"Key": "somekey", "Value": "somevalue"},
            {"Key": "someotherkey", "Value": "someothervalue"},
        ],
    )

    oversized_key = "0" * 129
    with pytest.raises(ClientError) as ce:
        client.tag_policy(PolicyArn=arn, Tags=[{"Key": oversized_key, "Value": ""}])

    message = ce.value.response["Error"]["Message"]
    assert "Member must have length less than or equal to 128." in message
@mock_iam()
def test_updating_existing_tagged_policy_with_large_value():
    """tag_policy rejects a value longer than 256 characters."""
    client = boto3.client("iam", region_name="us-east-1")
    arn = f"arn:aws:iam::{ACCOUNT_ID}:policy/TestTagPolicy"

    client.create_policy(PolicyName="TestTagPolicy", PolicyDocument=MOCK_POLICY)
    client.tag_policy(
        PolicyArn=arn,
        Tags=[
            {"Key": "somekey", "Value": "somevalue"},
            {"Key": "someotherkey", "Value": "someothervalue"},
        ],
    )

    oversized_value = "0" * 257
    with pytest.raises(ClientError) as ce:
        client.tag_policy(PolicyArn=arn, Tags=[{"Key": "0", "Value": oversized_value}])

    message = ce.value.response["Error"]["Message"]
    assert "Member must have length less than or equal to 256." in message
@mock_iam()
def test_updating_existing_tagged_policy_with_invalid_character():
    """tag_policy rejects a key containing a character outside the allowed class."""
    client = boto3.client("iam", region_name="us-east-1")
    arn = f"arn:aws:iam::{ACCOUNT_ID}:policy/TestTagPolicy"

    client.create_policy(PolicyName="TestTagPolicy", PolicyDocument=MOCK_POLICY)
    client.tag_policy(
        PolicyArn=arn,
        Tags=[
            {"Key": "somekey", "Value": "somevalue"},
            {"Key": "someotherkey", "Value": "someothervalue"},
        ],
    )

    # "!" is outside the permitted tag-key pattern.
    with pytest.raises(ClientError) as ce:
        client.tag_policy(PolicyArn=arn, Tags=[{"Key": "NOWAY!", "Value": ""}])

    message = ce.value.response["Error"]["Message"]
    assert (
        "Member must satisfy regular expression pattern: [\\p{L}\\p{Z}\\p{N}_.:/=+\\-@]+"
        in message
    )
@mock_iam()
def test_tag_non_existant_policy():
    """Tagging a policy ARN that does not exist raises ClientError."""
    client = boto3.client("iam", region_name="us-east-1")
    missing_arn = f"arn:aws:iam::{ACCOUNT_ID}:policy/NotAPolicy"

    with pytest.raises(ClientError):
        client.tag_policy(
            PolicyArn=missing_arn, Tags=[{"Key": "some", "Value": "value"}]
        )
@mock_iam
def test_untag_policy():
    """untag_policy removes tags by key and validates TagKeys like tag_policy does.

    Covers: removing one key, removing the last key, and the rejection paths
    (too many keys, oversized key, invalid character, unknown policy).
    """
    client = boto3.client("iam", region_name="us-east-1")
    policy_name = "TestUnTagPolicy"
    arn = f"arn:aws:iam::{ACCOUNT_ID}:policy/{policy_name}"
    missing_arn = f"arn:aws:iam::{ACCOUNT_ID}:policy/NotAPolicy"

    client.create_policy(PolicyName=policy_name, PolicyDocument=MOCK_POLICY)
    client.tag_policy(
        PolicyArn=arn,
        Tags=[
            {"Key": "somekey", "Value": "somevalue"},
            {"Key": "someotherkey", "Value": "someothervalue"},
        ],
    )

    # Remove the first key; the second one must survive untouched.
    client.untag_policy(PolicyArn=arn, TagKeys=["somekey"])
    remaining = client.list_policy_tags(PolicyArn=arn)["Tags"]
    assert len(remaining) == 1
    assert remaining[0]["Key"] == "someotherkey"
    assert remaining[0]["Value"] == "someothervalue"

    # Remove the last key; the policy is then untagged.
    client.untag_policy(PolicyArn=arn, TagKeys=["someotherkey"])
    assert not client.list_policy_tags(PolicyArn=arn)["Tags"]

    # Validation of TagKeys mirrors tag_policy; each error names the tagKeys member.
    with pytest.raises(ClientError) as ce:
        client.untag_policy(PolicyArn=arn, TagKeys=[str(i) for i in range(0, 51)])
    message = ce.value.response["Error"]["Message"]
    assert (
        "failed to satisfy constraint: Member must have length less than or equal to 50."
        in message
    )
    assert "tagKeys" in message

    with pytest.raises(ClientError) as ce:
        client.untag_policy(PolicyArn=arn, TagKeys=["0" * 129])
    message = ce.value.response["Error"]["Message"]
    assert "Member must have length less than or equal to 128." in message
    assert "tagKeys" in message

    with pytest.raises(ClientError) as ce:
        client.untag_policy(PolicyArn=arn, TagKeys=["NOWAY!"])
    message = ce.value.response["Error"]["Message"]
    assert (
        "Member must satisfy regular expression pattern: [\\p{L}\\p{Z}\\p{N}_.:/=+\\-@]+"
        in message
    )
    assert "tagKeys" in message

    with pytest.raises(ClientError):
        client.untag_policy(PolicyArn=missing_arn, TagKeys=["somevalue"])
@mock_iam
def test_create_user_boto():
    """create_user returns the new user's fields; a second create of the same name fails."""
    client = boto3.client("iam", region_name="us-east-1")
    user_name = "my-user"

    created = client.create_user(UserName=user_name)["User"]
    created["Path"].should.equal("/")
    created["UserName"].should.equal(user_name)
    created.should.have.key("UserId")
    created["Arn"].should.equal(f"arn:aws:iam::{ACCOUNT_ID}:user/{user_name}")
    created["CreateDate"].should.be.a(datetime)

    # User names are unique within the account.
    with pytest.raises(ClientError) as ex:
        client.create_user(UserName=user_name)
    error = ex.value.response["Error"]
    error["Code"].should.equal("EntityAlreadyExists")
    error["Message"].should.equal("User my-user already exists")
@mock_iam
def test_get_user():
    """get_user raises NoSuchEntity for an unknown name and returns the user once created."""
    client = boto3.client("iam", region_name="us-east-1")
    user_name = "my-user"

    with pytest.raises(ClientError) as ex:
        client.get_user(UserName=user_name)
    error = ex.value.response["Error"]
    error["Code"].should.equal("NoSuchEntity")
    error["Message"].should.equal("The user with name my-user cannot be found.")

    client.create_user(UserName=user_name)
    fetched = client.get_user(UserName=user_name)["User"]
    fetched["Path"].should.equal("/")
    fetched["UserName"].should.equal(user_name)
    fetched.should.have.key("UserId")
    fetched["Arn"].should.equal(f"arn:aws:iam::{ACCOUNT_ID}:user/{user_name}")
    fetched["CreateDate"].should.be.a(datetime)
@mock_iam()
def test_update_user():
    """update_user renames and re-paths a user; the old name stops resolving."""
    client = boto3.client("iam", region_name="us-east-1")
    not_found = client.exceptions.NoSuchEntityException

    with pytest.raises(not_found):
        client.update_user(UserName="my-user")

    client.create_user(UserName="my-user")
    client.update_user(UserName="my-user", NewPath="/new-path/", NewUserName="new-user")

    renamed = client.get_user(UserName="new-user")
    renamed["User"].get("Path").should.equal("/new-path/")

    # The previous name must no longer be resolvable after the rename.
    with pytest.raises(not_found):
        client.get_user(UserName="my-user")
@mock_iam
def test_get_current_user():
    """Without a UserName, get_user returns the caller, which the mock names default_user."""
    client = boto3.client("iam", region_name="us-east-1")
    current = client.get_user()["User"]
    current["UserName"].should.equal("default_user")
@mock_iam()
def test_list_users():
    """list_users honours PathPrefix and reports IsTruncated for a single page."""
    client = boto3.client("iam", region_name="us-east-1")
    client.create_user(UserName="my-user")

    response = client.list_users(PathPrefix="/", MaxItems=10)
    first = response["Users"][0]
    first["UserName"].should.equal("my-user")
    first["Path"].should.equal("/")
    first["Arn"].should.equal(f"arn:aws:iam::{ACCOUNT_ID}:user/my-user")
    response["IsTruncated"].should.equal(False)

    # A user on a custom path is found by a prefix of that path.
    client.create_user(UserName="my-user-1", Path="myUser")
    response = client.list_users(PathPrefix="my")
    matched = response["Users"][0]
    matched["UserName"].should.equal("my-user-1")
    matched["Path"].should.equal("myUser")
@mock_iam()
def test_user_policies():
    """Inline user policies round-trip through put/get/list/delete_user_policy."""
    client = boto3.client("iam", region_name="us-east-1")
    user_name = "my-user"
    policy_name = "UserManagedPolicy"

    client.create_user(UserName=user_name)
    client.put_user_policy(
        UserName=user_name, PolicyName=policy_name, PolicyDocument=MOCK_POLICY
    )

    # The stored document is returned parsed, so compare against the parsed source.
    stored = client.get_user_policy(UserName=user_name, PolicyName=policy_name)
    stored["PolicyDocument"].should.equal(json.loads(MOCK_POLICY))

    names = client.list_user_policies(UserName=user_name)["PolicyNames"]
    len(names).should.equal(1)
    names[0].should.equal(policy_name)

    client.delete_user_policy(UserName=user_name, PolicyName=policy_name)
    names = client.list_user_policies(UserName=user_name)["PolicyNames"]
    len(names).should.equal(0)
@mock_iam
def test_create_login_profile_with_unknown_user():
    """create_login_profile for a user that does not exist raises NoSuchEntity."""
    client = boto3.client("iam", region_name="us-east-1")

    # "my-pass" is a constructed test value for the mock, not a real credential.
    with pytest.raises(ClientError) as ex:
        client.create_login_profile(UserName="my-user", Password="my-pass")
    error = ex.value.response["Error"]
    error["Code"].should.equal("NoSuchEntity")
    error["Message"].should.equal("The user with name my-user cannot be found.")
@mock_iam
def test_delete_login_profile_with_unknown_user():
    """delete_login_profile for a user that does not exist raises NoSuchEntity."""
    client = boto3.client("iam", region_name="us-east-1")

    with pytest.raises(ClientError) as ex:
        client.delete_login_profile(UserName="my-user")
    error = ex.value.response["Error"]
    error["Code"].should.equal("NoSuchEntity")
    error["Message"].should.equal("The user with name my-user cannot be found.")
@mock_iam
def test_delete_nonexistent_login_profile():
    """delete_login_profile on a user without a console login raises NoSuchEntity."""
    client = boto3.client("iam", region_name="us-east-1")
    client.create_user(UserName="my-user")

    # The user exists but never had a login profile; the message names the profile.
    with pytest.raises(ClientError) as ex:
        client.delete_login_profile(UserName="my-user")
    error = ex.value.response["Error"]
    error["Code"].should.equal("NoSuchEntity")
    error["Message"].should.equal("Login profile for my-user not found")
@mock_iam
def test_delete_login_profile():
    """After delete_login_profile, get_login_profile for that user fails."""
    client = boto3.client("iam", region_name="us-east-1")
    user_name = "my-user"

    client.create_user(UserName=user_name)
    # Constructed test password for the mock only.
    client.create_login_profile(UserName=user_name, Password="my-pass")
    client.delete_login_profile(UserName=user_name)

    with pytest.raises(ClientError):
        client.get_login_profile(UserName=user_name)
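@mock_iam
def test_create_access_key():
    """Access keys are created for a user and can then be used as client credentials.

    Creating a key for an unknown user raises ClientError. Each generated key is
    checked for freshness and for the AWS key shape (20-character id prefixed
    "AKIA", 40-character secret). Every value here is produced by the mock.
    """
    conn = boto3.client("iam", region_name="us-east-1")

    with pytest.raises(ClientError):
        conn.create_access_key(UserName="my-user")

    conn.create_user(UserName="my-user")
    access_key = conn.create_access_key(UserName="my-user")["AccessKey"]
    _assert_fresh_access_key(access_key)

    # Re-authenticate with the key just issued. Calling create_access_key with
    # no UserName must then succeed; presumably the mock resolves the caller
    # from the key id, so this is a second key for the same user.
    conn = boto3.client(
        "iam",
        region_name="us-east-1",
        aws_access_key_id=access_key["AccessKeyId"],
        aws_secret_access_key=access_key["SecretAccessKey"],
    )
    access_key = conn.create_access_key()["AccessKey"]
    _assert_fresh_access_key(access_key)


def _assert_fresh_access_key(access_key):
    """Assert *access_key* was created within the last 10 seconds and has the AWS shape."""
    age = datetime.utcnow() - access_key["CreateDate"].replace(tzinfo=None)
    # total_seconds() rather than .seconds: .seconds is only the within-day
    # component of a timedelta, so a delta of days (or a negative one wrapping
    # to 86399) could still fall inside the window.
    age.total_seconds().should.be.within(0, 10)
    access_key["AccessKeyId"].should.have.length_of(20)
    access_key["SecretAccessKey"].should.have.length_of(40)
    assert access_key["AccessKeyId"].startswith("AKIA")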
@mock_iam
def test_limit_access_key_per_user():
    """A user may hold at most two access keys; the third CreateAccessKey is LimitExceeded.

    Two keys per principal is what allows a rotate-then-revoke workflow; the
    quota value is pinned through the error message.
    """
    conn = boto3.client("iam", region_name=DEFAULT_REGION_NAME)
    user_name = "test-user"
    conn.create_user(UserName=user_name)

    for _ in range(2):
        conn.create_access_key(UserName=user_name)

    with pytest.raises(ClientError) as exc_info:
        conn.create_access_key(UserName=user_name)

    error = exc_info.value.response["Error"]
    assert error["Code"] == "LimitExceeded"
    assert error["Message"] == "Cannot exceed quota for AccessKeysPerUser: 2"
@mock_iam
def test_list_access_keys():
    """ListAccessKeys exposes only key metadata, never the secret.

    The exact key set of each ``AccessKeyMetadata`` entry is pinned, so a
    regression that started echoing ``SecretAccessKey`` back from the listing
    would be caught.  The listing is exercised with an explicit ``UserName``
    and, authenticated as the new key itself, without one.
    """
    expected_fields = sorted(["Status", "CreateDate", "UserName", "AccessKeyId"])

    conn = boto3.client("iam", region_name="us-east-1")
    conn.create_user(UserName="my-user")

    listing = conn.list_access_keys(UserName="my-user")
    assert listing["AccessKeyMetadata"] == []

    access_key = conn.create_access_key(UserName="my-user")["AccessKey"]
    listing = conn.list_access_keys(UserName="my-user")
    assert sorted(listing["AccessKeyMetadata"][0].keys()) == expected_fields

    # Same listing, but the user is resolved from the caller's own credentials.
    conn = boto3.client(
        "iam",
        region_name="us-east-1",
        aws_access_key_id=access_key["AccessKeyId"],
        aws_secret_access_key=access_key["SecretAccessKey"],
    )
    listing = conn.list_access_keys()
    assert sorted(listing["AccessKeyMetadata"][0].keys()) == expected_fields
@mock_iam
def test_delete_access_key():
    """DeleteAccessKey accepts an explicit UserName or just the key id.

    Only that both calls succeed is checked; the listing is not re-read to
    confirm the keys are gone.
    """
    conn = boto3.client("iam", region_name="us-east-1")
    conn.create_user(UserName="my-user")

    first = conn.create_access_key(UserName="my-user")["AccessKey"]
    conn.delete_access_key(AccessKeyId=first["AccessKeyId"], UserName="my-user")

    # Owner resolved from the key id alone.
    second = conn.create_access_key(UserName="my-user")["AccessKey"]
    conn.delete_access_key(AccessKeyId=second["AccessKeyId"])
@mock_iam()
def test_mfa_devices():
    """Enable, list and deactivate an MFA device by serial number on a user.

    The serial and both authentication codes are arbitrary placeholders; the
    mock accepts them here without checking them against anything, which a
    real IAM endpoint would not — confirm before reusing these values elsewhere.
    """
    conn = boto3.client("iam", region_name="us-east-1")
    user_name = "my-user"
    serial = "123456789"
    conn.create_user(UserName=user_name)

    conn.enable_mfa_device(
        UserName=user_name,
        SerialNumber=serial,
        AuthenticationCode1="234567",
        AuthenticationCode2="987654",
    )

    devices = conn.list_mfa_devices(UserName=user_name)["MFADevices"]
    assert devices[0]["SerialNumber"] == serial

    conn.deactivate_mfa_device(UserName=user_name, SerialNumber=serial)
    assert len(conn.list_mfa_devices(UserName=user_name)["MFADevices"]) == 0
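@mock_iam
def test_create_virtual_mfa_device():
    """CreateVirtualMFADevice yields a base32 seed, a QR blob and a path-qualified serial.

    Three devices are created: default path, explicit ``/`` and nested
    ``/test/``.  Two assertions are tightened relative to the earlier version:
    the seed regex only inspected the first character, and the QR code (bytes)
    was compared against an empty ``str``, which can never be equal.
    """
    client = boto3.client("iam", region_name="us-east-1")
    # RFC 4648 base32 alphabet.
    base32_alphabet = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567")

    def check_device(device, expected_serial):
        assert device["SerialNumber"] == expected_serial
        # Every character of the seed must be base32, not just the first one.
        seed = device["Base32StringSeed"].decode("ascii")
        assert seed and set(seed) <= base32_alphabet, seed
        # The QR code is delivered as a non-empty blob.
        qr_code = device["QRCodePNG"]
        assert isinstance(qr_code, bytes)
        assert qr_code != b""

    created = client.create_virtual_mfa_device(VirtualMFADeviceName="test-device")
    check_device(
        created["VirtualMFADevice"],
        "arn:aws:iam::{account}:mfa/test-device".format(account=ACCOUNT_ID),
    )

    created = client.create_virtual_mfa_device(
        Path="/", VirtualMFADeviceName="test-device-2"
    )
    check_device(
        created["VirtualMFADevice"],
        "arn:aws:iam::{account}:mfa/test-device-2".format(account=ACCOUNT_ID),
    )

    created = client.create_virtual_mfa_device(
        Path="/test/", VirtualMFADeviceName="test-device"
    )
    check_device(
        created["VirtualMFADevice"],
        "arn:aws:iam::{account}:mfa/test/test-device".format(account=ACCOUNT_ID),
    )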
@mock_iam
def test_create_virtual_mfa_device_errors():
    """Input validation for CreateVirtualMFADevice: duplicate names and malformed paths."""
    client = boto3.client("iam", region_name="us-east-1")
    client.create_virtual_mfa_device(VirtualMFADeviceName="test-device")

    bad_path_message = (
        "The specified value for path is invalid. "
        "It must begin and end with / and contain only alphanumeric characters and/or / characters."
    )

    # Same path and name as the existing device.
    with pytest.raises(ClientError) as exc_info:
        client.create_virtual_mfa_device(VirtualMFADeviceName="test-device")
    assert "MFADevice entity at the same path and name already exists." in str(
        exc_info.value
    )

    # Path must be '/'-delimited and must not contain an empty segment.
    for bad_path in ("test", "/test//test/"):
        with pytest.raises(ClientError) as exc_info:
            client.create_virtual_mfa_device(
                Path=bad_path, VirtualMFADeviceName="test-device"
            )
        assert bad_path_message in str(exc_info.value)

    # Path length is capped at 512 characters.
    too_long_path = "/{}/".format("b" * 511)
    with pytest.raises(ClientError) as exc_info:
        client.create_virtual_mfa_device(
            Path=too_long_path, VirtualMFADeviceName="test-device"
        )
    # NOTE: the literal "{}" below is deliberate — it reproduces the mock's
    # message verbatim (the path is not interpolated there); presumably a real
    # endpoint would echo the offending value instead — confirm.
    assert (
        "1 validation error detected: "
        'Value "{}" at "path" failed to satisfy constraint: '
        "Member must have length less than or equal to 512"
    ) in str(exc_info.value)
@mock_iam
def test_delete_virtual_mfa_device():
    """Deleting a virtual MFA device leaves the listing empty and untruncated."""
    client = boto3.client("iam", region_name="us-east-1")
    created = client.create_virtual_mfa_device(VirtualMFADeviceName="test-device")
    serial_number = created["VirtualMFADevice"]["SerialNumber"]

    client.delete_virtual_mfa_device(SerialNumber=serial_number)

    listing = client.list_virtual_mfa_devices()
    assert len(listing["VirtualMFADevices"]) == 0
    assert listing["IsTruncated"] is False
@mock_iam
def test_delete_virtual_mfa_device_errors():
    """Deleting an unknown virtual MFA serial is rejected with an error naming that serial."""
    client = boto3.client("iam", region_name="us-east-1")
    serial_number = "arn:aws:iam::{account}:mfa/not-existing".format(account=ACCOUNT_ID)

    with pytest.raises(ClientError) as exc_info:
        client.delete_virtual_mfa_device(SerialNumber=serial_number)

    expected = "VirtualMFADevice with serial number {0} doesn't exist.".format(
        serial_number
    )
    assert expected in str(exc_info.value)
@mock_iam
def test_list_virtual_mfa_devices():
    """ListVirtualMFADevices: AssignmentStatus filtering and MaxItems/Marker paging.

    Two unassigned devices exist, so ``Assigned`` is empty while ``Unassigned``
    and ``Any`` return both.  NOTE(review): ``Marker`` is asserted to be the
    string ``"1"``, which is the mock's numeric cursor; real IAM markers are
    opaque and should only ever be passed back, never compared.
    """
    client = boto3.client("iam", region_name="us-east-1")
    serial_1 = client.create_virtual_mfa_device(VirtualMFADeviceName="test-device")[
        "VirtualMFADevice"
    ]["SerialNumber"]
    serial_2 = client.create_virtual_mfa_device(
        Path="/test/", VirtualMFADeviceName="test-device"
    )["VirtualMFADevice"]["SerialNumber"]
    both = [{"SerialNumber": serial_1}, {"SerialNumber": serial_2}]

    listing = client.list_virtual_mfa_devices()
    assert listing["VirtualMFADevices"] == both
    assert listing["IsTruncated"] is False

    listing = client.list_virtual_mfa_devices(AssignmentStatus="Assigned")
    assert len(listing["VirtualMFADevices"]) == 0
    assert listing["IsTruncated"] is False

    listing = client.list_virtual_mfa_devices(AssignmentStatus="Unassigned")
    assert listing["VirtualMFADevices"] == both
    assert listing["IsTruncated"] is False

    # Page size one: first page is truncated and hands back a marker ...
    page = client.list_virtual_mfa_devices(AssignmentStatus="Any", MaxItems=1)
    assert page["VirtualMFADevices"] == [{"SerialNumber": serial_1}]
    assert page["IsTruncated"] is True
    assert page["Marker"] == "1"

    # ... which yields the remaining device on the next page.
    page = client.list_virtual_mfa_devices(
        AssignmentStatus="Any", Marker=page["Marker"]
    )
    assert page["VirtualMFADevices"] == [{"SerialNumber": serial_2}]
    assert page["IsTruncated"] is False
@mock_iam
def test_list_virtual_mfa_devices_errors():
    """A Marker that does not point into the result set is rejected as "Invalid Marker."."""
    client = boto3.client("iam", region_name="us-east-1")
    client.create_virtual_mfa_device(VirtualMFADeviceName="test-device")

    with pytest.raises(ClientError) as exc_info:
        client.list_virtual_mfa_devices(Marker="100")
    assert "Invalid Marker." in str(exc_info.value)
@mock_iam
def test_enable_virtual_mfa_device():
    """Enabling a virtual MFA device binds it to a user; deactivating frees it again.

    While assigned, the ``Assigned`` listing embeds the owning user (path,
    name, id, ARN, creation time, tags) plus an ``EnableDate``.  The two
    authentication codes are placeholders: the mock accepts them here without
    relating them to the device seed, which real IAM would not — confirm before
    reusing these values elsewhere.
    """
    client = boto3.client("iam", region_name="us-east-1")
    serial_number = client.create_virtual_mfa_device(VirtualMFADeviceName="test-device")[
        "VirtualMFADevice"
    ]["SerialNumber"]
    tags = [{"Key": "key", "Value": "value"}]
    client.create_user(UserName="test-user", Tags=tags)

    client.enable_mfa_device(
        UserName="test-user",
        SerialNumber=serial_number,
        AuthenticationCode1="234567",
        AuthenticationCode2="987654",
    )

    unassigned = client.list_virtual_mfa_devices(AssignmentStatus="Unassigned")
    assert len(unassigned["VirtualMFADevices"]) == 0
    assert unassigned["IsTruncated"] is False

    assigned = client.list_virtual_mfa_devices(AssignmentStatus="Assigned")
    device = assigned["VirtualMFADevices"][0]
    owner = device["User"]
    assert device["SerialNumber"] == serial_number
    assert owner["Path"] == "/"
    assert owner["UserName"] == "test-user"
    # Weak shape check: re.search only needs a single matching character.
    owner["UserId"].should.match("[a-z0-9]+")
    assert owner["Arn"] == "arn:aws:iam::{account}:user/test-user".format(
        account=ACCOUNT_ID
    )
    assert isinstance(owner["CreateDate"], datetime)
    assert owner["Tags"] == tags
    assert isinstance(device["EnableDate"], datetime)
    assert assigned["IsTruncated"] is False

    client.deactivate_mfa_device(UserName="test-user", SerialNumber=serial_number)

    assigned = client.list_virtual_mfa_devices(AssignmentStatus="Assigned")
    assert len(assigned["VirtualMFADevices"]) == 0
    assert assigned["IsTruncated"] is False

    unassigned = client.list_virtual_mfa_devices(AssignmentStatus="Unassigned")
    assert unassigned["VirtualMFADevices"] == [{"SerialNumber": serial_number}]
    assert unassigned["IsTruncated"] is False
@mock_iam()
def test_delete_user():
    """DeleteUser refuses while policies are still attached to or inlined on the user.

    Three passes: a user with an attached managed policy, a user with an
    inline policy, and a bare user.  The first two raise DeleteConflict until
    the policy is removed; afterwards the user is gone (GetUser is
    NoSuchEntity).  Deleting a user that never existed is NoSuchEntity too.
    NOTE(review): real IAM also blocks deletion while access keys, a login
    profile, MFA devices or group memberships remain; none of that is
    exercised here — confirm separately if that coverage is wanted.
    """
    conn = boto3.client("iam", region_name="us-east-1")
    user_name = "my-user"

    def assert_user_gone():
        with pytest.raises(conn.exceptions.NoSuchEntityException):
            conn.get_user(UserName=user_name)

    with pytest.raises(conn.exceptions.NoSuchEntityException):
        conn.delete_user(UserName=user_name)

    # An attached managed policy blocks deletion.
    conn.create_user(UserName=user_name)
    policy_arn = conn.create_policy(
        PolicyName="my-managed-policy", PolicyDocument=MOCK_POLICY
    )["Policy"]["Arn"]
    conn.attach_user_policy(PolicyArn=policy_arn, UserName=user_name)
    with pytest.raises(conn.exceptions.DeleteConflictException):
        conn.delete_user(UserName=user_name)
    conn.detach_user_policy(PolicyArn=policy_arn, UserName=user_name)
    conn.delete_policy(PolicyArn=policy_arn)
    conn.delete_user(UserName=user_name)
    assert_user_gone()

    # An inline policy blocks deletion.
    conn.create_user(UserName=user_name)
    conn.put_user_policy(
        UserName=user_name, PolicyName="my-user-policy", PolicyDocument=MOCK_POLICY
    )
    with pytest.raises(conn.exceptions.DeleteConflictException):
        conn.delete_user(UserName=user_name)
    conn.delete_user_policy(UserName=user_name, PolicyName="my-user-policy")
    conn.delete_user(UserName=user_name)
    assert_user_gone()

    # Nothing attached: plain delete.
    conn.create_user(UserName=user_name)
    conn.delete_user(UserName=user_name)
    assert_user_gone()
@mock_iam
def test_generate_credential_report():
    """Two consecutive GenerateCredentialReport calls go STARTED, then COMPLETE.

    NOTE(review): this pins the mock's deterministic two-step state machine; a
    live endpoint may need more polls before it reports COMPLETE.
    """
    conn = boto3.client("iam", region_name="us-east-1")

    states = [conn.generate_credential_report()["State"] for _ in range(2)]
    assert states == ["STARTED", "COMPLETE"]
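@mock_iam
def test_get_credential_report():
    """GetCredentialReport fails before a report exists and lists the user once one does.

    Generation is asynchronous, so ``generate_credential_report`` is polled
    until it reports ``COMPLETE``.  The poll is bounded: a backend that never
    completes fails the test instead of hanging it forever.
    """
    conn = boto3.client("iam", region_name="us-east-1")
    conn.create_user(UserName="my-user")

    # No report has been generated yet.
    with pytest.raises(ClientError):
        conn.get_credential_report()

    state = conn.generate_credential_report()["State"]
    for _ in range(10):
        if state == "COMPLETE":
            break
        state = conn.generate_credential_report()["State"]
    assert state == "COMPLETE", "credential report never completed"

    report = conn.get_credential_report()["Content"].decode("utf-8")
    assert "my-user" in report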
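@mock_iam
def test_get_credential_report_content():
    """The credential report carries the documented CSV header and per-user columns.

    One user gets a console password, an *inactive* first access key and an
    active second key.  Outside server mode the backend object is stamped
    directly to give the second key and the password a last-used time, since
    the mock does not track usage itself; in server mode the backend is not
    reachable and those columns must keep their "never used" values.  The
    completion poll is bounded so a stuck backend fails instead of hanging.
    """
    conn = boto3.client("iam", region_name="us-east-1")
    username = "my-user"
    conn.create_user(UserName=username)
    conn.create_login_profile(UserName=username, Password="123")

    key1 = conn.create_access_key(UserName=username)["AccessKey"]
    conn.update_access_key(
        UserName=username, AccessKeyId=key1["AccessKeyId"], Status="Inactive"
    )
    conn.create_access_key(UserName=username)

    timestamp = datetime.utcnow()
    if not settings.TEST_SERVER_MODE:
        backend_user = get_backend("iam")["global"].users[username]
        backend_user.access_keys[1].last_used = timestamp
        backend_user.password_last_used = timestamp

    with pytest.raises(ClientError):
        conn.get_credential_report()

    state = conn.generate_credential_report()["State"]
    for _ in range(10):
        if state == "COMPLETE":
            break
        state = conn.generate_credential_report()["State"]
    assert state == "COMPLETE", "credential report never completed"

    report = conn.get_credential_report()["Content"].decode("utf-8")
    lines = report.split("\n")
    assert lines[0] == (
        "user,arn,user_creation_time,password_enabled,password_last_used,"
        "password_last_changed,password_next_rotation,mfa_active,"
        "access_key_1_active,access_key_1_last_rotated,"
        "access_key_1_last_used_date,access_key_1_last_used_region,"
        "access_key_1_last_used_service,access_key_2_active,"
        "access_key_2_last_rotated,access_key_2_last_used_date,"
        "access_key_2_last_used_region,access_key_2_last_used_service,"
        "cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated"
    )

    row = next(csv.DictReader(lines))
    # Only the calendar day is compared, so the check survives second-level
    # drift between `timestamp` and the report's own clock.
    day = timestamp.strftime("%Y-%m-%d")
    assert row["user"] == "my-user"
    assert row["access_key_1_active"] == "false"
    assert day in row["access_key_1_last_rotated"]
    assert row["access_key_1_last_used_date"] == "N/A"
    assert row["access_key_2_active"] == "true"
    if not settings.TEST_SERVER_MODE:
        assert day in row["access_key_2_last_used_date"]
        assert day in row["password_last_used"]
    else:
        assert row["access_key_2_last_used_date"] == "N/A"
        assert row["password_last_used"] == "no_information"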
@mock_iam
def test_get_access_key_last_used_when_used():
    """GetAccessKeyLastUsed reports the stamped LastUsedDate (in-process mode only).

    The mock does not record key usage, so outside server mode the backend
    object is stamped directly; in server mode the backend is not reachable
    and ``LastUsedDate`` must simply be absent.  An unknown key id is a
    ClientError either way.
    """
    iam = boto3.resource("iam", region_name="us-east-1")
    client = iam.meta.client
    username = "test-user"
    iam.create_user(UserName=username)

    with pytest.raises(ClientError):
        client.get_access_key_last_used(AccessKeyId="non-existent-key-id")

    key_id = client.create_access_key(UserName=username)["AccessKey"]["AccessKeyId"]
    in_process = not settings.TEST_SERVER_MODE
    if in_process:
        timestamp = datetime.utcnow()
        backend_user = get_backend("iam")["global"].users[username]
        backend_user.access_keys[0].last_used = timestamp

    last_used = client.get_access_key_last_used(AccessKeyId=key_id)["AccessKeyLastUsed"]
    if in_process:
        assert last_used["LastUsedDate"].strftime("%Y-%m-%d") == timestamp.strftime(
            "%Y-%m-%d"
        )
    else:
        assert "LastUsedDate" not in last_used
@mock_iam
def test_managed_policy():
    """ListPolicies scoping (AWS / Local / all / OnlyAttached) and role attach/detach.

    The AWS scope must match moto's bundled ``aws_managed_policies`` exactly,
    the Local scope only the customer policy created here, and the unscoped
    listing their union.  Attaching two AWS service-role policies to a role
    drives ``OnlyAttached`` and ``AttachmentCount``; detaching one of them a
    second time, or detaching a policy that never existed, is NoSuchEntity.
    """
    conn = boto3.client("iam", region_name="us-west-1")
    conn.create_policy(
        PolicyName="UserManagedPolicy",
        PolicyDocument=MOCK_POLICY,
        Path="/mypolicy/",
        Description="my user managed policy",
    )

    def collect(**scope):
        """Walk every page of ListPolicies for the given keyword filters."""
        collected = []
        marker = "0"
        while marker is not None:
            page = conn.list_policies(Marker=marker, **scope)
            collected.extend(page["Policies"])
            marker = page.get("Marker")
        return collected

    aws_policies = collect(Scope="AWS")
    assert {p.name for p in aws_managed_policies} == {
        p["PolicyName"] for p in aws_policies
    }

    user_policies = conn.list_policies(Scope="Local")["Policies"]
    assert {p["PolicyName"] for p in user_policies} == {"UserManagedPolicy"}

    all_policies = collect()
    assert {p["PolicyName"] for p in all_policies} == {
        p["PolicyName"] for p in aws_policies + user_policies
    }

    # NOTE(review): neither the trust policy nor the path below is a valid IAM
    # value; the mock accepts them, a live endpoint presumably would not.
    role_name = "my-new-role"
    conn.create_role(
        RoleName=role_name, AssumeRolePolicyDocument="test policy", Path="my-path"
    )
    emr_arn = "arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceRole"
    control_tower_arn = (
        "arn:aws:iam::aws:policy/service-role/AWSControlTowerServiceRolePolicy"
    )
    for policy_arn in (emr_arn, control_tower_arn):
        conn.attach_role_policy(PolicyArn=policy_arn, RoleName=role_name)

    attached = conn.list_policies(OnlyAttached=True)["Policies"]
    assert len(attached) == 2
    for policy in attached:
        assert policy["AttachmentCount"] > 0
    role_policies = conn.list_attached_role_policies(RoleName=role_name)
    assert len(role_policies["AttachedPolicies"]) == 2

    conn.detach_role_policy(PolicyArn=emr_arn, RoleName=role_name)

    attached = conn.list_policies(OnlyAttached=True)["Policies"]
    attached_names = [p["PolicyName"] for p in attached]
    assert "AWSControlTowerServiceRolePolicy" in attached_names
    assert "AmazonElasticMapReduceRole" not in attached_names
    for policy in attached:
        assert policy["AttachmentCount"] > 0
    role_policy_names = [
        p["PolicyName"]
        for p in conn.list_attached_role_policies(RoleName=role_name)["AttachedPolicies"]
    ]
    assert "AWSControlTowerServiceRolePolicy" in role_policy_names
    assert "AmazonElasticMapReduceRole" not in role_policy_names

    # Detaching again, or detaching something that never existed, is NoSuchEntity.
    for missing_arn in (emr_arn, "arn:aws:iam::aws:policy/Nonexistent"):
        with pytest.raises(ClientError) as exc_info:
            conn.detach_role_policy(PolicyArn=missing_arn, RoleName=role_name)
        error = exc_info.value.response["Error"]
        assert error["Code"] == "NoSuchEntity"
        assert error["Message"] == "Policy {} was not found.".format(missing_arn)
@mock_iam
def test_create_login_profile__duplicate():
    """A second CreateLoginProfile for the same user is rejected.

    NOTE(review): the assertions pin the mock's current response shape, where
    the human-readable text lands in ``Code`` and ``Message`` is ``None``.
    Real IAM reports this condition as ``EntityAlreadyExists`` — confirm
    before reusing these expectations against a live endpoint.
    """
    conn = boto3.client("iam", region_name="us-east-1")
    user_name = "my-user"
    conn.create_user(UserName=user_name)
    conn.create_login_profile(UserName=user_name, Password="Password")

    with pytest.raises(ClientError) as exc_info:
        conn.create_login_profile(UserName=user_name, Password="my-pass")

    error = exc_info.value.response["Error"]
    assert error["Code"] == "User my-user already has password"
    assert error["Message"] is None
@mock_iam()
def test_attach_detach_user_policy():
    """A customer-managed policy attached to a user appears in ListAttachedUserPolicies; detaching clears it."""
    iam = boto3.resource("iam", region_name="us-east-1")
    client = boto3.client("iam", region_name="us-east-1")

    user = iam.create_user(UserName="test-user")
    policy_name = "UserAttachedPolicy"
    policy = iam.create_policy(
        PolicyName=policy_name,
        PolicyDocument=MOCK_POLICY,
        Path="/mypolicy/",
        Description="my user attached policy",
    )

    def attached_policies():
        return client.list_attached_user_policies(UserName=user.name)[
            "AttachedPolicies"
        ]

    client.attach_user_policy(UserName=user.name, PolicyArn=policy.arn)
    attached = attached_policies()
    assert len(attached) == 1
    assert attached[0]["PolicyArn"] == policy.arn
    assert attached[0]["PolicyName"] == policy_name

    client.detach_user_policy(UserName=user.name, PolicyArn=policy.arn)
    assert len(attached_policies()) == 0
@mock_iam
def test_update_access_key():
    """UpdateAccessKey toggles a key's Status and rejects unknown key ids.

    The re-activation call omits ``UserName`` to cover the path where the
    key's owner is resolved from the key id alone.
    """
    iam = boto3.resource("iam", region_name="us-east-1")
    client = iam.meta.client
    username = "test-user"
    iam.create_user(UserName=username)

    with pytest.raises(ClientError):
        client.update_access_key(
            UserName=username, AccessKeyId="non-existent-key", Status="Inactive"
        )

    key_id = client.create_access_key(UserName=username)["AccessKey"]["AccessKeyId"]

    def current_status():
        metadata = client.list_access_keys(UserName=username)["AccessKeyMetadata"]
        return metadata[0]["Status"]

    client.update_access_key(UserName=username, AccessKeyId=key_id, Status="Inactive")
    assert current_status() == "Inactive"

    client.update_access_key(AccessKeyId=key_id, Status="Active")
    assert current_status() == "Active"
@mock_iam
def test_get_access_key_last_used_when_unused():
    """A never-used key has no LastUsedDate but still reports its owning user."""
    iam = boto3.resource("iam", region_name="us-east-1")
    client = iam.meta.client
    username = "test-user"
    iam.create_user(UserName=username)

    with pytest.raises(ClientError):
        client.get_access_key_last_used(AccessKeyId="non-existent-key-id")

    new_key = client.create_access_key(UserName=username)["AccessKey"]
    result = client.get_access_key_last_used(AccessKeyId=new_key["AccessKeyId"])

    assert "LastUsedDate" not in result["AccessKeyLastUsed"]
    assert result["UserName"] == new_key["UserName"]
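@mock_iam
def test_upload_ssh_public_key():
    """UploadSSHPublicKey echoes the body back with an ``APKA``-prefixed id and a fingerprint.

    NOTE(review): the uploaded body is ``MOCK_CERT``, a PEM X.509 certificate
    rather than an SSH public key; the mock stores it unvalidated, whereas a
    real endpoint would presumably reject it as an invalid key — confirm if
    this fixture is ever pointed at a live account.
    """
    iam = boto3.resource("iam", region_name="us-east-1")
    client = iam.meta.client
    username = "test-user"
    iam.create_user(UserName=username)

    uploaded = client.upload_ssh_public_key(
        UserName=username, SSHPublicKeyBody=MOCK_CERT
    )["SSHPublicKey"]

    assert uploaded["SSHPublicKeyBody"] == MOCK_CERT
    assert uploaded["UserName"] == username
    assert len(uploaded["SSHPublicKeyId"]) == 20
    assert uploaded["SSHPublicKeyId"].startswith("APKA")
    assert "Fingerprint" in uploaded
    assert uploaded["Status"] == "Active"
    # timedelta.seconds discards the days component and wraps a negative delta
    # (clock skew) to 86399, so bound the true elapsed time instead.
    age = datetime.utcnow() - uploaded["UploadDate"].replace(tzinfo=None)
    assert abs(age.total_seconds()) <= 10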
@mock_iam
def test_get_ssh_public_key():
    """get_ssh_public_key returns the uploaded body and rejects unknown ids."""
    iam = boto3.resource("iam", region_name="us-east-1")
    client = iam.meta.client
    username = "test-user"
    iam.create_user(UserName=username)

    # An unknown key id is an error, not an empty result.
    with pytest.raises(ClientError):
        client.get_ssh_public_key(
            UserName=username, SSHPublicKeyId="xxnon-existent-keyxx", Encoding="SSH"
        )

    key_id = client.upload_ssh_public_key(
        UserName=username, SSHPublicKeyBody=MOCK_CERT
    )["SSHPublicKey"]["SSHPublicKeyId"]
    fetched = client.get_ssh_public_key(
        UserName=username, SSHPublicKeyId=key_id, Encoding="SSH"
    )
    assert fetched["SSHPublicKey"]["SSHPublicKeyBody"] == MOCK_CERT
@mock_iam
def test_list_ssh_public_keys():
    """Listing goes from empty to exactly the one key that was uploaded."""
    iam = boto3.resource("iam", region_name="us-east-1")
    client = iam.meta.client
    username = "test-user"
    iam.create_user(UserName=username)

    assert len(client.list_ssh_public_keys(UserName=username)["SSHPublicKeys"]) == 0

    key_id = client.upload_ssh_public_key(
        UserName=username, SSHPublicKeyBody=MOCK_CERT
    )["SSHPublicKey"]["SSHPublicKeyId"]

    listed = client.list_ssh_public_keys(UserName=username)["SSHPublicKeys"]
    assert len(listed) == 1
    assert listed[0]["SSHPublicKeyId"] == key_id
@mock_iam
def test_update_ssh_public_key():
    """A key starts Active and can be set Inactive; unknown ids are rejected."""
    iam = boto3.resource("iam", region_name="us-east-1")
    client = iam.meta.client
    username = "test-user"
    iam.create_user(UserName=username)

    with pytest.raises(ClientError):
        client.update_ssh_public_key(
            UserName=username, SSHPublicKeyId="xxnon-existent-keyxx", Status="Inactive"
        )

    uploaded = client.upload_ssh_public_key(
        UserName=username, SSHPublicKeyBody=MOCK_CERT
    )["SSHPublicKey"]
    key_id = uploaded["SSHPublicKeyId"]
    assert uploaded["Status"] == "Active"

    client.update_ssh_public_key(
        UserName=username, SSHPublicKeyId=key_id, Status="Inactive"
    )
    # Read it back rather than trusting the update response.
    fetched = client.get_ssh_public_key(
        UserName=username, SSHPublicKeyId=key_id, Encoding="SSH"
    )
    assert fetched["SSHPublicKey"]["Status"] == "Inactive"
@mock_iam
def test_delete_ssh_public_key():
    """Deleting the only key empties the listing; unknown ids are rejected."""
    iam = boto3.resource("iam", region_name="us-east-1")
    client = iam.meta.client
    username = "test-user"
    iam.create_user(UserName=username)

    with pytest.raises(ClientError):
        client.delete_ssh_public_key(
            UserName=username, SSHPublicKeyId="xxnon-existent-keyxx"
        )

    key_id = client.upload_ssh_public_key(
        UserName=username, SSHPublicKeyBody=MOCK_CERT
    )["SSHPublicKey"]["SSHPublicKeyId"]
    assert len(client.list_ssh_public_keys(UserName=username)["SSHPublicKeys"]) == 1

    client.delete_ssh_public_key(UserName=username, SSHPublicKeyId=key_id)
    assert len(client.list_ssh_public_keys(UserName=username)["SSHPublicKeys"]) == 0
@mock_iam
def test_get_account_authorization_details():
    """Exercise get_account_authorization_details with each Filter value.

    Builds one role (permissions boundary, tags, inline and attached
    policies, instance profile), one user and one group, then checks that
    each filter returns only its own detail list and that the unfiltered
    call returns everything.
    """
    test_policy = json.dumps(
        {
            "Version": "2012-10-17",
            "Statement": [
                {"Action": "s3:ListBucket", "Resource": "*", "Effect": "Allow"}
            ],
        }
    )
    policy_arn = "arn:aws:iam::{}:policy/testPolicy".format(ACCOUNT_ID)
    boundary_arn = "arn:aws:iam::{}:policy/boundary".format(ACCOUNT_ID)

    conn = boto3.client("iam", region_name="us-east-1")
    # NOTE: "some policy" is not JSON. The mock accepts it as a trust policy
    # without validation, so AssumeRolePolicyDocument parsing is not covered.
    conn.create_role(
        RoleName="my-role",
        AssumeRolePolicyDocument="some policy",
        Path="/my-path/",
        Description="testing",
        PermissionsBoundary=boundary_arn,
    )
    conn.create_user(Path="/", UserName="testUser")
    conn.create_group(Path="/", GroupName="testGroup")
    conn.create_policy(
        PolicyName="testPolicy",
        Path="/",
        PolicyDocument=test_policy,
        Description="Test Policy",
    )

    # User and group each get one inline and one attached policy.
    conn.put_user_policy(
        UserName="testUser", PolicyName="testPolicy", PolicyDocument=test_policy
    )
    conn.attach_user_policy(UserName="testUser", PolicyArn=policy_arn)
    conn.put_group_policy(
        GroupName="testGroup", PolicyName="testPolicy", PolicyDocument=test_policy
    )
    conn.attach_group_policy(GroupName="testGroup", PolicyArn=policy_arn)
    conn.add_user_to_group(UserName="testUser", GroupName="testGroup")

    # The role gets an instance profile, two tags, an inline and an attached policy.
    conn.create_instance_profile(InstanceProfileName="ipn")
    conn.add_role_to_instance_profile(InstanceProfileName="ipn", RoleName="my-role")
    conn.tag_role(
        RoleName="my-role",
        Tags=[
            {"Key": "somekey", "Value": "somevalue"},
            {"Key": "someotherkey", "Value": "someothervalue"},
        ],
    )
    conn.put_role_policy(
        RoleName="my-role", PolicyName="test-policy", PolicyDocument=test_policy
    )
    conn.attach_role_policy(RoleName="my-role", PolicyArn=policy_arn)

    # Filter=["Role"]: only the role, with everything hanging off it.
    result = conn.get_account_authorization_details(Filter=["Role"])
    assert len(result["RoleDetailList"]) == 1
    assert len(result["UserDetailList"]) == 0
    assert len(result["GroupDetailList"]) == 0
    assert len(result["Policies"]) == 0
    role = result["RoleDetailList"][0]
    assert len(role["InstanceProfileList"]) == 1
    profile_role = role["InstanceProfileList"][0]["Roles"][0]
    assert profile_role["Description"] == "testing"
    assert profile_role["PermissionsBoundary"] == {
        "PermissionsBoundaryType": "PermissionsBoundaryPolicy",
        "PermissionsBoundaryArn": boundary_arn,
    }
    assert len(role["Tags"]) == 2
    assert len(role["RolePolicyList"]) == 1
    assert len(role["AttachedManagedPolicies"]) == 1
    assert role["AttachedManagedPolicies"][0]["PolicyName"] == "testPolicy"
    assert role["AttachedManagedPolicies"][0]["PolicyArn"] == policy_arn
    assert role["RolePolicyList"][0]["PolicyDocument"] == json.loads(test_policy)

    # Filter=["User"]: only the user, including its group membership.
    result = conn.get_account_authorization_details(Filter=["User"])
    assert len(result["RoleDetailList"]) == 0
    assert len(result["UserDetailList"]) == 1
    assert len(result["GroupDetailList"]) == 0
    assert len(result["Policies"]) == 0
    user = result["UserDetailList"][0]
    assert len(user["GroupList"]) == 1
    assert len(user["UserPolicyList"]) == 1
    assert len(user["AttachedManagedPolicies"]) == 1
    assert user["AttachedManagedPolicies"][0]["PolicyName"] == "testPolicy"
    assert user["AttachedManagedPolicies"][0]["PolicyArn"] == policy_arn
    assert user["UserPolicyList"][0]["PolicyDocument"] == json.loads(test_policy)

    # Filter=["Group"]: only the group.
    result = conn.get_account_authorization_details(Filter=["Group"])
    assert len(result["RoleDetailList"]) == 0
    assert len(result["UserDetailList"]) == 0
    assert len(result["GroupDetailList"]) == 1
    assert len(result["Policies"]) == 0
    group = result["GroupDetailList"][0]
    assert len(group["GroupPolicyList"]) == 1
    assert len(group["AttachedManagedPolicies"]) == 1
    assert group["AttachedManagedPolicies"][0]["PolicyName"] == "testPolicy"
    assert group["AttachedManagedPolicies"][0]["PolicyArn"] == policy_arn
    assert group["GroupPolicyList"][0]["PolicyDocument"] == json.loads(test_policy)

    # Filter=["LocalManagedPolicy"]: just the customer-managed policy.
    result = conn.get_account_authorization_details(Filter=["LocalManagedPolicy"])
    assert len(result["RoleDetailList"]) == 0
    assert len(result["UserDetailList"]) == 0
    assert len(result["GroupDetailList"]) == 0
    assert len(result["Policies"]) == 1
    assert len(result["Policies"][0]["PolicyVersionList"]) == 1

    # Filter=["AWSManagedPolicy"]: the bundled AWS policies. Only "> 1" is
    # asserted because that set changes with iam/aws_managed_policies.py.
    result = conn.get_account_authorization_details(Filter=["AWSManagedPolicy"])
    assert len(result["RoleDetailList"]) == 0
    assert len(result["UserDetailList"]) == 0
    assert len(result["GroupDetailList"]) == 0
    assert len(result["Policies"]) > 1

    # No filter: everything at once.
    result = conn.get_account_authorization_details()
    assert len(result["RoleDetailList"]) == 1
    assert len(result["UserDetailList"]) == 1
    assert len(result["GroupDetailList"]) == 1
    assert len(result["Policies"]) > 1
@mock_iam
def test_signing_certs():
    """Round-trip a signing certificate: upload, update, list and delete.

    Each operation is also tried against a user that does not exist, and
    upload/update against a non-PEM body or an unknown certificate id.
    """
    client = boto3.client("iam", region_name="us-east-1")
    client.create_user(UserName="testing")

    cert = client.upload_signing_certificate(
        UserName="testing", CertificateBody=MOCK_CERT
    )["Certificate"]
    cert_id = cert["CertificateId"]
    assert cert["UserName"] == "testing"
    assert cert["Status"] == "Active"
    assert cert["CertificateBody"] == MOCK_CERT
    assert cert_id

    # A body that is not a certificate is rejected with a specific code.
    with pytest.raises(ClientError) as ce:
        client.upload_signing_certificate(
            UserName="testing", CertificateBody="notacert"
        )
    assert ce.value.response["Error"]["Code"] == "MalformedCertificate"

    # ...and so is an upload for an unknown user.
    with pytest.raises(ClientError):
        client.upload_signing_certificate(
            UserName="notauser", CertificateBody=MOCK_CERT
        )

    client.update_signing_certificate(
        UserName="testing", CertificateId=cert_id, Status="Inactive"
    )
    with pytest.raises(ClientError):
        client.update_signing_certificate(
            UserName="notauser", CertificateId=cert_id, Status="Inactive"
        )

    # Unknown certificate id: the message must name the id that was asked for.
    missing_id = "x" * 32
    with pytest.raises(ClientError) as ce:
        client.update_signing_certificate(
            UserName="testing", CertificateId=missing_id, Status="Inactive"
        )
    assert ce.value.response["Error"]["Message"] == (
        "The Certificate with id {id} cannot be found.".format(id=missing_id)
    )

    certs = client.list_signing_certificates(UserName="testing")["Certificates"]
    assert len(certs) == 1
    assert certs[0]["CertificateBody"] == MOCK_CERT
    assert certs[0]["Status"] == "Inactive"  # flipped by the update above
    with pytest.raises(ClientError):
        client.list_signing_certificates(UserName="notauser")

    client.delete_signing_certificate(UserName="testing", CertificateId=cert_id)
    with pytest.raises(ClientError):
        client.delete_signing_certificate(UserName="notauser", CertificateId=cert_id)
@mock_iam ( )
def test_create_saml_provider ( ) :
2019-10-31 15:44:26 +00:00
conn = boto3 . client ( " iam " , region_name = " us-east-1 " )
2018-11-19 23:47:21 +00:00
response = conn . create_saml_provider (
2019-10-31 15:44:26 +00:00
Name = " TestSAMLProvider " , SAMLMetadataDocument = " a " * 1024
)
response [ " SAMLProviderArn " ] . should . equal (
2019-12-16 00:22:26 +00:00
" arn:aws:iam:: {} :saml-provider/TestSAMLProvider " . format ( ACCOUNT_ID )
2018-11-19 23:47:21 +00:00
)
@mock_iam ( )
def test_get_saml_provider ( ) :
2019-10-31 15:44:26 +00:00
conn = boto3 . client ( " iam " , region_name = " us-east-1 " )
2018-11-19 23:47:21 +00:00
saml_provider_create = conn . create_saml_provider (
2019-10-31 15:44:26 +00:00
Name = " TestSAMLProvider " , SAMLMetadataDocument = " a " * 1024
2018-11-19 23:47:21 +00:00
)
response = conn . get_saml_provider (
2019-10-31 15:44:26 +00:00
SAMLProviderArn = saml_provider_create [ " SAMLProviderArn " ]
2018-11-19 23:47:21 +00:00
)
2019-10-31 15:44:26 +00:00
response [ " SAMLMetadataDocument " ] . should . equal ( " a " * 1024 )
@mock_iam ( )
def test_list_saml_providers ( ) :
2019-10-31 15:44:26 +00:00
conn = boto3 . client ( " iam " , region_name = " us-east-1 " )
conn . create_saml_provider ( Name = " TestSAMLProvider " , SAMLMetadataDocument = " a " * 1024 )
2018-11-19 23:47:21 +00:00
response = conn . list_saml_providers ( )
2019-10-31 15:44:26 +00:00
response [ " SAMLProviderList " ] [ 0 ] [ " Arn " ] . should . equal (
2019-12-16 00:22:26 +00:00
" arn:aws:iam:: {} :saml-provider/TestSAMLProvider " . format ( ACCOUNT_ID )
2019-10-31 15:44:26 +00:00
)
@mock_iam ( )
def test_delete_saml_provider ( ) :
2019-10-31 15:44:26 +00:00
conn = boto3 . client ( " iam " , region_name = " us-east-1 " )
2018-11-19 23:47:21 +00:00
saml_provider_create = conn . create_saml_provider (
2019-10-31 15:44:26 +00:00
Name = " TestSAMLProvider " , SAMLMetadataDocument = " a " * 1024
2018-11-19 23:47:21 +00:00
)
response = conn . list_saml_providers ( )
2019-10-31 15:44:26 +00:00
len ( response [ " SAMLProviderList " ] ) . should . equal ( 1 )
conn . delete_saml_provider ( SAMLProviderArn = saml_provider_create [ " SAMLProviderArn " ] )
2018-11-19 23:47:21 +00:00
response = conn . list_saml_providers ( )
2019-10-31 15:44:26 +00:00
len ( response [ " SAMLProviderList " ] ) . should . equal ( 0 )
conn . create_user ( UserName = " testing " )
2018-12-29 01:57:47 +00:00
2019-10-31 15:44:26 +00:00
cert_id = " 123456789012345678901234 "
2020-10-06 05:54:49 +00:00
with pytest . raises ( ClientError ) as ce :
2019-10-31 15:44:26 +00:00
conn . delete_signing_certificate ( UserName = " testing " , CertificateId = cert_id )
2018-10-25 01:00:52 +00:00
2020-10-06 06:04:09 +00:00
assert ce . value . response [ " Error " ] [
2019-10-31 15:44:26 +00:00
" Message "
] == " The Certificate with id {id} cannot be found. " . format ( id = cert_id )
2018-10-25 01:00:52 +00:00
# Verify that it's not in the list:
2019-10-31 15:44:26 +00:00
resp = conn . list_signing_certificates ( UserName = " testing " )
assert not resp [ " Certificates " ]
@mock_iam ( )
def test_create_role_defaults ( ) :
""" Tests default values """
conn = boto3 . client ( " iam " , region_name = " us-east-1 " )
2019-12-20 02:30:43 +00:00
conn . create_role ( RoleName = " my-role " , AssumeRolePolicyDocument = " {} " )
2019-11-24 18:19:09 +00:00
# Get role:
role = conn . get_role ( RoleName = " my-role " ) [ " Role " ]
assert role [ " MaxSessionDuration " ] == 3600
assert role . get ( " Description " ) is None
@mock_iam ( )
def test_create_role_with_tags ( ) :
""" Tests both the tag_role and get_role_tags capability """
2019-10-31 15:44:26 +00:00
conn = boto3 . client ( " iam " , region_name = " us-east-1 " )
conn . create_role (
RoleName = " my-role " ,
AssumeRolePolicyDocument = " {} " ,
Tags = [
{ " Key " : " somekey " , " Value " : " somevalue " } ,
{ " Key " : " someotherkey " , " Value " : " someothervalue " } ,
] ,
Description = " testing " ,
)
2019-08-21 19:24:23 +00:00
# Get role:
2019-10-31 15:44:26 +00:00
role = conn . get_role ( RoleName = " my-role " ) [ " Role " ]
assert len ( role [ " Tags " ] ) == 2
assert role [ " Tags " ] [ 0 ] [ " Key " ] == " somekey "
assert role [ " Tags " ] [ 0 ] [ " Value " ] == " somevalue "
assert role [ " Tags " ] [ 1 ] [ " Key " ] == " someotherkey "
assert role [ " Tags " ] [ 1 ] [ " Value " ] == " someothervalue "
assert role [ " Description " ] == " testing "
2019-08-21 19:24:23 +00:00
# Empty is good:
2019-10-31 15:44:26 +00:00
conn . create_role (
RoleName = " my-role2 " ,
AssumeRolePolicyDocument = " {} " ,
Tags = [ { " Key " : " somekey " , " Value " : " " } ] ,
)
tags = conn . list_role_tags ( RoleName = " my-role2 " )
assert len ( tags [ " Tags " ] ) == 1
assert tags [ " Tags " ] [ 0 ] [ " Key " ] == " somekey "
assert tags [ " Tags " ] [ 0 ] [ " Value " ] == " "
2019-08-21 19:24:23 +00:00
# Test creating tags with invalid values:
# With more than 50 tags:
2020-10-06 05:54:49 +00:00
with pytest . raises ( ClientError ) as ce :
2019-10-31 15:44:26 +00:00
too_many_tags = list (
map ( lambda x : { " Key " : str ( x ) , " Value " : str ( x ) } , range ( 0 , 51 ) )
)
conn . create_role (
2022-03-10 14:39:59 +00:00
RoleName = " my-role3 " , AssumeRolePolicyDocument = " {} " , Tags = too_many_tags
2019-10-31 15:44:26 +00:00
)
assert (
" failed to satisfy constraint: Member must have length less than or equal to 50. "
2020-10-06 06:04:09 +00:00
in ce . value . response [ " Error " ] [ " Message " ]
2019-10-31 15:44:26 +00:00
)
2019-08-21 19:24:23 +00:00
# With a duplicate tag:
2020-10-06 05:54:49 +00:00
with pytest . raises ( ClientError ) as ce :
2019-10-31 15:44:26 +00:00
conn . create_role (
RoleName = " my-role3 " ,
AssumeRolePolicyDocument = " {} " ,
Tags = [ { " Key " : " 0 " , " Value " : " " } , { " Key " : " 0 " , " Value " : " " } ] ,
)
assert (
" Duplicate tag keys found. Please note that Tag keys are case insensitive. "
2020-10-06 06:04:09 +00:00
in ce . value . response [ " Error " ] [ " Message " ]
2019-10-31 15:44:26 +00:00
)
2019-08-21 19:24:23 +00:00
# Duplicate tag with different casing:
2020-10-06 05:54:49 +00:00
with pytest . raises ( ClientError ) as ce :
2019-10-31 15:44:26 +00:00
conn . create_role (
RoleName = " my-role3 " ,
AssumeRolePolicyDocument = " {} " ,
Tags = [ { " Key " : " a " , " Value " : " " } , { " Key " : " A " , " Value " : " " } ] ,
)
assert (
" Duplicate tag keys found. Please note that Tag keys are case insensitive. "
2020-10-06 06:04:09 +00:00
in ce . value . response [ " Error " ] [ " Message " ]
2019-10-31 15:44:26 +00:00
)
2019-08-21 19:24:23 +00:00
# With a really big key:
2020-10-06 05:54:49 +00:00
with pytest . raises ( ClientError ) as ce :
2019-10-31 15:44:26 +00:00
conn . create_role (
RoleName = " my-role3 " ,
AssumeRolePolicyDocument = " {} " ,
Tags = [ { " Key " : " 0 " * 129 , " Value " : " " } ] ,
)
assert (
" Member must have length less than or equal to 128. "
2020-10-06 06:04:09 +00:00
in ce . value . response [ " Error " ] [ " Message " ]
2019-10-31 15:44:26 +00:00
)
2019-08-21 19:24:23 +00:00
# With a really big value:
2020-10-06 05:54:49 +00:00
with pytest . raises ( ClientError ) as ce :
2019-10-31 15:44:26 +00:00
conn . create_role (
RoleName = " my-role3 " ,
AssumeRolePolicyDocument = " {} " ,
Tags = [ { " Key " : " 0 " , " Value " : " 0 " * 257 } ] ,
)
assert (
" Member must have length less than or equal to 256. "
2020-10-06 06:04:09 +00:00
in ce . value . response [ " Error " ] [ " Message " ]
2019-10-31 15:44:26 +00:00
)
2019-08-21 19:24:23 +00:00
# With an invalid character:
2020-10-06 05:54:49 +00:00
with pytest . raises ( ClientError ) as ce :
2019-10-31 15:44:26 +00:00
conn . create_role (
RoleName = " my-role3 " ,
AssumeRolePolicyDocument = " {} " ,
Tags = [ { " Key " : " NOWAY! " , " Value " : " " } ] ,
)
assert (
" Member must satisfy regular expression pattern: [ \\ p {L} \\ p {Z} \\ p {N} _.:/=+ \\ -@]+ "
2020-10-06 06:04:09 +00:00
in ce . value . response [ " Error " ] [ " Message " ]
2019-10-31 15:44:26 +00:00
)
@mock_iam ( )
def test_tag_role ( ) :
""" Tests both the tag_role and get_role_tags capability """
2019-10-31 15:44:26 +00:00
conn = boto3 . client ( " iam " , region_name = " us-east-1 " )
2019-01-30 02:09:31 +00:00
conn . create_role ( RoleName = " my-role " , AssumeRolePolicyDocument = " {} " )
# Get without tags:
2019-10-31 15:44:26 +00:00
role = conn . get_role ( RoleName = " my-role " ) [ " Role " ]
assert not role . get ( " Tags " )
2019-01-30 02:09:31 +00:00
# With proper tag values:
2019-10-31 15:44:26 +00:00
conn . tag_role (
RoleName = " my-role " ,
Tags = [
{ " Key " : " somekey " , " Value " : " somevalue " } ,
{ " Key " : " someotherkey " , " Value " : " someothervalue " } ,
] ,
)
2019-01-30 02:09:31 +00:00
# Get role:
2019-10-31 15:44:26 +00:00
role = conn . get_role ( RoleName = " my-role " ) [ " Role " ]
assert len ( role [ " Tags " ] ) == 2
assert role [ " Tags " ] [ 0 ] [ " Key " ] == " somekey "
assert role [ " Tags " ] [ 0 ] [ " Value " ] == " somevalue "
assert role [ " Tags " ] [ 1 ] [ " Key " ] == " someotherkey "
assert role [ " Tags " ] [ 1 ] [ " Value " ] == " someothervalue "
2019-01-30 02:09:31 +00:00
# Same -- but for list_role_tags:
2019-10-31 15:44:26 +00:00
tags = conn . list_role_tags ( RoleName = " my-role " )
assert len ( tags [ " Tags " ] ) == 2
assert role [ " Tags " ] [ 0 ] [ " Key " ] == " somekey "
assert role [ " Tags " ] [ 0 ] [ " Value " ] == " somevalue "
assert role [ " Tags " ] [ 1 ] [ " Key " ] == " someotherkey "
assert role [ " Tags " ] [ 1 ] [ " Value " ] == " someothervalue "
assert not tags [ " IsTruncated " ]
assert not tags . get ( " Marker " )
2019-01-30 02:09:31 +00:00
# Test pagination:
2019-10-31 15:44:26 +00:00
tags = conn . list_role_tags ( RoleName = " my-role " , MaxItems = 1 )
assert len ( tags [ " Tags " ] ) == 1
assert tags [ " IsTruncated " ]
assert tags [ " Tags " ] [ 0 ] [ " Key " ] == " somekey "
assert tags [ " Tags " ] [ 0 ] [ " Value " ] == " somevalue "
assert tags [ " Marker " ] == " 1 "
tags = conn . list_role_tags ( RoleName = " my-role " , Marker = tags [ " Marker " ] )
assert len ( tags [ " Tags " ] ) == 1
assert tags [ " Tags " ] [ 0 ] [ " Key " ] == " someotherkey "
assert tags [ " Tags " ] [ 0 ] [ " Value " ] == " someothervalue "
assert not tags [ " IsTruncated " ]
assert not tags . get ( " Marker " )
2019-01-30 02:09:31 +00:00
# Test updating an existing tag:
2019-10-31 15:44:26 +00:00
conn . tag_role (
RoleName = " my-role " , Tags = [ { " Key " : " somekey " , " Value " : " somenewvalue " } ]
)
tags = conn . list_role_tags ( RoleName = " my-role " )
assert len ( tags [ " Tags " ] ) == 2
assert tags [ " Tags " ] [ 0 ] [ " Key " ] == " somekey "
assert tags [ " Tags " ] [ 0 ] [ " Value " ] == " somenewvalue "
2019-01-30 02:09:31 +00:00
# Empty is good:
2019-10-31 15:44:26 +00:00
conn . tag_role ( RoleName = " my-role " , Tags = [ { " Key " : " somekey " , " Value " : " " } ] )
tags = conn . list_role_tags ( RoleName = " my-role " )
assert len ( tags [ " Tags " ] ) == 2
assert tags [ " Tags " ] [ 0 ] [ " Key " ] == " somekey "
assert tags [ " Tags " ] [ 0 ] [ " Value " ] == " "
2019-01-30 02:09:31 +00:00
# Test creating tags with invalid values:
# With more than 50 tags:
2020-10-06 05:54:49 +00:00
with pytest . raises ( ClientError ) as ce :
2019-10-31 15:44:26 +00:00
too_many_tags = list (
map ( lambda x : { " Key " : str ( x ) , " Value " : str ( x ) } , range ( 0 , 51 ) )
)
conn . tag_role ( RoleName = " my-role " , Tags = too_many_tags )
assert (
" failed to satisfy constraint: Member must have length less than or equal to 50. "
2020-10-06 06:04:09 +00:00
in ce . value . response [ " Error " ] [ " Message " ]
2019-10-31 15:44:26 +00:00
)
2019-01-30 02:09:31 +00:00
# With a duplicate tag:
2020-10-06 05:54:49 +00:00
with pytest . raises ( ClientError ) as ce :
2019-10-31 15:44:26 +00:00
conn . tag_role (
RoleName = " my-role " ,
Tags = [ { " Key " : " 0 " , " Value " : " " } , { " Key " : " 0 " , " Value " : " " } ] ,
)
assert (
" Duplicate tag keys found. Please note that Tag keys are case insensitive. "
2020-10-06 06:04:09 +00:00
in ce . value . response [ " Error " ] [ " Message " ]
2019-10-31 15:44:26 +00:00
)
2019-01-30 02:09:31 +00:00
# Duplicate tag with different casing:
2020-10-06 05:54:49 +00:00
with pytest . raises ( ClientError ) as ce :
2019-10-31 15:44:26 +00:00
conn . tag_role (
RoleName = " my-role " ,
Tags = [ { " Key " : " a " , " Value " : " " } , { " Key " : " A " , " Value " : " " } ] ,
)
assert (
" Duplicate tag keys found. Please note that Tag keys are case insensitive. "
2020-10-06 06:04:09 +00:00
in ce . value . response [ " Error " ] [ " Message " ]
2019-10-31 15:44:26 +00:00
)
2019-01-30 02:09:31 +00:00
# With a really big key:
2020-10-06 05:54:49 +00:00
with pytest . raises ( ClientError ) as ce :
2019-10-31 15:44:26 +00:00
conn . tag_role ( RoleName = " my-role " , Tags = [ { " Key " : " 0 " * 129 , " Value " : " " } ] )
assert (
" Member must have length less than or equal to 128. "
2020-10-06 06:04:09 +00:00
in ce . value . response [ " Error " ] [ " Message " ]
2019-10-31 15:44:26 +00:00
)
2019-01-30 02:09:31 +00:00
# With a really big value:
2020-10-06 05:54:49 +00:00
with pytest . raises ( ClientError ) as ce :
2019-10-31 15:44:26 +00:00
conn . tag_role ( RoleName = " my-role " , Tags = [ { " Key " : " 0 " , " Value " : " 0 " * 257 } ] )
assert (
" Member must have length less than or equal to 256. "
2020-10-06 06:04:09 +00:00
in ce . value . response [ " Error " ] [ " Message " ]
2019-10-31 15:44:26 +00:00
)
2019-01-30 02:09:31 +00:00
# With an invalid character:
2020-10-06 05:54:49 +00:00
with pytest . raises ( ClientError ) as ce :
2019-10-31 15:44:26 +00:00
conn . tag_role ( RoleName = " my-role " , Tags = [ { " Key " : " NOWAY! " , " Value " : " " } ] )
assert (
" Member must satisfy regular expression pattern: [ \\ p {L} \\ p {Z} \\ p {N} _.:/=+ \\ -@]+ "
2020-10-06 06:04:09 +00:00
in ce . value . response [ " Error " ] [ " Message " ]
2019-10-31 15:44:26 +00:00
)
2019-01-30 02:09:31 +00:00
# With a role that doesn't exist:
2020-10-06 05:54:49 +00:00
with pytest . raises ( ClientError ) :
2019-10-31 15:44:26 +00:00
conn . tag_role ( RoleName = " notarole " , Tags = [ { " Key " : " some " , " Value " : " value " } ] )
@mock_iam
def test_untag_role():
    """untag_role removes keys one at a time and validates the TagKeys list."""
    conn = boto3.client("iam", region_name="us-east-1")
    conn.create_role(RoleName="my-role", AssumeRolePolicyDocument="{}")
    conn.tag_role(
        RoleName="my-role",
        Tags=[
            {"Key": "somekey", "Value": "somevalue"},
            {"Key": "someotherkey", "Value": "someothervalue"},
        ],
    )

    conn.untag_role(RoleName="my-role", TagKeys=["somekey"])
    remaining = conn.list_role_tags(RoleName="my-role")["Tags"]
    assert len(remaining) == 1
    assert remaining[0]["Key"] == "someotherkey"
    assert remaining[0]["Value"] == "someothervalue"

    conn.untag_role(RoleName="my-role", TagKeys=["someotherkey"])
    assert not conn.list_role_tags(RoleName="my-role")["Tags"]

    # Each invalid TagKeys list must yield the matching constraint message,
    # and the message must name the tagKeys parameter.
    invalid_cases = [
        (
            [str(i) for i in range(51)],
            "failed to satisfy constraint: Member must have length less than or equal to 50.",
        ),
        (["0" * 129], "Member must have length less than or equal to 128."),
        (
            ["NOWAY!"],
            "Member must satisfy regular expression pattern: [\\p{L}\\p{Z}\\p{N}_.:/=+\\-@]+",
        ),
    ]
    for bad_keys, expected_fragment in invalid_cases:
        with pytest.raises(ClientError) as ce:
            conn.untag_role(RoleName="my-role", TagKeys=bad_keys)
        message = ce.value.response["Error"]["Message"]
        assert expected_fragment in message
        assert "tagKeys" in message

    # Untagging a role that does not exist.
    with pytest.raises(ClientError):
        conn.untag_role(RoleName="notarole", TagKeys=["somevalue"])
@mock_iam()
def test_update_role_description():
    """update_role_description returns the updated Role, echoing its name."""
    iam = boto3.client("iam", region_name="us-east-1")
    role_name = "my-role"

    # The role must not pre-exist: deleting an unknown role is expected to fail.
    with pytest.raises(ClientError):
        iam.delete_role(RoleName=role_name)

    # The trust document is a placeholder string; the mock does not appear to
    # validate it as JSON here.
    iam.create_role(
        RoleName=role_name,
        AssumeRolePolicyDocument="some policy",
        Path="/my-path/",
    )
    updated = iam.update_role_description(RoleName=role_name, Description="test")
    updated["Role"]["RoleName"].should.equal(role_name)
@mock_iam()
def test_update_role():
    """update_role on an existing role succeeds and returns no role payload."""
    iam = boto3.client("iam", region_name="us-east-1")

    # The role must not pre-exist: deleting an unknown role is expected to fail.
    with pytest.raises(ClientError):
        iam.delete_role(RoleName="my-role")

    iam.create_role(
        RoleName="my-role",
        AssumeRolePolicyDocument="some policy",
        Path="/my-path/",
    )
    response = iam.update_role(RoleName="my-role", Description="test")
    # boto3 always adds ResponseMetadata, so a single key means nothing
    # else (no Role object) came back.
    assert len(response) == 1
@mock_iam()
def test_update_role_defaults():
    """update_role without optional arguments leaves MaxSessionDuration at
    3600 and the role without a Description, even if one was set before."""
    iam = boto3.client("iam", region_name="us-east-1")

    # The role must not pre-exist: deleting an unknown role is expected to fail.
    with pytest.raises(ClientError):
        iam.delete_role(RoleName="my-role")

    iam.create_role(
        RoleName="my-role",
        AssumeRolePolicyDocument="some policy",
        Description="test",
        Path="/my-path/",
    )
    response = iam.update_role(RoleName="my-role")
    assert len(response) == 1  # only ResponseMetadata

    role = iam.get_role(RoleName="my-role")["Role"]
    role["MaxSessionDuration"].should.equal(3600)
    # The earlier Description is gone after an update that omits it.
    assert role.get("Description") is None
@mock_iam()
def test_list_entities_for_policy():
    """list_entities_for_policy honours EntityFilter and, with no filter or
    with LocalManagedPolicy, reports every principal the policy is attached to."""
    test_policy = json.dumps(
        {
            "Version": "2012-10-17",
            "Statement": [
                {"Action": "s3:ListBucket", "Resource": "*", "Effect": "Allow"}
            ],
        }
    )
    policy_arn = "arn:aws:iam::{}:policy/testPolicy".format(ACCOUNT_ID)

    conn = boto3.client("iam", region_name="us-east-1")
    conn.create_role(
        RoleName="my-role", AssumeRolePolicyDocument="some policy", Path="/my-path/"
    )
    conn.create_user(Path="/", UserName="testUser")
    conn.create_group(Path="/", GroupName="testGroup")
    conn.create_policy(
        PolicyName="testPolicy",
        Path="/",
        PolicyDocument=test_policy,
        Description="Test Policy",
    )

    # Give the user and the group both an inline policy and the managed policy.
    conn.put_user_policy(
        UserName="testUser", PolicyName="testPolicy", PolicyDocument=test_policy
    )
    conn.put_group_policy(
        GroupName="testGroup", PolicyName="testPolicy", PolicyDocument=test_policy
    )
    conn.attach_user_policy(UserName="testUser", PolicyArn=policy_arn)
    conn.attach_group_policy(GroupName="testGroup", PolicyArn=policy_arn)
    conn.add_user_to_group(UserName="testUser", GroupName="testGroup")

    # Decorate the role with an instance profile, tags, an inline policy and
    # the managed policy.
    conn.create_instance_profile(InstanceProfileName="ipn")
    conn.add_role_to_instance_profile(InstanceProfileName="ipn", RoleName="my-role")
    conn.tag_role(
        RoleName="my-role",
        Tags=[
            {"Key": "somekey", "Value": "somevalue"},
            {"Key": "someotherkey", "Value": "someothervalue"},
        ],
    )
    conn.put_role_policy(
        RoleName="my-role", PolicyName="test-policy", PolicyDocument=test_policy
    )
    conn.attach_role_policy(RoleName="my-role", PolicyArn=policy_arn)

    def _entities(**kwargs):
        # Query the managed policy, optionally restricted by EntityFilter.
        return conn.list_entities_for_policy(PolicyArn=policy_arn, **kwargs)

    def _check_role(response):
        assert response["PolicyRoles"][0]["RoleName"] == "my-role"
        assert "RoleId" in response["PolicyRoles"][0]

    def _check_user(response):
        assert response["PolicyUsers"][0]["UserName"] == "testUser"
        assert "UserId" in response["PolicyUsers"][0]

    def _check_group(response):
        assert response["PolicyGroups"][0]["GroupName"] == "testGroup"
        assert "GroupId" in response["PolicyGroups"][0]

    # A single-entity filter yields only that entity type; the others are empty.
    response = _entities(EntityFilter="Role")
    _check_role(response)
    assert response["PolicyGroups"] == []
    assert response["PolicyUsers"] == []

    response = _entities(EntityFilter="User")
    _check_user(response)
    assert response["PolicyGroups"] == []
    assert response["PolicyRoles"] == []

    response = _entities(EntityFilter="Group")
    _check_group(response)
    assert response["PolicyRoles"] == []
    assert response["PolicyUsers"] == []

    # LocalManagedPolicy and an absent filter both return every attachment.
    for filter_kwargs in ({"EntityFilter": "LocalManagedPolicy"}, {}):
        response = _entities(**filter_kwargs)
        _check_group(response)
        _check_user(response)
        _check_role(response)
@mock_iam()
def test_create_role_no_path():
    """create_role without Path still yields a role ARN, keeps the Description,
    and reports no PermissionsBoundary when none was requested."""
    iam = boto3.client("iam", region_name="us-east-1")
    created = iam.create_role(
        RoleName="my-role",
        AssumeRolePolicyDocument="some policy",
        Description="test",
    )
    role = created["Role"]
    assert role["Arn"] == "arn:aws:iam::{}:role/my-role".format(ACCOUNT_ID)
    assert "PermissionsBoundary" not in role
    assert role["Description"] == "test"
    # NOTE(review): the default Path is not asserted here; only the ARN shape is.
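@mock_iam()
def test_create_role_with_permissions_boundary():
    """A permissions boundary given at creation is returned, can be removed,
    can be re-applied, and a malformed boundary ARN is rejected both on
    put_role_permissions_boundary and on create_role."""
    conn = boto3.client("iam", region_name="us-east-1")
    boundary = "arn:aws:iam::{}:policy/boundary".format(ACCOUNT_ID)
    resp = conn.create_role(
        RoleName="my-role",
        AssumeRolePolicyDocument="some policy",
        Description="test",
        PermissionsBoundary=boundary,
    )
    expected = {
        "PermissionsBoundaryType": "PermissionsBoundaryPolicy",
        "PermissionsBoundaryArn": boundary,
    }
    resp.get("Role").get("PermissionsBoundary").should.equal(expected)
    resp.get("Role").get("Description").should.equal("test")

    conn.delete_role_permissions_boundary(RoleName="my-role")
    conn.list_roles().get("Roles")[0].should_not.have.key("PermissionsBoundary")
    conn.put_role_permissions_boundary(RoleName="my-role", PermissionsBoundary=boundary)
    # Re-read the role from the service: the create_role response above is a
    # snapshot and would still show the boundary even if the put did nothing.
    conn.list_roles().get("Roles")[0].get("PermissionsBoundary").should.equal(expected)

    # Not a policy ARN: both ways of setting it must be refused.
    invalid_boundary_arn = "arn:aws:iam::123456789:not_a_boundary"

    with pytest.raises(ClientError):
        conn.put_role_permissions_boundary(
            RoleName="my-role", PermissionsBoundary=invalid_boundary_arn
        )

    with pytest.raises(ClientError):
        conn.create_role(
            RoleName="bad-boundary",
            AssumeRolePolicyDocument="some policy",
            Description="test",
            PermissionsBoundary=invalid_boundary_arn,
        )

    # The rejected calls must not have disturbed the existing boundary, and the
    # PermissionsBoundary is included in the role listing as well.
    conn.list_roles().get("Roles")[0].get("PermissionsBoundary").should.equal(expected)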
@mock_iam
def test_create_role_with_same_name_should_fail():
    """Creating a role whose name is already taken raises EntityAlreadyExists."""
    iam = boto3.client("iam", region_name="us-east-1")
    # A random name keeps this test independent of roles created elsewhere.
    test_role_name = str(uuid4())
    role_kwargs = dict(
        RoleName=test_role_name,
        AssumeRolePolicyDocument="policy",
        Description="test",
    )
    iam.create_role(**role_kwargs)

    # The second, identical create must be refused.
    with pytest.raises(ClientError) as err:
        iam.create_role(**role_kwargs)
    error = err.value.response["Error"]
    assert error["Code"] == "EntityAlreadyExists"
    assert error["Message"] == "Role with name {0} already exists.".format(
        test_role_name
    )
@mock_iam
def test_create_policy_with_same_name_should_fail():
    """Creating a managed policy whose name is already taken raises
    EntityAlreadyExists with the duplicate-name message."""
    iam = boto3.client("iam", region_name="us-east-1")
    # A random name keeps this test independent of policies created elsewhere.
    test_policy_name = str(uuid4())
    iam.create_policy(PolicyName=test_policy_name, PolicyDocument=MOCK_POLICY)

    # Create the policy again and verify that it is rejected.
    with pytest.raises(ClientError) as err:
        iam.create_policy(PolicyName=test_policy_name, PolicyDocument=MOCK_POLICY)
    error = err.value.response["Error"]
    assert error["Code"] == "EntityAlreadyExists"
    assert error["Message"] == (
        "A policy called {0} already exists. Duplicate names are not allowed.".format(
            test_policy_name
        )
    )
@mock_iam
def test_update_account_password_policy():
    """update_account_password_policy with no arguments installs the mock's
    default policy: minimum length 6 and every requirement flag off."""
    client = boto3.client("iam", region_name="us-east-1")

    client.update_account_password_policy()

    flags = (
        "AllowUsersToChangePassword",
        "ExpirePasswords",
        "RequireLowercaseCharacters",
        "RequireNumbers",
        "RequireSymbols",
        "RequireUppercaseCharacters",
        "HardExpiry",
    )
    expected = {flag: False for flag in flags}
    expected["MinimumPasswordLength"] = 6

    response = client.get_account_password_policy()
    assert response["PasswordPolicy"] == expected
@mock_iam
def test_update_account_password_policy_errors():
    """Out-of-range password policy values are rejected with one validation
    error per offending parameter, reported in a single message."""
    client = boto3.client("iam", region_name="us-east-1")

    expected_message = (
        "3 validation errors detected: "
        'Value "129" at "minimumPasswordLength" failed to satisfy constraint: '
        "Member must have value less than or equal to 128; "
        'Value "25" at "passwordReusePrevention" failed to satisfy constraint: '
        "Member must have value less than or equal to 24; "
        'Value "1096" at "maxPasswordAge" failed to satisfy constraint: '
        "Member must have value less than or equal to 1095"
    )

    # Each value is one past the limit named in the message.
    with pytest.raises(ClientError) as ce:
        client.update_account_password_policy(
            MaxPasswordAge=1096, MinimumPasswordLength=129, PasswordReusePrevention=25
        )
    assert expected_message in str(ce.value)
@mock_iam
def test_get_account_password_policy():
    """get_account_password_policy returns every value that was set."""
    client = boto3.client("iam", region_name="us-east-1")

    requested = {
        "AllowUsersToChangePassword": True,
        "HardExpiry": True,
        "MaxPasswordAge": 60,
        "MinimumPasswordLength": 10,
        "PasswordReusePrevention": 3,
        "RequireLowercaseCharacters": True,
        "RequireNumbers": True,
        "RequireSymbols": True,
        "RequireUppercaseCharacters": True,
    }
    client.update_account_password_policy(**requested)

    response = client.get_account_password_policy()
    # ExpirePasswords is not an input; the mock reports it as True for this
    # fixture (presumably because MaxPasswordAge is set — TODO confirm).
    assert response["PasswordPolicy"] == {**requested, "ExpirePasswords": True}
@mock_iam
def test_get_account_password_policy_errors():
    """Reading the password policy before one is set raises ClientError."""
    client = boto3.client("iam", region_name="us-east-1")

    with pytest.raises(ClientError) as ce:
        client.get_account_password_policy()
    assert (
        "The Password Policy with domain name {} cannot be found.".format(ACCOUNT_ID)
        in str(ce.value)
    )
@mock_iam
def test_delete_account_password_policy():
    """After delete_account_password_policy the policy can no longer be read."""
    client = boto3.client("iam", region_name="us-east-1")

    client.update_account_password_policy()
    before = client.get_account_password_policy()
    assert isinstance(before["PasswordPolicy"], dict)

    client.delete_account_password_policy()

    with pytest.raises(ClientError) as ce:
        client.get_account_password_policy()
    assert (
        "The Password Policy with domain name {} cannot be found.".format(ACCOUNT_ID)
        in str(ce.value)
    )
@mock_iam
def test_get_account_summary():
    """AccountSummary reports zero usage on a fresh account and counts each
    entity type once one of each has been created."""
    client = boto3.client("iam", region_name="us-east-1")
    iam = boto3.resource("iam", region_name="us-east-1")
    account_summary = iam.AccountSummary()

    # Quota entries: fixed values reported by the mock regardless of contents.
    quotas = {
        "GroupPolicySizeQuota": 5120,
        "InstanceProfilesQuota": 1000,
        "GroupsPerUserQuota": 10,
        "AttachedPoliciesPerUserQuota": 10,
        "PoliciesQuota": 1500,
        "AccessKeysPerUserQuota": 2,
        "AssumeRolePolicySizeQuota": 2048,
        "PolicyVersionsInUseQuota": 10000,
        "GlobalEndpointTokenVersion": 1,
        "VersionsPerPolicyQuota": 5,
        "AttachedPoliciesPerGroupQuota": 10,
        "PolicySizeQuota": 6144,
        "UsersQuota": 5000,
        "ServerCertificatesQuota": 20,
        "UserPolicySizeQuota": 2048,
        "RolesQuota": 1000,
        "SigningCertificatesPerUserQuota": 2,
        "RolePolicySizeQuota": 10240,
        "AttachedPoliciesPerRoleQuota": 10,
        "GroupsQuota": 300,
    }
    # Usage counters: all zero on an empty account.
    empty_usage = {
        "Policies": 0,
        "InstanceProfiles": 0,
        "Users": 0,
        "Providers": 0,
        "AccountMFAEnabled": 0,
        "Groups": 0,
        "AccountSigningCertificatesPresent": 0,
        "MFADevices": 0,
        "PolicyVersionsInUse": 0,
        "ServerCertificates": 0,
        "Roles": 0,
        "MFADevicesInUse": 0,
        "AccountAccessKeysPresent": 0,
    }
    account_summary.summary_map.should.equal({**quotas, **empty_usage})

    # Create one of everything the summary counts.
    client.create_instance_profile(InstanceProfileName="test-profile")
    client.create_open_id_connect_provider(Url="https://example.com", ThumbprintList=[])
    response_policy = client.create_policy(
        PolicyName="test-policy", PolicyDocument=MOCK_POLICY
    )
    policy_arn = response_policy["Policy"]["Arn"]
    client.create_role(RoleName="test-role", AssumeRolePolicyDocument="test policy")
    client.attach_role_policy(RoleName="test-role", PolicyArn=policy_arn)
    client.create_saml_provider(
        Name="TestSAMLProvider", SAMLMetadataDocument="a" * 1024
    )
    client.create_group(GroupName="test-group")
    client.attach_group_policy(GroupName="test-group", PolicyArn=policy_arn)
    client.create_user(UserName="test-user")
    client.attach_user_policy(UserName="test-user", PolicyArn=policy_arn)
    client.enable_mfa_device(
        UserName="test-user",
        SerialNumber="123456789",
        AuthenticationCode1="234567",
        AuthenticationCode2="987654",
    )
    client.create_virtual_mfa_device(VirtualMFADeviceName="test-device")
    client.upload_server_certificate(
        ServerCertificateName="test-cert",
        CertificateBody="cert-body",
        PrivateKey="private-key",
    )

    # Providers counts the OIDC and the SAML provider; PolicyVersionsInUse
    # counts the single policy once per attachment (role, group and user).
    populated_usage = {
        **empty_usage,
        "Policies": 1,
        "InstanceProfiles": 1,
        "Users": 1,
        "Providers": 2,
        "Groups": 1,
        "MFADevices": 1,
        "PolicyVersionsInUse": 3,
        "ServerCertificates": 1,
        "Roles": 1,
        "MFADevicesInUse": 1,
    }
    account_summary.load()
    account_summary.summary_map.should.equal({**quotas, **populated_usage})
@mock_iam()
def test_list_user_tags():
    """Tags given to create_user are returned by list_user_tags, in order,
    and a user created without tags lists none."""
    conn = boto3.client("iam", region_name="us-east-1")
    conn.create_user(UserName="kenny-bania")
    conn.create_user(
        UserName="jackie-chiles", Tags=[{"Key": "Sue-Allen", "Value": "Oh-Henry"}]
    )
    conn.create_user(
        UserName="cosmo",
        Tags=[
            {"Key": "Stan", "Value": "The Caddy"},
            {"Key": "like-a", "Value": "glove"},
        ],
    )

    expected_tags = {
        "kenny-bania": [],
        "jackie-chiles": [{"Key": "Sue-Allen", "Value": "Oh-Henry"}],
        "cosmo": [
            {"Key": "Stan", "Value": "The Caddy"},
            {"Key": "like-a", "Value": "glove"},
        ],
    }
    for user_name, tags in expected_tags.items():
        response = conn.list_user_tags(UserName=user_name)
        assert response["Tags"] == tags
        # No pagination is expected for these small tag sets.
        assert response["IsTruncated"] is False
@mock_iam()
def test_delete_role_with_instance_profiles_present():
    """A role that is not in any instance profile can be deleted while another
    role is attached to an instance profile."""
    iam = boto3.client("iam", region_name="us-east-1")
    trust_policy = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
""".strip()

    # Role1 sits in an instance profile; Role2 does not.
    iam.create_role(RoleName="Role1", AssumeRolePolicyDocument=trust_policy)
    iam.create_instance_profile(InstanceProfileName="IP1")
    iam.add_role_to_instance_profile(InstanceProfileName="IP1", RoleName="Role1")
    iam.create_role(RoleName="Role2", AssumeRolePolicyDocument=trust_policy)

    iam.delete_role(RoleName="Role2")

    remaining = {role["RoleName"] for role in iam.list_roles()["Roles"]}
    assert "Role1" in remaining
    assert "Role2" not in remaining
    # NOTE(review): the conflicting case (deleting Role1 while IP1 still
    # references it) is not asserted here.
@mock_iam
def test_delete_account_password_policy_errors():
    """Deleting the password policy when none was ever set raises ClientError."""
    client = boto3.client("iam", region_name="us-east-1")

    with pytest.raises(ClientError) as ce:
        client.delete_account_password_policy()
    assert "The account policy with name PasswordPolicy cannot be found." in str(
        ce.value
    )
@mock_iam
def test_role_list_config_discovered_resources():
    """The Config backend lists IAM roles and filters them by id and by name."""
    from moto.iam.config import role_config_query

    def _discover(resource_ids=None, resource_name=None):
        # list_config_service_resources(ids, name, limit, next_token) returns
        # (resources, next_token); only the resource list matters here.
        return role_config_query.list_config_service_resources(
            resource_ids, resource_name, 100, None
        )[0]

    # Without any roles the full tuple is empty.
    assert role_config_query.list_config_service_resources(None, None, 100, None) == (
        [],
        None,
    )

    # Make 3 roles straight in the backend and remember their generated ids.
    num_roles = 3
    roles = []
    for ix in range(1, num_roles + 1):
        created = role_config_query.backends["global"].create_role(
            role_name="role{}".format(ix),
            assume_role_policy_document=None,
            path="/",
            permissions_boundary=None,
            description="role{}".format(ix),
            tags=[{"Key": "foo", "Value": "bar"}],
            max_session_duration=3600,
        )
        roles.append({"id": created.id, "name": created.name})
    assert len(roles) == num_roles

    result = _discover()
    assert len(result) == num_roles

    # Role ids are random, so membership is checked instead of a fixed value.
    known_ids = {r["id"] for r in roles}
    known_names = {r["name"] for r in roles}
    role = result[0]
    assert role["type"] == "AWS::IAM::Role"
    assert role["id"] in known_ids
    assert role["name"] in known_names
    assert role["region"] == "global"

    # Filter by a list of resource ids.
    assert len(_discover(resource_ids=[roles[0]["id"], roles[1]["id"]])) == 2

    # Filter by a single resource name.
    by_name = _discover(resource_name=roles[0]["name"])
    assert len(by_name) == 1
    assert by_name[0]["id"] == roles[0]["id"]
    assert by_name[0]["name"] == roles[0]["name"]

    # Name and ids together: a name whose role is among the ids matches ...
    both_good = _discover(
        resource_ids=[roles[0]["id"], roles[1]["id"]], resource_name=roles[0]["name"]
    )
    assert len(both_good) == 1
    assert both_good[0]["id"] == roles[0]["id"]
    assert both_good[0]["name"] == roles[0]["name"]
    # ... and a name whose role is outside the id list yields nothing.
    both_bad = _discover(
        resource_ids=[roles[0]["id"], roles[1]["id"]], resource_name=roles[2]["name"]
    )
    assert len(both_bad) == 0
@mock_iam
def test_role_config_dict ( ) :
from moto . iam . config import role_config_query , policy_config_query
from moto . iam . utils import random_resource_id , random_policy_id
# Without any roles
assert not role_config_query . get_config_resource ( " something " )
assert role_config_query . list_config_service_resources ( None , None , 100 , None ) == (
[ ] ,
None ,
)
basic_assume_role = {
" Version " : " 2012-10-17 " ,
" Statement " : [
{ " Effect " : " Allow " , " Principal " : { " AWS " : " * " } , " Action " : " sts:AssumeRole " }
] ,
}
basic_policy = {
" Version " : " 2012-10-17 " ,
" Statement " : [ { " Action " : [ " ec2:* " ] , " Effect " : " Allow " , " Resource " : " * " } ] ,
}
# Create a policy for use in role permissions boundary
policy_arn = (
policy_config_query . backends [ " global " ]
. create_policy (
description = " basic_policy " ,
path = " / " ,
policy_document = json . dumps ( basic_policy ) ,
policy_name = " basic_policy " ,
tags = [ ] ,
)
. arn
)
policy_id = policy_config_query . list_config_service_resources (
None , None , 100 , None
) [ 0 ] [ 0 ] [ " id " ]
assert len ( policy_id ) == len ( random_policy_id ( ) )
# Create some roles (and grab them repeatedly since they create with random names)
role_config_query . backends [ " global " ] . create_role (
role_name = " plain_role " ,
assume_role_policy_document = None ,
path = " / " ,
permissions_boundary = None ,
description = " plain_role " ,
tags = [ { " Key " : " foo " , " Value " : " bar " } ] ,
max_session_duration = 3600 ,
)
plain_role = role_config_query . list_config_service_resources ( None , None , 100 , None ) [
0
] [ 0 ]
assert plain_role is not None
assert len ( plain_role [ " id " ] ) == len ( random_resource_id ( ) )
role_config_query . backends [ " global " ] . create_role (
role_name = " assume_role " ,
assume_role_policy_document = json . dumps ( basic_assume_role ) ,
path = " / " ,
permissions_boundary = None ,
description = " assume_role " ,
tags = [ ] ,
max_session_duration = 3600 ,
)
assume_role = next (
role
for role in role_config_query . list_config_service_resources (
None , None , 100 , None
) [ 0 ]
if role [ " id " ] not in [ plain_role [ " id " ] ]
)
assert assume_role is not None
assert len ( assume_role [ " id " ] ) == len ( random_resource_id ( ) )
assert assume_role [ " id " ] is not plain_role [ " id " ]
role_config_query . backends [ " global " ] . create_role (
role_name = " assume_and_permission_boundary_role " ,
assume_role_policy_document = json . dumps ( basic_assume_role ) ,
path = " / " ,
permissions_boundary = policy_arn ,
description = " assume_and_permission_boundary_role " ,
tags = [ ] ,
max_session_duration = 3600 ,
)
assume_and_permission_boundary_role = next (
role
for role in role_config_query . list_config_service_resources (
None , None , 100 , None
) [ 0 ]
if role [ " id " ] not in [ plain_role [ " id " ] , assume_role [ " id " ] ]
)
assert assume_and_permission_boundary_role is not None
assert len ( assume_and_permission_boundary_role [ " id " ] ) == len ( random_resource_id ( ) )
assert assume_and_permission_boundary_role [ " id " ] is not plain_role [ " id " ]
assert assume_and_permission_boundary_role [ " id " ] is not assume_role [ " id " ]
role_config_query . backends [ " global " ] . create_role (
role_name = " role_with_attached_policy " ,
assume_role_policy_document = json . dumps ( basic_assume_role ) ,
path = " / " ,
permissions_boundary = None ,
description = " role_with_attached_policy " ,
tags = [ ] ,
max_session_duration = 3600 ,
)
role_config_query . backends [ " global " ] . attach_role_policy (
policy_arn , " role_with_attached_policy "
)
role_with_attached_policy = next (
role
for role in role_config_query . list_config_service_resources (
None , None , 100 , None
) [ 0 ]
if role [ " id " ]
not in [
plain_role [ " id " ] ,
assume_role [ " id " ] ,
assume_and_permission_boundary_role [ " id " ] ,
]
)
assert role_with_attached_policy is not None
assert len ( role_with_attached_policy [ " id " ] ) == len ( random_resource_id ( ) )
assert role_with_attached_policy [ " id " ] is not plain_role [ " id " ]
assert role_with_attached_policy [ " id " ] is not assume_role [ " id " ]
assert (
role_with_attached_policy [ " id " ] is not assume_and_permission_boundary_role [ " id " ]
)
role_config_query . backends [ " global " ] . create_role (
role_name = " role_with_inline_policy " ,
assume_role_policy_document = json . dumps ( basic_assume_role ) ,
path = " / " ,
permissions_boundary = None ,
description = " role_with_inline_policy " ,
tags = [ ] ,
max_session_duration = 3600 ,
)
role_config_query . backends [ " global " ] . put_role_policy (
" role_with_inline_policy " , " inline_policy " , json . dumps ( basic_policy )
)
role_with_inline_policy = next (
role
for role in role_config_query . list_config_service_resources (
None , None , 100 , None
) [ 0 ]
if role [ " id " ]
not in [
plain_role [ " id " ] ,
assume_role [ " id " ] ,
assume_and_permission_boundary_role [ " id " ] ,
role_with_attached_policy [ " id " ] ,
]
)
assert role_with_inline_policy is not None
assert len ( role_with_inline_policy [ " id " ] ) == len ( random_resource_id ( ) )
assert role_with_inline_policy [ " id " ] is not plain_role [ " id " ]
assert role_with_inline_policy [ " id " ] is not assume_role [ " id " ]
assert (
role_with_inline_policy [ " id " ] is not assume_and_permission_boundary_role [ " id " ]
)
assert role_with_inline_policy [ " id " ] is not role_with_attached_policy [ " id " ]
# plain role
plain_role_config = (
role_config_query . backends [ " global " ] . roles [ plain_role [ " id " ] ] . to_config_dict ( )
)
assert plain_role_config [ " version " ] == " 1.3 "
assert plain_role_config [ " configurationItemStatus " ] == " ResourceDiscovered "
assert plain_role_config [ " configurationStateId " ] is not None
assert plain_role_config [ " arn " ] == " arn:aws:iam::123456789012:role/plain_role "
assert plain_role_config [ " resourceType " ] == " AWS::IAM::Role "
assert plain_role_config [ " resourceId " ] == " plain_role "
assert plain_role_config [ " resourceName " ] == " plain_role "
assert plain_role_config [ " awsRegion " ] == " global "
assert plain_role_config [ " availabilityZone " ] == " Not Applicable "
assert plain_role_config [ " resourceCreationTime " ] is not None
assert plain_role_config [ " tags " ] == { " foo " : { " Key " : " foo " , " Value " : " bar " } }
assert plain_role_config [ " configuration " ] [ " path " ] == " / "
assert plain_role_config [ " configuration " ] [ " roleName " ] == " plain_role "
assert plain_role_config [ " configuration " ] [ " roleId " ] == plain_role [ " id " ]
assert plain_role_config [ " configuration " ] [ " arn " ] == plain_role_config [ " arn " ]
assert plain_role_config [ " configuration " ] [ " assumeRolePolicyDocument " ] is None
assert plain_role_config [ " configuration " ] [ " instanceProfileList " ] == [ ]
assert plain_role_config [ " configuration " ] [ " rolePolicyList " ] == [ ]
assert plain_role_config [ " configuration " ] [ " attachedManagedPolicies " ] == [ ]
assert plain_role_config [ " configuration " ] [ " permissionsBoundary " ] is None
assert plain_role_config [ " configuration " ] [ " tags " ] == [
{ " key " : " foo " , " value " : " bar " }
]
assert plain_role_config [ " supplementaryConfiguration " ] == { }
# assume_role
assume_role_config = (
role_config_query . backends [ " global " ] . roles [ assume_role [ " id " ] ] . to_config_dict ( )
)
assert assume_role_config [ " arn " ] == " arn:aws:iam::123456789012:role/assume_role "
assert assume_role_config [ " resourceId " ] == " assume_role "
assert assume_role_config [ " resourceName " ] == " assume_role "
assert assume_role_config [ " configuration " ] [
" assumeRolePolicyDocument "
] == parse . quote ( json . dumps ( basic_assume_role ) )
# assume_and_permission_boundary_role
assume_and_permission_boundary_role_config = (
role_config_query . backends [ " global " ]
. roles [ assume_and_permission_boundary_role [ " id " ] ]
. to_config_dict ( )
)
assert (
assume_and_permission_boundary_role_config [ " arn " ]
== " arn:aws:iam::123456789012:role/assume_and_permission_boundary_role "
)
assert (
assume_and_permission_boundary_role_config [ " resourceId " ]
== " assume_and_permission_boundary_role "
)
assert (
assume_and_permission_boundary_role_config [ " resourceName " ]
== " assume_and_permission_boundary_role "
)
assert assume_and_permission_boundary_role_config [ " configuration " ] [
" assumeRolePolicyDocument "
] == parse . quote ( json . dumps ( basic_assume_role ) )
assert (
assume_and_permission_boundary_role_config [ " configuration " ] [
" permissionsBoundary "
]
== policy_arn
)
# role_with_attached_policy
role_with_attached_policy_config = (
role_config_query . backends [ " global " ]
. roles [ role_with_attached_policy [ " id " ] ]
. to_config_dict ( )
)
assert (
role_with_attached_policy_config [ " arn " ]
== " arn:aws:iam::123456789012:role/role_with_attached_policy "
)
assert role_with_attached_policy_config [ " configuration " ] [
" attachedManagedPolicies "
] == [ { " policyArn " : policy_arn , " policyName " : " basic_policy " } ]
# role_with_inline_policy
role_with_inline_policy_config = (
role_config_query . backends [ " global " ]
. roles [ role_with_inline_policy [ " id " ] ]
. to_config_dict ( )
)
assert (
role_with_inline_policy_config [ " arn " ]
== " arn:aws:iam::123456789012:role/role_with_inline_policy "
)
assert role_with_inline_policy_config [ " configuration " ] [ " rolePolicyList " ] == [
{
" policyName " : " inline_policy " ,
" policyDocument " : parse . quote ( json . dumps ( basic_policy ) ) ,
}
]
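@mock_iam
@mock_config
def test_role_config_client():
    """Exercise AWS Config discovery of IAM roles through the boto3 clients.

    Covers plain and aggregated ``list_*discovered_resources`` (pagination,
    name/id filters, ``Limit``) and both ``batch_get*`` calls. IAM is a
    global service, so an aggregator that spans every region reports the
    same role once per region; the aggregated assertions rely on that.
    """
    from moto.iam.utils import random_resource_id

    CONFIG_REGIONS = boto3.Session().get_available_regions("config")

    iam_client = boto3.client("iam", region_name="us-west-2")
    config_client = boto3.client("config", region_name="us-west-2")

    all_account_aggregation_source = {
        "AccountIds": [ACCOUNT_ID],
        "AllAwsRegions": True,
    }
    two_region_account_aggregation_source = {
        "AccountIds": [ACCOUNT_ID],
        "AwsRegions": ["us-east-1", "us-west-2"],
    }
    config_client.put_configuration_aggregator(
        ConfigurationAggregatorName="test_aggregator",
        AccountAggregationSources=[all_account_aggregation_source],
    )
    config_client.put_configuration_aggregator(
        ConfigurationAggregatorName="test_aggregator_two_regions",
        AccountAggregationSources=[two_region_account_aggregation_source],
    )

    # No roles exist yet, so discovery must come back empty.
    result = config_client.list_discovered_resources(resourceType="AWS::IAM::Role")
    assert not result["resourceIdentifiers"]

    # Make 10 roles. The trust policy is the empty document ``{}`` (an actual
    # JSON object, not the JSON *string* ``"{}"`` that ``json.dumps("{}")``
    # would produce). Nothing below inspects the trust policy.
    roles = []
    num_roles = 10
    for ix in range(1, num_roles + 1):
        this_role = iam_client.create_role(
            RoleName="role{}".format(ix),
            Path="/",
            Description="role{}".format(ix),
            AssumeRolePolicyDocument=json.dumps({}),
        )
        roles.append(
            {"id": this_role["Role"]["RoleId"], "name": this_role["Role"]["RoleName"]}
        )
    assert len(roles) == num_roles

    # Non-aggregated query: every id is random, so names cannot be checked by
    # ordering; only the shape of the first entry is verified.
    result = config_client.list_discovered_resources(
        resourceType="AWS::IAM::Role", limit=1
    )
    first_result = result["resourceIdentifiers"][0]["resourceId"]
    assert result["resourceIdentifiers"][0]["resourceType"] == "AWS::IAM::Role"
    assert len(first_result) == len(random_resource_id())

    # Non-aggregated pagination: the next page must not repeat the first id.
    assert (
        config_client.list_discovered_resources(
            resourceType="AWS::IAM::Role", limit=1, nextToken=result["nextToken"]
        )["resourceIdentifiers"][0]["resourceId"]
    ) != first_result

    # Aggregated query: with ``Limit=len(CONFIG_REGIONS)`` the first page is a
    # single role duplicated across all regions.
    agg_result = config_client.list_aggregate_discovered_resources(
        ResourceType="AWS::IAM::Role",
        ConfigurationAggregatorName="test_aggregator",
        Limit=len(CONFIG_REGIONS),
    )
    agg_items = agg_result["ResourceIdentifiers"]
    assert len(agg_items) == len(CONFIG_REGIONS)
    for resource in agg_items:
        assert resource["ResourceType"] == "AWS::IAM::Role"
        assert resource["SourceRegion"] in CONFIG_REGIONS
        assert resource["SourceAccountId"] == ACCOUNT_ID
    agg_id = agg_items[0]["ResourceId"]
    agg_name = agg_items[0]["ResourceName"]
    assert all(resource["ResourceId"] == agg_id for resource in agg_items)
    assert all(resource["ResourceName"] == agg_name for resource in agg_items)

    # Aggregated pagination: nothing on the next page carries the first id.
    for resource in config_client.list_aggregate_discovered_resources(
        ConfigurationAggregatorName="test_aggregator",
        ResourceType="AWS::IAM::Role",
        NextToken=agg_result["NextToken"],
    )["ResourceIdentifiers"]:
        assert resource["ResourceId"] != agg_id

    # Non-aggregated resource name / id filters.
    assert (
        config_client.list_discovered_resources(
            resourceType="AWS::IAM::Role", resourceName=roles[1]["name"], limit=1
        )["resourceIdentifiers"][0]["resourceName"]
        == roles[1]["name"]
    )
    assert (
        config_client.list_discovered_resources(
            resourceType="AWS::IAM::Role", resourceIds=[roles[0]["id"]], limit=1
        )["resourceIdentifiers"][0]["resourceName"]
        == roles[0]["name"]
    )

    # Aggregated resource name / id filters: a match is reported once per
    # region the aggregator covers.
    agg_name_filter = config_client.list_aggregate_discovered_resources(
        ConfigurationAggregatorName="test_aggregator",
        ResourceType="AWS::IAM::Role",
        Filters={"ResourceName": roles[5]["name"]},
    )
    assert len(agg_name_filter["ResourceIdentifiers"]) == len(CONFIG_REGIONS)
    assert agg_name_filter["ResourceIdentifiers"][0]["ResourceId"] == roles[5]["id"]

    agg_name_filter = config_client.list_aggregate_discovered_resources(
        ConfigurationAggregatorName="test_aggregator_two_regions",
        ResourceType="AWS::IAM::Role",
        Filters={"ResourceName": roles[5]["name"]},
    )
    assert len(agg_name_filter["ResourceIdentifiers"]) == len(
        two_region_account_aggregation_source["AwsRegions"]
    )
    assert agg_name_filter["ResourceIdentifiers"][0]["ResourceId"] == roles[5]["id"]

    agg_id_filter = config_client.list_aggregate_discovered_resources(
        ConfigurationAggregatorName="test_aggregator",
        ResourceType="AWS::IAM::Role",
        Filters={"ResourceId": roles[4]["id"]},
    )
    assert len(agg_id_filter["ResourceIdentifiers"]) == len(CONFIG_REGIONS)
    assert agg_id_filter["ResourceIdentifiers"][0]["ResourceName"] == roles[4]["name"]

    agg_id_filter = config_client.list_aggregate_discovered_resources(
        ConfigurationAggregatorName="test_aggregator_two_regions",
        ResourceType="AWS::IAM::Role",
        Filters={"ResourceId": roles[5]["id"]},
    )
    assert len(agg_id_filter["ResourceIdentifiers"]) == len(
        two_region_account_aggregation_source["AwsRegions"]
    )
    assert agg_id_filter["ResourceIdentifiers"][0]["ResourceName"] == roles[5]["name"]

    # The aggregated filters also honour ``Limit``.
    assert (
        config_client.list_aggregate_discovered_resources(
            ConfigurationAggregatorName="test_aggregator",
            ResourceType="AWS::IAM::Role",
            Filters={"ResourceName": roles[5]["name"]},
            Limit=1,
        )["ResourceIdentifiers"][0]["ResourceName"]
        == roles[5]["name"]
    )
    assert (
        config_client.list_aggregate_discovered_resources(
            ConfigurationAggregatorName="test_aggregator",
            ResourceType="AWS::IAM::Role",
            Filters={"ResourceId": roles[4]["id"]},
            Limit=1,
        )["ResourceIdentifiers"][0]["ResourceName"]
        == roles[4]["name"]
    )

    # Name / id filter combined with pagination: two ids, one per page.
    wanted_ids = [roles[1]["id"], roles[2]["id"]]
    wanted_names = [roles[1]["name"], roles[2]["name"]]
    first_call = config_client.list_discovered_resources(
        resourceType="AWS::IAM::Role", resourceIds=wanted_ids, limit=1
    )
    assert first_call["nextToken"] in wanted_ids
    assert first_call["resourceIdentifiers"][0]["resourceName"] in wanted_names
    second_call = config_client.list_discovered_resources(
        resourceType="AWS::IAM::Role",
        resourceIds=wanted_ids,
        limit=1,
        nextToken=first_call["nextToken"],
    )
    assert "nextToken" not in second_call
    # The second page must hold the *other* matching role.
    assert second_call["resourceIdentifiers"][0]["resourceName"] in wanted_names
    assert (
        first_call["resourceIdentifiers"][0]["resourceName"]
        != second_call["resourceIdentifiers"][0]["resourceName"]
    )

    # Non-aggregated batch get.
    batch = config_client.batch_get_resource_config(
        resourceKeys=[{"resourceType": "AWS::IAM::Role", "resourceId": roles[0]["id"]}]
    )
    assert batch["baseConfigurationItems"][0]["resourceName"] == roles[0]["name"]

    # Aggregated batch get: a global resource can be fetched via any region.
    agg_batch = config_client.batch_get_aggregate_resource_config(
        ConfigurationAggregatorName="test_aggregator",
        ResourceIdentifiers=[
            {
                "SourceAccountId": ACCOUNT_ID,
                "SourceRegion": "us-east-1",
                "ResourceId": roles[1]["id"],
                "ResourceType": "AWS::IAM::Role",
            }
        ],
    )
    assert agg_batch["BaseConfigurationItems"][0]["resourceName"] == roles[1]["name"]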
@mock_iam
def test_policy_list_config_discovered_resources():
    """List managed policies through the IAM Config query object.

    Checks the empty case, the shape of a listed item, and that the
    resource-id and resource-name filters combine as an intersection.
    """
    from moto.iam.config import policy_config_query

    def list_policies(resource_ids, resource_name):
        # Page size 100, no continuation token; returns (items, next_token).
        return policy_config_query.list_config_service_resources(
            resource_ids, resource_name, 100, None
        )

    # Without any policies: empty page and no continuation token.
    assert list_policies(None, None) == ([], None)

    deny_key_pair_deletion = {
        "Version": "2012-10-17",
        "Statement": [
            {"Action": ["ec2:DeleteKeyPair"], "Effect": "Deny", "Resource": "*"}
        ],
    }

    # Make 3 policies directly in the backend.
    backend = policy_config_query.backends["global"]
    num_policies = 3
    policies = []
    for ix in range(1, num_policies + 1):
        label = "policy{}".format(ix)
        created = backend.create_policy(
            description=label,
            path="",
            policy_document=json.dumps(deny_key_pair_deletion),
            policy_name=label,
            tags=[],
        )
        policies.append({"id": created.id, "name": created.name})
    assert len(policies) == num_policies

    # The backend keys managed policies by ARN.
    for backend_key in list(backend.managed_policies.keys()):
        assert backend_key.startswith("arn:aws:iam::")

    listed = list_policies(None, None)[0]
    assert len(listed) == num_policies
    known_ids = {p["id"] for p in policies}
    known_names = {p["name"] for p in policies}
    first = listed[0]
    assert first["type"] == "AWS::IAM::Policy"
    assert first["id"] in known_ids
    assert first["name"] in known_names
    assert first["region"] == "global"

    # Filter by a list of resource ids.
    two_ids = [policies[0]["id"], policies[1]["id"]]
    assert len(list_policies(two_ids, None)[0]) == 2

    # Filter by a single resource name.
    by_name = list_policies(None, policies[0]["name"])[0]
    assert len(by_name) == 1
    assert by_name[0]["id"] == policies[0]["id"]
    assert by_name[0]["name"] == policies[0]["name"]

    # Name AND ids: only a policy matching both filters survives.
    both_match = list_policies(two_ids, policies[0]["name"])[0]
    assert len(both_match) == 1
    assert both_match[0]["id"] == policies[0]["id"]
    assert both_match[0]["name"] == policies[0]["name"]
    assert len(list_policies(two_ids, policies[2]["name"])[0]) == 0
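@mock_iam
def test_policy_config_dict():
    """Check the AWS Config item moto builds for a managed policy.

    Creates ``basic_policy``, adds a second (default) version and attaches
    the policy to a role, then verifies every field of ``to_config_dict()``
    including the version list and the attachment count.
    """
    from moto.iam.config import role_config_query, policy_config_query
    from moto.iam.utils import random_policy_id

    # Without any policies: lookup by ARN and listing both come back empty.
    assert not policy_config_query.get_config_resource(
        "arn:aws:iam::123456789012:policy/basic_policy"
    )
    assert policy_config_query.list_config_service_resources(None, None, 100, None) == (
        [],
        None,
    )

    basic_policy = {
        "Version": "2012-10-17",
        "Statement": [{"Action": ["ec2:*"], "Effect": "Allow", "Resource": "*"}],
    }
    basic_policy_v2 = {
        "Version": "2012-10-17",
        "Statement": [
            {"Action": ["ec2:*", "s3:*"], "Effect": "Allow", "Resource": "*"}
        ],
    }

    policy_arn = (
        policy_config_query.backends["global"]
        .create_policy(
            description="basic_policy",
            path="/",
            policy_document=json.dumps(basic_policy),
            policy_name="basic_policy",
            tags=[],
        )
        .arn
    )
    policy_id = policy_config_query.list_config_service_resources(
        None, None, 100, None
    )[0][0]["id"]
    assert len(policy_id) == len(random_policy_id())
    assert policy_arn == "arn:aws:iam::123456789012:policy/basic_policy"
    # Config looks the policy up by its id, not its ARN.
    assert policy_config_query.get_config_resource(policy_id) is not None

    # Create a new version and make it the default. NOTE(review): the backend
    # is handed the raw request value, so "true" is passed as a string here;
    # the ``defaultVersionId == "v2"`` check below is what proves it took
    # effect - verify against create_policy_version before changing this.
    policy_config_query.backends["global"].create_policy_version(
        policy_arn, json.dumps(basic_policy_v2), "true"
    )

    # Create a role and attach the policy so attachmentCount becomes 1.
    role_config_query.backends["global"].create_role(
        role_name="role_with_attached_policy",
        assume_role_policy_document=None,
        path="/",
        permissions_boundary=None,
        description="role_with_attached_policy",
        tags=[],
        max_session_duration=3600,
    )
    role_config_query.backends["global"].attach_role_policy(
        policy_arn, "role_with_attached_policy"
    )

    policy = (
        role_config_query.backends["global"]
        .managed_policies["arn:aws:iam::123456789012:policy/basic_policy"]
        .to_config_dict()
    )
    assert policy["version"] == "1.3"
    assert policy["configurationItemCaptureTime"] is not None
    assert policy["configurationItemStatus"] == "OK"
    assert policy["configurationStateId"] is not None
    assert policy["arn"] == "arn:aws:iam::123456789012:policy/basic_policy"
    assert policy["resourceType"] == "AWS::IAM::Policy"
    assert len(policy["resourceId"]) == len(random_policy_id())
    assert policy["resourceName"] == "basic_policy"
    # Managed policies are global: no region, no AZ.
    assert policy["awsRegion"] == "global"
    assert policy["availabilityZone"] == "Not Applicable"
    assert policy["resourceCreationTime"] is not None
    assert policy["configuration"]["policyName"] == policy["resourceName"]
    assert policy["configuration"]["policyId"] == policy["resourceId"]
    assert policy["configuration"]["arn"] == policy["arn"]
    assert policy["configuration"]["path"] == "/"
    assert policy["configuration"]["defaultVersionId"] == "v2"
    assert policy["configuration"]["attachmentCount"] == 1
    assert policy["configuration"]["permissionsBoundaryUsageCount"] == 0
    assert policy["configuration"]["isAttachable"] is True
    assert policy["configuration"]["description"] == "basic_policy"
    assert policy["configuration"]["createDate"] is not None
    assert policy["configuration"]["updateDate"] is not None
    # Documents are URL-encoded in the Config item, as in the real service.
    version_list = policy["configuration"]["policyVersionList"]
    assert version_list == [
        {
            "document": str(parse.quote(json.dumps(basic_policy))),
            "versionId": "v1",
            "isDefaultVersion": False,
            "createDate": version_list[0]["createDate"],
        },
        {
            "document": str(parse.quote(json.dumps(basic_policy_v2))),
            "versionId": "v2",
            "isDefaultVersion": True,
            "createDate": version_list[1]["createDate"],
        },
    ]
    assert policy["supplementaryConfiguration"] == {}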
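@mock_iam
@mock_config
def test_policy_config_client():
    """Exercise AWS Config discovery of IAM managed policies through boto3.

    Mirrors the role test: plain and aggregated listing, pagination,
    name/id filters and both batch gets. Managed policies are global, so
    an aggregator spanning every region reports each policy once per region.
    """
    from moto.iam.utils import random_policy_id

    CONFIG_REGIONS = boto3.Session().get_available_regions("config")

    allow_all_ec2 = {
        "Version": "2012-10-17",
        "Statement": [{"Action": ["ec2:*"], "Effect": "Allow", "Resource": "*"}],
    }
    iam_client = boto3.client("iam", region_name="us-west-2")
    config_client = boto3.client("config", region_name="us-west-2")

    every_region_source = {"AccountIds": [ACCOUNT_ID], "AllAwsRegions": True}
    two_regions = ["us-east-1", "us-west-2"]
    two_region_source = {"AccountIds": [ACCOUNT_ID], "AwsRegions": two_regions}
    config_client.put_configuration_aggregator(
        ConfigurationAggregatorName="test_aggregator",
        AccountAggregationSources=[every_region_source],
    )
    config_client.put_configuration_aggregator(
        ConfigurationAggregatorName="test_aggregator_two_regions",
        AccountAggregationSources=[two_region_source],
    )

    def discover(**kwargs):
        # Non-aggregated listing, always for managed policies.
        return config_client.list_discovered_resources(
            resourceType="AWS::IAM::Policy", **kwargs
        )

    def discover_aggregate(aggregator, **kwargs):
        # Aggregated listing through the named aggregator.
        return config_client.list_aggregate_discovered_resources(
            ConfigurationAggregatorName=aggregator,
            ResourceType="AWS::IAM::Policy",
            **kwargs
        )

    # Nothing created yet, so discovery must come back empty.
    assert not discover()["resourceIdentifiers"]

    # Make 10 policies.
    num_policies = 10
    policies = []
    for ix in range(1, num_policies + 1):
        label = "policy{}".format(ix)
        created = iam_client.create_policy(
            PolicyName=label,
            Path="/",
            PolicyDocument=json.dumps(allow_all_ec2),
            Description=label,
        )["Policy"]
        policies.append({"id": created["PolicyId"], "name": created["PolicyName"]})
    assert len(policies) == num_policies

    # Non-aggregated query: ids are random, so names cannot be checked by
    # ordering; only the first entry's shape is verified.
    page = discover(limit=1)
    first_id = page["resourceIdentifiers"][0]["resourceId"]
    assert page["resourceIdentifiers"][0]["resourceType"] == "AWS::IAM::Policy"
    assert len(first_id) == len(random_policy_id())

    # Non-aggregated pagination: the next page must not repeat the first id.
    next_page = discover(limit=1, nextToken=page["nextToken"])
    assert next_page["resourceIdentifiers"][0]["resourceId"] != first_id

    # Aggregated query: with ``Limit=len(CONFIG_REGIONS)`` the first page is
    # a single policy duplicated across all regions.
    agg_page = discover_aggregate("test_aggregator", Limit=len(CONFIG_REGIONS))
    agg_items = agg_page["ResourceIdentifiers"]
    assert len(agg_items) == len(CONFIG_REGIONS)
    for item in agg_items:
        assert item["ResourceType"] == "AWS::IAM::Policy"
        assert item["SourceRegion"] in CONFIG_REGIONS
        assert item["SourceAccountId"] == ACCOUNT_ID
    agg_id = agg_items[0]["ResourceId"]
    agg_name = agg_items[0]["ResourceName"]
    assert all(item["ResourceId"] == agg_id for item in agg_items)
    assert all(item["ResourceName"] == agg_name for item in agg_items)

    # Aggregated pagination: nothing on the next page carries the first id.
    for item in discover_aggregate(
        "test_aggregator", Limit=1, NextToken=agg_page["NextToken"]
    )["ResourceIdentifiers"]:
        assert item["ResourceId"] != agg_id

    # Non-aggregated resource name / id filters.
    by_name = discover(resourceName=policies[1]["name"], limit=1)
    assert by_name["resourceIdentifiers"][0]["resourceName"] == policies[1]["name"]
    by_id = discover(resourceIds=[policies[0]["id"]], limit=1)
    assert by_id["resourceIdentifiers"][0]["resourceName"] == policies[0]["name"]

    # Aggregated resource name / id filters: one hit per region the
    # aggregator covers.
    agg_by_name = discover_aggregate(
        "test_aggregator", Filters={"ResourceName": policies[5]["name"]}
    )
    assert len(agg_by_name["ResourceIdentifiers"]) == len(CONFIG_REGIONS)
    assert agg_by_name["ResourceIdentifiers"][0]["ResourceName"] == policies[5]["name"]

    agg_by_name = discover_aggregate(
        "test_aggregator_two_regions", Filters={"ResourceName": policies[5]["name"]}
    )
    assert len(agg_by_name["ResourceIdentifiers"]) == len(two_regions)
    assert agg_by_name["ResourceIdentifiers"][0]["ResourceId"] == policies[5]["id"]

    agg_by_id = discover_aggregate(
        "test_aggregator", Filters={"ResourceId": policies[4]["id"]}
    )
    assert len(agg_by_id["ResourceIdentifiers"]) == len(CONFIG_REGIONS)
    assert agg_by_id["ResourceIdentifiers"][0]["ResourceName"] == policies[4]["name"]

    agg_by_id = discover_aggregate(
        "test_aggregator_two_regions", Filters={"ResourceId": policies[5]["id"]}
    )
    assert len(agg_by_id["ResourceIdentifiers"]) == len(two_regions)
    assert agg_by_id["ResourceIdentifiers"][0]["ResourceName"] == policies[5]["name"]

    # Name / id filter combined with pagination: two ids, one per page.
    wanted_ids = [policies[1]["id"], policies[2]["id"]]
    wanted_names = [policies[1]["name"], policies[2]["name"]]
    first_call = discover(resourceIds=wanted_ids, limit=1)
    assert first_call["nextToken"] in wanted_ids
    assert first_call["resourceIdentifiers"][0]["resourceName"] in wanted_names
    second_call = discover(
        resourceIds=wanted_ids, limit=1, nextToken=first_call["nextToken"]
    )
    assert "nextToken" not in second_call
    # The second page must hold the *other* matching policy.
    assert second_call["resourceIdentifiers"][0]["resourceName"] in wanted_names
    assert (
        first_call["resourceIdentifiers"][0]["resourceName"]
        != second_call["resourceIdentifiers"][0]["resourceName"]
    )

    # Non-aggregated batch get.
    batch = config_client.batch_get_resource_config(
        resourceKeys=[
            {"resourceType": "AWS::IAM::Policy", "resourceId": policies[7]["id"]}
        ]
    )
    assert batch["baseConfigurationItems"][0]["resourceName"] == policies[7]["name"]

    # Aggregated batch get: a global resource can be fetched via any region.
    agg_batch = config_client.batch_get_aggregate_resource_config(
        ConfigurationAggregatorName="test_aggregator",
        ResourceIdentifiers=[
            {
                "SourceAccountId": ACCOUNT_ID,
                "SourceRegion": "us-east-2",
                "ResourceId": policies[8]["id"],
                "ResourceType": "AWS::IAM::Policy",
            }
        ],
    )
    assert agg_batch["BaseConfigurationItems"][0]["resourceName"] == policies[8]["name"]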
@mock_iam()
def test_list_roles_with_more_than_100_roles_no_max_items_defaults_to_100():
    """ListRoles without MaxItems returns a truncated page of 100 roles."""
    iam = boto3.client("iam", region_name="us-east-1")
    # The trust policy is never read by these assertions, so a placeholder
    # string stands in for a real document.
    for ix in range(150):
        iam.create_role(
            RoleName="test_role_{}".format(ix), AssumeRolePolicyDocument="some policy"
        )

    page = iam.list_roles()
    assert page["IsTruncated"] is True
    assert len(page["Roles"]) == 100
@mock_iam()
def test_list_roles_max_item_and_marker_values_adhered():
    """MaxItems bounds the first page; Marker resumes where it left off."""
    iam = boto3.client("iam", region_name="us-east-1")
    for ix in range(10):
        iam.create_role(
            RoleName="test_role_{}".format(ix), AssumeRolePolicyDocument="some policy"
        )

    first_page = iam.list_roles(MaxItems=2)
    assert first_page["IsTruncated"] is True
    assert len(first_page["Roles"]) == 2

    # Resuming from the marker without MaxItems yields the remaining 8 at once.
    second_page = iam.list_roles(Marker=first_page["Marker"])
    assert second_page["IsTruncated"] is False
    assert len(second_page["Roles"]) == 8
@mock_iam()
def test_list_roles_path_prefix_value_adhered():
    """PathPrefix restricts ListRoles to roles created under that path."""
    iam = boto3.client("iam", region_name="us-east-1")
    iam.create_role(
        RoleName="test_role_without_path", AssumeRolePolicyDocument="some policy"
    )
    iam.create_role(
        RoleName="test_role_with_path",
        AssumeRolePolicyDocument="some policy",
        Path="/TestPath/",
    )

    matches = iam.list_roles(PathPrefix="/TestPath/")["Roles"]
    assert len(matches) == 1
    assert matches[0]["RoleName"] == "test_role_with_path"
@mock_iam()
def test_list_roles_none_found_returns_empty_list():
    """With no roles, every ListRoles variant returns an empty Roles list."""
    iam = boto3.client("iam", region_name="us-east-1")
    assert len(iam.list_roles()["Roles"]) == 0
    assert len(iam.list_roles(PathPrefix="/TestPath")["Roles"]) == 0
    # A marker that matches nothing is not an error, just an empty page.
    assert len(iam.list_roles(Marker="10")["Roles"]) == 0
    assert len(iam.list_roles(MaxItems=10)["Roles"]) == 0
@pytest.mark.parametrize("desc", ["", "Test Description"])
@mock_iam()
def test_list_roles_with_description(desc):
    """A Description given to create_role is echoed by create_role and list_roles.

    Parametrized with the empty string as well, so a present-but-empty
    description is not dropped from either response.
    """
    conn = boto3.client("iam", region_name="us-east-1")
    created = conn.create_role(
        RoleName="my-role", AssumeRolePolicyDocument="some policy", Description=desc
    ).get("Role")
    created.get("Description").should.equal(desc)

    # The listing must carry the same Description as the create response.
    listed = conn.list_roles().get("Roles")[0]
    listed.get("Description").should.equal(desc)
@mock_iam()
def test_list_roles_without_description():
    """A role created without a Description has no Description key at all.

    Both the create_role Role and the list_roles entry must omit the key
    rather than return an empty string.
    """
    conn = boto3.client("iam", region_name="us-east-1")
    created = conn.create_role(
        RoleName="my-role", AssumeRolePolicyDocument="some policy"
    ).get("Role")
    created.should_not.have.key("Description")

    listed = conn.list_roles().get("Roles")
    listed[0].should_not.have.key("Description")
@mock_iam()
def test_list_roles_includes_max_session_duration():
    """list_roles entries carry MaxSessionDuration even when none was set."""
    conn = boto3.client("iam", region_name="us-east-1")
    conn.create_role(RoleName="my-role", AssumeRolePolicyDocument="some policy")

    listed_roles = conn.list_roles().get("Roles")
    listed_roles[0].should.have.key("MaxSessionDuration")
@mock_iam()
def test_create_user_with_tags():
    """Tags passed to create_user come back from create_user, list_user_tags and get_user.

    A second user created without Tags must not get an empty Tags list
    injected into its User document.
    """
    conn = boto3.client("iam", region_name="us-east-1")
    user_name = "test-user"
    tags = [
        {"Key": "somekey", "Value": "somevalue"},
        {"Key": "someotherkey", "Value": "someothervalue"},
    ]

    created = conn.create_user(UserName=user_name, Tags=tags)["User"]
    assert created["Tags"] == tags

    assert conn.list_user_tags(UserName=user_name)["Tags"] == tags
    assert conn.get_user(UserName=user_name)["User"]["Tags"] == tags

    untagged = conn.create_user(UserName="test-create-user-no-tags")["User"]
    assert "Tags" not in untagged
@mock_iam
def test_tag_user():
    """tag_user attaches tags that list_user_tags then returns, order-insensitively."""

    def by_key(item):
        return item["Key"]

    # given
    client = boto3.client("iam", region_name="eu-central-1")
    name = "test-user"
    tags = sorted(
        [{"Key": "key", "Value": "value"}, {"Key": "key-2", "Value": "value-2"}],
        key=by_key,
    )
    client.create_user(UserName=name)
    # when
    client.tag_user(UserName=name, Tags=tags)
    # then
    stored = client.list_user_tags(UserName=name)["Tags"]
    # Sort both sides so the comparison does not depend on return order.
    sorted(stored, key=by_key).should.equal(tags)
@mock_iam
def test_tag_user_error_unknown_user_name():
    """tag_user on a user that does not exist fails with HTTP 404 NoSuchEntity."""
    # given
    client = boto3.client("iam", region_name="eu-central-1")
    name = "unknown"
    # when
    with pytest.raises(ClientError) as exc_info:
        client.tag_user(UserName=name, Tags=[{"Key": "key", "Value": "value"}])
    # then
    err = exc_info.value
    err.operation_name.should.equal("TagUser")
    err.response["ResponseMetadata"]["HTTPStatusCode"].should.equal(404)
    error_body = err.response["Error"]
    error_body["Code"].should.contain("NoSuchEntity")
    error_body["Message"].should.equal(f"The user with name {name} cannot be found.")
@mock_iam
def test_untag_user():
    """untag_user removes only the named keys and leaves the other tags intact."""
    # given
    client = boto3.client("iam", region_name="eu-central-1")
    name = "test-user"
    kept_tag = {"Key": "key", "Value": "value"}
    removed_tag = {"Key": "key-2", "Value": "value"}
    client.create_user(UserName=name, Tags=[kept_tag, removed_tag])
    # when
    client.untag_user(UserName=name, TagKeys=[removed_tag["Key"]])
    # then
    remaining = client.list_user_tags(UserName=name)["Tags"]
    remaining.should.equal([kept_tag])
@mock_iam
def test_untag_user_error_unknown_user_name():
    """untag_user on a user that does not exist fails with HTTP 404 NoSuchEntity."""
    # given
    client = boto3.client("iam", region_name="eu-central-1")
    name = "unknown"
    # when
    with pytest.raises(ClientError) as exc_info:
        client.untag_user(UserName=name, TagKeys=["key"])
    # then
    err = exc_info.value
    err.operation_name.should.equal("UntagUser")
    err.response["ResponseMetadata"]["HTTPStatusCode"].should.equal(404)
    error_body = err.response["Error"]
    error_body["Code"].should.contain("NoSuchEntity")
    error_body["Message"].should.equal(f"The user with name {name} cannot be found.")
@mock_iam
@pytest.mark.parametrize(
    "service,cased",
    [
        ("autoscaling", "AutoScaling"),
        ("elasticbeanstalk", "ElasticBeanstalk"),
        (
            "custom-resource.application-autoscaling",
            "ApplicationAutoScaling_CustomResource",
        ),
        ("other", "other"),
    ],
)
def test_create_service_linked_role(service, cased):
    """The service-linked role is named AWSServiceRoleFor<CasedService>.

    Known services map to their AWS-cased name; an unrecognised service keeps
    its literal name.
    """
    client = boto3.client("iam", region_name="eu-central-1")
    service_principal = "{}.amazonaws.com".format(service)
    role = client.create_service_linked_role(
        AWSServiceName=service_principal, Description="desc"
    )["Role"]
    expected_name = "AWSServiceRoleFor{}".format(cased)
    role.should.have.key("RoleName").equals(expected_name)
@mock_iam
def test_create_service_linked_role__with_suffix():
    """CustomSuffix is appended to the role name and the trust policy names only the service.

    The AssumeRolePolicyDocument must allow sts:AssumeRole solely for the
    autoscaling service principal, so nothing else can assume the role.
    """
    client = boto3.client("iam", region_name="eu-central-1")
    role = client.create_service_linked_role(
        AWSServiceName="autoscaling.amazonaws.com",
        CustomSuffix="suf",
        Description="desc",
    )["Role"]
    role.should.have.key("RoleName").match("_suf$")
    role.should.have.key("Description").equals("desc")
    role.should.have.key("AssumeRolePolicyDocument")

    expected_statement = {
        "Action": ["sts:AssumeRole"],
        "Effect": "Allow",
        "Principal": {"Service": ["autoscaling.amazonaws.com"]},
    }
    trust_policy = role["AssumeRolePolicyDocument"]
    trust_policy.should.have.key("Statement").equals([expected_statement])
@mock_iam
def test_delete_service_linked_role():
    """delete_service_linked_role removes the role and its deletion task reports SUCCEEDED."""
    client = boto3.client("iam", region_name="eu-central-1")
    role_name = client.create_service_linked_role(
        AWSServiceName="autoscaling.amazonaws.com",
        CustomSuffix="suf",
        Description="desc",
    )["Role"]["RoleName"]
    # Sanity check: the role is resolvable before deletion.
    client.get_role(RoleName=role_name)

    deletion = client.delete_service_linked_role(RoleName=role_name)
    deletion.should.have.key("DeletionTaskId")

    status = client.get_service_linked_role_deletion_status(
        DeletionTaskId=deletion["DeletionTaskId"]
    )
    status.should.have.key("Status").equals("SUCCEEDED")

    # After deletion the role must be gone, not merely disabled.
    with pytest.raises(ClientError) as exc_info:
        client.get_role(RoleName=role_name)
    error_body = exc_info.value.response["Error"]
    error_body["Code"].should.equal("NoSuchEntity")
    error_body["Message"].should.contain("not found")