IAM: additional role on instance profile validation (#6415)

This commit is contained in:
rafcio19 2023-06-17 12:19:59 +01:00 committed by GitHub
parent 1c8d1aec2e
commit 627dd3073c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 54 additions and 30 deletions

View File

@ -2375,7 +2375,12 @@ class IAMBackend(BaseBackend):
def add_role_to_instance_profile(self, profile_name: str, role_name: str) -> None:
profile = self.get_instance_profile(profile_name)
role = self.get_role(role_name)
if not profile.roles:
profile.roles.append(role)
else:
raise IAMLimitExceededException(
"Cannot exceed quota for InstanceSessionsPerInstanceProfile: 1"
)
def remove_role_from_instance_profile(
self, profile_name: str, role_name: str

View File

@ -69,6 +69,23 @@ MOCK_POLICY_3 = """
}
"""
MOCK_STS_EC2_POLICY_DOCUMENT = """{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"ec2.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
}"""
@mock_iam
def test_get_role__should_throw__when_role_does_not_exist():
@ -153,6 +170,35 @@ def test_create_instance_profile_should_throw_when_name_is_not_unique():
conn.create_instance_profile(InstanceProfileName="unique-instance-profile")
@mock_iam
def test_create_add_additional_roles_to_instance_profile_error():
# Setup
iam = boto3.client("iam", region_name="us-east-1")
name = "test_profile"
role_name = "test_role"
role_name2 = "test_role2"
iam.create_instance_profile(InstanceProfileName=name)
iam.create_role(
RoleName=role_name, AssumeRolePolicyDocument=MOCK_STS_EC2_POLICY_DOCUMENT
)
iam.create_role(
RoleName=role_name2, AssumeRolePolicyDocument=MOCK_STS_EC2_POLICY_DOCUMENT
)
iam.add_role_to_instance_profile(InstanceProfileName=name, RoleName=role_name)
# Execute
with pytest.raises(ClientError) as exc:
iam.add_role_to_instance_profile(InstanceProfileName=name, RoleName=role_name2)
# Verify
err = exc.value.response["Error"]
assert err["Code"].should.equal("LimitExceeded")
assert err["Message"].should.equal(
"Cannot exceed quota for InstanceSessionsPerInstanceProfile: 1"
)
@mock_iam
def test_remove_role_from_instance_profile():
conn = boto3.client("iam", region_name="us-east-1")
@ -420,20 +466,7 @@ def test_update_assume_role_valid_policy():
conn.create_role(
RoleName="my-role", AssumeRolePolicyDocument="some policy", Path="my-path"
)
policy_document = """
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": ["ec2.amazonaws.com"]
},
"Action": ["sts:AssumeRole"]
}
]
}
"""
policy_document = MOCK_STS_EC2_POLICY_DOCUMENT
conn.update_assume_role_policy(RoleName="my-role", PolicyDocument=policy_document)
role = conn.get_role(RoleName="my-role")["Role"]
role["AssumeRolePolicyDocument"]["Statement"][0]["Action"][0].should.equal(
@ -3381,21 +3414,7 @@ def test_list_user_tags():
def test_delete_role_with_instance_profiles_present():
iam = boto3.client("iam", region_name="us-east-1")
trust_policy = """
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
"""
trust_policy = trust_policy.strip()
trust_policy = MOCK_STS_EC2_POLICY_DOCUMENT.strip()
iam.create_role(RoleName="Role1", AssumeRolePolicyDocument=trust_policy)
iam.create_instance_profile(InstanceProfileName="IP1")