IAM policies: allow s3 accesspoint arns (#6743)

2023-09-01 09:06:19 +02:00 · 2023-09-01 09:06:19 +02:00 · 7098388ee4
commit 7098388ee4
parent de44a85ed2
2 changed files with 46 additions and 12 deletions
--- a/moto/iam/policy_validation.py
+++ b/moto/iam/policy_validation.py
@ -56,11 +56,17 @@ VALID_CONDITION_PREFIXES = ["ForAnyValue:", "ForAllValues:"]

 VALID_CONDITION_POSTFIXES = ["IfExists"]

-SERVICE_TYPE_REGION_INFORMATION_ERROR_ASSOCIATIONS = {
-    "iam": "IAM resource {resource} cannot contain region information.",
-    "s3": "Resource {resource} can not contain region information.",
+SERVICE_TYPE_REGION_INFORMATION_ERROR_ASSOCIATIONS: Dict[str, Any] = {
+    "iam": {
+        "error_message": "IAM resource {resource} cannot contain region information."
+    },
+    "s3": {
+        "error_message": "Resource {resource} can not contain region information.",
+        "valid_starting_values": ["accesspoint/"],
+    },
 }

+
 VALID_RESOURCE_PATH_STARTING_VALUES: Dict[str, Any] = {
    "iam": {
        "values": [
@ -375,21 +381,35 @@ class BaseIAMPolicyValidator:
            resource_partitions = resource_partitions[2].partition(":")

            service = resource_partitions[0]
+            region = resource_partitions[2]
+            resource_partitions = resource_partitions[2].partition(":")
+
+            resource_partitions = resource_partitions[2].partition(":")
+            resource_id = resource_partitions[2]

            if (
                service in SERVICE_TYPE_REGION_INFORMATION_ERROR_ASSOCIATIONS.keys()
-                and not resource_partitions[2].startswith(":")
+                and not region.startswith(":")
            ):
+                valid_start = False
+
+                for (
+                    valid_starting_value
+                ) in SERVICE_TYPE_REGION_INFORMATION_ERROR_ASSOCIATIONS[service].get(
+                    "valid_starting_values", []
+                ):
+                    if resource_id.startswith(valid_starting_value):
+                        valid_start = True
+                        break
+
+                if not valid_start:
                    self._resource_error = (
-                    SERVICE_TYPE_REGION_INFORMATION_ERROR_ASSOCIATIONS[service].format(
-                        resource=resource
-                    )
+                        SERVICE_TYPE_REGION_INFORMATION_ERROR_ASSOCIATIONS[service][
+                            "error_message"
+                        ].format(resource=resource)
                    )
                    return

-            resource_partitions = resource_partitions[2].partition(":")
-            resource_partitions = resource_partitions[2].partition(":")
-
            if service in VALID_RESOURCE_PATH_STARTING_VALUES.keys():
                valid_start = False
                for valid_starting_value in VALID_RESOURCE_PATH_STARTING_VALUES[
--- a/tests/test_iam/test_iam_policies.py
+++ b/tests/test_iam/test_iam_policies.py
@ -1607,6 +1607,20 @@ valid_policy_documents = [
            },
        ],
    },
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Sid": "",
+                "Effect": "Allow",
+                "Action": ["s3:*"],
+                "Resource": [
+                    "arn:aws:s3:us-west-2:123456789012:accesspoint/my-access-point",
+                    "arn:aws:s3:us-west-2:123456789012:accesspoint/my-access-point/object/*",
+                ],
+            },
+        ],
+    },
 ]