diff --git a/requirements-dev.txt b/requirements-dev.txt index 2aaca300b..4e5f4e8a0 100644 --- a/requirements-dev.txt +++ b/requirements-dev.txt @@ -10,7 +10,7 @@ freezegun flask boto>=2.45.0 boto3>=1.4.4 -botocore>=1.12.13 +botocore>=1.15.13 six>=1.9 parameterized>=0.7.0 prompt-toolkit==1.0.14 diff --git a/tests/test_core/test_auth.py b/tests/test_core/test_auth.py index 29273cea7..b391d82c8 100644 --- a/tests/test_core/test_auth.py +++ b/tests/test_core/test_auth.py @@ -298,6 +298,40 @@ def test_access_denied_with_not_allowing_policy(): ) +@set_initial_no_auth_action_count(3) +@mock_ec2 +def test_access_denied_for_run_instances(): + # https://github.com/spulec/moto/issues/2774 + # The run-instances method was broken between botocore versions 1.15.8 and 1.15.12 + # This was due to the inclusion of '"idempotencyToken":true' in the response, somehow altering the signature and breaking the authentication + # Keeping this test in place in case botocore decides to break again + user_name = "test-user" + inline_policy_document = { + "Version": "2012-10-17", + "Statement": [ + {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"} + ], + } + access_key = create_user_with_access_key_and_inline_policy( + user_name, inline_policy_document + ) + client = boto3.client( + "ec2", + region_name="us-east-1", + aws_access_key_id=access_key["AccessKeyId"], + aws_secret_access_key=access_key["SecretAccessKey"], + ) + with assert_raises(ClientError) as ex: + client.run_instances(MaxCount=1, MinCount=1) + ex.exception.response["Error"]["Code"].should.equal("AccessDenied") + ex.exception.response["ResponseMetadata"]["HTTPStatusCode"].should.equal(403) + ex.exception.response["Error"]["Message"].should.equal( + "User: arn:aws:iam::{account_id}:user/{user_name} is not authorized to perform: {operation}".format( + account_id=ACCOUNT_ID, user_name=user_name, operation="ec2:RunInstances", + ) + ) + + @set_initial_no_auth_action_count(3) @mock_ec2 def test_access_denied_with_denying_policy():