Calling sts:GetCallerIdentity is always allowed.

2019-08-22 18:09:52 +02:00 · 2019-08-22 18:09:52 +02:00 · cf2dae0ce8
commit cf2dae0ce8
parent addb631081
2 changed files with 23 additions and 0 deletions
--- a/moto/core/access_control.py
+++ b/moto/core/access_control.py
@ -172,6 +172,8 @@ class IAMRequestBase(object):
            self._raise_signature_does_not_match()

    def check_action_permitted(self):
+        if self._action == 'sts:GetCallerIdentity':  # always allowed, even if there's an explicit Deny for it
+            return True
        policies = self._access_key.collect_policies()

        permitted = False
--- a/tests/test_core/test_auth.py
+++ b/tests/test_core/test_auth.py
@ -273,6 +273,27 @@ def test_access_denied_with_denying_policy():
    )


+@set_initial_no_auth_action_count(3)
+@mock_sts
+def test_get_caller_identity_allowed_with_denying_policy():
+    user_name = 'test-user'
+    inline_policy_document = {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Effect": "Deny",
+                "Action": "sts:GetCallerIdentity",
+                "Resource": "*"
+            }
+        ]
+    }
+    access_key = create_user_with_access_key_and_inline_policy(user_name, inline_policy_document)
+    client = boto3.client('sts', region_name='us-east-1',
+                          aws_access_key_id=access_key['AccessKeyId'],
+                          aws_secret_access_key=access_key['SecretAccessKey'])
+    client.get_caller_identity().should.be.a(dict)
+
+
@set_initial_no_auth_action_count(3)
@mock_ec2
 def test_allowed_with_wildcard_action():