From cf2dae0ce8866f67ba088b36bafe3ec6c9827e1c Mon Sep 17 00:00:00 2001
From: acsbendi <acsbendi28@gmail.com>
Date: Thu, 22 Aug 2019 18:09:52 +0200
Subject: [PATCH] Calling sts:GetCallerIdentity is always allowed.

---
 moto/core/access_control.py  |  2 ++
 tests/test_core/test_auth.py | 21 +++++++++++++++++++++
 2 files changed, 23 insertions(+)

diff --git a/moto/core/access_control.py b/moto/core/access_control.py
index c64acf20c..3fb11eebd 100644
--- a/moto/core/access_control.py
+++ b/moto/core/access_control.py
@@ -172,6 +172,8 @@ class IAMRequestBase(object):
             self._raise_signature_does_not_match()
 
     def check_action_permitted(self):
+        if self._action == 'sts:GetCallerIdentity':  # always allowed, even if there's an explicit Deny for it
+            return True
         policies = self._access_key.collect_policies()
 
         permitted = False
diff --git a/tests/test_core/test_auth.py b/tests/test_core/test_auth.py
index 3a1107eaa..00229f808 100644
--- a/tests/test_core/test_auth.py
+++ b/tests/test_core/test_auth.py
@@ -273,6 +273,27 @@ def test_access_denied_with_denying_policy():
     )
 
 
+@set_initial_no_auth_action_count(3)
+@mock_sts
+def test_get_caller_identity_allowed_with_denying_policy():
+    user_name = 'test-user'
+    inline_policy_document = {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Effect": "Deny",
+                "Action": "sts:GetCallerIdentity",
+                "Resource": "*"
+            }
+        ]
+    }
+    access_key = create_user_with_access_key_and_inline_policy(user_name, inline_policy_document)
+    client = boto3.client('sts', region_name='us-east-1',
+                          aws_access_key_id=access_key['AccessKeyId'],
+                          aws_secret_access_key=access_key['SecretAccessKey'])
+    client.get_caller_identity().should.be.a(dict)
+
+
 @set_initial_no_auth_action_count(3)
 @mock_ec2
 def test_allowed_with_wildcard_action():