import boto3 import unittest from base64 import b64encode from moto import mock_dynamodb, mock_sts, mock_iam from moto.core import DEFAULT_ACCOUNT_ID as ACCOUNT_ID @mock_sts @mock_iam @mock_dynamodb class TestStsAssumeRole(unittest.TestCase): def setUp(self) -> None: self.account_b = "111111111111" self.sts = boto3.client("sts", region_name="us-east-1") def test_assume_role_in_different_account(self): # assume role to another aws account role_name = f"arn:aws:iam::{self.account_b}:role/my-role" response = self.sts.assume_role( RoleArn=role_name, RoleSessionName="test-session-name", ExternalId="test-external-id", ) # Assume the new role iam_account_b = boto3.client( "iam", aws_access_key_id=response["Credentials"]["AccessKeyId"], aws_secret_access_key=response["Credentials"]["SecretAccessKey"], aws_session_token=response["Credentials"]["SessionToken"], region_name="us-east-1", ) # Verify new users belong to the different account user = iam_account_b.create_user(UserName="user-in-new-account")["User"] user["Arn"].should.equal( f"arn:aws:iam::{self.account_b}:user/user-in-new-account" ) def test_assume_role_with_saml_in_different_account(self): role_name = "test-role" provider_name = "TestProvFed" fed_identifier = "7ca82df9-1bad-4dd3-9b2b-adb68b554282" fed_name = "testuser" role_input = "arn:aws:iam::{account_id}:role/{role_name}".format( account_id=self.account_b, role_name=role_name ) principal_role = ( "arn:aws:iam:{account_id}:saml-provider/{provider_name}".format( account_id=ACCOUNT_ID, provider_name=provider_name ) ) saml_assertion = """ http://localhost/ http://localhost:3000/ NTIyMzk0ZGI4MjI0ZjI5ZGNhYjkyOGQyZGQ1NTZjODViZjk5YTY4ODFjOWRjNjkyYzZmODY2ZDQ4NjlkZjY3YSAgLQo= NTIyMzk0ZGI4MjI0ZjI5ZGNhYjkyOGQyZGQ1NTZjODViZjk5YTY4ODFjOWRjNjkyYzZmODY2ZDQ4NjlkZjY3YSAgLQo= NTIyMzk0ZGI4MjI0ZjI5ZGNhYjkyOGQyZGQ1NTZjODViZjk5YTY4ODFjOWRjNjkyYzZmODY2ZDQ4NjlkZjY3YSAgLQo= {fed_identifier} urn:amazon:webservices {fed_name} arn:aws:iam::{account_id}:role/{role_name},arn:aws:iam::{account_id}:saml-provider/{provider_name} 900 urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport """.format( account_id=self.account_b, role_name=role_name, provider_name=provider_name, fed_identifier=fed_identifier, fed_name=fed_name, ).replace( "\n", "" ) assume_role_response = self.sts.assume_role_with_saml( RoleArn=role_input, PrincipalArn=principal_role, SAMLAssertion=b64encode(saml_assertion.encode("utf-8")).decode("utf-8"), ) # Assume the new role iam_account_b = boto3.client( "iam", aws_access_key_id=assume_role_response["Credentials"]["AccessKeyId"], aws_secret_access_key=assume_role_response["Credentials"][ "SecretAccessKey" ], aws_session_token=assume_role_response["Credentials"]["SessionToken"], region_name="us-east-1", ) # Verify new users belong to the different account user = iam_account_b.create_user(UserName="user-in-new-account")["User"] user["Arn"].should.equal( f"arn:aws:iam::{self.account_b}:user/user-in-new-account" ) def test_dynamodb_supports_multiple_accounts(self): ddb_client = boto3.client("dynamodb", region_name="us-east-1") ddb_client.create_table( TableName="table-in-default-account", KeySchema=[{"AttributeName": "id", "KeyType": "HASH"}], AttributeDefinitions=[{"AttributeName": "id", "AttributeType": "S"}], ProvisionedThroughput={"ReadCapacityUnits": 1, "WriteCapacityUnits": 5}, ) # assume role to another aws account role_name = f"arn:aws:iam::{self.account_b}:role/my-role" response = self.sts.assume_role( RoleArn=role_name, RoleSessionName="test-session-name", ExternalId="test-external-id", ) # Assume the new role ddb_account_b = boto3.client( "dynamodb", aws_access_key_id=response["Credentials"]["AccessKeyId"], aws_secret_access_key=response["Credentials"]["SecretAccessKey"], aws_session_token=response["Credentials"]["SessionToken"], region_name="us-east-1", ) # Verify new dynamodb belong to the different account ddb_account_b.create_table( TableName="table-in-new-account", KeySchema=[{"AttributeName": "id", "KeyType": "HASH"}], AttributeDefinitions=[{"AttributeName": "id", "AttributeType": "S"}], ProvisionedThroughput={"ReadCapacityUnits": 1, "WriteCapacityUnits": 5}, ) table = ddb_client.describe_table(TableName="table-in-default-account")["Table"] table["TableArn"].should.equal( "arn:aws:dynamodb:us-east-1:123456789012:table/table-in-default-account" ) table = ddb_account_b.describe_table(TableName="table-in-new-account")["Table"] table["TableArn"].should.equal( f"arn:aws:dynamodb:us-east-1:{self.account_b}:table/table-in-new-account" )