test_sts.py
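    # ... (the excerpt begins inside an earlier test; its header is not shown)
    eq(s3bucket['ResponseMetadata']['HTTPStatusCode'],200)
    bkt = s3_client.delete_bucket(Bucket=bucket_name)
    eq(bkt['ResponseMetadata']['HTTPStatusCode'],204)

    oidc_remove=iam_client.delete_open_id_connect_provider(
        OpenIDConnectProviderArn=oidc_response["OpenIDConnectProviderArn"]
    )

# NOTE(review): the triple-quoted string below appears to be a disabled test
# kept as a string literal; it is never collected or run. It feeds a bogus
# WebIdentityToken ('abcdef') to AssumeRoleWithWebIdentity and expects the
# error code 'AccessDenied'.
'''
@attr(resource='assume role with web identity')
@attr(method='get')
@attr(operation='check')
@attr(assertion='assume_role_with_web_token creds expire')
@attr('webidentity_test')
def test_assume_role_with_web_identity_invalid_webtoken():
    resp_error=None
    iam_client=get_iam_client()
    sts_client=get_sts_client()
    default_endpoint=get_config_endpoint()
    role_session_name=get_parameter_name()
    thumbprint=get_thumbprint()
    aud=get_aud()
    token=get_token()
    realm=get_realm_name()
    oidc_response = iam_client.create_open_id_connect_provider(
    Url='http://localhost:8080/auth/realms/{}'.format(realm),
    ThumbprintList=[
        thumbprint,
    ],
    )
    policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\""+oidc_response["OpenIDConnectProviderArn"]+"\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\"],\"Condition\":{\"StringEquals\":{\"localhost:8080/auth/realms/"+realm+":app_id\":\""+aud+"\"}}}]}"
    (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None)
    eq(role_response['Role']['Arn'],'arn:aws:iam:::role/'+general_role_name+'')
    role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3:::*\"}}"
    (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy)
    eq(response['ResponseMetadata']['HTTPStatusCode'],200)
    resp=""
    try:
        resp=sts_client.assume_role_with_web_identity(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name,WebIdentityToken='abcdef')
    except InvalidIdentityTokenException as e:
        log.debug('{}'.format(resp))
        log.debug('{}'.format(e.response.get("Error", {}).get("Code")))
        log.debug('{}'.format(e))
        resp_error = e.response.get("Error", {}).get("Code")
    eq(resp_error,'AccessDenied')
    oidc_remove=iam_client.delete_open_id_connect_provider(
    OpenIDConnectProviderArn=oidc_response["OpenIDConnectProviderArn"]
    )
'''

#######################
# Session Policy Tests
#######################
#
# Every test below follows the same shape:
#   1. register an OIDC provider and create a role whose trust policy allows
#      sts:AssumeRoleWithWebIdentity for that provider, conditioned on the
#      token's app_id matching get_aud();
#   2. attach an inline role policy;
#   3. call AssumeRoleWithWebIdentity with an additional session policy;
#   4. use the returned temporary credentials against S3 and assert on the
#      outcome.
#
# NOTE(review): the issuer URL is plain HTTP on localhost, i.e. a local test
# identity provider; do not copy that into a real trust configuration.
# NOTE(review): cleanup (delete_open_id_connect_provider) runs only when every
# assertion passes, and the role and the 'test1' bucket are never removed in
# the code shown here, so a failing run leaves IAM/S3 state behind.
# NOTE(review): the "expect a denial" blocks initialise their error variable
# to None before the call. Without that, a call that wrongly succeeds either
# raises NameError or, worse, compares a stale 'AccessDenied' left over from
# an earlier block and lets the test pass.

@attr(resource='assume role with web identity')
@attr(method='get')
@attr(operation='check')
@attr(assertion='checking session policy working for two different buckets')
@attr('webidentity_test')
@attr('session_policy')
def test_session_policy_check_on_different_buckets():
    """Role policy and session policy name different buckets: nothing is allowed.

    The role policy allows s3:* on bucket test2 only, the session policy
    allows GetObject/PutObject on bucket test1 only. The test expects
    create_bucket to be denied for both names and put_object into test1 to
    report NoSuchBucket.
    """
    check_webidentity()
    iam_client=get_iam_client()
    sts_client=get_sts_client()
    default_endpoint=get_config_endpoint()
    role_session_name=get_parameter_name()
    thumbprint=get_thumbprint()
    aud=get_aud()
    token=get_token()
    realm=get_realm_name()
    url = 'http://localhost:8080/auth/realms/{}'.format(realm)
    thumbprintlist = [thumbprint]
    (oidc_arn,oidc_error) = create_oidc_provider(iam_client, url, None, thumbprintlist)
    if oidc_error is not None:
        raise RuntimeError('Unable to create/get openid connect provider {}'.format(oidc_error))
    # Trust policy: only the provider above may assume the role, and only
    # when the token's app_id equals aud.
    policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\""+oidc_arn+"\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\"],\"Condition\":{\"StringEquals\":{\"localhost:8080/auth/realms/"+realm+":app_id\":\""+aud+"\"}}}]}"
    (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None)
    eq(role_response['Role']['Arn'],'arn:aws:iam:::role/'+general_role_name+'')
    role_policy_new = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":[\"arn:aws:s3:::test2\",\"arn:aws:s3:::test2/*\"]}}"
    (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy_new)
    eq(response['ResponseMetadata']['HTTPStatusCode'],200)
    session_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":[\"s3:GetObject\",\"s3:PutObject\"],\"Resource\":[\"arn:aws:s3:::test1\",\"arn:aws:s3:::test1/*\"]}}"
    resp=sts_client.assume_role_with_web_identity(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name,WebIdentityToken=token,Policy=session_policy)
    eq(resp['ResponseMetadata']['HTTPStatusCode'],200)
    # S3 client bound to the temporary session credentials.
    s3_client = boto3.client('s3',
                aws_access_key_id = resp['Credentials']['AccessKeyId'],
                aws_secret_access_key = resp['Credentials']['SecretAccessKey'],
                aws_session_token = resp['Credentials']['SessionToken'],
                endpoint_url=default_endpoint,
                region_name='',
                )
    bucket_name_1 = 'test1'
    s3bucket_error = None
    try:
        s3bucket = s3_client.create_bucket(Bucket=bucket_name_1)
    except ClientError as e:
        s3bucket_error = e.response.get("Error", {}).get("Code")
    eq(s3bucket_error, 'AccessDenied')
    bucket_name_2 = 'test2'
    # Reset so a call that wrongly succeeds cannot reuse the 'AccessDenied'
    # captured for test1 above.
    s3bucket_error = None
    try:
        s3bucket = s3_client.create_bucket(Bucket=bucket_name_2)
    except ClientError as e:
        s3bucket_error = e.response.get("Error", {}).get("Code")
    eq(s3bucket_error, 'AccessDenied')
    bucket_body = 'please-write-something'
    #body.encode(encoding='utf_8')
    s3_put_obj_error = None
    try:
        s3_put_obj = s3_client.put_object(Body=bucket_body, Bucket=bucket_name_1, Key="test-1.txt")
    except ClientError as e:
        s3_put_obj_error = e.response.get("Error", {}).get("Code")
    eq(s3_put_obj_error,'NoSuchBucket')
    oidc_remove=iam_client.delete_open_id_connect_provider(
        OpenIDConnectProviderArn=oidc_arn
    )


@attr(resource='assume role with web identity')
@attr(method='put')
@attr(operation='check')
@attr(assertion='checking session policy working for same bucket')
@attr('webidentity_test')
@attr('session_policy')
def test_session_policy_check_on_same_bucket():
    """Role policy allows s3:* everywhere, session policy allows Get/Put on test1.

    The bucket is created with the IAM user's credentials; put_object with the
    session credentials is expected to succeed (HTTP 200).
    """
    check_webidentity()
    iam_client=get_iam_client()
    sts_client=get_sts_client()
    default_endpoint=get_config_endpoint()
    role_session_name=get_parameter_name()
    thumbprint=get_thumbprint()
    aud=get_aud()
    token=get_token()
    realm=get_realm_name()
    url = 'http://localhost:8080/auth/realms/{}'.format(realm)
    thumbprintlist = [thumbprint]
    (oidc_arn,oidc_error) = create_oidc_provider(iam_client, url, None, thumbprintlist)
    if oidc_error is not None:
        raise RuntimeError('Unable to create/get openid connect provider {}'.format(oidc_error))
    policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\""+oidc_arn+"\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\"],\"Condition\":{\"StringEquals\":{\"localhost:8080/auth/realms/"+realm+":app_id\":\""+aud+"\"}}}]}"
    (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None)
    eq(role_response['Role']['Arn'],'arn:aws:iam:::role/'+general_role_name+'')
    role_policy_new = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":[\"*\"]}}"
    (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy_new)
    eq(response['ResponseMetadata']['HTTPStatusCode'],200)
    # The bucket is created out-of-band with the IAM user's own credentials.
    s3_client_iam_creds = get_s3_client_using_iam_creds()
    bucket_name_1 = 'test1'
    s3bucket = s3_client_iam_creds.create_bucket(Bucket=bucket_name_1)
    eq(s3bucket['ResponseMetadata']['HTTPStatusCode'],200)
    session_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":[\"s3:GetObject\",\"s3:PutObject\"],\"Resource\":[\"arn:aws:s3:::test1\",\"arn:aws:s3:::test1/*\"]}}"
    resp=sts_client.assume_role_with_web_identity(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name,WebIdentityToken=token,Policy=session_policy)
    eq(resp['ResponseMetadata']['HTTPStatusCode'],200)
    s3_client = boto3.client('s3',
                aws_access_key_id = resp['Credentials']['AccessKeyId'],
                aws_secret_access_key = resp['Credentials']['SecretAccessKey'],
                aws_session_token = resp['Credentials']['SessionToken'],
                endpoint_url=default_endpoint,
                region_name='',
                )
    bucket_body = 'this is a test file'
    s3_put_obj = s3_client.put_object(Body=bucket_body, Bucket=bucket_name_1, Key="test-1.txt")
    eq(s3_put_obj['ResponseMetadata']['HTTPStatusCode'],200)
    oidc_remove=iam_client.delete_open_id_connect_provider(
        OpenIDConnectProviderArn=oidc_arn
    )


@attr(resource='assume role with web identity')
@attr(method='get')
@attr(operation='check')
@attr(assertion='checking put_obj op denial')
@attr('webidentity_test')
@attr('session_policy')
def test_session_policy_check_put_obj_denial():
    """Session policy narrower than the role policy: PutObject must be denied.

    The role policy allows s3:* on everything, but the session policy allows
    only s3:GetObject on test1, so put_object is expected to fail with
    AccessDenied.
    """
    check_webidentity()
    iam_client=get_iam_client()
    iam_access_key=get_iam_access_key()
    iam_secret_key=get_iam_secret_key()
    sts_client=get_sts_client()
    default_endpoint=get_config_endpoint()
    role_session_name=get_parameter_name()
    thumbprint=get_thumbprint()
    aud=get_aud()
    token=get_token()
    realm=get_realm_name()
    url = 'http://localhost:8080/auth/realms/{}'.format(realm)
    thumbprintlist = [thumbprint]
    (oidc_arn,oidc_error) = create_oidc_provider(iam_client, url, None, thumbprintlist)
    if oidc_error is not None:
        raise RuntimeError('Unable to create/get openid connect provider {}'.format(oidc_error))
    policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\""+oidc_arn+"\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\"],\"Condition\":{\"StringEquals\":{\"localhost:8080/auth/realms/"+realm+":app_id\":\""+aud+"\"}}}]}"
    (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None)
    eq(role_response['Role']['Arn'],'arn:aws:iam:::role/'+general_role_name+'')
    role_policy_new = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":[\"*\"]}}"
    (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy_new)
    eq(response['ResponseMetadata']['HTTPStatusCode'],200)
    s3_client_iam_creds = get_s3_client_using_iam_creds()
    bucket_name_1 = 'test1'
    s3bucket = s3_client_iam_creds.create_bucket(Bucket=bucket_name_1)
    eq(s3bucket['ResponseMetadata']['HTTPStatusCode'],200)
    session_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":[\"s3:GetObject\"],\"Resource\":[\"arn:aws:s3:::test1\",\"arn:aws:s3:::test1/*\"]}}"
    resp=sts_client.assume_role_with_web_identity(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name,WebIdentityToken=token,Policy=session_policy)
    eq(resp['ResponseMetadata']['HTTPStatusCode'],200)
    s3_client = boto3.client('s3',
                aws_access_key_id = resp['Credentials']['AccessKeyId'],
                aws_secret_access_key = resp['Credentials']['SecretAccessKey'],
                aws_session_token = resp['Credentials']['SessionToken'],
                endpoint_url=default_endpoint,
                region_name='',
                )
    bucket_body = 'this is a test file'
    # None means "the call was allowed", which must fail the assertion below.
    s3_put_obj_error = None
    try:
        s3_put_obj = s3_client.put_object(Body=bucket_body, Bucket=bucket_name_1, Key="test-1.txt")
    except ClientError as e:
        s3_put_obj_error = e.response.get("Error", {}).get("Code")
    eq(s3_put_obj_error, 'AccessDenied')
    oidc_remove=iam_client.delete_open_id_connect_provider(
        OpenIDConnectProviderArn=oidc_arn
    )


@attr(resource='assume role with web identity')
@attr(method='get')
@attr(operation='check')
@attr(assertion='checking put_obj working by swapping policies')
@attr('webidentity_test')
@attr('session_policy')
def test_swapping_role_policy_and_session_policy():
    """Narrow role policy, broad session policy: PutObject on test1 succeeds.

    The role policy allows GetObject/PutObject on test1 and the session
    policy allows s3:* on everything; put_object into test1 is expected to
    return HTTP 200.
    """
    check_webidentity()
    iam_client=get_iam_client()
    iam_access_key=get_iam_access_key()
    iam_secret_key=get_iam_secret_key()
    sts_client=get_sts_client()
    default_endpoint=get_config_endpoint()
    role_session_name=get_parameter_name()
    thumbprint=get_thumbprint()
    aud=get_aud()
    token=get_token()
    realm=get_realm_name()
    url = 'http://localhost:8080/auth/realms/{}'.format(realm)
    thumbprintlist = [thumbprint]
    (oidc_arn,oidc_error) = create_oidc_provider(iam_client, url, None, thumbprintlist)
    if oidc_error is not None:
        raise RuntimeError('Unable to create/get openid connect provider {}'.format(oidc_error))
    policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\""+oidc_arn+"\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\"],\"Condition\":{\"StringEquals\":{\"localhost:8080/auth/realms/"+realm+":app_id\":\""+aud+"\"}}}]}"
    (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None)
    eq(role_response['Role']['Arn'],'arn:aws:iam:::role/'+general_role_name+'')
    role_policy_new = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":[\"s3:GetObject\",\"s3:PutObject\"],\"Resource\":[\"arn:aws:s3:::test1\",\"arn:aws:s3:::test1/*\"]}}"
    (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy_new)
    eq(response['ResponseMetadata']['HTTPStatusCode'],200)
    s3_client_iam_creds = get_s3_client_using_iam_creds()
    bucket_name_1 = 'test1'
    s3bucket = s3_client_iam_creds.create_bucket(Bucket=bucket_name_1)
    eq(s3bucket['ResponseMetadata']['HTTPStatusCode'],200)
    session_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":[\"*\"]}}"
    resp=sts_client.assume_role_with_web_identity(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name,WebIdentityToken=token,Policy=session_policy)
    eq(resp['ResponseMetadata']['HTTPStatusCode'],200)
    s3_client = boto3.client('s3',
                aws_access_key_id = resp['Credentials']['AccessKeyId'],
                aws_secret_access_key = resp['Credentials']['SecretAccessKey'],
                aws_session_token = resp['Credentials']['SessionToken'],
                endpoint_url=default_endpoint,
                region_name='',
                )
    bucket_body = 'this is a test file'
    s3_put_obj = s3_client.put_object(Body=bucket_body, Bucket=bucket_name_1, Key="test-1.txt")
    eq(s3_put_obj['ResponseMetadata']['HTTPStatusCode'],200)
    oidc_remove=iam_client.delete_open_id_connect_provider(
        OpenIDConnectProviderArn=oidc_arn
    )


@attr(resource='assume role with web identity')
@attr(method='put')
@attr(operation='check')
@attr(assertion='checking put_obj working by setting different permissions to role and session policy')
@attr('webidentity_test')
@attr('session_policy')
def test_session_policy_check_different_op_permissions():
    """Role and session policies allow disjoint actions: PutObject is denied.

    The role policy allows only s3:PutObject on test1 and the session policy
    allows only s3:GetObject on test1; put_object is expected to fail with
    AccessDenied.
    """
    check_webidentity()
    iam_client=get_iam_client()
    iam_access_key=get_iam_access_key()
    iam_secret_key=get_iam_secret_key()
    sts_client=get_sts_client()
    default_endpoint=get_config_endpoint()
    role_session_name=get_parameter_name()
    thumbprint=get_thumbprint()
    aud=get_aud()
    token=get_token()
    realm=get_realm_name()
    url = 'http://localhost:8080/auth/realms/{}'.format(realm)
    thumbprintlist = [thumbprint]
    (oidc_arn,oidc_error) = create_oidc_provider(iam_client, url, None, thumbprintlist)
    if oidc_error is not None:
        raise RuntimeError('Unable to create/get openid connect provider {}'.format(oidc_error))
    policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\""+oidc_arn+"\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\"],\"Condition\":{\"StringEquals\":{\"localhost:8080/auth/realms/"+realm+":app_id\":\""+aud+"\"}}}]}"
    (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None)
    eq(role_response['Role']['Arn'],'arn:aws:iam:::role/'+general_role_name+'')
    role_policy_new = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":[\"s3:PutObject\"],\"Resource\":[\"arn:aws:s3:::test1\",\"arn:aws:s3:::test1/*\"]}}"
    (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy_new)
    eq(response['ResponseMetadata']['HTTPStatusCode'],200)
    s3_client_iam_creds = get_s3_client_using_iam_creds()
    bucket_name_1 = 'test1'
    s3bucket = s3_client_iam_creds.create_bucket(Bucket=bucket_name_1)
    eq(s3bucket['ResponseMetadata']['HTTPStatusCode'],200)
    session_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":[\"s3:GetObject\"],\"Resource\":[\"arn:aws:s3:::test1\",\"arn:aws:s3:::test1/*\"]}}"
    resp=sts_client.assume_role_with_web_identity(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name,WebIdentityToken=token,Policy=session_policy)
    eq(resp['ResponseMetadata']['HTTPStatusCode'],200)
    s3_client = boto3.client('s3',
                aws_access_key_id = resp['Credentials']['AccessKeyId'],
                aws_secret_access_key = resp['Credentials']['SecretAccessKey'],
                aws_session_token = resp['Credentials']['SessionToken'],
                endpoint_url=default_endpoint,
                region_name='',
                )
    bucket_body = 'this is a test file'
    # None means "the call was allowed", which must fail the assertion below.
    s3_put_obj_error = None
    try:
        s3_put_obj = s3_client.put_object(Body=bucket_body, Bucket=bucket_name_1, Key="test-1.txt")
    except ClientError as e:
        s3_put_obj_error = e.response.get("Error", {}).get("Code")
    eq(s3_put_obj_error, 'AccessDenied')
    oidc_remove=iam_client.delete_open_id_connect_provider(
        OpenIDConnectProviderArn=oidc_arn
    )


@attr(resource='assume role with web identity')
@attr(method='put')
@attr(operation='check')
@attr(assertion='checking op behaviour with deny effect')
@attr('webidentity_test')
@attr('session_policy')
def test_session_policy_check_with_deny_effect():
    """A Deny in the role policy is not overridden by an Allow in the session policy.

    The role policy denies s3:* on everything while the session policy allows
    s3:PutObject on test1; put_object is expected to fail with AccessDenied.
    """
    check_webidentity()
    iam_client=get_iam_client()
    iam_access_key=get_iam_access_key()
    iam_secret_key=get_iam_secret_key()
    sts_client=get_sts_client()
    default_endpoint=get_config_endpoint()
    role_session_name=get_parameter_name()
    thumbprint=get_thumbprint()
    aud=get_aud()
    token=get_token()
    realm=get_realm_name()
    url = 'http://localhost:8080/auth/realms/{}'.format(realm)
    thumbprintlist = [thumbprint]
    (oidc_arn,oidc_error) = create_oidc_provider(iam_client, url, None, thumbprintlist)
    if oidc_error is not None:
        raise RuntimeError('Unable to create/get openid connect provider {}'.format(oidc_error))
    policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\""+oidc_arn+"\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\"],\"Condition\":{\"StringEquals\":{\"localhost:8080/auth/realms/"+realm+":app_id\":\""+aud+"\"}}}]}"
    (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None)
    eq(role_response['Role']['Arn'],'arn:aws:iam:::role/'+general_role_name+'')
    role_policy_new = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Deny\",\"Action\":\"s3:*\",\"Resource\":[\"*\"]}}"
    (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy_new)
    eq(response['ResponseMetadata']['HTTPStatusCode'],200)
    s3_client_iam_creds = get_s3_client_using_iam_creds()
    bucket_name_1 = 'test1'
    s3bucket = s3_client_iam_creds.create_bucket(Bucket=bucket_name_1)
    eq(s3bucket['ResponseMetadata']['HTTPStatusCode'],200)
    session_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":[\"s3:PutObject\"],\"Resource\":[\"arn:aws:s3:::test1\",\"arn:aws:s3:::test1/*\"]}}"
    resp=sts_client.assume_role_with_web_identity(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name,WebIdentityToken=token,Policy=session_policy)
    eq(resp['ResponseMetadata']['HTTPStatusCode'],200)
    s3_client = boto3.client('s3',
                aws_access_key_id = resp['Credentials']['AccessKeyId'],
                aws_secret_access_key = resp['Credentials']['SecretAccessKey'],
                aws_session_token = resp['Credentials']['SessionToken'],
                endpoint_url=default_endpoint,
                region_name='',
                )
    bucket_body = 'this is a test file'
    # None means "the call was allowed", which must fail the assertion below.
    s3_put_obj_error = None
    try:
        s3_put_obj = s3_client.put_object(Body=bucket_body, Bucket=bucket_name_1, Key="test-1.txt")
    except ClientError as e:
        s3_put_obj_error = e.response.get("Error", {}).get("Code")
    eq(s3_put_obj_error, 'AccessDenied')
    oidc_remove=iam_client.delete_open_id_connect_provider(
        OpenIDConnectProviderArn=oidc_arn
    )


@attr(resource='assume role with web identity')
@attr(method='put')
@attr(operation='check')
@attr(assertion='checking put_obj working with deny and allow on same op')
@attr('webidentity_test')
@attr('session_policy')
def test_session_policy_check_with_deny_on_same_op():
    """A Deny in the session policy is not overridden by an Allow in the role policy.

    The role policy allows s3:PutObject on test1 while the session policy
    denies the same action on the same resources; put_object is expected to
    fail with AccessDenied.
    """
    check_webidentity()
    iam_client=get_iam_client()
    iam_access_key=get_iam_access_key()
    iam_secret_key=get_iam_secret_key()
    sts_client=get_sts_client()
    default_endpoint=get_config_endpoint()
    role_session_name=get_parameter_name()
    thumbprint=get_thumbprint()
    aud=get_aud()
    token=get_token()
    realm=get_realm_name()
    url = 'http://localhost:8080/auth/realms/{}'.format(realm)
    thumbprintlist = [thumbprint]
    (oidc_arn,oidc_error) = create_oidc_provider(iam_client, url, None, thumbprintlist)
    if oidc_error is not None:
        raise RuntimeError('Unable to create/get openid connect provider {}'.format(oidc_error))
    policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\""+oidc_arn+"\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\"],\"Condition\":{\"StringEquals\":{\"localhost:8080/auth/realms/"+realm+":app_id\":\""+aud+"\"}}}]}"
    (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None)
    eq(role_response['Role']['Arn'],'arn:aws:iam:::role/'+general_role_name+'')
    role_policy_new = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":[\"s3:PutObject\"],\"Resource\":[\"arn:aws:s3:::test1\",\"arn:aws:s3:::test1/*\"]}}"
    (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy_new)
    eq(response['ResponseMetadata']['HTTPStatusCode'],200)
    s3_client_iam_creds = get_s3_client_using_iam_creds()
    bucket_name_1 = 'test1'
    s3bucket = s3_client_iam_creds.create_bucket(Bucket=bucket_name_1)
    eq(s3bucket['ResponseMetadata']['HTTPStatusCode'],200)
    session_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Deny\",\"Action\":[\"s3:PutObject\"],\"Resource\":[\"arn:aws:s3:::test1\",\"arn:aws:s3:::test1/*\"]}}"
    resp=sts_client.assume_role_with_web_identity(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name,WebIdentityToken=token,Policy=session_policy)
    eq(resp['ResponseMetadata']['HTTPStatusCode'],200)
    s3_client = boto3.client('s3',
                aws_access_key_id = resp['Credentials']['AccessKeyId'],
                aws_secret_access_key = resp['Credentials']['SecretAccessKey'],
                aws_session_token = resp['Credentials']['SessionToken'],
                endpoint_url=default_endpoint,
                region_name='',
                )
    bucket_body = 'this is a test file'
    # None means "the call was allowed", which must fail the assertion below.
    s3_put_obj_error = None
    try:
        s3_put_obj = s3_client.put_object(Body=bucket_body, Bucket=bucket_name_1, Key="test-1.txt")
    except ClientError as e:
        s3_put_obj_error = e.response.get("Error", {}).get("Code")
    eq(s3_put_obj_error, 'AccessDenied')
    oidc_remove=iam_client.delete_open_id_connect_provider(
        OpenIDConnectProviderArn=oidc_arn
    )


@attr(resource='assume role with web identity')
@attr(method='put')
@attr(operation='check')
@attr(assertion='checking op when bucket policy has role arn')
@attr('webidentity_test')
@attr('session_policy')
def test_session_policy_bucket_policy_role_arn():
    """Bucket policy names the role ARN: the session policy still limits the session.

    The bucket policy grants GetObject/PutObject to the role ARN and the role
    policy allows s3:*, but the session policy allows only s3:PutObject. The
    test expects put_object to succeed and get_object to fail with
    AccessDenied.
    """
    check_webidentity()
    iam_client=get_iam_client()
    sts_client=get_sts_client()
    default_endpoint=get_config_endpoint()
    role_session_name=get_parameter_name()
    thumbprint=get_thumbprint()
    aud=get_aud()
    token=get_token()
    realm=get_realm_name()
    url = 'http://localhost:8080/auth/realms/{}'.format(realm)
    thumbprintlist = [thumbprint]
    (oidc_arn,oidc_error) = create_oidc_provider(iam_client, url, None, thumbprintlist)
    if oidc_error is not None:
        raise RuntimeError('Unable to create/get openid connect provider {}'.format(oidc_error))
    policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\""+oidc_arn+"\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\"],\"Condition\":{\"StringEquals\":{\"localhost:8080/auth/realms/"+realm+":app_id\":\""+aud+"\"}}}]}"
    (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None)
    eq(role_response['Role']['Arn'],'arn:aws:iam:::role/'+general_role_name+'')
    role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":[\"*\"]}}"
    (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy)
    eq(response['ResponseMetadata']['HTTPStatusCode'],200)
    s3client_iamcreds = get_s3_client_using_iam_creds()
    bucket_name_1 = 'test1'
    s3bucket = s3client_iamcreds.create_bucket(Bucket=bucket_name_1)
    eq(s3bucket['ResponseMetadata']['HTTPStatusCode'],200)
    resource1 = "arn:aws:s3:::" + bucket_name_1
    resource2 = "arn:aws:s3:::" + bucket_name_1 + "/*"
    # Principal is the role itself, not a specific assumed-role session.
    rolearn = "arn:aws:iam:::role/" + general_role_name
    bucket_policy = json.dumps(
    {
        "Version": "2012-10-17",
        "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "{}".format(rolearn)},
        "Action": ["s3:GetObject","s3:PutObject"],
        "Resource": [
            "{}".format(resource1),
            "{}".format(resource2)
          ]
        }]
     })
    s3client_iamcreds.put_bucket_policy(Bucket=bucket_name_1, Policy=bucket_policy)
    session_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":[\"s3:PutObject\"],\"Resource\":[\"arn:aws:s3:::test1\",\"arn:aws:s3:::test1/*\"]}}"
    resp=sts_client.assume_role_with_web_identity(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name,WebIdentityToken=token,Policy=session_policy)
    eq(resp['ResponseMetadata']['HTTPStatusCode'],200)
    s3_client = boto3.client('s3',
                aws_access_key_id = resp['Credentials']['AccessKeyId'],
                aws_secret_access_key = resp['Credentials']['SecretAccessKey'],
                aws_session_token = resp['Credentials']['SessionToken'],
                endpoint_url=default_endpoint,
                region_name='',
                )
    bucket_body = 'this is a test file'
    s3_put_obj = s3_client.put_object(Body=bucket_body, Bucket=bucket_name_1, Key="test-1.txt")
    eq(s3_put_obj['ResponseMetadata']['HTTPStatusCode'],200)
    # None means "the read was allowed", which must fail the assertion below.
    s3object_error = None
    try:
        obj = s3_client.get_object(Bucket=bucket_name_1, Key="test-1.txt")
    except ClientError as e:
        s3object_error = e.response.get("Error", {}).get("Code")
    eq(s3object_error, 'AccessDenied')
    oidc_remove=iam_client.delete_open_id_connect_provider(
        OpenIDConnectProviderArn=oidc_arn
    )


@attr(resource='assume role with web identity')
@attr(method='get')
@attr(operation='check')
@attr(assertion='checking op when bucket policy has session arn')
@attr('webidentity_test')
@attr('session_policy')
def test_session_policy_bucket_policy_session_arn():
    """Bucket policy names the assumed-role session ARN: both Put and Get succeed.

    The session policy allows only s3:PutObject, but the bucket policy grants
    GetObject/PutObject directly to the session ARN. The test expects both
    put_object and get_object to return HTTP 200, so a bucket policy that
    names a session principal widens what that session can do beyond its
    session policy.
    """
    check_webidentity()
    iam_client=get_iam_client()
    sts_client=get_sts_client()
    default_endpoint=get_config_endpoint()
    role_session_name=get_parameter_name()
    thumbprint=get_thumbprint()
    aud=get_aud()
    token=get_token()
    realm=get_realm_name()
    url = 'http://localhost:8080/auth/realms/{}'.format(realm)
    thumbprintlist = [thumbprint]
    (oidc_arn,oidc_error) = create_oidc_provider(iam_client, url, None, thumbprintlist)
    if oidc_error is not None:
        raise RuntimeError('Unable to create/get openid connect provider {}'.format(oidc_error))
    policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\""+oidc_arn+"\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\"],\"Condition\":{\"StringEquals\":{\"localhost:8080/auth/realms/"+realm+":app_id\":\""+aud+"\"}}}]}"
    (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None)
    eq(role_response['Role']['Arn'],'arn:aws:iam:::role/'+general_role_name+'')
    role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":[\"*\"]}}"
    (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy)
    eq(response['ResponseMetadata']['HTTPStatusCode'],200)
    s3client_iamcreds = get_s3_client_using_iam_creds()
    bucket_name_1 = 'test1'
    s3bucket = s3client_iamcreds.create_bucket(Bucket=bucket_name_1)
    eq(s3bucket['ResponseMetadata']['HTTPStatusCode'],200)
    resource1 = "arn:aws:s3:::" + bucket_name_1
    resource2 = "arn:aws:s3:::" + bucket_name_1 + "/*"
    # Principal is the specific assumed-role session, not the role.
    rolesessionarn = "arn:aws:iam:::assumed-role/" + general_role_name + "/" + role_session_name
    bucket_policy = json.dumps(
    {
        "Version": "2012-10-17",
        "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "{}".format(rolesessionarn)},
        "Action": ["s3:GetObject","s3:PutObject"],
        "Resource": [
            "{}".format(resource1),
            "{}".format(resource2)
          ]
        }]
    })
    s3client_iamcreds.put_bucket_policy(Bucket=bucket_name_1, Policy=bucket_policy)
    session_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":[\"s3:PutObject\"],\"Resource\":[\"arn:aws:s3:::test1\",\"arn:aws:s3:::test1/*\"]}}"
    resp=sts_client.assume_role_with_web_identity(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name,WebIdentityToken=token,Policy=session_policy)
    eq(resp['ResponseMetadata']['HTTPStatusCode'],200)
    s3_client = boto3.client('s3',
                aws_access_key_id = resp['Credentials']['AccessKeyId'],
                aws_secret_access_key = resp['Credentials']['SecretAccessKey'],
                aws_session_token = resp['Credentials']['SessionToken'],
                endpoint_url=default_endpoint,
                region_name='',
                )
    bucket_body = 'this is a test file'
    s3_put_obj = s3_client.put_object(Body=bucket_body, Bucket=bucket_name_1, Key="test-1.txt")
    eq(s3_put_obj['ResponseMetadata']['HTTPStatusCode'],200)
    s3_get_obj = s3_client.get_object(Bucket=bucket_name_1, Key="test-1.txt")
    eq(s3_get_obj['ResponseMetadata']['HTTPStatusCode'],200)
    oidc_remove=iam_client.delete_open_id_connect_provider(
        OpenIDConnectProviderArn=oidc_arn
    )


@attr(resource='assume role with web identity')
@attr(method='put')
@attr(operation='check')
@attr(assertion='checking copy object op with role, session and bucket policy')
@attr('webidentity_test')
@attr('session_policy')
def test_session_policy_copy_object():
    """Copy within one bucket when the bucket policy names the session ARN.

    Same setup as the session-ARN bucket-policy test: after a successful
    put_object, test-1.txt is copied to test-2.txt with the session
    credentials and get_object on the copy is expected to return HTTP 200.
    """
    check_webidentity()
    iam_client=get_iam_client()
    sts_client=get_sts_client()
    default_endpoint=get_config_endpoint()
    role_session_name=get_parameter_name()
    thumbprint=get_thumbprint()
    aud=get_aud()
    token=get_token()
    realm=get_realm_name()
    url = 'http://localhost:8080/auth/realms/{}'.format(realm)
    thumbprintlist = [thumbprint]
    (oidc_arn,oidc_error) = create_oidc_provider(iam_client, url, None, thumbprintlist)
    if oidc_error is not None:
        raise RuntimeError('Unable to create/get openid connect provider {}'.format(oidc_error))
    policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\""+oidc_arn+"\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\"],\"Condition\":{\"StringEquals\":{\"localhost:8080/auth/realms/"+realm+":app_id\":\""+aud+"\"}}}]}"
    (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None)
    eq(role_response['Role']['Arn'],'arn:aws:iam:::role/'+general_role_name+'')
    role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":[\"*\"]}}"
    (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy)
    eq(response['ResponseMetadata']['HTTPStatusCode'],200)
    s3client_iamcreds = get_s3_client_using_iam_creds()
    bucket_name_1 = 'test1'
    s3bucket = s3client_iamcreds.create_bucket(Bucket=bucket_name_1)
    eq(s3bucket['ResponseMetadata']['HTTPStatusCode'],200)
    resource1 = "arn:aws:s3:::" + bucket_name_1
    resource2 = "arn:aws:s3:::" + bucket_name_1 + "/*"
    rolesessionarn = "arn:aws:iam:::assumed-role/" + general_role_name + "/" + role_session_name
    print (rolesessionarn)
    bucket_policy = json.dumps(
    {
        "Version": "2012-10-17",
        "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "{}".format(rolesessionarn)},
        "Action": ["s3:GetObject","s3:PutObject"],
        "Resource": [
            "{}".format(resource1),
            "{}".format(resource2)
          ]
        }]
     })
    s3client_iamcreds.put_bucket_policy(Bucket=bucket_name_1, Policy=bucket_policy)
    session_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":[\"s3:PutObject\"],\"Resource\":[\"arn:aws:s3:::test1\",\"arn:aws:s3:::test1/*\"]}}"
    resp=sts_client.assume_role_with_web_identity(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name,WebIdentityToken=token,Policy=session_policy)
    eq(resp['ResponseMetadata']['HTTPStatusCode'],200)
    s3_client = boto3.client('s3',
                aws_access_key_id = resp['Credentials']['AccessKeyId'],
                aws_secret_access_key = resp['Credentials']['SecretAccessKey'],
                aws_session_token = resp['Credentials']['SessionToken'],
                endpoint_url=default_endpoint,
                region_name='',
                )
    bucket_body = 'this is a test file'
    s3_put_obj = s3_client.put_object(Body=bucket_body, Bucket=bucket_name_1, Key="test-1.txt")
    eq(s3_put_obj['ResponseMetadata']['HTTPStatusCode'],200)
    copy_source = {
    'Bucket': bucket_name_1,
    'Key': 'test-1.txt'
    }
    s3_client.copy(copy_source, bucket_name_1, "test-2.txt")
    s3_get_obj = s3_client.get_object(Bucket=bucket_name_1, Key="test-2.txt")
    eq(s3_get_obj['ResponseMetadata']['HTTPStatusCode'],200)
    oidc_remove=iam_client.delete_open_id_connect_provider(
        OpenIDConnectProviderArn=oidc_arn
    )


@attr(resource='assume role with web identity')
@attr(method='put')
@attr(operation='check')
@attr(assertion='checking op is denied when no role policy')
@attr('webidentity_test')
@attr('session_policy')
def test_session_policy_no_bucket_role_policy():
    check_webidentity()
    iam_client=get_iam_client()
    sts_client=get_sts_client()
    default_endpoint=get_config_endpoint()
    role_session_name=get_parameter_name()
    thumbprint=get_thumbprint()
    aud=get_aud()
    token=get_token()
    realm=get_realm_name()
    url = 'http://localhost:8080/auth/realms/{}'.format(realm)
    thumbprintlist = [thumbprint]
    (oidc_arn,oidc_error) = create_oidc_provider(iam_client, url, None, thumbprintlist)
    if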
oidc_error is not None:1065        raise RuntimeError('Unable to create/get openid connect provider {}'.format(oidc_error))1066    policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\""+oidc_arn+"\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\"],\"Condition\":{\"StringEquals\":{\"localhost:8080/auth/realms/"+realm+":app_id\":\""+aud+"\"}}}]}"1067    (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None)1068    eq(role_response['Role']['Arn'],'arn:aws:iam:::role/'+general_role_name+'')1069    s3client_iamcreds = get_s3_client_using_iam_creds()1070    bucket_name_1 = 'test1'1071    s3bucket = s3client_iamcreds.create_bucket(Bucket=bucket_name_1)1072    eq(s3bucket['ResponseMetadata']['HTTPStatusCode'],200)1073    session_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":[\"s3:PutObject\",\"s3:GetObject\"],\"Resource\":[\"arn:aws:s3:::test1\",\"arn:aws:s3:::test1/*\"]}}"1074    resp=sts_client.assume_role_with_web_identity(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name,WebIdentityToken=token,Policy=session_policy)1075    eq(resp['ResponseMetadata']['HTTPStatusCode'],200)1076    s3_client = boto3.client('s3',1077                aws_access_key_id = resp['Credentials']['AccessKeyId'],1078                aws_secret_access_key = resp['Credentials']['SecretAccessKey'],1079                aws_session_token = resp['Credentials']['SessionToken'],1080                endpoint_url=default_endpoint,1081                region_name='',1082                )1083    bucket_body = 'this is a test file'1084    try:1085        s3_put_obj = s3_client.put_object(Body=bucket_body, Bucket=bucket_name_1, Key="test-1.txt")1086    except ClientError as e:1087        s3putobj_error = e.response.get("Error", {}).get("Code")1088    eq(s3putobj_error, 'AccessDenied')1089    
oidc_remove=iam_client.delete_open_id_connect_provider(1090    OpenIDConnectProviderArn=oidc_arn1091    )1092@attr(resource='assume role with web identity')1093@attr(method='put')1094@attr(operation='check')1095@attr(assertion='checking op is denied when resource policy denies')1096@attr('webidentity_test')1097@attr('session_policy')1098def test_session_policy_bucket_policy_deny():1099    check_webidentity()1100    iam_client=get_iam_client()1101    sts_client=get_sts_client()1102    default_endpoint=get_config_endpoint()1103    role_session_name=get_parameter_name()1104    thumbprint=get_thumbprint()1105    aud=get_aud()1106    token=get_token()1107    realm=get_realm_name()1108    url = 'http://localhost:8080/auth/realms/{}'.format(realm)1109    thumbprintlist = [thumbprint]1110    (oidc_arn,oidc_error) = create_oidc_provider(iam_client, url, None, thumbprintlist)1111    if oidc_error is not None:1112        raise RuntimeError('Unable to create/get openid connect provider {}'.format(oidc_error))1113    policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\""+oidc_arn+"\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\"],\"Condition\":{\"StringEquals\":{\"localhost:8080/auth/realms/"+realm+":app_id\":\""+aud+"\"}}}]}"1114    (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None)1115    eq(role_response['Role']['Arn'],'arn:aws:iam:::role/'+general_role_name+'')1116    role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":[\"*\"]}}"1117    (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy)1118    eq(response['ResponseMetadata']['HTTPStatusCode'],200)1119    s3client_iamcreds = get_s3_client_using_iam_creds()1120    bucket_name_1 = 'test1'1121    s3bucket = s3client_iamcreds.create_bucket(Bucket=bucket_name_1)1122    
eq(s3bucket['ResponseMetadata']['HTTPStatusCode'],200)1123    resource1 = "arn:aws:s3:::" + bucket_name_11124    resource2 = "arn:aws:s3:::" + bucket_name_1 + "/*"1125    rolesessionarn = "arn:aws:iam:::assumed-role/" + general_role_name + "/" + role_session_name1126    bucket_policy = json.dumps(1127    {1128        "Version": "2012-10-17",1129        "Statement": [{1130        "Effect": "Deny",1131        "Principal": {"AWS": "{}".format(rolesessionarn)},1132        "Action": ["s3:GetObject","s3:PutObject"],1133        "Resource": [1134            "{}".format(resource1),1135            "{}".format(resource2)1136          ]1137        }]1138    })1139    s3client_iamcreds.put_bucket_policy(Bucket=bucket_name_1, Policy=bucket_policy)1140    session_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":[\"s3:PutObject\"],\"Resource\":[\"arn:aws:s3:::test1\",\"arn:aws:s3:::test1/*\"]}}"1141    resp=sts_client.assume_role_with_web_identity(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name,WebIdentityToken=token,Policy=session_policy)1142    eq(resp['ResponseMetadata']['HTTPStatusCode'],200)1143    s3_client = boto3.client('s3',1144                aws_access_key_id = resp['Credentials']['AccessKeyId'],1145                aws_secret_access_key = resp['Credentials']['SecretAccessKey'],1146                aws_session_token = resp['Credentials']['SessionToken'],1147                endpoint_url=default_endpoint,1148                region_name='',1149                )1150    bucket_body = 'this is a test file'1151    try:1152        s3_put_obj = s3_client.put_object(Body=bucket_body, Bucket=bucket_name_1, Key="test-1.txt")1153    except ClientError as e:1154        s3putobj_error = e.response.get("Error", {}).get("Code")1155    eq(s3putobj_error, 'AccessDenied')1156    oidc_remove=iam_client.delete_open_id_connect_provider(1157    OpenIDConnectProviderArn=oidc_arn1158    )1159@attr(resource='assume role with web 
identity')1160@attr(method='get')1161@attr(operation='check')1162@attr(assertion='assuming role using web token using sub in trust policy')1163@attr('webidentity_test')1164@attr('token_claims_trust_policy_test')1165def test_assume_role_with_web_identity_with_sub():1166    check_webidentity()1167    iam_client=get_iam_client()1168    sts_client=get_sts_client()1169    default_endpoint=get_config_endpoint()1170    role_session_name=get_parameter_name()1171    thumbprint=get_thumbprint()1172    sub=get_sub()1173    token=get_token()1174    realm=get_realm_name()1175    oidc_response = iam_client.create_open_id_connect_provider(1176    Url='http://localhost:8080/auth/realms/{}'.format(realm),1177    ThumbprintList=[1178        thumbprint,1179    ],1180    )1181    policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\""+oidc_response["OpenIDConnectProviderArn"]+"\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\"],\"Condition\":{\"StringEquals\":{\"localhost:8080/auth/realms/"+realm+":sub\":\""+sub+"\"}}}]}"1182    (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None)1183    eq(role_response['Role']['Arn'],'arn:aws:iam:::role/'+general_role_name+'')1184    role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3:::*\"}}"1185    (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy)1186    eq(response['ResponseMetadata']['HTTPStatusCode'],200)1187    resp=sts_client.assume_role_with_web_identity(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name,WebIdentityToken=token)1188    eq(resp['ResponseMetadata']['HTTPStatusCode'],200)1189    s3_client = boto3.client('s3',1190        aws_access_key_id = resp['Credentials']['AccessKeyId'],1191        aws_secret_access_key = resp['Credentials']['SecretAccessKey'],1192        aws_session_token = 
resp['Credentials']['SessionToken'],1193        endpoint_url=default_endpoint,1194        region_name='',1195        )1196    bucket_name = get_new_bucket_name()1197    s3bucket = s3_client.create_bucket(Bucket=bucket_name)1198    eq(s3bucket['ResponseMetadata']['HTTPStatusCode'],200)1199    bkt = s3_client.delete_bucket(Bucket=bucket_name)1200    eq(bkt['ResponseMetadata']['HTTPStatusCode'],204)1201    oidc_remove=iam_client.delete_open_id_connect_provider(1202    OpenIDConnectProviderArn=oidc_response["OpenIDConnectProviderArn"]1203    )1204@attr(resource='assume role with web identity')1205@attr(method='get')1206@attr(operation='check')1207@attr(assertion='assuming role using web token using azp in trust policy')1208@attr('webidentity_test')1209@attr('token_claims_trust_policy_test')1210def test_assume_role_with_web_identity_with_azp():1211    check_webidentity()1212    iam_client=get_iam_client()1213    sts_client=get_sts_client()1214    default_endpoint=get_config_endpoint()1215    role_session_name=get_parameter_name()1216    thumbprint=get_thumbprint()1217    azp=get_azp()1218    token=get_token()1219    realm=get_realm_name()1220    oidc_response = iam_client.create_open_id_connect_provider(1221    Url='http://localhost:8080/auth/realms/{}'.format(realm),1222    ThumbprintList=[1223        thumbprint,1224    ],1225    )1226    policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\""+oidc_response["OpenIDConnectProviderArn"]+"\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\"],\"Condition\":{\"StringEquals\":{\"localhost:8080/auth/realms/"+realm+":azp\":\""+azp+"\"}}}]}"1227    (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None)1228    eq(role_response['Role']['Arn'],'arn:aws:iam:::role/'+general_role_name+'')1229    role_policy = 
"{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3:::*\"}}"1230    (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy)1231    eq(response['ResponseMetadata']['HTTPStatusCode'],200)1232    resp=sts_client.assume_role_with_web_identity(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name,WebIdentityToken=token)1233    eq(resp['ResponseMetadata']['HTTPStatusCode'],200)1234    s3_client = boto3.client('s3',1235        aws_access_key_id = resp['Credentials']['AccessKeyId'],1236        aws_secret_access_key = resp['Credentials']['SecretAccessKey'],1237        aws_session_token = resp['Credentials']['SessionToken'],1238        endpoint_url=default_endpoint,1239        region_name='',1240        )1241    bucket_name = get_new_bucket_name()1242    s3bucket = s3_client.create_bucket(Bucket=bucket_name)1243    eq(s3bucket['ResponseMetadata']['HTTPStatusCode'],200)1244    bkt = s3_client.delete_bucket(Bucket=bucket_name)1245    eq(bkt['ResponseMetadata']['HTTPStatusCode'],204)1246    oidc_remove=iam_client.delete_open_id_connect_provider(1247    OpenIDConnectProviderArn=oidc_response["OpenIDConnectProviderArn"]1248    )1249@attr(resource='assume role with web identity')1250@attr(method='get')1251@attr(operation='check')1252@attr(assertion='assuming role using web token using aws:RequestTag in trust policy')1253@attr('webidentity_test')1254@attr('abac_test')1255@attr('token_request_tag_trust_policy_test')1256def test_assume_role_with_web_identity_with_request_tag():1257    check_webidentity()1258    iam_client=get_iam_client()1259    sts_client=get_sts_client()1260    default_endpoint=get_config_endpoint()1261    role_session_name=get_parameter_name()1262    thumbprint=get_thumbprint()1263    user_token=get_user_token()1264    realm=get_realm_name()1265    oidc_response = iam_client.create_open_id_connect_provider(1266    
Url='http://localhost:8080/auth/realms/{}'.format(realm),1267    ThumbprintList=[1268        thumbprint,1269    ],1270    )1271    policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\""+oidc_response["OpenIDConnectProviderArn"]+"\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\",\"sts:TagSession\"],\"Condition\":{\"StringEquals\":{\"aws:RequestTag/Department\":\"Engineering\"}}}]}"1272    (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None)1273    eq(role_response['Role']['Arn'],'arn:aws:iam:::role/'+general_role_name+'')1274    role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3:::*\"}}"1275    (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy)1276    eq(response['ResponseMetadata']['HTTPStatusCode'],200)1277    resp=sts_client.assume_role_with_web_identity(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name,WebIdentityToken=user_token)1278    eq(resp['ResponseMetadata']['HTTPStatusCode'],200)1279    s3_client = boto3.client('s3',1280        aws_access_key_id = resp['Credentials']['AccessKeyId'],1281        aws_secret_access_key = resp['Credentials']['SecretAccessKey'],1282        aws_session_token = resp['Credentials']['SessionToken'],1283        endpoint_url=default_endpoint,1284        region_name='',1285        )1286    bucket_name = get_new_bucket_name()1287    s3bucket = s3_client.create_bucket(Bucket=bucket_name)1288    eq(s3bucket['ResponseMetadata']['HTTPStatusCode'],200)1289    bkt = s3_client.delete_bucket(Bucket=bucket_name)1290    eq(bkt['ResponseMetadata']['HTTPStatusCode'],204)1291    oidc_remove=iam_client.delete_open_id_connect_provider(1292    OpenIDConnectProviderArn=oidc_response["OpenIDConnectProviderArn"]1293    )1294@attr(resource='assume role with web 
identity')1295@attr(method='get')1296@attr(operation='check')1297@attr(assertion='assuming role using web token with aws:PrincipalTag in role policy')1298@attr('webidentity_test')1299@attr('abac_test')1300@attr('token_principal_tag_role_policy_test')1301def test_assume_role_with_web_identity_with_principal_tag():1302    check_webidentity()1303    iam_client=get_iam_client()1304    sts_client=get_sts_client()1305    default_endpoint=get_config_endpoint()1306    role_session_name=get_parameter_name()1307    thumbprint=get_thumbprint()1308    user_token=get_user_token()1309    realm=get_realm_name()1310    oidc_response = iam_client.create_open_id_connect_provider(1311    Url='http://localhost:8080/auth/realms/{}'.format(realm),1312    ThumbprintList=[1313        thumbprint,1314    ],1315    )1316    policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\""+oidc_response["OpenIDConnectProviderArn"]+"\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\",\"sts:TagSession\"],\"Condition\":{\"StringEquals\":{\"aws:RequestTag/Department\":\"Engineering\"}}}]}"1317    (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None)1318    eq(role_response['Role']['Arn'],'arn:aws:iam:::role/'+general_role_name+'')1319    role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3:::*\",\"Condition\":{\"StringEquals\":{\"aws:PrincipalTag/Department\":\"Engineering\"}}}}"1320    (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy)1321    eq(response['ResponseMetadata']['HTTPStatusCode'],200)1322    resp=sts_client.assume_role_with_web_identity(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name,WebIdentityToken=user_token)1323    eq(resp['ResponseMetadata']['HTTPStatusCode'],200)1324    s3_client = boto3.client('s3',1325        aws_access_key_id = 
resp['Credentials']['AccessKeyId'],1326        aws_secret_access_key = resp['Credentials']['SecretAccessKey'],1327        aws_session_token = resp['Credentials']['SessionToken'],1328        endpoint_url=default_endpoint,1329        region_name='',1330        )1331    bucket_name = get_new_bucket_name()1332    s3bucket = s3_client.create_bucket(Bucket=bucket_name)1333    eq(s3bucket['ResponseMetadata']['HTTPStatusCode'],200)1334    bkt = s3_client.delete_bucket(Bucket=bucket_name)1335    eq(bkt['ResponseMetadata']['HTTPStatusCode'],204)1336    oidc_remove=iam_client.delete_open_id_connect_provider(1337    OpenIDConnectProviderArn=oidc_response["OpenIDConnectProviderArn"]1338    )1339@attr(resource='assume role with web identity')1340@attr(method='get')1341@attr(operation='check')1342@attr(assertion='assuming role using web token with aws:PrincipalTag in role policy')1343@attr('webidentity_test')1344@attr('abac_test')1345@attr('token_principal_tag_role_policy_test')1346def test_assume_role_with_web_identity_for_all_values():1347    check_webidentity()1348    iam_client=get_iam_client()1349    sts_client=get_sts_client()1350    default_endpoint=get_config_endpoint()1351    role_session_name=get_parameter_name()1352    thumbprint=get_thumbprint()1353    user_token=get_user_token()1354    realm=get_realm_name()1355    oidc_response = iam_client.create_open_id_connect_provider(1356    Url='http://localhost:8080/auth/realms/{}'.format(realm),1357    ThumbprintList=[1358        thumbprint,1359    ],1360    )1361    policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\""+oidc_response["OpenIDConnectProviderArn"]+"\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\",\"sts:TagSession\"],\"Condition\":{\"StringEquals\":{\"aws:RequestTag/Department\":\"Engineering\"}}}]}"1362    (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None)1363    
eq(role_response['Role']['Arn'],'arn:aws:iam:::role/'+general_role_name+'')1364    role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3:::*\",\"Condition\":{\"ForAllValues:StringEquals\":{\"aws:PrincipalTag/Department\":[\"Engineering\",\"Marketing\"]}}}}"1365    (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy)1366    eq(response['ResponseMetadata']['HTTPStatusCode'],200)1367    resp=sts_client.assume_role_with_web_identity(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name,WebIdentityToken=user_token)1368    eq(resp['ResponseMetadata']['HTTPStatusCode'],200)1369    s3_client = boto3.client('s3',1370        aws_access_key_id = resp['Credentials']['AccessKeyId'],1371        aws_secret_access_key = resp['Credentials']['SecretAccessKey'],1372        aws_session_token = resp['Credentials']['SessionToken'],1373        endpoint_url=default_endpoint,1374        region_name='',1375        )1376    bucket_name = get_new_bucket_name()1377    s3bucket = s3_client.create_bucket(Bucket=bucket_name)1378    eq(s3bucket['ResponseMetadata']['HTTPStatusCode'],200)1379    bkt = s3_client.delete_bucket(Bucket=bucket_name)1380    eq(bkt['ResponseMetadata']['HTTPStatusCode'],204)1381    oidc_remove=iam_client.delete_open_id_connect_provider(1382    OpenIDConnectProviderArn=oidc_response["OpenIDConnectProviderArn"]1383    )1384@attr(resource='assume role with web identity')1385@attr(method='get')1386@attr(operation='check')1387@attr(assertion='assuming role using web token with aws:PrincipalTag in role policy')1388@attr('webidentity_test')1389@attr('abac_test')1390@attr('token_principal_tag_role_policy_test')1391def test_assume_role_with_web_identity_for_all_values_deny():1392    check_webidentity()1393    iam_client=get_iam_client()1394    sts_client=get_sts_client()1395    default_endpoint=get_config_endpoint()1396    role_session_name=get_parameter_name()1397   
 thumbprint=get_thumbprint()1398    user_token=get_user_token()1399    realm=get_realm_name()1400    oidc_response = iam_client.create_open_id_connect_provider(1401    Url='http://localhost:8080/auth/realms/{}'.format(realm),1402    ThumbprintList=[1403        thumbprint,1404    ],1405    )1406    policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\""+oidc_response["OpenIDConnectProviderArn"]+"\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\",\"sts:TagSession\"],\"Condition\":{\"StringEquals\":{\"aws:RequestTag/Department\":\"Engineering\"}}}]}"1407    (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None)1408    eq(role_response['Role']['Arn'],'arn:aws:iam:::role/'+general_role_name+'')1409    #ForAllValues: The condition returns true if every key value in the request matches at least one value in the policy1410    role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3:::*\",\"Condition\":{\"ForAllValues:StringEquals\":{\"aws:PrincipalTag/Department\":[\"Engineering\"]}}}}"1411    (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy)1412    eq(response['ResponseMetadata']['HTTPStatusCode'],200)1413    resp=sts_client.assume_role_with_web_identity(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name,WebIdentityToken=user_token)1414    eq(resp['ResponseMetadata']['HTTPStatusCode'],200)1415    s3_client = boto3.client('s3',1416        aws_access_key_id = resp['Credentials']['AccessKeyId'],1417        aws_secret_access_key = resp['Credentials']['SecretAccessKey'],1418        aws_session_token = resp['Credentials']['SessionToken'],1419        endpoint_url=default_endpoint,1420        region_name='',1421        )1422    bucket_name = get_new_bucket_name()1423    try:1424        s3bucket = s3_client.create_bucket(Bucket=bucket_name)1425    
except ClientError as e:1426        s3bucket_error = e.response.get("Error", {}).get("Code")1427    eq(s3bucket_error,'AccessDenied')1428    oidc_remove=iam_client.delete_open_id_connect_provider(1429    OpenIDConnectProviderArn=oidc_response["OpenIDConnectProviderArn"]1430    )1431@attr(resource='assume role with web identity')1432@attr(method='get')1433@attr(operation='check')1434@attr(assertion='assuming role using web token with aws:TagKeys in trust policy')1435@attr('webidentity_test')1436@attr('abac_test')1437@attr('token_tag_keys_test')1438def test_assume_role_with_web_identity_tag_keys_trust_policy():1439    check_webidentity()1440    iam_client=get_iam_client()1441    sts_client=get_sts_client()1442    default_endpoint=get_config_endpoint()1443    role_session_name=get_parameter_name()1444    thumbprint=get_thumbprint()1445    user_token=get_user_token()1446    realm=get_realm_name()1447    oidc_response = iam_client.create_open_id_connect_provider(1448    Url='http://localhost:8080/auth/realms/{}'.format(realm),1449    ThumbprintList=[1450        thumbprint,1451    ],1452    )1453    policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\""+oidc_response["OpenIDConnectProviderArn"]+"\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\",\"sts:TagSession\"],\"Condition\":{\"StringEquals\":{\"aws:TagKeys\":\"Department\"}}}]}"1454    (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None)1455    eq(role_response['Role']['Arn'],'arn:aws:iam:::role/'+general_role_name+'')1456    role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3:::*\",\"Condition\":{\"ForAnyValue:StringEquals\":{\"aws:PrincipalTag/Department\":[\"Engineering\"]}}}}"1457    (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy)1458    
eq(response['ResponseMetadata']['HTTPStatusCode'],200)1459    resp=sts_client.assume_role_with_web_identity(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name,WebIdentityToken=user_token)1460    eq(resp['ResponseMetadata']['HTTPStatusCode'],200)1461    s3_client = boto3.client('s3',1462        aws_access_key_id = resp['Credentials']['AccessKeyId'],1463        aws_secret_access_key = resp['Credentials']['SecretAccessKey'],1464        aws_session_token = resp['Credentials']['SessionToken'],1465        endpoint_url=default_endpoint,1466        region_name='',1467        )1468    bucket_name = get_new_bucket_name()1469    s3bucket = s3_client.create_bucket(Bucket=bucket_name)1470    eq(s3bucket['ResponseMetadata']['HTTPStatusCode'],200)1471    bkt = s3_client.delete_bucket(Bucket=bucket_name)1472    eq(bkt['ResponseMetadata']['HTTPStatusCode'],204)1473    oidc_remove=iam_client.delete_open_id_connect_provider(1474    OpenIDConnectProviderArn=oidc_response["OpenIDConnectProviderArn"]1475    )1476@attr(resource='assume role with web identity')1477@attr(method='get')1478@attr(operation='check')1479@attr(assertion='assuming role using web token with aws:TagKeys in role permission policy')1480@attr('webidentity_test')1481@attr('abac_test')1482@attr('token_tag_keys_test')1483def test_assume_role_with_web_identity_tag_keys_role_policy():1484    check_webidentity()1485    iam_client=get_iam_client()1486    sts_client=get_sts_client()1487    default_endpoint=get_config_endpoint()1488    role_session_name=get_parameter_name()1489    thumbprint=get_thumbprint()1490    user_token=get_user_token()1491    realm=get_realm_name()1492    oidc_response = iam_client.create_open_id_connect_provider(1493    Url='http://localhost:8080/auth/realms/{}'.format(realm),1494    ThumbprintList=[1495        thumbprint,1496    ],1497    )1498    policy_document = 
"{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\""+oidc_response["OpenIDConnectProviderArn"]+"\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\",\"sts:TagSession\"],\"Condition\":{\"StringEquals\":{\"aws:RequestTag/Department\":\"Engineering\"}}}]}"1499    (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None)1500    eq(role_response['Role']['Arn'],'arn:aws:iam:::role/'+general_role_name+'')1501    role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3:::*\",\"Condition\":{\"StringEquals\":{\"aws:TagKeys\":[\"Department\"]}}}}"1502    (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy)1503    eq(response['ResponseMetadata']['HTTPStatusCode'],200)1504    resp=sts_client.assume_role_with_web_identity(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name,WebIdentityToken=user_token)1505    eq(resp['ResponseMetadata']['HTTPStatusCode'],200)1506    s3_client = boto3.client('s3',1507        aws_access_key_id = resp['Credentials']['AccessKeyId'],1508        aws_secret_access_key = resp['Credentials']['SecretAccessKey'],1509        aws_session_token = resp['Credentials']['SessionToken'],1510        endpoint_url=default_endpoint,1511        region_name='',1512        )1513    bucket_name = get_new_bucket_name()1514    s3bucket = s3_client.create_bucket(Bucket=bucket_name)1515    eq(s3bucket['ResponseMetadata']['HTTPStatusCode'],200)1516    bkt = s3_client.delete_bucket(Bucket=bucket_name)1517    eq(bkt['ResponseMetadata']['HTTPStatusCode'],204)1518    oidc_remove=iam_client.delete_open_id_connect_provider(1519    OpenIDConnectProviderArn=oidc_response["OpenIDConnectProviderArn"]1520    )1521@attr(resource='assume role with web identity')1522@attr(method='put')1523@attr(operation='check')1524@attr(assertion='assuming role using web token with s3:ResourceTag 
in role permission policy')1525@attr('webidentity_test')1526@attr('abac_test')1527@attr('token_resource_tags_test')1528def test_assume_role_with_web_identity_resource_tag():1529    check_webidentity()1530    iam_client=get_iam_client()1531    sts_client=get_sts_client()1532    default_endpoint=get_config_endpoint()1533    role_session_name=get_parameter_name()1534    thumbprint=get_thumbprint()1535    user_token=get_user_token()1536    realm=get_realm_name()1537    s3_res_iam_creds = get_s3_resource_using_iam_creds()1538    s3_client_iam_creds = s3_res_iam_creds.meta.client1539    bucket_name = get_new_bucket_name()1540    s3bucket = s3_client_iam_creds.create_bucket(Bucket=bucket_name)1541    eq(s3bucket['ResponseMetadata']['HTTPStatusCode'],200)1542    bucket_tagging = s3_res_iam_creds.BucketTagging(bucket_name)1543    Set_Tag = bucket_tagging.put(Tagging={'TagSet':[{'Key':'Department', 'Value': 'Engineering'},{'Key':'Department', 'Value': 'Marketing'}]})1544    oidc_response = iam_client.create_open_id_connect_provider(1545    Url='http://localhost:8080/auth/realms/{}'.format(realm),1546    ThumbprintList=[1547        thumbprint,1548    ],1549    )1550    policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\""+oidc_response["OpenIDConnectProviderArn"]+"\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\",\"sts:TagSession\"],\"Condition\":{\"StringEquals\":{\"aws:RequestTag/Department\":\"Engineering\"}}}]}"1551    (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None)1552    eq(role_response['Role']['Arn'],'arn:aws:iam:::role/'+general_role_name+'')1553    role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3:::*\",\"Condition\":{\"StringEquals\":{\"s3:ResourceTag/Department\":[\"Engineering\"]}}}}"1554    
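# Tail of test_assume_role_with_web_identity_resource_tag; the start of this test is on the preceding lines of the listing.
    (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy)
    eq(response['ResponseMetadata']['HTTPStatusCode'],200)
    # Exchange the web identity token for temporary role credentials.
    resp=sts_client.assume_role_with_web_identity(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name,WebIdentityToken=user_token)
    eq(resp['ResponseMetadata']['HTTPStatusCode'],200)
    # This client acts only with the assumed-role session credentials.
    s3_client = boto3.client('s3',
        aws_access_key_id = resp['Credentials']['AccessKeyId'],
        aws_secret_access_key = resp['Credentials']['SecretAccessKey'],
        aws_session_token = resp['Credentials']['SessionToken'],
        endpoint_url=default_endpoint,
        region_name='',
        )
    bucket_body = 'this is a test file'
    # Positive case: the write is expected to succeed under the role's s3:ResourceTag condition.
    s3_put_obj = s3_client.put_object(Body=bucket_body, Bucket=bucket_name, Key="test-1.txt")
    eq(s3_put_obj['ResponseMetadata']['HTTPStatusCode'],200)
    oidc_remove=iam_client.delete_open_id_connect_provider(
    OpenIDConnectProviderArn=oidc_response["OpenIDConnectProviderArn"]
    )
@attr(resource='assume role with web identity')
@attr(method='put')
@attr(operation='check')
@attr(assertion='assuming role using web token with s3:ResourceTag with missing tags on bucket')
@attr('webidentity_test')
@attr('abac_test')
@attr('token_resource_tags_test')
def test_assume_role_with_web_identity_resource_tag_deny():
    """Check that PutObject is refused when the bucket has no Department tag.

    The role's permission policy allows s3:* only when
    s3:ResourceTag/Department equals Engineering. This test creates the
    bucket without tagging it, so the write made with the assumed-role
    credentials is expected to fail with AccessDenied.
    """
    check_webidentity()
    iam_client=get_iam_client()
    sts_client=get_sts_client()
    default_endpoint=get_config_endpoint()
    role_session_name=get_parameter_name()
    thumbprint=get_thumbprint()
    user_token=get_user_token()
    realm=get_realm_name()
    # The bucket is created with the IAM user's credentials and deliberately left untagged.
    s3_res_iam_creds = get_s3_resource_using_iam_creds()
    s3_client_iam_creds = s3_res_iam_creds.meta.client
    bucket_name = get_new_bucket_name()
    s3bucket = s3_client_iam_creds.create_bucket(Bucket=bucket_name)
    eq(s3bucket['ResponseMetadata']['HTTPStatusCode'],200)
    oidc_response = iam_client.create_open_id_connect_provider(
    Url='http://localhost:8080/auth/realms/{}'.format(realm),
    ThumbprintList=[
        thumbprint,
    ],
    )
    # Trust policy: the federated provider may assume the role (and tag the session)
    # only when the request carries the tag Department=Engineering.
    policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\""+oidc_response["OpenIDConnectProviderArn"]+"\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\",\"sts:TagSession\"],\"Condition\":{\"StringEquals\":{\"aws:RequestTag/Department\":\"Engineering\"}}}]}"
    (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None)
    eq(role_response['Role']['Arn'],'arn:aws:iam:::role/'+general_role_name+'')
    # Permission policy: s3:* on every resource, so the Condition is the only restriction under test.
    role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3:::*\",\"Condition\":{\"StringEquals\":{\"s3:ResourceTag/Department\":[\"Engineering\"]}}}}"
    (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy)
    eq(response['ResponseMetadata']['HTTPStatusCode'],200)
    resp=sts_client.assume_role_with_web_identity(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name,WebIdentityToken=user_token)
    eq(resp['ResponseMetadata']['HTTPStatusCode'],200)
    s3_client = boto3.client('s3',
        aws_access_key_id = resp['Credentials']['AccessKeyId'],
        aws_secret_access_key = resp['Credentials']['SecretAccessKey'],
        aws_session_token = resp['Credentials']['SessionToken'],
        endpoint_url=default_endpoint,
        region_name='',
        )
    bucket_body = 'this is a test file'
    # Start from None so that an unexpectedly successful PutObject fails the
    # eq() below instead of raising NameError on an unbound name.
    s3_put_obj_error = None
    try:
        s3_put_obj = s3_client.put_object(Body=bucket_body, Bucket=bucket_name, Key="test-1.txt")
    except ClientError as e:
        s3_put_obj_error = e.response.get("Error", {}).get("Code")
    eq(s3_put_obj_error,'AccessDenied')
    oidc_remove=iam_client.delete_open_id_connect_provider(
    OpenIDConnectProviderArn=oidc_response["OpenIDConnectProviderArn"]
    )
@attr(resource='assume role with web identity')
@attr(method='put')
@attr(operation='check')
@attr(assertion='assuming role using web token with s3:ResourceTag with wrong resource tag in policy')
@attr('webidentity_test')
@attr('abac_test')
@attr('token_resource_tags_test')
def test_assume_role_with_web_identity_wrong_resource_tag_deny():
    """Check that PutObject is refused when the bucket's Department tag does not match.

    The bucket is tagged Department=WrongResourcetag while the role's
    permission policy requires s3:ResourceTag/Department to equal
    Engineering, so the write made with the assumed-role credentials is
    expected to fail with AccessDenied.
    """
    check_webidentity()
    iam_client=get_iam_client()
    sts_client=get_sts_client()
    default_endpoint=get_config_endpoint()
    role_session_name=get_parameter_name()
    thumbprint=get_thumbprint()
    user_token=get_user_token()
    realm=get_realm_name()
    s3_res_iam_creds = get_s3_resource_using_iam_creds()
    s3_client_iam_creds = s3_res_iam_creds.meta.client
    bucket_name = get_new_bucket_name()
    s3bucket = s3_client_iam_creds.create_bucket(Bucket=bucket_name)
    eq(s3bucket['ResponseMetadata']['HTTPStatusCode'],200)
    # Tag the bucket with a value the permission policy does not accept.
    # NOTE(review): the result of the tagging call is not checked.
    bucket_tagging = s3_res_iam_creds.BucketTagging(bucket_name)
    Set_Tag = bucket_tagging.put(Tagging={'TagSet':[{'Key':'Department', 'Value': 'WrongResourcetag'}]})
    oidc_response = iam_client.create_open_id_connect_provider(
    Url='http://localhost:8080/auth/realms/{}'.format(realm),
    ThumbprintList=[
        thumbprint,
    ],
    )
    policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\""+oidc_response["OpenIDConnectProviderArn"]+"\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\",\"sts:TagSession\"],\"Condition\":{\"StringEquals\":{\"aws:RequestTag/Department\":\"Engineering\"}}}]}"
    (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None)
    eq(role_response['Role']['Arn'],'arn:aws:iam:::role/'+general_role_name+'')
    role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3:::*\",\"Condition\":{\"StringEquals\":{\"s3:ResourceTag/Department\":[\"Engineering\"]}}}}"
    (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy)
    eq(response['ResponseMetadata']['HTTPStatusCode'],200)
    resp=sts_client.assume_role_with_web_identity(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name,WebIdentityToken=user_token)
    eq(resp['ResponseMetadata']['HTTPStatusCode'],200)
    s3_client = boto3.client('s3',
        aws_access_key_id = resp['Credentials']['AccessKeyId'],
        aws_secret_access_key = resp['Credentials']['SecretAccessKey'],
        aws_session_token = resp['Credentials']['SessionToken'],
        endpoint_url=default_endpoint,
        region_name='',
        )
    bucket_body = 'this is a test file'
    # Start from None so that an unexpectedly successful PutObject fails the
    # eq() below instead of raising NameError on an unbound name.
    s3_put_obj_error = None
    try:
        s3_put_obj = s3_client.put_object(Body=bucket_body, Bucket=bucket_name, Key="test-1.txt")
    except ClientError as e:
        s3_put_obj_error = e.response.get("Error", {}).get("Code")
    eq(s3_put_obj_error,'AccessDenied')
    oidc_remove=iam_client.delete_open_id_connect_provider(
    OpenIDConnectProviderArn=oidc_response["OpenIDConnectProviderArn"]
    )
@attr(resource='assume role with web identity')
@attr(method='put')
@attr(operation='check')
@attr(assertion='assuming role using web token with s3:ResourceTag matching aws:PrincipalTag in role permission policy')
@attr('webidentity_test')
@attr('abac_test')
@attr('token_resource_tags_test')
def test_assume_role_with_web_identity_resource_tag_princ_tag():
    """Check access when s3:ResourceTag/Department must equal ${aws:PrincipalTag/Department}.

    The bucket is tagged Department=Engineering and the test expects a
    PutObject and a GetObject made with the assumed-role credentials to
    return HTTP 200. Presumably the web token supplies Department=Engineering
    as the principal tag; the token contents are not visible here.
    """
    check_webidentity()
    iam_client=get_iam_client()
    sts_client=get_sts_client()
    default_endpoint=get_config_endpoint()
    role_session_name=get_parameter_name()
    thumbprint=get_thumbprint()
    user_token=get_user_token()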
# Remainder of test_assume_role_with_web_identity_resource_tag_princ_tag; its def line and first statements precede this point in the listing.
    realm=get_realm_name()
    s3_res_iam_creds = get_s3_resource_using_iam_creds()
    s3_client_iam_creds = s3_res_iam_creds.meta.client
    bucket_name = get_new_bucket_name()
    s3bucket = s3_client_iam_creds.create_bucket(Bucket=bucket_name)
    eq(s3bucket['ResponseMetadata']['HTTPStatusCode'],200)
    # Tag the bucket so the resource side of the policy comparison is Department=Engineering.
    bucket_tagging = s3_res_iam_creds.BucketTagging(bucket_name)
    Set_Tag = bucket_tagging.put(Tagging={'TagSet':[{'Key':'Department', 'Value': 'Engineering'}]})
    oidc_response = iam_client.create_open_id_connect_provider(
    Url='http://localhost:8080/auth/realms/{}'.format(realm),
    ThumbprintList=[
        thumbprint,
    ],
    )
    # Trust policy: assuming the role requires the request tag Department=Engineering.
    policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\""+oidc_response["OpenIDConnectProviderArn"]+"\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\",\"sts:TagSession\"],\"Condition\":{\"StringEquals\":{\"aws:RequestTag/Department\":\"Engineering\"}}}]}"
    (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None)
    eq(role_response['Role']['Arn'],'arn:aws:iam:::role/'+general_role_name+'')
    # Permission policy: the resource's Department tag is compared with the
    # ${aws:PrincipalTag/Department} policy variable rather than a fixed value.
    role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3:::*\",\"Condition\":{\"StringEquals\":{\"s3:ResourceTag/Department\":[\"${aws:PrincipalTag/Department}\"]}}}}"
    (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy)
    eq(response['ResponseMetadata']['HTTPStatusCode'],200)
    resp=sts_client.assume_role_with_web_identity(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name,WebIdentityToken=user_token)
    eq(resp['ResponseMetadata']['HTTPStatusCode'],200)
    # This client acts only with the assumed-role session credentials.
    s3_client = boto3.client('s3',
        aws_access_key_id = resp['Credentials']['AccessKeyId'],
        aws_secret_access_key = resp['Credentials']['SecretAccessKey'],
        aws_session_token = resp['Credentials']['SessionToken'],
        endpoint_url=default_endpoint,
        region_name='',
        )
    bucket_body = 'this is a test file'
    # NOTE(review): the Tagging string repeats the Department key; how the
    # server resolves the duplicate is not visible here.
    tags = 'Department=Engineering&Department=Marketing'
    key = "test-1.txt"
    s3_put_obj = s3_client.put_object(Body=bucket_body, Bucket=bucket_name, Key=key, Tagging=tags)
    eq(s3_put_obj['ResponseMetadata']['HTTPStatusCode'],200)
    s3_get_obj = s3_client.get_object(Bucket=bucket_name, Key=key)
    eq(s3_get_obj['ResponseMetadata']['HTTPStatusCode'],200)
    oidc_remove=iam_client.delete_open_id_connect_provider(
    OpenIDConnectProviderArn=oidc_response["OpenIDConnectProviderArn"]
    )
@attr(resource='assume role with web identity')
@attr(method='put')
@attr(operation='check')
@attr(assertion='assuming role using web token with s3:ResourceTag used to test copy object')
@attr('webidentity_test')
@attr('abac_test')
@attr('token_resource_tags_test')
def test_assume_role_with_web_identity_resource_tag_copy_obj():
    """Check object copies under an s3:ResourceTag / aws:PrincipalTag condition.

    Two buckets are created and both tagged Department=Engineering. With the
    assumed-role credentials the test uploads an object, copies it within the
    same bucket and into the second bucket, and expects each follow-up
    GetObject to return HTTP 200.
    """
    check_webidentity()
    iam_client=get_iam_client()
    sts_client=get_sts_client()
    default_endpoint=get_config_endpoint()
    role_session_name=get_parameter_name()
    thumbprint=get_thumbprint()
    user_token=get_user_token()
    realm=get_realm_name()
    s3_res_iam_creds = get_s3_resource_using_iam_creds()
    s3_client_iam_creds = s3_res_iam_creds.meta.client
    #create two buckets and add same tags to both
    bucket_name = get_new_bucket_name()
    s3bucket = s3_client_iam_creds.create_bucket(Bucket=bucket_name)
    eq(s3bucket['ResponseMetadata']['HTTPStatusCode'],200)
    bucket_tagging = s3_res_iam_creds.BucketTagging(bucket_name)
    Set_Tag = bucket_tagging.put(Tagging={'TagSet':[{'Key':'Department', 'Value': 'Engineering'}]})
    copy_bucket_name = get_new_bucket_name()
    s3bucket = s3_client_iam_creds.create_bucket(Bucket=copy_bucket_name)
    eq(s3bucket['ResponseMetadata']['HTTPStatusCode'],200)
    bucket_tagging = s3_res_iam_creds.BucketTagging(copy_bucket_name)
    Set_Tag = bucket_tagging.put(Tagging={'TagSet':[{'Key':'Department', 'Value': 'Engineering'}]})
    oidc_response = iam_client.create_open_id_connect_provider(
    Url='http://localhost:8080/auth/realms/{}'.format(realm),
    ThumbprintList=[
        thumbprint,
    ],
    )
    # Trust policy: assuming the role requires the request tag Department=Engineering.
    policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\""+oidc_response["OpenIDConnectProviderArn"]+"\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\",\"sts:TagSession\"],\"Condition\":{\"StringEquals\":{\"aws:RequestTag/Department\":\"Engineering\"}}}]}"
    (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None)
    eq(role_response['Role']['Arn'],'arn:aws:iam:::role/'+general_role_name+'')
    # Permission policy: s3:* is allowed only where the resource's Department
    # tag equals the ${aws:PrincipalTag/Department} policy variable.
    role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3:::*\",\"Condition\":{\"StringEquals\":{\"s3:ResourceTag/Department\":[\"${aws:PrincipalTag/Department}\"]}}}}"
    (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy)
    eq(response['ResponseMetadata']['HTTPStatusCode'],200)
    resp=sts_client.assume_role_with_web_identity(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name,WebIdentityToken=user_token)
    eq(resp['ResponseMetadata']['HTTPStatusCode'],200)
    # This client acts only with the assumed-role session credentials.
    s3_client = boto3.client('s3',
        aws_access_key_id = resp['Credentials']['AccessKeyId'],
        aws_secret_access_key = resp['Credentials']['SecretAccessKey'],
        aws_session_token = resp['Credentials']['SessionToken'],
        endpoint_url=default_endpoint,
        region_name='',
        )
    bucket_body = 'this is a test file'
    tags = 'Department=Engineering'
    key = "test-1.txt"
    s3_put_obj = s3_client.put_object(Body=bucket_body, Bucket=bucket_name, Key=key, Tagging=tags)
    eq(s3_put_obj['ResponseMetadata']['HTTPStatusCode'],200)
    #copy to same bucket
    copy_source = {
    'Bucket': bucket_name,
    'Key': 'test-1.txt'
    }
    s3_client.copy(copy_source, bucket_name, "test-2.txt")
    s3_get_obj = s3_client.get_object(Bucket=bucket_name, Key="test-2.txt")
    eq(s3_get_obj['ResponseMetadata']['HTTPStatusCode'],200)
    #copy to another bucket
    copy_source = {
    'Bucket': bucket_name,
    'Key': 'test-1.txt'
    }
    s3_client.copy(copy_source, copy_bucket_name, "test-1.txt")
    s3_get_obj = s3_client.get_object(Bucket=copy_bucket_name, Key="test-1.txt")
    eq(s3_get_obj['ResponseMetadata']['HTTPStatusCode'],200)
    oidc_remove=iam_client.delete_open_id_connect_provider(
    OpenIDConnectProviderArn=oidc_response["OpenIDConnectProviderArn"]
    )
@attr(resource='assume role with web identity')
@attr(method='put')
@attr(operation='check')
@attr(assertion='assuming role using web token with iam:ResourceTag in role trust policy')
@attr('webidentity_test')
@attr('abac_test')
@attr('token_role_tags_test')
def test_assume_role_with_web_identity_role_resource_tag():
    check_webidentity()
    iam_client=get_iam_client()
    sts_client=get_sts_client()
    default_endpoint=get_config_endpoint()
    role_session_name=get_parameter_name()
    thumbprint=get_thumbprint()
    user_token=get_user_token()
    realm=get_realm_name()
    s3_res_iam_creds = get_s3_resource_using_iam_creds()
    s3_client_iam_creds = s3_res_iam_creds.meta.client
    bucket_name = get_new_bucket_name()
    s3bucket = s3_client_iam_creds.create_bucket(Bucket=bucket_name)
    eq(s3bucket['ResponseMetadata']['HTTPStatusCode'],200)
    bucket_tagging = s3_res_iam_creds.BucketTagging(bucket_name)
    # NOTE(review): the TagSet repeats the Department key; how the server
    # resolves the duplicate is not visible here.
    Set_Tag = bucket_tagging.put(Tagging={'TagSet':[{'Key':'Department', 'Value': 'Engineering'},{'Key':'Department', 'Value': 'Marketing'}]})
    oidc_response = iam_client.create_open_id_connect_provider(
    Url='http://localhost:8080/auth/realms/{}'.format(realm),
    ThumbprintList=[
        thumbprint,
    ],
    )
    #iam:ResourceTag refers to the tag attached to role, hence the role is allowed to be assumed only when it has a tag matching the policy.
    policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\""+oidc_response["OpenIDConnectProviderArn"]+"\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\",\"sts:TagSession\"],\"Condition\":{\"StringEquals\":{\"iam:ResourceTag/Department\":\"Engineering\"}}}]}"
    # Tags attached to the role itself; they are passed as the last argument to create_role below.
    tags_list = [
            {'Key':'Department','Value':'Engineering'},
            {'Key':'Department','Value':'Marketing'}
        ]
    (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None,tags_list)
    eq(role_response['Role']['Arn'],'arn:aws:iam:::role/'+general_role_name+'')
    role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3:::*\",\"Condition\":{\"StringEquals\":{\"s3:ResourceTag/Department\":[\"Engineering\"]}}}}"
    (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy)
    eq(response['ResponseMetadata']['HTTPStatusCode'],200)
    resp=sts_client.assume_role_with_web_identity(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name,WebIdentityToken=user_token)
    eq(resp['ResponseMetadata']['HTTPStatusCode'],200)
    s3_client = boto3.client('s3',
        aws_access_key_id = resp['Credentials']['AccessKeyId'],
        aws_secret_access_key = resp['Credentials']['SecretAccessKey'],
aws_session_token = resp['Credentials']['SessionToken'],1849        endpoint_url=default_endpoint,1850        region_name='',1851        )1852    bucket_body = 'this is a test file'1853    s3_put_obj = s3_client.put_object(Body=bucket_body, Bucket=bucket_name, Key="test-1.txt")1854    eq(s3_put_obj['ResponseMetadata']['HTTPStatusCode'],200)1855    oidc_remove=iam_client.delete_open_id_connect_provider(1856    OpenIDConnectProviderArn=oidc_response["OpenIDConnectProviderArn"]...test_webidentity.py
Source:test_webidentity.py  
...82    aud=get_aud()83    token=get_token()84    realm=get_realm_name()85    '''86    oidc_remove=iam_client.delete_open_id_connect_provider(87    OpenIDConnectProviderArn='arn:aws:iam:::oidc-provider/localhost:8081/auth/realms/demorealm'88    )89    '''90    oidc_response = iam_client.create_open_id_connect_provider(91    Url='http://localhost:8080/auth/realms/{}'.format(realm),92    ThumbprintList=[93        thumbprint,94    ],95    )96    policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\""+oidc_response["OpenIDConnectProviderArn"]+"\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\"],\"Condition\":{\"StringEquals\":{\"localhost:8080/auth/realms/"+realm+":app_id\":\""+aud+"\"}}}]}"97    (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None)98    eq(role_response['Role']['Arn'],'arn:aws:iam:::role/'+general_role_name+'')99    role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3:::*\"}}"100    (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy)101    eq(response['ResponseMetadata']['HTTPStatusCode'],200)102    resp=sts_client.assume_role_with_web_identity(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name,WebIdentityToken=token)103    eq(resp['ResponseMetadata']['HTTPStatusCode'],200)104    s3_client = boto3.client('s3',105		aws_access_key_id = resp['Credentials']['AccessKeyId'],106		aws_secret_access_key = resp['Credentials']['SecretAccessKey'],107		aws_session_token = resp['Credentials']['SessionToken'],108		endpoint_url=default_endpoint,109		region_name='',110		)111    bucket_name = get_bucket_name()112    s3bucket = s3_client.create_bucket(Bucket=bucket_name)113    eq(s3bucket['ResponseMetadata']['HTTPStatusCode'],200)114    bkt = s3_client.delete_bucket(Bucket=bucket_name)115    
eq(bkt['ResponseMetadata']['HTTPStatusCode'],204)116    oidc_remove=iam_client.delete_open_id_connect_provider(117    OpenIDConnectProviderArn=oidc_response["OpenIDConnectProviderArn"]118    )...app.py
Source:app.py  
# ... (this app.py excerpt starts inside an earlier function)
    # The provider Url changed: delete the provider registered under the old
    # Url, then create one for the new Url.
    if (event['OldResourceProperties']['Url'] !=
            event['ResourceProperties']['Url']):
        arn = ARN_FORMAT.format(
            aws_account_id, event['OldResourceProperties']['Url'][8:])
        iam.delete_open_id_connect_provider(OpenIDConnectProviderArn=arn)
        return create_provider(
            aws_account_id, url, client_id_list, thumbprint_list)
    else:
        arn = ARN_FORMAT.format(
            aws_account_id, event['ResourceProperties']['Url'][8:])
        update_provider(url, aws_account_id, client_id_list, thumbprint_list)
@helper.delete
def delete(event, context):
    """Delete the IAM OpenID Connect provider described by the event.

    The provider ARN is built by formatting ARN_FORMAT with the account id
    returned by get_parameters(event) and the resource's Url with its first
    eight characters removed.
    """
    aws_account_id, _, _, _ = get_parameters(event)
    # [8:] drops exactly len('https://') characters.
    # NOTE(review): a Url with any other prefix would produce an ARN for a
    # different provider name - confirm the Url is validated before this point.
    arn = ARN_FORMAT.format(
        aws_account_id, event['ResourceProperties']['Url'][8:])
    iam.delete_open_id_connect_provider(OpenIDConnectProviderArn=arn)
def lambda_handler(event, context):...
