模拟场景:
作为一个附加了s3拒绝策略的iam用户,我正试图达到s3 bucket。因此,访问s3存储桶将通过Access Denied错误。但是我能看到水桶里的东西。。
以下是我的代码:
@pytest.fixture()
def s3():
with moto.mock_s3():
yield boto3.client(
"s3",
region_name="us-east-1",
aws_access_key_id="testing",
aws_secret_access_key="testing",
aws_session_token="testing",
)
@pytest.fixture
def bucket_name(s3):
bucket_name = "test_bucket"
s3.create_bucket(Bucket=bucket_name)
s3.put_object(Bucket=bucket_name, Key="a/b/c/abc.txt")
return bucket_name
@pytest.fixture()
def iam():
with moto.mock_iam():
yield boto3.client(
"iam",
region_name="us-east-1",
aws_access_key_id="testing",
aws_secret_access_key="testing",
aws_session_token="testing",
)
#
#
@pytest.fixture()
def iam_user(iam, s3, bucket_name):
user_name = "test-user"
policy_name = "policy1"
iam.create_user(UserName=user_name)
policy_document = {
"Version": "2012-10-17",
"Statement": {"Effect": "Deny", "Action": "s3:ListBucket", "Resource": "*"}
policy_arn = iam.create_policy(PolicyName=policy_name, PolicyDocument=json.dumps(policy_document))["Policy"][
"Arn"
]
iam.attach_user_policy(UserName=user_name, PolicyArn=policy_arn)
access_key = iam.create_access_key(UserName=user_name)
client = boto3.client(
"s3",
region_name="us-east-1",
aws_access_key_id=access_key["AccessKey"]["AccessKeyId"],
aws_secret_access_key=access_key["AccessKey"]["SecretAccessKey"],
)
print(client.list_objects(Bucket=bucket_name))
def test_check(iam, iam_user):
print("DOne")
响应
{'ResponseMetadata': {'HTTPStatusCode': 200, 'HTTPHeaders': {}, 'RetryAttempts': 0}, 'IsTruncated': False, 'Contents': [{'Key': 'a/b/c/abc.txt', 'LastModified': datetime.datetime(2021, 3, 25, 20, 31, 15, tzinfo=tzutc()), 'ETag': '"abcdefghikkd"', 'Size': 0, 'StorageClass': 'STANDARD', 'Owner': {'DisplayName': 'webfile', 'ID': 'abcdefgh'}}], 'Name': 'test_bucket', 'MaxKeys': 1000}
感谢您的帮助。感谢
默认情况下,moto将允许任何操作。不过,可以打开基本策略验证-请参阅自述文件上的这一部分。
启用验证是使用set_initial_no_auth_action_count-装饰器完成的,这本质上意味着:不要验证最初的x个操作(允许用户设置所有IAM操作/策略(,而是在之后验证所有操作。
重写这样的例子给了我一个成功的失败:
import boto3
import json
import moto
import pytest
from moto.core import set_initial_no_auth_action_count
bucket_name = "test_bucket"
@pytest.fixture()
def s3():
with moto.mock_s3():
yield boto3.client(
"s3",
region_name="us-east-1",
aws_access_key_id="testing",
aws_secret_access_key="testing",
aws_session_token="testing",
)
@pytest.fixture
def bucket(s3):
s3.create_bucket(Bucket=bucket_name)
s3.put_object(Bucket=bucket_name, Key="a/b/c/abc.txt")
@pytest.fixture()
def iam():
with moto.mock_iam():
yield boto3.client(
"iam",
region_name="us-east-1",
aws_access_key_id="testing",
aws_secret_access_key="testing",
aws_session_token="testing",
)
#
#
@pytest.fixture()
def iam_user(iam, s3):
user_name = "test-user"
policy_name = "policy1"
iam.create_user(UserName=user_name)
policy_document = {
"Version": "2012-10-17",
"Statement": {"Effect": "Deny", "Action": "s3:ListBucket", "Resource": "*"}
}
policy_arn = iam.create_policy(PolicyName=policy_name, PolicyDocument=json.dumps(policy_document))["Policy"][
"Arn"
]
iam.attach_user_policy(UserName=user_name, PolicyArn=policy_arn)
access_key = iam.create_access_key(UserName=user_name)
yield access_key
@set_initial_no_auth_action_count(0)
def test_check(iam, iam_user, bucket):
access_key = iam_user
print(access_key)
client = boto3.client(
"s3",
region_name="us-east-1",
aws_access_key_id=access_key["AccessKey"]["AccessKeyId"],
aws_secret_access_key=access_key["AccessKey"]["SecretAccessKey"],
)
print(client.list_objects(Bucket=bucket_name))
请注意,"no_auth_action_count"设置为0。固定装置首先执行,无需任何IAM验证。之后,装饰器仅针对测试方法应用。由于我们希望验证函数中的每个语句,因此计数设置为0。