0

模拟场景:

我正在尝试以附加了 s3 拒绝策略的 iam 用户身份访问 s3 存储桶。因此访问 s3 存储桶将通过 Access Denied 错误。但我可以看到桶的内容..

下面是我的代码:

@pytest.fixture()
def s3():
    with moto.mock_s3():
        yield boto3.client(
            "s3",
            region_name="us-east-1",
            aws_access_key_id="testing",
            aws_secret_access_key="testing",
            aws_session_token="testing",
        )
@pytest.fixture
def bucket_name(s3):
    bucket_name = "test_bucket"
    s3.create_bucket(Bucket=bucket_name)
    s3.put_object(Bucket=bucket_name, Key="a/b/c/abc.txt")

    return bucket_name

@pytest.fixture()
def iam():
    with moto.mock_iam():
        yield boto3.client(
            "iam",
            region_name="us-east-1",
            aws_access_key_id="testing",
            aws_secret_access_key="testing",
            aws_session_token="testing",
        )
#
#
@pytest.fixture()
def iam_user(iam, s3, bucket_name):
    user_name = "test-user"
    policy_name = "policy1"
    iam.create_user(UserName=user_name)
    policy_document = {
        "Version": "2012-10-17",
        "Statement": {"Effect": "Deny", "Action": "s3:ListBucket", "Resource": "*"}
    policy_arn = iam.create_policy(PolicyName=policy_name, PolicyDocument=json.dumps(policy_document))["Policy"][
        "Arn"
    ]
    iam.attach_user_policy(UserName=user_name, PolicyArn=policy_arn)
    access_key = iam.create_access_key(UserName=user_name)

    client = boto3.client(
        "s3",
        region_name="us-east-1",
        aws_access_key_id=access_key["AccessKey"]["AccessKeyId"],
        aws_secret_access_key=access_key["AccessKey"]["SecretAccessKey"],
    )

    print(client.list_objects(Bucket=bucket_name))
def test_check(iam, iam_user):
        print("DOne")

回复

{'ResponseMetadata': {'HTTPStatusCode': 200, 'HTTPHeaders': {}, 'RetryAttempts': 0}, 'IsTruncated': False, 'Contents': [{'Key': 'a/b/c/abc.txt', 'LastModified': datetime.datetime(2021, 3, 25, 20, 31, 15, tzinfo=tzutc()), 'ETag': '"abcdefghikkd"', 'Size': 0, 'StorageClass': 'STANDARD', 'Owner': {'DisplayName': 'webfile', 'ID': 'abcdefgh'}}], 'Name': 'test_bucket', 'MaxKeys': 1000}

任何帮助表示赞赏。谢谢

4

1 回答 1

2

默认情况下,moto 将允许任何操作。不过,可以打开基本策略验证 - 请参阅README 中的本节

启用验证是使用set_initial_no_auth_action_count-decorator 完成的,这实质上意味着:不验证初始 x 操作(以允许用户设置所有 IAM 操作/策略),而是在之后验证所有内容。

像这样重写示例给了我一个成功的失败:

import boto3
import json
import moto
import pytest

from moto.core import set_initial_no_auth_action_count

bucket_name = "test_bucket"


@pytest.fixture()
def s3():
    with moto.mock_s3():
        yield boto3.client(
            "s3",
            region_name="us-east-1",
            aws_access_key_id="testing",
            aws_secret_access_key="testing",
            aws_session_token="testing",
        )


@pytest.fixture
def bucket(s3):
    s3.create_bucket(Bucket=bucket_name)
    s3.put_object(Bucket=bucket_name, Key="a/b/c/abc.txt")


@pytest.fixture()
def iam():
    with moto.mock_iam():
        yield boto3.client(
            "iam",
            region_name="us-east-1",
            aws_access_key_id="testing",
            aws_secret_access_key="testing",
            aws_session_token="testing",
        )
#
#
@pytest.fixture()
def iam_user(iam, s3):
    user_name = "test-user"
    policy_name = "policy1"
    iam.create_user(UserName=user_name)
    policy_document = {
        "Version": "2012-10-17",
        "Statement": {"Effect": "Deny", "Action": "s3:ListBucket", "Resource": "*"}
    }
    policy_arn = iam.create_policy(PolicyName=policy_name, PolicyDocument=json.dumps(policy_document))["Policy"][
        "Arn"
    ]
    iam.attach_user_policy(UserName=user_name, PolicyArn=policy_arn)
    access_key = iam.create_access_key(UserName=user_name)

    yield access_key


@set_initial_no_auth_action_count(0)
def test_check(iam, iam_user, bucket):
        access_key = iam_user
        print(access_key)
        client = boto3.client(
            "s3",
            region_name="us-east-1",
            aws_access_key_id=access_key["AccessKey"]["AccessKeyId"],
            aws_secret_access_key=access_key["AccessKey"]["SecretAccessKey"],
        )

        print(client.list_objects(Bucket=bucket_name))

请注意,“no_auth_action_count”设置为 0。首先执行夹具,无需任何 IAM 验证。之后,装饰器仅应用于测试方法。由于我们要验证函数内的每个语句,因此计数设置为 0。

于 2021-03-27T09:48:42.553 回答