Skip to content

Commit

Permalink
IAM: Only load AWS Managed Policies on request (#7219)
Browse files Browse the repository at this point in the history
  • Loading branch information
bblommers committed Jan 27, 2024
1 parent 0c8ccbb commit f834d98
Show file tree
Hide file tree
Showing 7 changed files with 65 additions and 28 deletions.
12 changes: 11 additions & 1 deletion moto/core/config.py
Original file line number Diff line number Diff line change
Expand Up @@ -16,16 +16,26 @@ class _core_config(TypedDict, total=False):
passthrough: _passthrough_config


class _iam_config(TypedDict, total=False):
load_aws_managed_policies: bool


DefaultConfig = TypedDict(
"DefaultConfig",
{"batch": _docker_config, "core": _core_config, "lambda": _docker_config},
{
"batch": _docker_config,
"core": _core_config,
"lambda": _docker_config,
"iam": _iam_config,
},
total=False,
)

default_user_config: DefaultConfig = {
"batch": {"use_docker": True},
"lambda": {"use_docker": True},
"core": {"mock_credentials": True, "passthrough": {"urls": [], "services": []}},
"iam": {"load_aws_managed_policies": False},
}


Expand Down
23 changes: 6 additions & 17 deletions moto/iam/models.py
Original file line number Diff line number Diff line change
@@ -1,5 +1,4 @@
import base64
import copy
import json
import os
import re
Expand Down Expand Up @@ -31,6 +30,7 @@
IAMTrustPolicyDocumentValidator,
)
from moto.moto_api._internal import mock_random as random
from moto.settings import load_iam_aws_managed_policies
from moto.utilities.utils import md5_hash

from ..utilities.tagging_service import TaggingService
Expand Down Expand Up @@ -1795,20 +1795,15 @@ def filter_items_with_path_prefix(


class IAMBackend(BaseBackend):
def __init__(
self,
region_name: str,
account_id: str,
aws_policies: Optional[List[ManagedPolicy]] = None,
):
def __init__(self, region_name: str, account_id: str):
super().__init__(region_name=region_name, account_id=account_id)
self.instance_profiles: Dict[str, InstanceProfile] = {}
self.roles: Dict[str, Role] = {}
self.certificates: Dict[str, Certificate] = {}
self.groups: Dict[str, Group] = {}
self.users: Dict[str, User] = {}
self.credential_report: Optional[bool] = None
self.aws_managed_policies = aws_policies or self._init_aws_policies()
self.aws_managed_policies = self._init_aws_policies()
self.managed_policies = self._init_managed_policies()
self.account_aliases: List[str] = []
self.saml_providers: Dict[str, SAMLProvider] = {}
Expand All @@ -1825,6 +1820,8 @@ def __init__(
self.initialize_service_roles()

def _init_aws_policies(self) -> List[ManagedPolicy]:
if not load_iam_aws_managed_policies():
return []
# AWS defines some of its own managed policies
# we periodically import them via `make aws_managed_policies`
aws_managed_policies_data_parsed = json.loads(aws_managed_policies_data)
Expand All @@ -1834,15 +1831,7 @@ def _init_aws_policies(self) -> List[ManagedPolicy]:
]

def _init_managed_policies(self) -> Dict[str, ManagedPolicy]:
return dict((p.arn, copy.deepcopy(p)) for p in self.aws_managed_policies)

def reset(self) -> None:
region_name = self.region_name
account_id = self.account_id
# Do not reset these policies, as they take a long time to load
aws_policies = self.aws_managed_policies
self.__dict__ = {}
IAMBackend.__init__(self, region_name, account_id, aws_policies)
return dict((p.arn, p) for p in self.aws_managed_policies)

def initialize_service_roles(self) -> None:
pass
Expand Down
10 changes: 10 additions & 0 deletions moto/settings.py
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,8 @@
from functools import lru_cache
from typing import List, Optional

from moto.core.config import default_user_config


def test_proxy_mode() -> bool:
return os.environ.get("TEST_PROXY_MODE", "0").lower() == "true"
Expand Down Expand Up @@ -177,3 +179,11 @@ def get_cognito_idp_user_pool_id_strategy() -> Optional[str]:

def enable_iso_regions() -> bool:
return os.environ.get("MOTO_ENABLE_ISO_REGIONS", "false").lower() == "true"


def load_iam_aws_managed_policies() -> bool:
return (
default_user_config.get("iam", {}).get("load_aws_managed_policies", False)
is True
or os.environ.get("MOTO_IAM_LOAD_MANAGED_POLICIES", "").lower() == "true"
)
20 changes: 15 additions & 5 deletions tests/test_iam/test_iam.py
Original file line number Diff line number Diff line change
Expand Up @@ -706,8 +706,10 @@ def test_get_policy():
assert policy["Policy"]["Arn"] == f"arn:aws:iam::{ACCOUNT_ID}:policy/TestGetPolicy"


@mock_aws
@mock_aws(config={"iam": {"load_aws_managed_policies": True}})
def test_get_aws_managed_policy():
if settings.TEST_SERVER_MODE:
raise SkipTest("Policies not loaded in ServerMode")
conn = boto3.client("iam", region_name="us-east-1")
managed_policy_arn = "arn:aws:iam::aws:policy/IAMUserChangePassword"
managed_policy_create_date = datetime.strptime(
Expand Down Expand Up @@ -742,8 +744,10 @@ def test_get_policy_version():
assert retrieved.get("PolicyVersion")["IsDefaultVersion"] is False


@mock_aws
@mock_aws(config={"iam": {"load_aws_managed_policies": True}})
def test_get_aws_managed_policy_version():
if settings.TEST_SERVER_MODE:
raise SkipTest("Policies not loaded in ServerMode")
conn = boto3.client("iam", region_name="us-east-1")
managed_policy_arn = (
"arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
Expand All @@ -763,8 +767,10 @@ def test_get_aws_managed_policy_version():
assert isinstance(retrieved["PolicyVersion"]["Document"], dict)


@mock_aws
@mock_aws(config={"iam": {"load_aws_managed_policies": True}})
def test_get_aws_managed_policy_v6_version():
if settings.TEST_SERVER_MODE:
raise SkipTest("Policies not loaded in ServerMode")
conn = boto3.client("iam", region_name="us-east-1")
managed_policy_arn = "arn:aws:iam::aws:policy/job-function/SystemAdministrator"
with pytest.raises(ClientError):
Expand Down Expand Up @@ -1953,8 +1959,10 @@ def test_get_access_key_last_used_when_used():
assert resp["AccessKeyLastUsed"]["Region"] == "us-east-1"


@mock_aws
@mock_aws(config={"iam": {"load_aws_managed_policies": True}})
def test_managed_policy():
if settings.TEST_SERVER_MODE:
raise SkipTest("Policies not loaded in ServerMode")
conn = boto3.client("iam", region_name="us-west-1")

conn.create_policy(
Expand Down Expand Up @@ -2364,8 +2372,10 @@ def test_delete_ssh_public_key():
assert len(resp["SSHPublicKeys"]) == 0


@mock_aws
@mock_aws(config={"iam": {"load_aws_managed_policies": True}})
def test_get_account_authorization_details():
if settings.TEST_SERVER_MODE:
raise SkipTest("Policies not loaded in ServerMode")
test_policy = json.dumps(
{
"Version": "2012-10-17",
Expand Down
5 changes: 4 additions & 1 deletion tests/test_iam/test_iam_groups.py
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
import json
from datetime import datetime
from unittest import SkipTest

import boto3
import pytest
Expand Down Expand Up @@ -213,8 +214,10 @@ def test_put_group_policy():
)


@mock_aws
@mock_aws(config={"iam": {"load_aws_managed_policies": True}})
def test_attach_group_policies():
if settings.TEST_SERVER_MODE:
raise SkipTest("Policies not loaded in ServerMode")
conn = boto3.client("iam", region_name="us-east-1")
conn.create_group(GroupName="my-group")
assert (
Expand Down
21 changes: 18 additions & 3 deletions tests/test_iam/test_iam_resets.py
Original file line number Diff line number Diff line change
@@ -1,13 +1,17 @@
import json
import os
from unittest import SkipTest, mock

import boto3

from moto import mock_aws
from moto import mock_aws, settings


# Test IAM User Inline Policy
def test_policies_are_not_kept_after_mock_ends():
with mock_aws():
if settings.TEST_SERVER_MODE:
raise SkipTest("Policies not loaded in ServerMode")
with mock_aws(config={"iam": {"load_aws_managed_policies": True}}):
iam_client = boto3.client("iam", "us-east-1")
role_name = "test"
assume_role_policy_document = {
Expand All @@ -34,6 +38,17 @@ def test_policies_are_not_kept_after_mock_ends():
assert iam_policies[0]["Arn"] == "arn:aws:iam::aws:policy/ReadOnlyAccess"
assert iam_client.list_roles()["Roles"][0]["RoleName"] == "test"

with mock_aws():
with mock_aws(config={"iam": {"load_aws_managed_policies": True}}):
resp = iam_client.list_policies(Scope="AWS", OnlyAttached=True)
assert len(resp["Policies"]) == 0


def test_policies_are_loaded_when_using_env_variable():
if settings.TEST_SERVER_MODE:
raise SkipTest("EnvVar not loaded in ServerMode")
with mock.patch.dict(os.environ, {"MOTO_IAM_LOAD_MANAGED_POLICIES": "true"}):
with mock_aws():
iam_client = boto3.client("iam", "us-east-1")

iam_policies = iam_client.list_policies(Scope="AWS")["Policies"]
assert len(iam_policies) > 10
2 changes: 1 addition & 1 deletion tests/test_moto_api/seeder/test_seeder.py
Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,7 @@ def test_0(self) -> None:
instances = self.ec2_client.run_instances(MaxCount=1, MinCount=1)["Instances"]

instance_ids = [instance["InstanceId"] for instance in instances]
assert instance_ids == ["i-0df6e943394d7fdb0"]
assert instance_ids == ["i-73bd4755d05ad7853"]

def test_1(self) -> None:
# Create some data in a different account (111111111111)
Expand Down

0 comments on commit f834d98

Please sign in to comment.