amazon-s3 - 使用 Moto 将 s3 存储桶模拟为 IAM 用户
问题描述
模拟场景:
我正在尝试以附加了 s3 拒绝策略的 iam 用户身份访问 s3 存储桶。因此访问 s3 存储桶将通过 Access Denied 错误。但我可以看到桶的内容..
下面是我的代码:
@pytest.fixture()
def s3():
with moto.mock_s3():
yield boto3.client(
"s3",
region_name="us-east-1",
aws_access_key_id="testing",
aws_secret_access_key="testing",
aws_session_token="testing",
)
@pytest.fixture
def bucket_name(s3):
bucket_name = "test_bucket"
s3.create_bucket(Bucket=bucket_name)
s3.put_object(Bucket=bucket_name, Key="a/b/c/abc.txt")
return bucket_name
@pytest.fixture()
def iam():
with moto.mock_iam():
yield boto3.client(
"iam",
region_name="us-east-1",
aws_access_key_id="testing",
aws_secret_access_key="testing",
aws_session_token="testing",
)
#
#
@pytest.fixture()
def iam_user(iam, s3, bucket_name):
user_name = "test-user"
policy_name = "policy1"
iam.create_user(UserName=user_name)
policy_document = {
"Version": "2012-10-17",
"Statement": {"Effect": "Deny", "Action": "s3:ListBucket", "Resource": "*"}
policy_arn = iam.create_policy(PolicyName=policy_name, PolicyDocument=json.dumps(policy_document))["Policy"][
"Arn"
]
iam.attach_user_policy(UserName=user_name, PolicyArn=policy_arn)
access_key = iam.create_access_key(UserName=user_name)
client = boto3.client(
"s3",
region_name="us-east-1",
aws_access_key_id=access_key["AccessKey"]["AccessKeyId"],
aws_secret_access_key=access_key["AccessKey"]["SecretAccessKey"],
)
print(client.list_objects(Bucket=bucket_name))
def test_check(iam, iam_user):
print("DOne")
回复
{'ResponseMetadata': {'HTTPStatusCode': 200, 'HTTPHeaders': {}, 'RetryAttempts': 0}, 'IsTruncated': False, 'Contents': [{'Key': 'a/b/c/abc.txt', 'LastModified': datetime.datetime(2021, 3, 25, 20, 31, 15, tzinfo=tzutc()), 'ETag': '"abcdefghikkd"', 'Size': 0, 'StorageClass': 'STANDARD', 'Owner': {'DisplayName': 'webfile', 'ID': 'abcdefgh'}}], 'Name': 'test_bucket', 'MaxKeys': 1000}
任何帮助表示赞赏。谢谢
解决方案
默认情况下,moto 将允许任何操作。不过,可以打开基本策略验证 - 请参阅README 中的本节。
启用验证是使用set_initial_no_auth_action_count-decorator 完成的,这实质上意味着:不验证初始 x 操作(以允许用户设置所有 IAM 操作/策略),而是在之后验证所有内容。
像这样重写示例给了我一个成功的失败:
import boto3
import json
import moto
import pytest
from moto.core import set_initial_no_auth_action_count
bucket_name = "test_bucket"
@pytest.fixture()
def s3():
with moto.mock_s3():
yield boto3.client(
"s3",
region_name="us-east-1",
aws_access_key_id="testing",
aws_secret_access_key="testing",
aws_session_token="testing",
)
@pytest.fixture
def bucket(s3):
s3.create_bucket(Bucket=bucket_name)
s3.put_object(Bucket=bucket_name, Key="a/b/c/abc.txt")
@pytest.fixture()
def iam():
with moto.mock_iam():
yield boto3.client(
"iam",
region_name="us-east-1",
aws_access_key_id="testing",
aws_secret_access_key="testing",
aws_session_token="testing",
)
#
#
@pytest.fixture()
def iam_user(iam, s3):
user_name = "test-user"
policy_name = "policy1"
iam.create_user(UserName=user_name)
policy_document = {
"Version": "2012-10-17",
"Statement": {"Effect": "Deny", "Action": "s3:ListBucket", "Resource": "*"}
}
policy_arn = iam.create_policy(PolicyName=policy_name, PolicyDocument=json.dumps(policy_document))["Policy"][
"Arn"
]
iam.attach_user_policy(UserName=user_name, PolicyArn=policy_arn)
access_key = iam.create_access_key(UserName=user_name)
yield access_key
@set_initial_no_auth_action_count(0)
def test_check(iam, iam_user, bucket):
access_key = iam_user
print(access_key)
client = boto3.client(
"s3",
region_name="us-east-1",
aws_access_key_id=access_key["AccessKey"]["AccessKeyId"],
aws_secret_access_key=access_key["AccessKey"]["SecretAccessKey"],
)
print(client.list_objects(Bucket=bucket_name))
请注意,“no_auth_action_count”设置为 0。首先执行夹具,无需任何 IAM 验证。之后,装饰器仅应用于测试方法。由于我们要验证函数内的每个语句,因此计数设置为 0。
推荐阅读
- memory - 是什么让一个指向页表条目的指针数组比拥有一个页表条目数组更好?
- python - 基于值的 Python 字典排序键
- wordpress - WooCommerce 运输方式未出现在未登录用户身上
- xamarin.forms - Arduino ESP32 通过 BLE 接收文件(用于 OTA 更新)
- c++ - 寻找递归阿克曼函数的值
- node.js - 为节点运行的节点项目创建引导脚本
- ios - GCMouse.mice() 总是空的,尽管我的鼠标工作
- python - Python / Pandas for loop..为什么我的这么慢?
- android - 有没有一种方法可以在多个集合中搜索文档而不必全部阅读?火库
- python - 从 Pandas 中的季度/月度数据创建年度总和列