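def test_revoke_bucket_path_access(iam, users, resources):
    """Re-granting bucket access without path ARNs replaces the path-scoped grant.

    The first ``grant_bucket_access`` call scopes ``readonly`` access to the
    given ``resources`` under the bucket; the second call, made without
    ``path_arns``, is expected to leave the role's ``s3-access`` policy with
    only bucket-wide ``readonly`` and ``list`` statements (no per-path ARNs
    carried over).

    Args:
        iam: IAM resource used to read back the role policy (presumably a
            boto3-style resource; ``RolePolicy``/``reload``/``policy_document``
            are the only members used here).
        users: fixture mapping; ``users['normal_user']`` is the test subject.
        resources: path suffixes appended to the bucket ARN for the first grant.
    """
    bucket_arn = 'arn:aws:s3:::test-bucket'
    path_arns = [f'{bucket_arn}{resource}' for resource in resources]
    user = users['normal_user']

    aws.create_user_role(user)
    # First grant: readonly restricted to the path ARNs.
    aws.grant_bucket_access(user.iam_role_name, bucket_arn, 'readonly', path_arns)
    policy = iam.RolePolicy(user.iam_role_name, 's3-access')
    # Second grant with no path ARNs: the narrower grant should be replaced,
    # not merged, so the resulting policy is bucket-wide.
    aws.grant_bucket_access(user.iam_role_name, bucket_arn, 'readonly')
    policy.reload()

    statements = get_statements_by_sid(policy.policy_document)
    # Object-level access is now bucket-wide (`/*`) with no per-path ARNs left.
    assert {f'{bucket_arn}/*'} == set(statements['readonly']['Resource'])
    # The 'list' statement targets the bucket itself.
    assert {bucket_arn} == set(statements['list']['Resource'])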
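def grant_bucket_access(self, bucket_arn, access_level, path_arns=None):
    """Grant this user's IAM role access to a bucket via ``aws.grant_bucket_access``.

    Args:
        bucket_arn: ARN of the S3 bucket.
        access_level: access level forwarded unchanged (e.g. ``'readonly'``).
        path_arns: optional list of resource ARNs (presumably used to narrow
            the grant to paths under the bucket); ``None`` (the default) is
            forwarded as an empty list, matching the previous ``[]`` default.
    """
    # ``None`` sentinel instead of a mutable ``[]`` default: a shared default
    # list would be reused across calls and persist any downstream mutation.
    if path_arns is None:
        path_arns = []
    aws.grant_bucket_access(self.iam_role_name, bucket_arn, access_level, path_arns)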