def test_revoke_bucket_access_when_no_role(iam):
    """Revoking bucket access for a role that does not exist must not raise.

    The ``with pytest.raises`` block only establishes the precondition
    (loading the role fails with NoSuchEntityException); the revoke call
    itself runs outside that block, so any exception it raises fails the
    test.
    """
    missing_role = "test_role_non_existent"
    target_bucket = "arn:aws:s3:::test-bucket"
    # Precondition: the role must be absent before revoke_bucket_access() is exercised.
    with pytest.raises(iam.meta.client.exceptions.NoSuchEntityException):
        iam.Role(missing_role).load()
    # Must complete without raising for a nonexistent role.
    aws.revoke_bucket_access(missing_role, target_bucket)
def test_revoke_bucket_access(iam, users, resources):
    """Granting then revoking bucket access leaves no access statements behind.

    After ``revoke_bucket_access`` the role's ``s3-access`` policy document
    must contain none of the ``readonly``, ``readwrite`` or ``list`` Sids —
    not only the one that was granted — so revocation cannot leave a
    partial grant in place.
    """
    target_bucket = 'arn:aws:s3:::test-bucket'
    object_arns = [f'{target_bucket}{res}' for res in resources]
    user = users['normal_user']
    role_name = user.iam_role_name

    aws.create_user_role(user)
    aws.grant_bucket_access(role_name, target_bucket, 'readonly', object_arns)
    aws.revoke_bucket_access(role_name, target_bucket)

    role_policy = iam.RolePolicy(role_name, 's3-access')
    remaining = get_statements_by_sid(role_policy.policy_document)
    # Every access-level Sid must be gone, including ones that were never granted.
    for sid in ('readonly', 'readwrite', 'list'):
        assert sid not in remaining
def revoke_bucket_access(self, bucket_arn):
    """Remove this object's IAM role access to *bucket_arn*.

    Thin delegation to ``aws.revoke_bucket_access`` using
    ``self.iam_role_name`` as the role; returns whatever that call
    returns implicitly (nothing is returned here).
    """
    role_name = self.iam_role_name
    aws.revoke_bucket_access(role_name, bucket_arn)