def test_revoke_bucket_path_access(iam, users, resources):
    """Check that re-granting without path ARNs replaces a path-scoped grant.

    The role is first given 'readonly' access limited to ARNs built from
    ``resources``. The same grant is then repeated with no paths, and the
    's3-access' role policy is expected to reference only the bucket
    ('list') and every object under it ('readonly').
    """
    bucket_arn = 'arn:aws:s3:::test-bucket'
    scoped_arns = [f'{bucket_arn}{resource}' for resource in resources]
    normal_user = users['normal_user']
    aws.create_user_role(normal_user)

    # First grant: read-only access restricted to the individual paths.
    # NOTE(review): nothing asserts on the policy in this state, so the test
    # would still pass if this call ignored the path ARNs. Confirm the
    # path-scoped document is covered by another test.
    aws.grant_bucket_access(
        normal_user.iam_role_name, bucket_arn, 'readonly', scoped_arns)

    role_policy = iam.RolePolicy(normal_user.iam_role_name, 's3-access')

    # Second grant: same access level, no paths.
    aws.grant_bucket_access(normal_user.iam_role_name, bucket_arn, 'readonly')
    role_policy.reload()
    by_sid = get_statements_by_sid(role_policy.policy_document)

    # Comparing sets makes any leftover path ARN a failure, not just a
    # missing bucket-wide ARN.
    expected_resources = {
        'readonly': {f'{bucket_arn}/*'},
        'list': {f'{bucket_arn}'},
    }
    for sid, expected in expected_resources.items():
        assert expected == set(by_sid[sid]['Resource'])
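 def grant_bucket_access(self, bucket_arn, access_level, path_arns=None):
     """Grant this object's IAM role access to a bucket.

     Delegates to ``aws.grant_bucket_access`` with ``self.iam_role_name``.

     Args:
         bucket_arn: ARN of the bucket, passed through unchanged.
         access_level: Access level name, passed through unchanged.
         path_arns: Optional list of ARNs limiting the grant to specific
             paths. When omitted, a new empty list is passed.
     """
     # Build the default per call. A shared ``[]`` default lives for the
     # life of the process, so if anything downstream appended to it, path
     # ARNs from one grant could carry over into a later, unrelated grant.
     if path_arns is None:
         path_arns = []
     aws.grant_bucket_access(self.iam_role_name, bucket_arn, access_level,
                             path_arns)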