def test_get_temporary_credentials_assume_role_fails():
session = create_autospec(spec=Session, spec_set=True)
client = session.client.return_value
client.assume_role.side_effect = ClientError(
{
"Error": {
"Type":
"Sender",
"Code":
"AccessDeniedException",
"Message":
"You do not have sufficient access to perform this action.",
}
},
"GetSessionToken",
)
session.region_name = "us-east-2"
with pytest.raises(DownstreamError):
get_temporary_credentials(session, role_arn=EXPECTED_ROLE)
session.client.assert_called_once_with(
"sts",
endpoint_url="https://sts.us-east-2.amazonaws.com",
region_name="us-east-2",
)
client.assume_role.assert_called_once_with(RoleArn=EXPECTED_ROLE,
RoleSessionName=ANY)
def test_get_temporary_credentials_invalid_credentials():
session = create_autospec(spec=Session, spec_set=True)
frozen = session.get_credentials.return_value.get_frozen_credentials.return_value
frozen.token = None
client = session.client.return_value
client.get_session_token.side_effect = ClientError(
{
"Error": {
"Type":
"Sender",
"Code":
"InvalidClientTokenId",
"Message":
"The security token included in the request is invalid.",
}
},
"GetSessionToken",
)
session.region_name = "us-east-2"
with pytest.raises(DownstreamError):
get_temporary_credentials(session)
session.get_credentials.assert_called_once_with()
session.client.assert_called_once_with(
"sts",
endpoint_url="https://sts.us-east-2.amazonaws.com",
region_name="us-east-2",
)
client.get_session_token.assert_called_once_with()
def test_get_temporary_credentials_needs_token():
session = create_autospec(spec=Session, spec_set=True)
frozen = session.get_credentials.return_value.get_frozen_credentials.return_value
frozen.token = None
access_key = object()
secret_key = object()
token = object()
client = session.client.return_value
client.get_session_token.return_value = {
"Credentials": {
"AccessKeyId": access_key,
"SecretAccessKey": secret_key,
"SessionToken": token,
}
}
session.region_name = "us-east-2"
creds = get_temporary_credentials(session, LOWER_CAMEL_CRED_KEYS)
session.get_credentials.assert_called_once_with()
session.client.assert_called_once_with(
"sts",
endpoint_url="https://sts.us-east-2.amazonaws.com",
region_name="us-east-2",
)
client.get_session_token.assert_called_once_with()
assert len(creds) == 3
assert tuple(creds.keys()) == LOWER_CAMEL_CRED_KEYS
assert tuple(creds.values()) == (access_key, secret_key, token)
def test_get_temporary_credentials_assume_role():
session = create_autospec(spec=Session, spec_set=True)
access_key = object()
secret_key = object()
token = object()
client = session.client.return_value
client.assume_role.return_value = {
"Credentials": {
"AccessKeyId": access_key,
"SecretAccessKey": secret_key,
"SessionToken": token,
}
}
session.region_name = "cn-north-1"
creds = get_temporary_credentials(session, LOWER_CAMEL_CRED_KEYS,
EXPECTED_ROLE)
session.client.assert_called_once_with(
"sts",
endpoint_url="https://sts.cn-north-1.amazonaws.com.cn",
region_name="cn-north-1",
)
client.assume_role.assert_called_once_with(RoleArn=EXPECTED_ROLE,
RoleSessionName=ANY)
assert len(creds) == 3
assert tuple(creds.keys()) == LOWER_CAMEL_CRED_KEYS
assert tuple(creds.values()) == (access_key, secret_key, token)
def __init__(
self,
function_name,
endpoint,
region,
schema,
overrides,
inputs=None,
role_arn=None,
timeout_in_seconds="60",
type_name=None,
log_group_name=None,
log_role_arn=None,
docker_image=None,
executable_entrypoint=None,
target_info=None,
): # pylint: disable=too-many-arguments
self._schema = schema
self._session = create_sdk_session(region)
self._role_arn = role_arn
self._type_name = type_name
self._log_group_name = log_group_name
self._log_role_arn = log_role_arn
self.region = region
self.account = get_account(
self._session,
get_temporary_credentials(self._session, LOWER_CAMEL_CRED_KEYS,
role_arn),
)
self._function_name = function_name
if endpoint.startswith("http://"):
self._client = self._session.client(
"lambda",
endpoint_url=endpoint,
use_ssl=False,
verify=False,
config=Config(
signature_version=UNSIGNED,
# needs to be long if docker is running on a slow machine
read_timeout=5 * 60,
retries={"max_attempts": 0},
region_name=self._session.region_name,
),
)
else:
self._client = self._session.client("lambda",
endpoint_url=endpoint)
self._schema = None
self._configuration_schema = None
self._overrides = overrides
self._update_schema(schema)
self._inputs = inputs
self._timeout_in_seconds = int(timeout_in_seconds)
self._docker_image = docker_image
self._docker_client = docker.from_env() if self._docker_image else None
self._executable_entrypoint = executable_entrypoint
self._target_info = self._setup_target_info(target_info)
def _make_payload(
self,
invocation_point,
target,
target_model,
type_configuration=None,
**kwargs,
):
return self.make_request(
target,
self.get_hook_type_name(),
self.account,
invocation_point,
get_temporary_credentials(self._session, LOWER_CAMEL_CRED_KEYS,
self._role_arn),
self._log_group_name,
get_temporary_credentials(self._session, LOWER_CAMEL_CRED_KEYS,
self._log_role_arn),
self.generate_token(),
target_model,
type_configuration=type_configuration,
**kwargs,
)
def test_get_temporary_credentials_has_token():
session = create_autospec(spec=Session, spec_set=True)
frozen = session.get_credentials.return_value.get_frozen_credentials.return_value
frozen.access_key = object()
frozen.secret_key = object()
frozen.token = object()
creds = get_temporary_credentials(session)
session.get_credentials.assert_called_once_with()
session.client.assert_called_once_with("sts")
assert len(creds) == 3
assert tuple(creds.keys()) == BOTO_CRED_KEYS
assert tuple(creds.values()) == (frozen.access_key, frozen.secret_key,
frozen.token)
def test_get_temporary_credentials_has_token():
session = create_autospec(spec=Session, spec_set=True)
frozen = session.get_credentials.return_value.get_frozen_credentials.return_value
frozen.access_key = object()
frozen.secret_key = object()
frozen.token = object()
session.region_name = "us-east-2"
creds = get_temporary_credentials(session)
session.get_credentials.assert_called_once_with()
session.client.assert_called_once_with(
"sts",
endpoint_url="https://sts.us-east-2.amazonaws.com",
region_name="us-east-2",
)
assert len(creds) == 3
assert tuple(creds.keys()) == BOTO_CRED_KEYS
assert tuple(creds.values()) == (frozen.access_key, frozen.secret_key, frozen.token)