getmoto / moto

A library that allows you to easily mock out tests based on AWS infrastructure.
http://docs.getmoto.org/en/latest/
Apache License 2.0

sts:SetSourceIdentity is not recognized as a valid action for update_assume_role_policy #5750

Closed mciul closed 1 year ago

mciul commented 1 year ago
import json
import boto3
from moto import mock_iam

# Trust policy that works in AWS: the role can be assumed by SageMaker,
# and SageMaker may also set a source identity on the session.
policy_doc = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "sagemaker.amazonaws.com"},
            "Action": ["sts:AssumeRole", "sts:SetSourceIdentity"]
        },
    ]
}
with mock_iam():
    # region_name added so the snippet runs without a configured default region
    client = boto3.client("iam", region_name="us-east-1")
    client.create_role(RoleName="SageMakerUser", AssumeRolePolicyDocument=json.dumps(policy_doc))
    # create_role accepts the document; update_assume_role_policy rejects the same document
    client.update_assume_role_policy(RoleName="SageMakerUser", PolicyDocument=json.dumps(policy_doc))

This corresponds to code we have running in AWS, which gives permission for the SetSourceIdentity action and allows us to enable logging of SageMaker Studio user profile name to events logged in CloudTrail. But when I run it within a test using moto, I see this error:

MalformedPolicyDocumentException: An error occurred (MalformedPolicyDocument) when calling the UpdateAssumeRolePolicy operation: Trust Policy statement actions can only be sts:AssumeRole, sts:AssumeRoleWithSAML, and sts:AssumeRoleWithWebIdentity
---------------------------------------------------------------------------
MalformedPolicyDocumentException          Traceback (most recent call last)
Cell In [14], line 21
     19 client = boto3.client("iam")
     20 client.create_role(RoleName="SageMakerUser", AssumeRolePolicyDocument=json.dumps(policy_doc))
---> 21 client.update_assume_role_policy(
     22     RoleName="SageMakerUser",
     23     PolicyDocument=json.dumps(policy_doc)
     24 )
File C:\Program Files\Python3810\lib\site-packages\botocore\client.py:514, in ClientCreator._create_api_method.<locals>._api_call(self, *args, **kwargs)
    510     raise TypeError(
    511         f"{py_operation_name}() only accepts keyword arguments."
    512     )
    513 # The "self" in this scope is referring to the BaseClient.
--> 514 return self._make_api_call(operation_name, kwargs)
File C:\Program Files\Python3810\lib\site-packages\botocore\client.py:938, in BaseClient._make_api_call(self, operation_name, api_params)
    936     error_code = parsed_response.get("Error", {}).get("Code")
    937     error_class = self.exceptions.from_code(error_code)
--> 938     raise error_class(parsed_response, operation_name)
    939 else:
    940     return parsed_response
MalformedPolicyDocumentException: An error occurred (MalformedPolicyDocument) when calling the UpdateAssumeRolePolicy operation: Trust Policy statement actions can only be sts:AssumeRole, sts:AssumeRoleWithSAML,  and sts:AssumeRoleWithWebIdentity

Versions: Python 3.8.10, moto 4.0.9 (installed using pip), boto3 1.24.77, botocore 1.27.82.

I also tried boto3 1.26.26 with botocore 1.29.26 with the same result.
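Added example (not moto's own code) showing the check the report runs into: a strict allow-list that reproduces the quoted rejection of sts:SetSourceIdentity, next to one that accepts the actions IAM itself allows in a role trust policy. The allow-list names, the error class and the helper functions are assumptions; the policy document is the one from the report, constructed inline.

```python
import json

class MalformedPolicyDocument(ValueError):
    """Stands in for IAM's MalformedPolicyDocument error in this example."""

# The allow-list implied by the error message quoted in the report.
STRICT_TRUST_ACTIONS = frozenset({
    "sts:assumerole", "sts:assumerolewithsaml", "sts:assumerolewithwebidentity",
})
# What IAM itself accepts in a role trust policy: the same three plus
# sts:SetSourceIdentity (the action from the report) and sts:TagSession.
TRUST_ACTIONS = STRICT_TRUST_ACTIONS | {"sts:setsourceidentity", "sts:tagsession"}

def _as_list(value):
    """Statement and Action may be a single item or a list in IAM policy JSON."""
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def rejected_trust_actions(policy_json, allowed=TRUST_ACTIONS):
    """Return the actions in a trust policy that are not in `allowed`.
    IAM action names are case-insensitive, so compare lower-cased."""
    doc = json.loads(policy_json)
    rejected = []
    for stmt in _as_list(doc.get("Statement")):
        for action in _as_list(stmt.get("Action")):
            if action.lower() not in allowed:
                rejected.append(action)
    return rejected

def check_trust_policy(policy_json, allowed=TRUST_ACTIONS):
    """Raise MalformedPolicyDocument, as the mock does, if any action is rejected."""
    rejected = rejected_trust_actions(policy_json, allowed)
    if rejected:
        raise MalformedPolicyDocument(
            "Trust Policy statement actions can only be "
            + ", ".join(sorted(allowed)) + "; got " + ", ".join(rejected))
    return True

# The trust policy from the report, constructed inline so this runs offline.
POLICY_DOC = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "sagemaker.amazonaws.com"},
        "Action": ["sts:AssumeRole", "sts:SetSourceIdentity"],
    }],
})

if __name__ == "__main__":
    print(rejected_trust_actions(POLICY_DOC, STRICT_TRUST_ACTIONS))  # ['sts:SetSourceIdentity']
    print(rejected_trust_actions(POLICY_DOC))                        # []
```

A mock that is stricter than IAM makes a production-valid trust policy fail in tests, while one that is looser would let an invalid policy pass silently; comparing against IAM's real allow-list keeps the test faithful in both directions.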

bblommers commented 1 year ago

Thanks for raising this @mciul - our validation may be a bit too strict here. Marking it as a bug.