CICD: share tests fixes (#1625)

### Feature or Bugfix  - Bugfix ### Detail - Add new role sessions to trust policy of consumption roles - Credentials need to be parsed from json string ### Relates - <URL or Ticket> ### Security Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/). - Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)? - Is the input sanitized? - What precautions are you taking before deserializing the data you consume? - Is injection prevented by parametrizing queries? - Have you ensured no `eval` or similar functions are used? - Does this PR introduce any functionality or component that requires authorization? - How have you ensured it respects the existing AuthN/AuthZ mechanisms? - Are you logging failed auth attempts? - Are you using or adding any cryptographic features? - Do you use a standard proven implementations? - Are the used keys controlled by the customer? Where are they stored? - Are you introducing any new policies/roles/users? - Have you used the least-privilege principle? How? By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. --------- Co-authored-by: Sofia Sazonova <[email protected]>
data-dot-all · Oct 10, 2024 · abbb10a · abbb10a
1 parent 3f9a977
commit abbb10a
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 8 deletions.
diff --git a/tests_new/integration_tests/aws_clients/iam.py b/tests_new/integration_tests/aws_clients/iam.py
@@ -32,14 +32,8 @@ def create_role(self, account_id, role_name, test_role_name):
             'Statement': [
                 {
                     'Effect': 'Allow',
-                    'Principal': {
-                        'AWS': [
-                            f'arn:aws:iam::{account_id}:root',
-                            f'arn:aws:sts::{account_id}:assumed-role/{test_role_name}/{test_role_name}',
-                        ]
-                    },
+                    'Principal': {'AWS': [f'arn:aws:iam::{account_id}:role/{test_role_name}']},
                     'Action': 'sts:AssumeRole',
-                    'Condition': {},
                 }
             ],
         }

diff --git a/tests_new/integration_tests/modules/share_base/shared_test_functions.py b/tests_new/integration_tests/modules/share_base/shared_test_functions.py
@@ -22,6 +22,8 @@
 from tests_new.integration_tests.modules.s3_datasets.aws_clients import S3Client
 from tests_new.integration_tests.modules.s3_datasets.queries import get_folder
 
+import json
+
 ALL_S3_SHARABLE_TYPES_NAMES = [
     'Table',
     'StorageLocation',
@@ -139,7 +141,8 @@ def check_share_items_access(
     dataset = share.dataset
     principal_type = share.principal.principalType
     if principal_type == 'Group':
-        credentials = get_environment_access_token(client, share.environment.environmentUri, group)
+        credentials_str = get_environment_access_token(client, share.environment.environmentUri, group)
+        credentials = json.loads(credentials_str)
         session = boto3.Session(
             aws_access_key_id=credentials['AccessKey'],
             aws_secret_access_key=credentials['SessionKey'],