

Merge pull request #793 from ministryofjustice/ag--handle-no-role-whe…
…n-revoke-access

Fixed revoke access when IAM role doesn't exist
xoen authored Dec 20, 2019
2 parents 5589897 + f20e761 commit 4f4f08d
Showing 2 changed files with 21 additions and 1 deletion.
10 changes: 9 additions & 1 deletion controlpanel/api/aws.py
Expand Up @@ -365,7 +365,15 @@ def revoke_bucket_access(role_name, bucket_arn=None, path_arns=[]):
log.warning(f'Asked to revoke {role_name} role access to nothing')
return

role = boto3.resource('iam').Role(role_name)
try:
role = boto3.resource("iam").Role(role_name)
role.load()
except botocore.exceptions.ClientError as e:
if e.response["Error"]["Code"] == "NoSuchEntity":
log.warning(f"Role '{role_name}' doesn't exist: Nothing to revoke")
return
raise e

policy = S3AccessPolicy(role.Policy('s3-access'))
for arn in path_arns:
policy.revoke_access(arn)
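Review bot: The `raise e` on the last added line should be a bare `raise`; re-raising the bound name rewrites the traceback to point at the except block instead of the original `role.load()` call site, which makes the non-NoSuchEntity failures harder to diagnose. The `try` also wraps `boto3.resource("iam").Role(role_name)`, which only builds a local resource object; moving that line above the `try` so only `role.load()` is guarded keeps the except scope minimal, e.g. `role = boto3.resource("iam").Role(role_name)` then `try:` / `    role.load()`. Note that a missing role now returns silently after a warning, so callers of revoke_bucket_access cannot distinguish "policy revoked" from "role absent"; this is reasonable for a revoke, but it should be stated in the function's docstring (the function starts above the hunk and its body continues below it). The new lines use double quotes while the surrounding file uses single quotes (`'s3-access'`, `f'Asked to revoke …'`), so one style should be picked for consistency.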
12 changes: 12 additions & 0 deletions tests/api/test_aws.py
Expand Up @@ -359,6 +359,18 @@ def test_revoke_bucket_access(iam, users, resources):
assert 'list' not in statements


def test_revoke_bucket_access_when_no_role(iam):
role_name = "test_role_non_existent"
bucket_arn = "arn:aws:s3:::test-bucket"

# be sure role doesn't exist before calling revoke_bucket_access()
with pytest.raises(iam.meta.client.exceptions.NoSuchEntityException):
role = iam.Role(role_name)
role.load()

aws.revoke_bucket_access(role_name, bucket_arn, [])


def test_create_group(iam, settings):
aws.create_group('test', '/group/test/')

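Review bot: The new test_revoke_bucket_access_when_no_role only checks that `aws.revoke_bucket_access(...)` does not raise; it never verifies that the missing-role branch was the one taken, so a regression that silently skipped the whole function would still pass. If `log` in aws.py is a standard `logging` logger, pytest's `caplog` fixture can pin the branch: change the signature to `def test_revoke_bucket_access_when_no_role(iam, caplog):` and add `assert "doesn't exist" in caplog.text` after the call. A one-line docstring saying the test covers the NoSuchEntity path would also help, since the function name alone does not say what behaviour is expected.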
