
/*
* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
* SPDX-License-Identifier: Apache-2.0
*/
package aws.sdk.kotlin.runtime.auth.credentials
import aws.sdk.kotlin.runtime.auth.credentials.internal.sts.model.RegionDisabledException
import aws.smithy.kotlin.runtime.auth.awscredentials.CredentialsProviderException
import aws.smithy.kotlin.runtime.http.Headers
import aws.smithy.kotlin.runtime.http.HttpStatusCode
import aws.smithy.kotlin.runtime.http.content.ByteArrayContent
import aws.smithy.kotlin.runtime.http.response.HttpResponse
import aws.smithy.kotlin.runtime.httptest.buildTestConnection
import aws.smithy.kotlin.runtime.net.Host
import io.kotest.matchers.string.shouldContain
import kotlinx.coroutines.test.runTest
import kotlin.test.Test
import kotlin.test.assertEquals
import kotlin.test.assertFailsWith
import kotlin.test.assertIs
import kotlin.time.ExperimentalTime
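/**
 * Tests for [StsAssumeRoleCredentialsProvider] driven by a test HTTP connection.
 *
 * Covered behaviour:
 * - a successful STS response resolves to the expected credentials;
 * - an STS error response makes `resolve()` throw instead of returning credentials;
 * - the request goes to the global STS host when no region is given and to the
 *   regional host when one is.
 *
 * NOTE(review): this copy of the file had lost its explicit type arguments and the markup
 * of the error bodies. They are restored below from the file's own imports and from the
 * AWS Query error envelope; confirm against the upstream source.
 */
@OptIn(ExperimentalTime::class)
class StsAssumeRoleCredentialsProviderTest {
    // Placeholder source credentials; the values are plainly fake and only feed the provider under test.
    private val sourceProvider = StaticCredentialsProvider {
        accessKeyId = "AKID"
        secretAccessKey = "secret"
    }

    // Placeholder role identifier. It is not a well-formed IAM role ARN
    // (arn:aws:iam::<account-id>:role/<name>), so these tests say nothing about ARN validation.
    private val testArn = "arn:aws:iam:1234567/test-role"

    /** A successful STS response resolves to the credentials [StsTestUtils] expects. */
    @Test
    fun testSuccess() = runTest {
        val testEngine = buildTestConnection {
            expect(StsTestUtils.stsResponse(testArn))
        }

        val provider = StsAssumeRoleCredentialsProvider(
            credentialsProvider = sourceProvider,
            roleArn = testArn,
            httpClient = testEngine,
        )

        val actual = provider.resolve()
        assertEquals(StsTestUtils.expectedCredentialsBase, actual)
    }

    /**
     * An access-denied error from STS must surface as an exception from `resolve()`;
     * the provider must not hand back any credentials in that case.
     */
    @Test
    fun testServiceFailure() = runTest {
        // Element names reconstructed from the AWS Query error envelope; the values are the original ones.
        val errorResponseBody = """
            <ErrorResponse>
                <Error>
                    <Type>Sender</Type>
                    <Code>AccessDeniedException</Code>
                    <Message>You do not have sufficient access to perform this action</Message>
                </Error>
                <RequestId>foo-id</RequestId>
            </ErrorResponse>
        """

        val testEngine = buildTestConnection {
            expect(
                HttpResponse(
                    HttpStatusCode.BadRequest,
                    Headers.Empty,
                    ByteArrayContent(errorResponseBody.encodeToByteArray()),
                ),
            )
        }

        val provider = StsAssumeRoleCredentialsProvider(
            credentialsProvider = sourceProvider,
            roleArn = testArn,
            httpClient = testEngine,
        )

        // CredentialsProviderException is the exception type this file imports for this assertion.
        assertFailsWith<CredentialsProviderException> {
            provider.resolve()
        }.message.shouldContain("failed to assume role from STS")
    }

    /**
     * A `RegionDisabledException` from STS must produce an error that names the configured
     * region and keeps the service exception as its cause.
     */
    @Test
    fun testRegionDisabled() = runTest {
        // Element names reconstructed from the AWS Query error envelope; the values are the original ones.
        val errorResponseBody = """
            <ErrorResponse>
                <Error>
                    <Type>Sender</Type>
                    <Code>RegionDisabledException</Code>
                    <Message>AWS STS is not activated in the requested region for the account that is being asked to generate credentials</Message>
                </Error>
                <RequestId>foo-id</RequestId>
            </ErrorResponse>
        """

        val testEngine = buildTestConnection {
            expect(
                HttpResponse(
                    HttpStatusCode.Forbidden,
                    Headers.Empty,
                    ByteArrayContent(errorResponseBody.encodeToByteArray()),
                ),
            )
        }

        val provider = StsAssumeRoleCredentialsProvider(
            credentialsProvider = sourceProvider,
            roleArn = testArn,
            region = "us-west-2",
            httpClient = testEngine,
        )

        // NOTE(review): the concrete exception type was lost from this copy. Exception is the
        // widest choice that still compiles; narrow it to the provider's actual type once confirmed.
        val ex = assertFailsWith<Exception> {
            provider.resolve()
        }

        ex.message.shouldContain("STS is not activated in the requested region (us-west-2). Please check your configuration and activate STS in the target region if necessary")
        // The underlying service error has to stay attached so callers can tell why resolution failed.
        assertIs<RegionDisabledException>(ex.cause)
    }

    /**
     * Without a region the request must go to the global STS host. Pinning the host catches
     * a regression that would send the AssumeRole request to an unintended endpoint.
     */
    @Test
    fun testGlobalEndpoint() = runTest {
        val testEngine = buildTestConnection {
            expect(StsTestUtils.stsResponse(testArn))
        }

        val provider = StsAssumeRoleCredentialsProvider(
            credentialsProvider = sourceProvider,
            roleArn = testArn,
            httpClient = testEngine,
        )

        val actual = provider.resolve()
        assertEquals(StsTestUtils.expectedCredentialsBase, actual)

        // Inspect the first request captured by the test connection.
        val req = testEngine.requests().first()
        assertEquals(Host.Domain("sts.amazonaws.com"), req.actual.url.host)
    }

    /**
     * With `region = "us-west-2"` the request must go to that region's STS host
     * rather than the global one.
     */
    @Test
    fun testRegionalEndpoint() = runTest {
        val testEngine = buildTestConnection {
            expect(StsTestUtils.stsResponse(testArn))
        }

        val provider = StsAssumeRoleCredentialsProvider(
            credentialsProvider = sourceProvider,
            roleArn = testArn,
            region = "us-west-2",
            httpClient = testEngine,
        )

        val actual = provider.resolve()
        assertEquals(StsTestUtils.expectedCredentialsBase, actual)

        // Inspect the first request captured by the test connection.
        val req = testEngine.requests().first()
        assertEquals(Host.Domain("sts.us-west-2.amazonaws.com"), req.actual.url.host)
    }
}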