Accessing IAM Roles with Contract Tests
Hi, my current resource AWS::DataSync::LocationS3 requires a property 'BucketAccessRoleArn', which is an IAM role for an S3 bucket. I believe this forces the DataSync API to use IAM APIs in order to access the role, which gives an "Error occurred while getting IAM Role" for contract tests.
I believe the tests currently get temporary credentials in the same way as invoking "aws sts get-session-token". But these temporary credentials do not allow calls for IAM API operations as stated here in the 'Permissions' section: https://docs.aws.amazon.com/cli/latest/reference/sts/get-session-token.html
I am able to get SAM testing to work by using MFA authentication in the request: "aws sts get-session-token --serial number
Contract tests can be run by passing a role ARN. You could use the following command to run the contract test:
cfn test --role-arn <provide-the-arn>