Calling sts:GetCallerIdentity is always allowed.

2019-08-22 18:09:52 +02:00 · 2019-08-22 18:09:52 +02:00 · cf2dae0ce8
commit cf2dae0ce8
parent addb631081
2 changed files with 23 additions and 0 deletions
--- a/moto/core/access_control.py
+++ b/moto/core/access_control.py
@ -172,6 +172,8 @@ class IAMRequestBase(object):
            self._raise_signature_does_not_match()

    def check_action_permitted(self):
+        if self._action == 'sts:GetCallerIdentity':  # always allowed, even if there's an explicit Deny for it
+            return True
        policies = self._access_key.collect_policies()

        permitted = False