diff --git a/backend/dataall/core/environment/cdk/environment_stack.py b/backend/dataall/core/environment/cdk/environment_stack.py
index d13d0acc1..3ac839046 100644
--- a/backend/dataall/core/environment/cdk/environment_stack.py
+++ b/backend/dataall/core/environment/cdk/environment_stack.py
@@ -599,9 +599,20 @@ def create_integration_tests_role(self):
 's3:List*',
 's3:GetObject*',
 's3:DeleteObject',
+ 's3:DeleteObjectVersion',
 ],
 effect=iam.Effect.ALLOW,
- resources=['arn:aws:s3:::dataalltesting*'],
+ resources=[
+ 'arn:aws:s3:::dataalltesting*',
+ 'arn:aws:s3:::dataalltesting*/*',
+ 'arn:aws:s3:::dataall-session*',
+ 'arn:aws:s3:::dataall-session*/*',
+ 'arn:aws:s3:::dataall-test-session*',
+ 'arn:aws:s3:::dataall-test-session*/*',
+ 'arn:aws:s3:::dataall-temp*',
+ 'arn:aws:s3:::dataall-temp*/*',
+ 'arn:aws:s3:::dataall-env-access-logs*',
+ ],
 )
 )
 self.test_role.add_to_policy(
@@ -620,8 +631,10 @@ def create_integration_tests_role(self):
 iam.PolicyStatement(
 actions=[
 'lakeformation:GrantPermissions',
+ 'lakeformation:RevokePermissions',
 'lakeformation:PutDataLakeSettings',
 'lakeformation:GetDataLakeSettings',
+ 'glue:GetDatabase',
 'kms:CreateKey',
 'kms:CreateAlias',
 'kms:DeleteAlias',
@@ -630,7 +643,11 @@ def create_integration_tests_role(self):
 'kms:PutKeyPolicy',
 'kms:ScheduleKeyDeletion',
 'kms:TagResource',
+ 'kms:DescribeKey',
 's3:GetBucketVersioning',
+ 's3:List*',
+ 's3:ListAccessPoints',
+ 's3:DeleteAccessPoint',
 ],
 effect=iam.Effect.ALLOW,
 resources=['*'],
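Review bot: `'arn:aws:s3:::dataall-env-access-logs*'` is the only prefix in the new resources list without a matching `/*` object ARN, so the object-level actions in this statement (`s3:GetObject*`, `s3:DeleteObject`, `s3:DeleteObjectVersion`) do not apply to access-log objects; only the bucket-level actions do. Keeping read and delete rights off access-log objects is the right choice for audit-trail integrity, but as written it reads like an omission, so a comment such as `# bucket-level only: the test role must not read or delete access-log objects` would record that it is deliberate. If the tests do try to empty that bucket during cleanup, the denial will surface at runtime rather than in review. create_integration_tests_role starts outside this hunk.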
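Review bot: The `s3:List*` added to the `resources=['*']` statement grants `s3:ListBucket` and `s3:ListBucketVersions` on every bucket in the account, and `s3:DeleteAccessPoint` on `*` lets the test role delete access points belonging to real environments rather than only test fixtures; both widen the role well past the bucket-scoped statement in the first hunk, which already carries `s3:List*` for the test buckets. Only `s3:ListAllMyBuckets` and `s3:ListAccessPoints` genuinely need a `*` resource, so I would list just those two here (which also removes the redundancy between `s3:ListAccessPoints` and `s3:List*`) and move `s3:DeleteAccessPoint` into its own statement scoped to `f'arn:aws:s3:*:{self.account}:accesspoint/<TEST_ACCESS_POINT_PREFIX>*'`, with the placeholder replaced by whatever prefix the tests use. If the wildcard was chosen because test access-point names are not predictable, a comment saying so would help the next reviewer.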
@@ -667,3 +684,40 @@ def create_integration_tests_role(self):
 resources=[f'arn:aws:cloudformation:*:{self.account}:stack/*/*'],
 ),
 )
+
+ self.test_role.add_to_policy(
+ iam.PolicyStatement(
+ actions=[
+ 'iam:GetRole',
+ 'iam:CreateRole',
+ 'iam:DeleteRole',
+ 'iam:PutRolePolicy',
+ 'iam:DeleteRolePolicy',
+ 'iam:DetachRolePolicy',
+ 'iam:ListAttachedRolePolicies',
+ ],
+ effect=iam.Effect.ALLOW,
+ resources=[
+ f'arn:aws:iam::{self.account}:role/dataall-test-*',
+ f'arn:aws:iam::{self.account}:role/dataall-session*',
+ ],
+ ),
+ )
+
+ self.test_role.add_to_policy(
+ iam.PolicyStatement(
+ actions=[
+ 'quicksight:DescribeAccountSubscription',
+ ],
+ effect=iam.Effect.ALLOW,
+ resources=[f'arn:aws:quicksight:*:{self.account}:*'],
+ ),
+ )
+
+ self.test_role.add_to_policy(
+ iam.PolicyStatement(
+ actions=['redshift:DeauthorizeDataShare'],
+ effect=iam.Effect.ALLOW,
+ resources=[f'arn:aws:redshift:{self.region}:{self.account}:datashare:*/dataall*'],
+ ),
+ )
diff --git a/tests_new/integration_tests/core/environment/queries.py b/tests_new/integration_tests/core/environment/queries.py
index a965d1588..0d0de44c6 100644
--- a/tests_new/integration_tests/core/environment/queries.py
+++ b/tests_new/integration_tests/core/environment/queries.py
@@ -11,6 +11,7 @@
 tags
 SamlGroupName
 EnvironmentDefaultBucketName
+EnvironmentLogsBucketName
 EnvironmentDefaultIAMRoleArn
 EnvironmentDefaultIAMRoleName
 EnvironmentDefaultIAMRoleImported
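Review bot: The new IAM statement grants `iam:CreateRole` together with `iam:PutRolePolicy` on `role/dataall-test-*` and `role/dataall-session*` with no condition, so the test role can create a role with an arbitrary trust policy and attach an arbitrary inline policy to it; that is the standard IAM privilege-escalation primitive, bounded here only by the name prefix. The usual mitigation is to require a permissions boundary at creation time, e.g. `conditions={'StringEquals': {'iam:PermissionsBoundary': <BOUNDARY_POLICY_ARN placeholder>}}` on the `iam.PolicyStatement` that carries `iam:CreateRole` and `iam:PutRolePolicy`, so nothing the tests create can exceed that boundary. Whether the account already enforces a boundary through an SCP or through the stack's own boundary setting is not visible from this hunk, so this may already be covered. `iam:DetachRolePolicy` is granted without a matching `iam:AttachRolePolicy`, which looks intentional for cleanup but deserves a one-line comment such as `# detach only: tests clean up managed-policy attachments they did not create`. create_integration_tests_role starts before this hunk.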