This is an automated email from the ASF dual-hosted git repository.
potiuk pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/main by this push:
new f9b1ae9611 Fix example_emr_eks system test. Clean trust policies from
the execution role (#27331)
f9b1ae9611 is described below
commit f9b1ae96119c698c1d6ae8b531545ff5656a4d2c
Author: Vincent <[email protected]>
AuthorDate: Mon Oct 31 00:53:41 2022 -0400
Fix example_emr_eks system test. Clean trust policies from the execution
role (#27331)
---
tests/system/providers/amazon/aws/example_emr_eks.py | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/tests/system/providers/amazon/aws/example_emr_eks.py
b/tests/system/providers/amazon/aws/example_emr_eks.py
index a7e378e189..d7465a79e6 100644
--- a/tests/system/providers/amazon/aws/example_emr_eks.py
+++ b/tests/system/providers/amazon/aws/example_emr_eks.py
@@ -16,6 +16,7 @@
# under the License.
from __future__ import annotations
+import json
import subprocess
from datetime import datetime
@@ -99,6 +100,24 @@ def get_execution_role_name() -> str:
@task
def update_trust_policy_execution_role(cluster_name, cluster_namespace,
role_name):
+ # Remove any already existing trusted entities added with
"update-role-trust-policy"
+ # Prevent getting an error "Cannot exceed quota for ACLSizePerRole"
+ client = boto3.client("iam")
+ role_trust_policy =
client.get_role(RoleName=role_name)["Role"]["AssumeRolePolicyDocument"]
+ # We assume if the action is sts:AssumeRoleWithWebIdentity, the statement
had been added with
+ # "update-role-trust-policy". Removing it to not exceed the quota
+ role_trust_policy["Statement"] = list(
+ filter(
+ lambda statement: statement["Action"] !=
"sts:AssumeRoleWithWebIdentity",
+ role_trust_policy["Statement"],
+ )
+ )
+
+ client.update_assume_role_policy(
+ RoleName=role_name,
+ PolicyDocument=json.dumps(role_trust_policy),
+ )
+
# See
https://docs.aws.amazon.com/emr/latest/EMR-on-EKS-DevelopmentGuide/setting-up-trust-policy.html
# The action "update-role-trust-policy" is not available in boto3, thus we
need to do it using AWS CLI
commands = (
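Review bot: The new filter compares `statement["Action"]` to the bare string `sts:AssumeRoleWithWebIdentity`, but IAM also allows `Action` to be a list, in which case the stale statements are kept and the "Cannot exceed quota for ACLSizePerRole" error can come back; a statement with no `Action` key raises KeyError. Normalising first covers both shapes: `actions = statement.get("Action", [])`, then `actions = [actions] if isinstance(actions, str) else actions`, and keep the statement only when `"sts:AssumeRoleWithWebIdentity" not in actions`. The rewrite also drops every web-identity trust statement on the role passed as `role_name`, not only those for this cluster and namespace. If that role is shared with other workloads, their federated trust is removed, and the get/update pair can race with a parallel run. A comment such as `# NOTE: role_name must be a role dedicated to this system test; all web-identity trust statements are removed` would make that assumption explicit; matching on the statement's `Condition` as well would narrow the cleanup, though the exact pattern needs confirming against the linked trust-policy guide. The function body continues past the end of the hunk.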