Skip to content
This repository was archived by the owner on Mar 23, 2026. It is now read-only.

Migrate IAM list entities for policy operation#13841

Merged
dfangl merged 2 commits into
iam/moto-migrationfrom
daniel/unc-295
Feb 25, 2026
Merged

Migrate IAM list entities for policy operation#13841
dfangl merged 2 commits into
iam/moto-migrationfrom
daniel/unc-295

Conversation

@dfangl

@dfangl dfangl commented Feb 25, 2026

Copy link
Copy Markdown
Member

Motivation

One thing still missing from the policy implementation was the list_entities_for_policy operation - it was deliberately left out, since it makes little sense without all the entities implemented.

Changes

Design Decisions

  1. No index for reverse lookups: The current model stores policy ARNs on entities. For list_entities_for_policy, we iterate through all entities. This is acceptable because:

    • IAM operations are not high-frequency
    • Entity counts are typically small
    • Adding a reverse index would complicate attachment/detachment operations

  2. PolicyUsageFilter handling:

    • For PermissionsBoundary, we need to check the PermissionsBoundary field on users and roles
    • Groups don't support permissions boundaries

  3. LocalManagedPolicy vs AWSManagedPolicy filter:

    • These filters don't restrict entity types, they validate the policy type
    • Both always lead to emtpy results

Tests

Existing tests in test_iam_policies.py::TestListEntitiesForPolicy:

  • test_list_entities_for_policy: Tests filtering by Role, User, Group, LocalManagedPolicy, and no filter
  • test_list_entities_for_policy_errors: Tests error case for non-existent policy

Related

Closes UNC-295

@dfangl dfangl requested a review from pinzon as a code owner February 25, 2026 13:13
@dfangl dfangl added semver: minor Non-breaking changes which can be included in minor releases, but not in patch releases docs: skip Pull request does not require documentation changes notes: skip Pull request does not have to be mentioned in the release notes labels Feb 25, 2026
@dfangl dfangl added this to the 2026.03 milestone Feb 25, 2026
@github-actions

github-actions Bot commented Feb 25, 2026

Copy link
Copy Markdown

LocalStack Community integration with Pro

  2 files  ±0    2 suites  ±0   2m 43s ⏱️ -5s
520 tests ±0  490 ✅ +1  23 💤  - 2  7 ❌ +1 
522 runs  ±0  490 ✅ +1  25 💤  - 2  7 ❌ +1 

For more details on these failures, see this check.

Results for commit d6bb002. ± Comparison against base commit dfd4cef.

@github-actions

github-actions Bot commented Feb 25, 2026

Copy link
Copy Markdown

Test Results - Preflight, Unit

23 123 tests  ±0   21 252 ✅ ±0   6m 10s ⏱️ -3s
     1 suites ±0    1 871 💤 ±0 
     1 files   ±0        0 ❌ ±0 

Results for commit d6bb002. ± Comparison against base commit dfd4cef.

@github-actions

github-actions Bot commented Feb 25, 2026

Copy link
Copy Markdown

Test Results (amd64) - Acceptance

7 tests  ±0   5 ✅ ±0   3m 0s ⏱️ ±0s
1 suites ±0   2 💤 ±0 
1 files   ±0   0 ❌ ±0 

Results for commit d6bb002. ± Comparison against base commit dfd4cef.

@github-actions

github-actions Bot commented Feb 25, 2026

Copy link
Copy Markdown

Test Results (amd64) - Integration, Bootstrap

  5 files  ±0    5 suites  ±0   11m 41s ⏱️ +23s
544 tests ±0  512 ✅ +2  23 💤  - 2  9 ❌ ±0 
550 runs  ±0  512 ✅ +2  29 💤  - 2  9 ❌ ±0 

For more details on these failures, see this check.

Results for commit d6bb002. ± Comparison against base commit dfd4cef.

pinzon
pinzon approved these changes Feb 25, 2026
View reviewed changes

@pinzon pinzon left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. I only have one question.

Comment thread localstack-core/localstack/services/iam/provider.py
PolicyRole(RoleName=role["RoleName"], RoleId=role["RoleId"])
)

# Search groups (groups don't support PermissionsBoundary)

@pinzon pinzon Feb 25, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

question: are we sure this doesn't raise an exception? listing with entity_type == group and policy_usage_filter == Permissions boundary

@dfangl dfangl Feb 25, 2026
edited
Loading

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just checked, it does not, it is just empty.

Base automatically changed from daniel/unc-292 to iam/moto-migration February 25, 2026 14:53
@dfangl dfangl merged commit cf50738 into iam/moto-migration Feb 25, 2026
33 of 43 checks passed
@dfangl dfangl deleted the daniel/unc-295 branch February 25, 2026 14:53
dfangl added a commit that referenced this pull request Feb 26, 2026
@dfangl
Migrate IAM list entities for policy operation (#13841)
be783a4
dfangl added a commit that referenced this pull request Feb 26, 2026
@dfangl
Migrate IAM list entities for policy operation (#13841)
69caf6e
dfangl added a commit that referenced this pull request Mar 4, 2026
@dfangl
Migrate IAM list entities for policy operation (#13841)
76318d3
dfangl added a commit that referenced this pull request Mar 6, 2026
@dfangl
Migrate IAM list entities for policy operation (#13841)
75f2587
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

1 more reviewer

@pinzon pinzon pinzon approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

docs: skip Pull request does not require documentation changes notes: skip Pull request does not have to be mentioned in the release notes semver: minor Non-breaking changes which can be included in minor releases, but not in patch releases

Projects

None yet

Milestone

2026.03

Development

Successfully merging this pull request may close these issues.

2 participants

@dfangl @pinzon