Add EC2 runtime test for assume-role path

2026-03-05 12:42:57 +01:00 · 2026-03-05 12:42:57 +01:00 · f0fd0f342e
commit f0fd0f342e
parent 4c7333ca07
1 changed files with 60 additions and 1 deletions
--- a/agent/nix_builder_autoscaler/tests/test_runtime_ec2.py
+++ b/agent/nix_builder_autoscaler/tests/test_runtime_ec2.py
@ -1,6 +1,6 @@
 """Unit tests for the EC2 runtime adapter using botocore Stubber."""

-from datetime import UTC, datetime
+from datetime import UTC, datetime, timedelta
 from unittest.mock import patch

 import boto3
@ -462,3 +462,62 @@ class TestErrorClassification:
        with pytest.raises(RuntimeAdapterError) as exc_info:
            runtime.launch_instance("slot001", "#!/bin/bash")
        assert exc_info.value.category == "throttled"
+
+
+class TestAssumeRole:
+    def test_uses_assumed_role_credentials_for_ec2_calls(self):
+        config = _make_config()
+        config.assume_role_arn = "arn:aws:iam::210987654321:role/buildbot-autoscaler-controller"
+
+        base_ec2 = boto3.client("ec2", region_name="us-east-1")
+        assumed_ec2 = boto3.client("ec2", region_name="us-east-1")
+        sts_client = boto3.client("sts", region_name="us-east-1")
+
+        sts_stubber = Stubber(sts_client)
+        sts_stubber.add_response(
+            "assume_role",
+            {
+                "Credentials": {
+                    "AccessKeyId": "ASIAAAAAAAAAAAAAAAAA",
+                    "SecretAccessKey": "s" * 40,
+                    "SessionToken": "t" * 256,
+                    "Expiration": datetime.now(UTC) + timedelta(hours=1),
+                },
+                "AssumedRoleUser": {
+                    "AssumedRoleId": "AROA1234567890EXAMPLE:nix-builder-autoscaler",
+                    "Arn": (
+                        "arn:aws:sts::210987654321:assumed-role/"
+                        "buildbot-autoscaler-controller/nix-builder-autoscaler"
+                    ),
+                },
+            },
+            {
+                "RoleArn": config.assume_role_arn,
+                "RoleSessionName": "nix-builder-autoscaler",
+            },
+        )
+        sts_stubber.activate()
+
+        assumed_stubber = Stubber(assumed_ec2)
+        assumed_stubber.add_response(
+            "run_instances",
+            {"Instances": [{"InstanceId": "i-assumed"}], "OwnerId": "210987654321"},
+        )
+        assumed_stubber.activate()
+
+        real_boto3_client = boto3.client
+
+        def _patched_client(service_name, **kwargs):
+            if service_name == "sts":
+                return sts_client
+            if service_name == "ec2" and kwargs.get("aws_access_key_id") == "ASIAAAAAAAAAAAAAAAAA":
+                return assumed_ec2
+            return real_boto3_client(service_name, **kwargs)
+
+        with patch("nix_builder_autoscaler.runtime.ec2.boto3.client", side_effect=_patched_client):
+            runtime = EC2Runtime(config, _client=base_ec2)
+            instance_id = runtime.launch_instance("slot001", "#!/bin/bash")
+
+        assert instance_id == "i-assumed"
+        sts_stubber.assert_no_pending_responses()
+        assumed_stubber.assert_no_pending_responses()