Correctly handle cases where the assume role policy document is a dic…

…t, when coming from cloudformation, fix assertion in test case
localstack · Sep 30, 2024 · 1861abb · 1861abb
1 parent 98062d8
commit 1861abb
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 3 deletions.
diff --git a/moto/iam/models.py b/moto/iam/models.py
@@ -745,10 +745,21 @@ def create_from_cloudformation_json(  # type: ignore[misc]
         properties = cloudformation_json["Properties"]
         role_name = properties.get("RoleName", resource_name)
 
+        assume_role_policy_document = properties["AssumeRolePolicyDocument"]
+        if not isinstance(assume_role_policy_document, str):
+
+            def _serialize_datetime(value):
+                if isinstance(value, datetime):
+                    return value.strftime("%Y-%m-%d")
+
+            assume_role_policy_document = json.dumps(
+                assume_role_policy_document, default=_serialize_datetime
+            )
+
         iam_backend = iam_backends[account_id][get_partition(region_name)]
         role = iam_backend.create_role(
             role_name=role_name,
-            assume_role_policy_document=properties["AssumeRolePolicyDocument"],
+            assume_role_policy_document=assume_role_policy_document,
             path=properties.get("Path", "/"),
             permissions_boundary=properties.get("PermissionsBoundary", ""),
             description=properties.get("Description", ""),

diff --git a/tests/test_iam/test_iam.py b/tests/test_iam/test_iam.py
@@ -209,8 +209,11 @@ def test_get_instance_profile__should_throw__when_instance_profile_does_not_exis
 def test_create_role_and_instance_profile():
     conn = boto3.client("iam", region_name="us-east-1")
     conn.create_instance_profile(InstanceProfileName="my-profile", Path="my-path")
+    assume_role_policy_document = {"value": "some policy"}
     conn.create_role(
-        RoleName="my-role", AssumeRolePolicyDocument="some policy", Path="/my-path/"
+        RoleName="my-role",
+        AssumeRolePolicyDocument=json.dumps(assume_role_policy_document),
+        Path="/my-path/",
     )
 
     conn.add_role_to_instance_profile(
@@ -219,7 +222,7 @@ def test_create_role_and_instance_profile():
 
     role = conn.get_role(RoleName="my-role")["Role"]
     assert role["Path"] == "/my-path/"
-    assert role["AssumeRolePolicyDocument"] == "some policy"
+    assert role["AssumeRolePolicyDocument"] == assume_role_policy_document
 
     profile = conn.get_instance_profile(InstanceProfileName="my-profile")[
         "InstanceProfile"