IAM-like Access Control

Moto also has the ability to authenticate and authorize actions, just like it’s done by IAM in AWS. This functionality can be enabled by either setting the INITIAL_NO_AUTH_ACTION_COUNT environment variable or using the set_initial_no_auth_action_count decorator. Note that the current implementation is very basic, see the source code for more information.


If this environment variable is set, moto will skip performing any authentication as many times as the variable’s value, and only starts authenticating requests afterwards. If it is not set, it defaults to infinity, thus moto will never perform any authentication at all.


This is a decorator that works similarly to the environment variable, but the settings are only valid in the function’s scope. When the function returns, everything is restored.

def test_describe_instances_allowed():
    policy_document = {
        "Version": "2012-10-17",
        "Statement": [
                "Effect": "Allow",
                "Action": "ec2:Describe*",
                "Resource": "*"
    access_key = ...
    # create access key for an IAM user/assumed role that has the policy above.
    # this part should call __exactly__ 4 AWS actions, so that authentication and authorization starts exactly after this

    client = boto3.client('ec2', region_name='us-east-1',

    # if the IAM principal whose access key is used, does not have the permission to describe instances, this will fail
    instances = client.describe_instances()['Reservations'][0]['Instances']
    assert len(instances) == 0

See the related test suite for more examples.