Skip to content

feat(iam,vm): implement IAM03 credential access and AUTH03 key access#537

Open
abegnoche wants to merge 4 commits into
mainfrom
cursor/iam03-auth03-validations-12d5
Open

feat(iam,vm): implement IAM03 credential access and AUTH03 key access#537
abegnoche wants to merge 4 commits into
mainfrom
cursor/iam03-auth03-validations-12d5

Conversation

@abegnoche

@abegnoche abegnoche commented Jul 13, 2026

Copy link
Copy Markdown
Member

Summary

Implements M7 Batch A foundational identity/access issues:

Issue Test ID Check
#341 IAM-XX-03 IAM03-01 IamCredentialAccessCheck
#248 AUTH-XX-03 AUTH03-01 ComponentKeyAccessCheck

Changes

IAM03-01 (#341)

  • Replace weak FieldExistsCheck(account_id) with IamCredentialAccessCheck requiring tests.identity + tests.access
  • Normalize AWS test_credentials.py JSON to the provider-neutral identity/access contract (already used by my-isv)

AUTH03-01 (#248)

  • Add ComponentKeyAccessCheck on a new component_key_access VM step
  • AWS: authorize the launch key for EC2 serial-console SSH (SOL); mark network-device SSH provider_hidden
  • my-isv: DEMO_MODE stub for make demo-test

Test plan

  • $ ISVTEST_INCLUDE_UNRELEASED=1 uv run isvctl test run -f isvctl/configs/providers/aws/config/iam.yaml -- -v -s
  • $ ISVTEST_INCLUDE_UNRELEASED=1 uv run isvctl test run -f isvctl/configs/providers/aws/config/vm.yaml -- -v -s
  • make lint / make test

Closes #341
Closes #248

Open in Web Open in Cursor 

Summary by CodeRabbit

  • New Features
    • Added component_key_access VM validation for launch-key access to serial console and network devices (with SOL-disabled skipping).
    • Introduced AUTH03-01 component key access checks and a my-isv demo-mode implementation.
    • Added IAM03 credential-access validation for identity and authorization results.
  • Documentation
    • Updated VM/IAM suite and validation docs plus the test plan to include the new component_key_access step and JSON field expectations.
  • Tests
    • Added contract and validation tests covering pass/fail/skip and provider-hidden network-device behavior, and expanded IAM03 validation cases.

Strengthen IAM03-01 beyond FieldExistsCheck by validating identity and
authorized-resource probes, and add AUTH03-01 component key access for
SOL (with provider-hidden network devices on AWS).

Closes #341
Closes #248

Signed-off-by: Cursor Agent <cursoragent@cursor.com>

Co-authored-by: Alexandre Begnoche <abegnoche@users.noreply.github.com>
@copy-pr-bot

copy-pr-bot Bot commented Jul 13, 2026

Copy link
Copy Markdown

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

Adds IAM credential-access validation and VM component key-access checks. AWS probes serial-console key authorization and reports provider-hidden network-device access, while provider configuration, suite validation, documentation, and contract tests are updated.

Changes

Access validation

Layer / File(s) Summary
IAM credential access contract
isvctl/configs/providers/aws/scripts/iam/test_credentials.py, isvctl/configs/suites/iam.yaml, isvtest/src/isvtest/validations/iam.py, isvtest/tests/test_iam.py
IAM results now use tests.identity and tests.access; both checks are required by the new IamCredentialAccessCheck validation and its tests.
Component key access probes
isvctl/configs/providers/aws/scripts/common/serial_console.py, isvctl/configs/providers/aws/scripts/vm/*, isvctl/configs/providers/my-isv/scripts/vm/component_key_access.py, isvctl/tests/test_component_key_access_contract.py
Adds AWS serial-console key authorization, provider-hidden network-device reporting, a provider template script, shared skip handling, and probe contract tests.
Component key access validation
isvtest/src/isvtest/validations/instance.py, isvtest/tests/test_instance.py
Adds ComponentKeyAccessCheck to validate the launch key and required SOL and network-device subtests, including skipped and provider-hidden results.
Suite and provider integration
isvctl/configs/suites/*, isvctl/configs/providers/*/config/vm.yaml, isvctl/configs/providers/my-isv/scripts/README.md, docs/test-plan.yaml
Registers the new VM step, updates documented JSON contracts and step numbering, increments the script count, and labels the test plan entry.

Estimated code review effort: 3 (Moderate) | ~25 minutes

Sequence Diagram(s)

sequenceDiagram
  participant VMValidation as VM validation suite
  participant ComponentProbe as component_key_access.py
  participant EC2Console as EC2 serial console
  participant InstanceConnect as EC2 Instance Connect
  participant ComponentCheck as ComponentKeyAccessCheck
  VMValidation->>ComponentProbe: Run with instance and key parameters
  ComponentProbe->>EC2Console: Check serial access
  ComponentProbe->>InstanceConnect: Send serial-console SSH public key
  InstanceConnect-->>ComponentProbe: Return authorization result
  ComponentProbe-->>ComponentCheck: Return JSON probe results
  ComponentCheck-->>VMValidation: Validate required access tests
Loading
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Linked Issues check ✅ Passed The PR implements both linked objectives by adding IAM credential-access validation and AUTH03 key-based component access checks.
Out of Scope Changes check ✅ Passed The changes all support the IAM03 and AUTH03 work, with no obvious unrelated additions.
Docstring Coverage ✅ Passed Docstring coverage is 93.55% which is sufficient. The required threshold is 80.00%.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main IAM03 and AUTH03 access changes in the pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch cursor/iam03-auth03-validations-12d5

Comment @coderabbitai help to get the list of available commands.

Cleanup pass over the IAM03 credential-access and AUTH03 key-access
change; no behavior change.

- component_key_access.py: drop _make_test_result/_mark_skipped/
  REQUIRED_TESTS copied from console_rbac.py; emit a minimal top-level
  skip instead of the unconsumed per-subtest fan-out; remove the
  isinstance dance and the unconsumed request_id field; stop
  fabricating a passing network_device_access on key-load failure
- hoist SERIAL_ACCESS_DISABLED_SKIP_REASON into common/serial_console
  and import it in both console_rbac.py and component_key_access.py
- ComponentKeyAccessCheck: remove the inline pytest.skip already
  handled by BaseValidation.execute(), the dead requested_key_name
  fallback, and a redundant isinstance guard
- suites: drop required_tests overrides that duplicated class defaults
- contract test: reuse the cached conftest load_vm_script instead of a
  local uncached loader; use tmp_path instead of mkstemp (leaked fd)
- test_credentials.py: simplify the success expression; hoist local
  imports in tests

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Signed-off-by: Alexandre Begnoche <abegnoche@nvidia.com>
@abegnoche abegnoche marked this pull request as ready for review July 13, 2026 18:29
@abegnoche abegnoche requested a review from a team as a code owner July 13, 2026 18:29
@abegnoche

Copy link
Copy Markdown
Member Author

/ok to test d6dd460

@github-actions

Copy link
Copy Markdown

🔐 TruffleHog Secret Scan

No secrets or credentials found!

Your code has been scanned for 700+ types of secrets and credentials. All clear! 🎉

🔗 View scan details

🕐 Last updated: 2026-07-13 18:31:09 UTC | Commit: d6dd460

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 4

🧹 Nitpick comments (2)
isvctl/configs/providers/aws/scripts/iam/test_credentials.py (1)

96-97: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

main() is missing a docstring.

Coding guidelines require every function to have a PEP 257 docstring; main() has none.

📝 Proposed fix
 def main() -> int:
+    """Test IAM credentials by validating STS identity and authorized-resource access."""
     parser = argparse.ArgumentParser(description="Test IAM credentials")

Based on learnings, coding guidelines state "Every function and class must have docstrings following PEP 257."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@isvctl/configs/providers/aws/scripts/iam/test_credentials.py` around lines 96
- 97, Add a concise PEP 257-compliant docstring as the first statement in the
main() function, describing that it tests IAM credentials and returns the
resulting process exit status. Preserve the existing argument parsing and
execution flow.

Source: Coding guidelines

isvctl/configs/providers/my-isv/scripts/vm/component_key_access.py (1)

89-121: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Non-demo failure path leaves tests empty instead of per-test {"passed": False} stubs.

Other my-isv scaffolds (e.g. api_endpoint_test.py, bmc_isolation_test.py, sa_credential_test.py) initialize each subtest entry with {"passed": False} and set a single top-level result["error"]. This scaffold leaves result["tests"] as {} in the not-implemented branch, so it doesn't follow that established convention.

♻️ Proposed fix to match the established scaffold convention
     if DEMO_MODE:
         result = _demo_result(args.instance_id, args.key_name)
     else:
         result["error"] = "Not implemented - replace with your platform's component key access logic"
+        result["tests"]["sol_access"] = {"passed": False}
+        result["tests"]["network_device_access"] = {"passed": False}

Based on learnings, "follow the established non-demo failure convention: initialize each test entry with {"passed": False} and record a single top-level result["error"] string for failures" for my-isv scaffolds.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@isvctl/configs/providers/my-isv/scripts/vm/component_key_access.py` around
lines 89 - 121, Update the non-DEMO_MODE branch in the component key access flow
to initialize every expected entry in result["tests"] with {"passed": False},
matching the scaffold convention used by the related test scripts. Keep a single
top-level result["error"] string for the not-implemented failure, while
preserving the existing demo result behavior and success-based exit code.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@isvctl/configs/providers/aws/scripts/iam/test_credentials.py`:
- Around line 120-132: Update the IAM access test around iam.get_user() to catch
BotoCoreError alongside ClientError, recording the access test as failed with
the exception details so the script still writes its JSON result. Preserve the
existing AccessDenied success handling and ClientError behavior.

In `@isvctl/configs/providers/aws/scripts/vm/component_key_access.py`:
- Around line 81-94: Update the send_serial_console_ssh_public_key call in the
component key access probe to pass SerialPort=0 instead of 1, while preserving
the existing error handling and response evaluation.

In `@isvctl/configs/providers/my-isv/config/vm.yaml`:
- Around line 48-52: Update the numbered step list in the VM configuration
comments to include the active virtual_device_hardening step after
component_key_access, then renumber deploy_nim, teardown_nim, and teardown to
11, 12, and 13 respectively.

In `@isvctl/configs/suites/README.md`:
- Line 88: Update the component_key_access entry in the suites README to
document that tests.sol_access.passed and tests.network_device_access.passed are
required only for non-skipped results, matching ComponentKeyAccessCheck’s early
skipped response when serial access is disabled.

---

Nitpick comments:
In `@isvctl/configs/providers/aws/scripts/iam/test_credentials.py`:
- Around line 96-97: Add a concise PEP 257-compliant docstring as the first
statement in the main() function, describing that it tests IAM credentials and
returns the resulting process exit status. Preserve the existing argument
parsing and execution flow.

In `@isvctl/configs/providers/my-isv/scripts/vm/component_key_access.py`:
- Around line 89-121: Update the non-DEMO_MODE branch in the component key
access flow to initialize every expected entry in result["tests"] with
{"passed": False}, matching the scaffold convention used by the related test
scripts. Keep a single top-level result["error"] string for the not-implemented
failure, while preserving the existing demo result behavior and success-based
exit code.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: d19a0da1-3240-45ae-a499-80ac51ebfd1a

📥 Commits

Reviewing files that changed from the base of the PR and between 3a95d5a and d6dd460.

📒 Files selected for processing (17)
  • docs/test-plan.yaml
  • isvctl/configs/providers/aws/config/vm.yaml
  • isvctl/configs/providers/aws/scripts/common/serial_console.py
  • isvctl/configs/providers/aws/scripts/iam/test_credentials.py
  • isvctl/configs/providers/aws/scripts/vm/component_key_access.py
  • isvctl/configs/providers/aws/scripts/vm/console_rbac.py
  • isvctl/configs/providers/my-isv/config/vm.yaml
  • isvctl/configs/providers/my-isv/scripts/README.md
  • isvctl/configs/providers/my-isv/scripts/vm/component_key_access.py
  • isvctl/configs/suites/README.md
  • isvctl/configs/suites/iam.yaml
  • isvctl/configs/suites/vm.yaml
  • isvctl/tests/test_component_key_access_contract.py
  • isvtest/src/isvtest/validations/iam.py
  • isvtest/src/isvtest/validations/instance.py
  • isvtest/tests/test_iam.py
  • isvtest/tests/test_instance.py

Comment thread isvctl/configs/providers/aws/scripts/iam/test_credentials.py
Comment thread isvctl/configs/providers/aws/scripts/vm/component_key_access.py
Comment thread isvctl/configs/providers/my-isv/config/vm.yaml Outdated
Comment thread isvctl/configs/suites/README.md Outdated
AWS only accepts serial port 0 for SendSerialConsoleSSHPublicKey;
SerialPort=1 would fail every SOL probe. Also sync my-isv step
comments and document the skipped component_key_access contract.

Signed-off-by: Alexandre Begnoche <abegnoche@nvidia.com>
@abegnoche

Copy link
Copy Markdown
Member Author

/ok to test 7b061e9

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

2 participants