From 5d61a2facf31465cbcff32586f0eeab4b67c89cd Mon Sep 17 00:00:00 2001
From: Casey Bodley
Date: Thu, 15 Jan 2026 14:25:51 -0500
Subject: [PATCH] iam: test identity policy for ListRoles

Signed-off-by: Casey Bodley
---
 s3tests/functional/test_iam.py | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/s3tests/functional/test_iam.py b/s3tests/functional/test_iam.py
index 4fcb8c0b..da274fb1 100644
--- a/s3tests/functional/test_iam.py
+++ b/s3tests/functional/test_iam.py
@@ -1962,6 +1962,27 @@ role_policy = json.dumps({
     }]
 })
 
+@pytest.mark.iam_account
+@pytest.mark.iam_role
+def test_account_role_list_permission(iam_root):
+    path = get_iam_path_prefix()
+    user_name = make_iam_name('MyUser')
+
+    user = iam_root.create_user(UserName=user_name, Path=path)['User']
+    user_arn = user['Arn']
+
+    key = iam_root.create_access_key(UserName=user_name)['AccessKey']
+    iam_client = get_iam_client(aws_access_key_id=key['AccessKeyId'],
+                                aws_secret_access_key=key['SecretAccessKey'])
+
+    # reject ListRoles due to lack of identity policy
+    e = assert_raises(ClientError, iam_client.list_roles, PathPrefix=path)
+    assert (403, 'AccessDenied') == _get_status_and_error_code(e.response)
+
+    iam_root.attach_user_policy(UserName=user_name, PolicyArn='arn:aws:iam::aws:policy/IAMReadOnlyAccess')
+
+    iam_client.list_roles(PathPrefix=path)
+
 # IAM RolePolicy apis
 @pytest.mark.iam_account
 @pytest.mark.iam_role
-- 
2.47.3
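Review bot: `user_arn = user['Arn']` in the new test_account_role_list_permission is assigned and never read, so the line (and the `user = ...['User']` lookup feeding it) can be dropped, or the ARN should be used in an assertion. The positive half of the check at the end, `iam_client.list_roles(PathPrefix=path)`, only proves the call no longer raises; pinning the grant with `assert 'Roles' in iam_client.list_roles(PathPrefix=path)` would make the test fail loudly if the response shape changes rather than silently passing. The denial check before the policy is attached is the valuable part of this test, since it confirms the account's default-deny for a fresh user; it may be worth a one-line comment on the attach line noting that managed-policy attachment can be eventually consistent on some backends, so a transient AccessDenied after attach would need a retry rather than being treated as a server bug. The enclosing test body lies entirely within the hunk.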