cloudsec9-ca / kubeadm-aws

Inexpensive Kubernetes cluster on AWS with kubeadm

Document the IAM auth bits #3

Open cloudsec9-ca opened 2 years ago

cloudsec9-ca commented 2 years ago

Write a doc about the IAM bits needed to deploy this project (not on root)

cloudsec9-ca commented 2 years ago

Added "iam:DetachRolePolicy" to IAM policy to allow deletion and cleanup to possibly complete without errors.

cloudsec9-ca commented 2 years ago

Added "iam:ListInstanceProfileForRole", "iam:DeletePolicyVersion", "iam:DeletePolicy" to IAM policy to hopefully allow deletion and cleanup to complete without errors.

cloudsec9-ca commented 2 years ago

The more permissive IAM bits didn't help because the actions that are failing are tied to k8s-instance-role.

This could require a passRole, or perhaps a bit of Terraform code giving the right permissions, or even something else. Have to dig more into it.

cloudsec9-ca commented 2 years ago

Turns out it wasn't Terraform, but my actual AWS side policy that wasn't right (maybe I didn't save it properly?).

I've managed to solve 3 of the 5 issues, so now I'll work on the other 2 - DeletePolicyVersion and DeleteRole.

Once I get this error free, I'll start to clean up things and pare down what I give out perms on and to which resources.

cloudsec9-ca commented 2 years ago

We are now error free. I have to snip this down.

The only issue is that testing means spinning a whole cluster up, so I'm not sure this is going to be a quick process (on the test side, anyways).
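The thread above ends with a working but over-broad policy that still has to be "snipped down". The following is an added example, not code from this repository or its author: it builds a scoped policy document for the cleanup actions named in the thread (DetachRolePolicy, ListInstanceProfilesForRole, DeletePolicyVersion, DeletePolicy, DeleteRole) plus a conditioned `iam:PassRole`, and runs a small linter over it that flags the grants a least-privilege review would reject (wildcard actions, `Resource: "*"`, PassRole without a Condition). The account id, role name and policy name are placeholders; the IAM API action is spelled `ListInstanceProfilesForRole` (plural), which differs from the spelling in the comment above.

```python
"""Scoped IAM cleanup policy for a kubeadm-on-AWS deployer, plus an over-broad-grant linter.

Constructed example: the ARNs below are placeholders, not values from the repository.
"""
import json

# Placeholder identifiers (assumptions, not taken from the project).
ACCOUNT_ID = "123456789012"
INSTANCE_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/k8s-instance-role"
INSTANCE_POLICY_ARN = f"arn:aws:iam::{ACCOUNT_ID}:policy/k8s-instance-policy"

# Actions the issue thread found necessary for cleanup to finish, split by
# the resource type each one actually operates on.
ROLE_CLEANUP_ACTIONS = [
    "iam:ListInstanceProfilesForRole",  # plural: the API name, not the thread's spelling
    "iam:DetachRolePolicy",
    "iam:DeleteRole",
]
POLICY_CLEANUP_ACTIONS = [
    "iam:DeletePolicyVersion",
    "iam:DeletePolicy",
]


def build_cleanup_policy():
    """Return a policy document that scopes each action to the one resource it acts on."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "RoleCleanup",
                "Effect": "Allow",
                "Action": ROLE_CLEANUP_ACTIONS,
                "Resource": INSTANCE_ROLE_ARN,
            },
            {
                "Sid": "PolicyCleanup",
                "Effect": "Allow",
                "Action": POLICY_CLEANUP_ACTIONS,
                "Resource": INSTANCE_POLICY_ARN,
            },
            # PassRole is how the deployer hands the instance role to EC2 when the
            # nodes are created; restrict it to that one role and to the EC2 service.
            {
                "Sid": "PassInstanceRole",
                "Effect": "Allow",
                "Action": "iam:PassRole",
                "Resource": INSTANCE_ROLE_ARN,
                "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}},
            },
        ],
    }


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(doc):
    """Return a list of findings for Allow statements a least-privilege review would reject."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if "*" in action:  # "*", "iam:*", "iam:Delete*" and similar
                findings.append(f"{sid}: wildcard action {action}")
        if "*" in resources:
            findings.append(f"{sid}: resource '*' for {', '.join(actions)}")
        if "iam:PassRole" in actions and "Condition" not in stmt:
            findings.append(f"{sid}: iam:PassRole without a Condition")
    return findings


if __name__ == "__main__":
    policy = build_cleanup_policy()
    print(json.dumps(policy, indent=2))
    print("findings:", lint_policy(policy) or "none")
```

The linter is deliberately simple: it catches the three shapes of over-grant that most often survive a "just make it work" iteration like the one described in the thread, and nothing more. Running it as part of the same cycle that spins the cluster up lets the policy be tightened without a full deploy per change.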