Closed chr-b closed 1 week ago
My guess is there is either a Permissions Boundary set, or there are Permissions Policies attached that were accidentally omitted from the logs above?
Can you verify using the UI if either of those two are true? If it's a Permissions Boundary, that's a recently known issue that hasn't had an issue opened against it yet.
The role where the deletion failed has a policy of type "Customer inline" attached to it :(

Edit: for completeness, all the lines from the log with that role:

```
global - IAMRole - dummyrole0001 - [] - would remove
[...]
Do you really want to nuke the account with the ID 987654321012 and the alias 'dummy'?
Waiting 3s before continuing.
global - IAMRole - dummyrole0001 - [] - failed
Removal requested: 0 waiting, 1 failed, 32 skipped, 0 finished
global - IAMRole - dummyrole0001 - [] - failed
Removal requested: 0 waiting, 1 failed, 32 skipped, 0 finished
global - IAMRole - dummyrole0001 - [] - failed
Removal requested: 0 waiting, 1 failed, 32 skipped, 0 finished
ERRO[0039] There are resources in failed state, but none are ready for deletion, anymore.
global - IAMRole - dummyrole0001 - [] - failed
ERRO[0039] DeleteConflict: Cannot delete entity, must delete policies first.
        status code: 409, request id: dac8be7f-b138-4cac-8392-53040283b59d
```

The attachment with the custom IAM policy is not detected.
Thanks. That helped. It is indeed a separate API call for inline policies.
ok you need to add the `IAMRolePolicy` resource. It's a separate resource to handle inline policies.

```yaml
resource-types:
  includes:
    - IAMRolePolicyAttachment
    - IAMRole
    - IAMRolePolicy
```
Thanks for the hint @ekristen, however this is more destructive than it should be. Log output:

```
global - IAMRolePolicy - OrganizationAccountAccessRole -> AdministratorAccess - [PolicyName: "AdministratorAccess", role:Path: "/", role:RoleID: "AROAQUR64X3RNKJAYUF76", role:RoleName: "OrganizationAccountAccessRole"] - would remove
```

This should not touch the OrganizationAccountAccessRole, but it does.

Config excerpt:

```yaml
resource-types:
  includes:
    - IAMRolePolicyAttachment
    - IAMRolePolicy
    - IAMRole

presets:
  common:
    filters:
      IAMRole:
        - OrganizationAccountAccessRole
      IAMRolePolicyAttachment:
        - OrganizationAccountAccessRole
      IAMRolePolicy:
        - OrganizationAccountAccessRole
```
This is where filters get a little complicated. Everything between the resource type and the `[]` is the "Legacy Resource Name"; everything within the `[]` are properties.

When you do a bare filter like `- OrganizationAccountAccessRole`, it's an exact match on the Legacy Resource Name, which in this case is `OrganizationAccountAccessRole -> AdministratorAccess`, so it won't match. You'd need to add that whole string, or add a filter type and use the `contains` operator, for example. `IAMRolePolicyAttachment` is the same way: if you look at the output you previously provided, it has `<role> -> <policy>`.
Ah, thanks for the explanation. Changing the filter to use the property `role:RoleName` fixed the problem.
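To make the matching rules from the explanation above concrete, here is a small Python model of them, written for this thread as an added example; it is not aws-nuke's own code and only approximates its behaviour. The resource values are constructed from the log line quoted above, the `type`, `value` and `property` keys are the ones aws-nuke's filter config uses, and the `glob` type is included as an assumption beyond what the thread mentions. It shows why the bare filter misses the `OrganizationAccountAccessRole -> AdministratorAccess` inline policy while a `contains` filter or a `role:RoleName` property filter keeps it out of the removal plan.

```python
"""Model of aws-nuke style filter matching (added example, not aws-nuke code)."""
import fnmatch
from dataclasses import dataclass, field
from typing import Dict, List, Union

Filter = Union[str, dict]


@dataclass
class Resource:
    rtype: str                                   # e.g. "IAMRolePolicy"
    legacy_name: str                             # text between the type and the "[ ]"
    properties: Dict[str, str] = field(default_factory=dict)  # key/values inside the "[ ]"


# Constructed from the log line quoted in the thread.
ORG_ROLE_INLINE_POLICY = Resource(
    "IAMRolePolicy",
    "OrganizationAccountAccessRole -> AdministratorAccess",
    {
        "PolicyName": "AdministratorAccess",
        "role:Path": "/",
        "role:RoleID": "AROAQUR64X3RNKJAYUF76",
        "role:RoleName": "OrganizationAccountAccessRole",
    },
)
# The throwaway role from the earlier log excerpt (no properties shown there).
DUMMY_ROLE_POLICY = Resource("IAMRolePolicy", "dummyrole0001 -> dummy-inline")


def filter_matches(flt: Filter, res: Resource) -> bool:
    """Bare string: exact match on the legacy name.
    Dict: optional `property` selects a property instead of the legacy name,
    optional `type` selects the comparison (default `exact`)."""
    if isinstance(flt, str):
        return res.legacy_name == flt
    if "property" in flt:
        target = res.properties.get(flt["property"])
        if target is None:                       # resource lacks that property
            return False
    else:
        target = res.legacy_name
    kind = flt.get("type", "exact")
    value = flt["value"]
    if kind == "exact":
        return target == value
    if kind == "contains":
        return value in target
    if kind == "glob":                           # assumption: modelled after fnmatch
        return fnmatch.fnmatchcase(target, value)
    raise ValueError(f"unsupported filter type {kind!r}")


def would_remove(filters: Dict[str, List[Filter]], res: Resource) -> bool:
    """A resource is removed unless some filter for its type matches it."""
    return not any(filter_matches(f, res) for f in filters.get(res.rtype, []))


def plan(filters: Dict[str, List[Filter]], resources: List[Resource]) -> Dict[str, str]:
    """Summarise what each resource would get in a dry run."""
    return {r.legacy_name: ("would remove" if would_remove(filters, r) else "filtered")
            for r in resources}


# The three filter styles discussed in the thread, for the IAMRolePolicy type.
BARE_FILTERS = {"IAMRolePolicy": ["OrganizationAccountAccessRole"]}
CONTAINS_FILTERS = {"IAMRolePolicy": [
    {"type": "contains", "value": "OrganizationAccountAccessRole"}]}
PROPERTY_FILTERS = {"IAMRolePolicy": [
    {"property": "role:RoleName", "value": "OrganizationAccountAccessRole"}]}

if __name__ == "__main__":
    resources = [ORG_ROLE_INLINE_POLICY, DUMMY_ROLE_POLICY]
    for label, flt in (("bare", BARE_FILTERS),
                       ("contains", CONTAINS_FILTERS),
                       ("property", PROPERTY_FILTERS)):
        print(label, plan(flt, resources))
```

Running it prints the bare filter leaving the org-role inline policy as "would remove" (the outcome chr-b saw), while the `contains` and `property` variants mark it "filtered" and still let the dummy role's inline policy through. The property form is the safer choice for protecting a role, since it matches regardless of which policy name follows the `->`.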
The error: deletion of the resource `IAMRole` fails, even when also specifying `IAMRolePolicyAttachment` in the resource types.

My config:

Output for

```
aws-nuke run --config test.yaml --profile my-profile --assume-role-arn arn:aws:iam::987654321098:role/OrganizationAccountAccessRole --assume-role-session-name nuker --no-prompt -no-dry-run -l debug
```

: