istioworkshop / istio-workshop

Sources for the Istio workshop website
https://istioworkshop.github.io

Unable to delete cluster: AccessDenied #9

Open piotrek-szczygiel opened 3 years ago

piotrek-szczygiel commented 3 years ago
$ kops delete cluster istio-workshop.k8s.local --yes

error listing IAM OIDC Providers: AccessDenied: User: arn:aws:sts::757321306050:assumed-role/vocstartsoft/user1365736=296691@student.agh.edu.pl is not authorized to perform: iam:ListOpenIDConnectProviders on resource: arn:aws:iam::757321306050:oidc-provider/* with an explicit deny
        status code: 403, request id: afaaaaa1-1366-4a77-927c-fe4b3de6dd8f

Possible AWS Educate permissions issue.

bzurkowski commented 3 years ago

@piotrek-szczygiel Please check if AWS credentials are valid https://github.com/istioworkshop/istio-workshop/issues/8#issuecomment-826951573.

piotrek-szczygiel commented 3 years ago

They are valid; aws ec2 describe-instances returns a long list of instances. I tried refreshing the credentials, but it didn't help.

wsl@gu36:~$ vim ~/.aws/credentials
wsl@gu36:~$ aws s3api list-buckets --region us-east-1
--------------------------------------------------------------------------------------------------------
|                                              ListBuckets                                             |
+------------------------------------------------------------------------------------------------------+
||                                               Buckets                                              ||
|+------------------------------------+---------------------------------------------------------------+|
||            CreationDate            |                             Name                              ||
|+------------------------------------+---------------------------------------------------------------+|
||  2021-04-26T13:20:14+00:00         |  istio-workshop-31194-kops-cluster-state-store                ||
||  2021-04-25T19:57:31+00:00         |  suu-k8s-kops-cluster-state-store-296691                      ||
|+------------------------------------+---------------------------------------------------------------+|
||                                                Owner                                               ||
|+-------------------------------+--------------------------------------------------------------------+|
||          DisplayName          |                                ID                                  ||
|+-------------------------------+--------------------------------------------------------------------+|
||  awslabsc0w1866727t1613905120 |  1a7db9e0fb0b4fd5e1b364f66bc483131f7e872f129ad3ce6ed87460b40d8595  ||
|+-------------------------------+--------------------------------------------------------------------+|
wsl@gu36:~$ BUCKET_NAME=istio-workshop-31194-kops-cluster-state-store
wsl@gu36:~$ export KOPS_STATE_STORE=s3://$BUCKET_NAME
wsl@gu36:~$ kops delete cluster istio-workshop.k8s.local --yes

error listing IAM OIDC Providers: AccessDenied: User: arn:aws:sts::757321306050:assumed-role/vocstartsoft/user1365736=296691@student.agh.edu.pl is not authorized to perform: iam:ListOpenIDConnectProviders on resource: arn:aws:iam::757321306050:oidc-provider/* with an explicit deny
        status code: 403, request id: 593d67f2-9300-423b-8c9f-4330b509c427

bzurkowski commented 3 years ago

> Possible AWS Educate permissions issue.

@piotrek-szczygiel Might be.

The error originates at this point in the code (ListIAMOIDCProviders). The method is used in the ListResourcesAWS method here, which is used in the main AWS collector, which is used in the cluster delete command.

Temporarily, please delete EC2 instances manually. In the meantime, I will consult the lab owner about the permission issue.

Did a similar issue occur in the previous lab related to K8S cluster provisioning?
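
A triage helper for the error discussed in this thread, added here as an example (it is not part of the issue, the workshop, or kops): it parses the AccessDenied text and reports the denied action, the assumed role, the request id, and whether the denial is an explicit deny, which refreshing credentials cannot change. The function name `triage`, the output keys and the second sample message are constructed for illustration.

```python
import re

# Error text copied from this issue (kops wraps the message the IAM API returns).
FROM_ISSUE = (
    "error listing IAM OIDC Providers: AccessDenied: User: "
    "arn:aws:sts::757321306050:assumed-role/vocstartsoft/"
    "user1365736=296691@student.agh.edu.pl is not authorized to perform: "
    "iam:ListOpenIDConnectProviders on resource: "
    "arn:aws:iam::757321306050:oidc-provider/* with an explicit deny\n"
    "        status code: 403, request id: 593d67f2-9300-423b-8c9f-4330b509c427"
)
# Constructed sample of the other case: no policy allows the action.
CONSTRUCTED_IMPLICIT = (
    "AccessDenied: User: arn:aws:iam::111122223333:user/example is not "
    "authorized to perform: iam:ListOpenIDConnectProviders because no "
    "identity-based policy allows the iam:ListOpenIDConnectProviders action"
)

DENIED = re.compile(
    r"User: (?P<principal>arn:aws:(?:sts|iam)::\d{12}:\S+) "
    r"is not authorized to perform: (?P<action>[\w-]+:\w+)"
    r"(?: on resource: (?P<resource>\S+))?(?P<tail>.*)"
)
REQUEST_ID = re.compile(r"request id: ([0-9a-f-]{36})")

def triage(message):
    """Split an AWS AccessDenied message into the fields needed to escalate it."""
    m = DENIED.search(message)
    if m is None:
        return None  # a different kind of error
    info = m.groupdict()
    # An explicit deny overrides every Allow, so new credentials cannot help.
    explicit = "with an explicit deny" in info.pop("tail")
    info["deny"] = "explicit" if explicit else "implicit"
    # assumed-role principals look like assumed-role/<role>/<session name>
    kind, _, rest = info["principal"].split(":", 5)[5].partition("/")
    info["role"] = rest.split("/")[0] if kind == "assumed-role" else None
    rid = REQUEST_ID.search(message)
    info["request_id"] = rid.group(1) if rid else None
    info["fix"] = ("a Deny statement must be removed or narrowed by the policy owner"
                   if explicit else "an Allow for the action must be added")
    return info

if __name__ == "__main__":
    for sample in (FROM_ISSUE, CONSTRUCTED_IMPLICIT):
        print(triage(sample))
```
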