Open alpaca012 opened 4 months ago
Do you know if there's any way to programmatically know what accounts the directory is shared with, or is this information you have to know some other way?
We can use ds describe-shared-directories. Here is the link to the CLI reference
$ aws ds describe-shared-directories --owner-directory-id d-xxxxxxxxxx
{
    "SharedDirectories": [
        {
            "OwnerAccountId": "REDACTED",
            "OwnerDirectoryId": "d-xxxxxxxxxx",
            "ShareMethod": "HANDSHAKE",
            "SharedAccountId": "REDACTED",
            "SharedDirectoryId": "d-yyyyyyyyyy",
            "ShareStatus": "REDACTED",
            "ShareNotes": "REDACTED",
            "CreatedDateTime": "REDACTED",
            "LastUpdatedDateTime": "REDACTED"
        }
    ]
}
We can get the shared account IDs from the SharedAccountId key.
As per title, DirectoryServiceDirectory (AWS Managed Microsoft AD) fails to delete without any explanation why.
Upon investigation, it was because it is shared with other AWS accounts. Using unshare-directory on the AWS CLI, aws ds unshare-directory --directory-id d-xxxxxxxx --unshare-target Id=<account_id>,Type=ACCOUNT, the account(s) are successfully unlinked. After that, running aws-nuke deletes the AD successfully.
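The two steps discussed in this thread (listing share targets with describe-shared-directories, then unlinking each one with unshare-directory before aws-nuke can delete the directory) can be scripted. The block below is an added example, not code from the aws-nuke project or from anyone in this issue. It assumes the AWS CLI is on PATH with credentials for the owner account, uses the documented NextToken pagination of DescribeSharedDirectories, and only executes commands when dry_run=False; the sample response and the set of ShareStatus values treated as blocking are constructed assumptions.

```python
"""Added example: enumerate the accounts an AWS Managed Microsoft AD is shared
with and build (optionally run) the unshare-directory calls that must succeed
before the directory can be deleted.  Not part of aws-nuke."""
import json
import subprocess
from typing import Dict, Iterable, List, Optional

# ShareStatus values that still link the directory to another account.
# Assumption: these are the states that block deletion; terminal states
# such as "Deleted" or "Rejected" need no unshare call.
BLOCKING_STATES = {"Shared", "PendingAcceptance", "Sharing"}

# Constructed sample page, shaped like the output quoted in the thread.
SAMPLE_RESPONSE: Dict = {
    "SharedDirectories": [
        {"OwnerAccountId": "111111111111", "OwnerDirectoryId": "d-xxxxxxxxxx",
         "ShareMethod": "HANDSHAKE", "SharedAccountId": "222222222222",
         "SharedDirectoryId": "d-yyyyyyyyyy", "ShareStatus": "Shared"},
        {"OwnerAccountId": "111111111111", "OwnerDirectoryId": "d-xxxxxxxxxx",
         "ShareMethod": "HANDSHAKE", "SharedAccountId": "333333333333",
         "SharedDirectoryId": "d-zzzzzzzzzz", "ShareStatus": "Deleted"},
    ]
}


def run_aws(argv: List[str]) -> str:
    """Run one AWS CLI command and return its stdout (raises on failure)."""
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


def describe_pages(owner_directory_id: str) -> List[Dict]:
    """Fetch every page of describe-shared-directories for the owner directory.
    The API paginates with NextToken, so a single call may miss targets."""
    pages: List[Dict] = []
    token: Optional[str] = None
    while True:
        argv = ["aws", "ds", "describe-shared-directories",
                "--owner-directory-id", owner_directory_id, "--output", "json"]
        if token:
            argv += ["--next-token", token]
        page = json.loads(run_aws(argv))
        pages.append(page)
        token = page.get("NextToken")
        if not token:
            return pages


def blocking_share_targets(pages: Iterable[Dict]) -> List[str]:
    """Return the SharedAccountId of every share still in a blocking state,
    de-duplicated and in first-seen order."""
    seen: Dict[str, None] = {}
    for page in pages:
        for share in page.get("SharedDirectories", []):
            if share.get("ShareStatus") in BLOCKING_STATES:
                seen.setdefault(share["SharedAccountId"], None)
    return list(seen)


def unshare_commands(directory_id: str, account_ids: Iterable[str]) -> List[List[str]]:
    """Build the exact CLI invocation from the issue for each target account."""
    return [["aws", "ds", "unshare-directory", "--directory-id", directory_id,
             "--unshare-target", f"Id={acct},Type=ACCOUNT"] for acct in account_ids]


def unshare_all(directory_id: str, pages: Optional[List[Dict]] = None,
                dry_run: bool = True) -> List[List[str]]:
    """Unlink every blocking share target.  With dry_run=True (default) the
    commands are only returned, which is what a reviewer wants to see first."""
    if pages is None:
        pages = describe_pages(directory_id)
    commands = unshare_commands(directory_id, blocking_share_targets(pages))
    if not dry_run:
        for argv in commands:
            run_aws(argv)
    return commands


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; prints the commands
    # that would run before aws-nuke is invoked.
    for cmd in unshare_all("d-xxxxxxxxxx", pages=[SAMPLE_RESPONSE]):
        print(" ".join(cmd))
```

Run it as-is to see the planned unshare commands for the sample; drop the pages argument and pass dry_run=False to act on a real owner directory, then re-run describe_pages and confirm blocking_share_targets is empty before starting aws-nuke.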