rebuy-de / aws-nuke

Nuke a whole AWS account and delete all its resources.
MIT License

Cannot use aws-nuke with aws-vault #390

Open ozeebee opened 5 years ago

ozeebee commented 5 years ago

Hi,

Just trying to use aws-nuke with aws-vault without success so far:

$ aws-vault exec my-account -- aws-nuke -c nuke-config.yml --access-key-id ${AWS_ACCESS_KEY_ID} --secret-access-key ${AWS_SECRET_ACCESS_KEY} --session-token ${AWS_SESSION_TOKEN}

Error: flag needs an argument: --session-token

I also tried without a session token:

$ aws-vault exec my-account --no-session -- aws-nuke -c nuke-config.yml --access-key-id ${AWS_ACCESS_KEY_ID} --secret-access-key ${AWS_SECRET_ACCESS_KEY}

Error: failed get caller identity: EmptyStaticCreds: static credentials are empty

The environment is correctly defined with aws-vault:

$ aws-vault exec my-account -- env | grep AWS
AWS_VAULT=my-account
AWS_DEFAULT_REGION=eu-west-1
AWS_REGION=eu-west-1
AWS_ACCESS_KEY_ID=ASIAXXXXXXXXXXXXXX
AWS_SECRET_ACCESS_KEY=YYYYYYYYYYYYYYYYYYYYYYYYYY
AWS_SESSION_TOKEN=ZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
AWS_SECURITY_TOKEN=ZYXYZYXYZYYXYZYXYY

I tried to double-quote the arguments but I still get the error. Note that:

  1. If I pass the values from the environment directly, it works.
  2. aws-vault works with my other tools (aws cli and cdk).

Tried with the latest versions of these tools on macOS.

Suggestions are welcome,

thanks!

FernandoMiguel commented 5 years ago

aws-nuke --config config.yml --profile Default

https://github.com/FernandoMiguel/kb/blob/master/aws-nuke/Readme.md

ozeebee commented 5 years ago

Thanks @FernandoMiguel,

I had no success with the "Default" profile but based on your document and after experimenting a lot, I finally succeeded.

I had to do it in 2 steps:

  1. Create a sub-shell with aws-vault:
    aws-vault exec "${AWS_PROFILE:-default}" --no-session -- 
  2. Nuke the account with the credentials:
    aws-nuke -c nuke-config.yml --access-key-id ${AWS_ACCESS_KEY_ID} --secret-access-key ${AWS_SECRET_ACCESS_KEY}

I had to work without session (--no-session flag), otherwise I had an InvalidClientTokenId. Any other attempt failed.

Too bad we cannot do it with a one-liner, but at least it works.
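An added note and example (not from the aws-nuke or aws-vault projects, and not part of the post above): the one-liner in the original report fails because `${AWS_ACCESS_KEY_ID}`, `${AWS_SECRET_ACCESS_KEY}` and `${AWS_SESSION_TOKEN}` are expanded by the *outer* shell, before `aws-vault exec` has populated the environment, so aws-nuke receives empty arguments (hence "flag needs an argument: --session-token" and "static credentials are empty"). Handing the command to a child shell as a single-quoted string defers the expansion until aws-vault has set the variables. The script below reproduces both behaviours with `env` standing in for aws-vault (the credential values are constructed placeholders), and `nuke_via_vault` shows the same quoting applied to the real tools; the profile name and config path in it are assumptions.

```shell
# fake_vault stands in for `aws-vault exec <profile> --`: it injects
# constructed placeholder credentials and runs the given command.
fake_vault() {
    env AWS_ACCESS_KEY_ID=ASIAEXAMPLE \
        AWS_SECRET_ACCESS_KEY=secretEXAMPLE \
        AWS_SESSION_TOKEN=tokenEXAMPLE \
        "$@"
}

# Pattern from the issue: ${AWS_SESSION_TOKEN} is expanded by the outer shell,
# which holds no credentials, so the child command receives an empty string.
# The subshell unsets the variable to mirror a shell outside aws-vault.
outer_expansion() {
    (
        unset AWS_SESSION_TOKEN
        fake_vault printf '%s' "${AWS_SESSION_TOKEN}"
    )
}

# Fix: single-quote the command and run it through `sh -c`; the child shell
# expands the variables only after the wrapper has exported them.
inner_expansion() {
    (
        unset AWS_SESSION_TOKEN
        fake_vault sh -c 'printf "%s" "${AWS_SESSION_TOKEN}"'
    )
}

# The same pattern with the real tools (assumed installed; not executed here).
# "$1" is the aws-vault profile; nuke-config.yml is an assumed config path.
nuke_via_vault() {
    aws-vault exec "${1:?profile name required}" -- sh -c \
        'aws-nuke -c nuke-config.yml --access-key-id "$AWS_ACCESS_KEY_ID" --secret-access-key "$AWS_SECRET_ACCESS_KEY" --session-token "$AWS_SESSION_TOKEN"'
}
```

Running `outer_expansion` prints nothing, while `inner_expansion` prints the injected token; `nuke_via_vault my-account` applies the second form, so the temporary session token reaches aws-nuke instead of being dropped on the way in.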

FernandoMiguel commented 5 years ago

That's a terrible way of doing this. I get it to work with my role just fine.

jayunit100 commented 4 years ago

I had to do the --no-session thing too.

pyguy commented 4 years ago

I have the same issue when running aws-nuke with aws-vault, any solutions?

nobl9-mikec commented 2 years ago

Came across the same issue in the latest version (2.16.0); the --no-session workaround still seems to work.