This repository has been archived by the owner on May 11, 2024. It is now read-only.

IRSA Custom Resource "delete role" operation fails #8

Closed
max-boehm opened this issue May 15, 2021 · 1 comment

@max-boehm
Contributor

When using the IRSA Custom Resource in a CloudFormation template I get an error when deleting the stack. Example:

```yaml
AWSTemplateFormatVersion: '2010-09-09'

Parameters:
  ClusterName:
    Description: EKS cluster name
    Type: String

Resources:
  IAMRole:
    Type: Custom::ServiceAccountRole
    Properties:
      RoleName: !Sub "${ClusterName}-default-role"
      ServiceToken: !ImportValue EKSIRSARoleCreationFunction
      ClusterName: !Ref ClusterName
      ServiceAccount: default
      Namespace: default
      ManagedPolicyArns:
        - !Ref IAMPolicy
  IAMPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: IAM policy for the service account
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: s3:*
            Resource: '*'
```

When deleting the stack I get:

Received response status [FAILED] from custom resource. Message returned: Cannot delete entity, must detach all policies first. (RequestId: ef5d25cc-8883-4d0c-a24e-9ccb35a221b8)

I think the deleteRole() function in the lambda handler needs to detach the role policies first. I had created a PR with a fix, but it has not been discussed and was just closed, see #7.
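The delete ordering described in the issue above, as an added Python example that is not the repository's handler code or the fix from #7 or #9. It assumes `iam` exposes the boto3 IAM client methods named below, goes one step beyond the issue by also removing inline policies (IAM refuses to delete a role that still has them), and uses `FakeIAM`, a constructed in-memory stand-in, so that it runs offline.

```python
def _list_all(call, key, **kwargs):
    """Collect every item from a Marker/IsTruncated-paginated IAM list call."""
    items, marker = [], None
    while True:
        page = call(**kwargs, **({"Marker": marker} if marker else {}))
        items.extend(page[key])
        if not page.get("IsTruncated"):
            return items
        marker = page["Marker"]

def delete_role(iam, role_name):
    """Detach managed policies, delete inline policies, then delete the role."""
    # List everything before mutating so pagination markers stay valid.
    attached = _list_all(iam.list_attached_role_policies, "AttachedPolicies", RoleName=role_name)
    inline = _list_all(iam.list_role_policies, "PolicyNames", RoleName=role_name)
    for policy in attached:
        iam.detach_role_policy(RoleName=role_name, PolicyArn=policy["PolicyArn"])
    for name in inline:
        iam.delete_role_policy(RoleName=role_name, PolicyName=name)
    iam.delete_role(RoleName=role_name)
    return {"detached": [p["PolicyArn"] for p in attached], "inline": inline}

class FakeIAM:
    """Constructed in-memory stand-in that enforces IAM's ordering rule."""
    def __init__(self, attached, inline):
        self.attached, self.inline, self.deleted = list(attached), list(inline), False

    def _page(self, items, key, marker):
        start = int(marker or 0)  # one item per page to exercise pagination
        more = start + 1 < len(items)
        page = {key: items[start:start + 1], "IsTruncated": more}
        return {**page, "Marker": str(start + 1)} if more else page

    def list_attached_role_policies(self, RoleName, Marker=None):
        arns = [{"PolicyArn": a} for a in self.attached]
        return self._page(arns, "AttachedPolicies", Marker)

    def list_role_policies(self, RoleName, Marker=None):
        return self._page(self.inline, "PolicyNames", Marker)
    def detach_role_policy(self, RoleName, PolicyArn):
        self.attached.remove(PolicyArn)
    def delete_role_policy(self, RoleName, PolicyName):
        self.inline.remove(PolicyName)

    def delete_role(self, RoleName):
        if self.attached or self.inline:
            raise RuntimeError("Cannot delete entity, must detach all policies first.")
        self.deleted = True
```

With a real client, pass `boto3.client("iam")` as `iam`; the role's permissions must allow the list, detach and delete calls used here.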

@otterley
Contributor

Closed by #9
