
AWS Role deletion fails #4078

Closed
dvianello opened this issue May 29, 2019 · 5 comments · Fixed by #4220

Comments

@dvianello dvianello commented May 29, 2019

We're trying to code a policy that immediately deletes any role trusting a non-whitelisted account id, something along the lines of:

policies:
  - name: iam-delete-roles-with-unauthorized-cross-account-access
    resource: iam-role
    description: |
      Remove roles trusting an unauthorized account
    region: eu-west-1
    filters:
      - type: cross-account
        whitelist:
          - "XXXXXXXXXXX" 
          - "YYYYYYYYYYY" 
          - "WWWWWWWW"
    actions:
      - delete

Filtering works all right, but we get an error when deleting the role that says:

2019-05-29 15:22:06,751: custodian.actions:WARNING Role:arn:aws:iam::506838722335:role/xxxxxxxxxx cannot be deleted, must remove role from instance profile first
2019-05-29 15:22:06,826: c7n_org:ERROR Exception running policy:iam-delete-roles-with-unauthorized-cross-account-access account:Prod region:eu-west-1 error:An error occurred (DeleteConflict) when calling the DeleteRole operation: Cannot delete entity, must detach all policies first.

First error doesn't make sense for a cross-account role, as they're not linked to instance profiles, and it's actually caused by a hardcoded message in Custodian's code here. The second error makes more sense as there's a policy attached to this role, but we'd expected Custodian to detach policies and then delete the role. After all, I'm not sure how frequently roles will be empty when attempting to delete them. Or am I missing something somewhere?
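The policy above filters on which accounts a role's trust policy lets assume it. The following is an added example of that check, not cloud-custodian's own `cross-account` filter: it parses an IAM trust-policy document, collects the account ids behind each `AWS` principal (bare ids, root/user/role ARNs, STS ARNs) and reports those not on the whitelist. The trust policy, the whitelist and every 12-digit id are constructed placeholders; condition keys are ignored, which is an assumption of this simplified version, not of the real filter.

```python
"""Check which AWS account ids a role's trust policy lets assume it.

Added example for this thread, not cloud-custodian's cross-account filter.
The trust policy document and the whitelist below are constructed sample
data; every 12-digit id is a placeholder, not a real account.
"""
import json
import re

# Principal ARNs carry the account id in the fifth colon-separated field.
ARN_ACCOUNT_RE = re.compile(r"^arn:aws:(?:iam|sts)::(\d{12}):")
ASSUME_ACTIONS = ("sts:AssumeRole", "sts:*", "*")


def principal_account(principal):
    """Return the 12-digit account id behind an AWS principal string, or None.

    Handles a bare id, a root/user/role ARN and an STS assumed-role ARN.
    Service principals (ec2.amazonaws.com), federated providers and the
    wildcard are not account principals and yield None.
    """
    if re.fullmatch(r"\d{12}", principal):
        return principal
    m = ARN_ACCOUNT_RE.match(principal)
    return m.group(1) if m else None


def trusted_accounts(trust_policy):
    """Return the set of account ids that Allow statements grant sts:AssumeRole to.

    A wildcard principal ("*" or {"AWS": "*"}) is reported as "*" so the
    caller can treat it as unauthorized. Condition keys are ignored here
    (assumption: a simplified check, not the filter's full evaluation).
    """
    if isinstance(trust_policy, str):
        trust_policy = json.loads(trust_policy)
    statements = trust_policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    accounts = set()
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ASSUME_ACTIONS for a in actions):
            continue
        principal = st.get("Principal", {})
        if principal == "*":
            accounts.add("*")
            continue
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        for p in aws:
            if p == "*":
                accounts.add("*")
            else:
                acct = principal_account(p)
                if acct:
                    accounts.add(acct)
    return accounts


def unauthorized_trusts(trust_policy, whitelist):
    """Trusted account ids that are not whitelisted; "*" is never whitelisted."""
    return trusted_accounts(trust_policy) - (set(whitelist) - {"*"})


# Constructed sample: a role trusted by two accounts plus the EC2 service.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": ["arn:aws:iam::111111111111:root", "222222222222"]},
            "Action": "sts:AssumeRole",
        },
        {
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        },
    ],
}
SAMPLE_WHITELIST = ["111111111111"]  # the one account treated as authorized

if __name__ == "__main__":
    print("trusted:", sorted(trusted_accounts(SAMPLE_TRUST_POLICY)))
    print("unauthorized:", sorted(unauthorized_trusts(SAMPLE_TRUST_POLICY, SAMPLE_WHITELIST)))
```

With a real client the document comes from `get_role()["Role"]["AssumeRolePolicyDocument"]`; the service-principal statement is skipped because it names no account, which is why an EC2 role with no `AWS` principal never shows up as a cross-account trust.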

@PratMis PratMis commented May 31, 2019

Hello @dvianello , when you create an IAM role through the console, AWS automatically creates an instance profile and gives it the same name as the role. Afaics, you shouldn't be able to delete the role until the instance profile is deleted, since the instance profile contains the IAM role. I think the first error won't be seen if you try to delete a role which isn't linked to any instance profile.

@dvianello dvianello commented May 31, 2019

Hi @PratMis,

I think that's the default for roles that have EC2 as a trust, not for roles where the trust is a different AWS account. Manually trying to delete the role through the CLI fails with an error mentioning that there are still policies attached to the role and it can't be deleted, and I assume that's the error Custodian is getting too, but it's partially masked by how the code is currently dealing with DeleteConflictException.

@PratMis PratMis commented Jun 3, 2019

Ah, got it! Thanks for the clarification. I'll put a PR to make the error message more explicit if that works.

@kapilt kapilt commented Jun 4, 2019

More relevant than the logging is actually handling the scenario for detaching associated resources from the role, aka force: true.

@PratMis PratMis commented Jun 4, 2019

Sounds good!
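The `DeleteConflict` in the original report and the `force: true` handling kapilt asks for come down to ordering: `DeleteRole` refuses a role that is still in an instance profile, still has managed policies attached, or still has inline policies. The following is an added example of that ordering, written for this thread and not cloud-custodian's implementation. `force_delete_role` drives any object exposing the boto3 IAM client methods it calls (`list_instance_profiles_for_role`, `remove_role_from_instance_profile`, `list_attached_role_policies`, `detach_role_policy`, `list_role_policies`, `delete_role_policy`, `delete_role`); `FakeIAM` and `DeleteConflict` are constructed in-memory stand-ins so it runs offline, and the role and policy names in the sample are constructed too.

```python
"""Remove an IAM role's dependencies in the order DeleteRole requires.

Added example for this thread, not cloud-custodian's force-delete code.
force_delete_role() calls boto3 IAM client method names; FakeIAM is a
constructed stand-in so the example runs offline. With a real client,
pass boto3.client("iam") instead.
"""


def _pages(call, key, **kwargs):
    """Yield every item of a Marker/IsTruncated paginated IAM list call."""
    marker = None
    while True:
        resp = call(**kwargs, Marker=marker) if marker else call(**kwargs)
        yield from resp.get(key, [])
        if not resp.get("IsTruncated"):
            return
        marker = resp["Marker"]


def force_delete_role(iam, role_name):
    """Detach everything DeleteRole conflicts on, then delete the role.

    Order: instance profiles, attached managed policies, inline policies,
    then the role itself. Returns a report of what was removed so the
    caller can log it alongside the deletion.
    """
    report = {"instance_profiles": [], "attached_policies": [], "inline_policies": []}
    # Materialise each listing before mutating, so pagination is not disturbed.
    for profile in list(_pages(iam.list_instance_profiles_for_role, "InstanceProfiles", RoleName=role_name)):
        name = profile["InstanceProfileName"]
        iam.remove_role_from_instance_profile(InstanceProfileName=name, RoleName=role_name)
        report["instance_profiles"].append(name)
    for pol in list(_pages(iam.list_attached_role_policies, "AttachedPolicies", RoleName=role_name)):
        iam.detach_role_policy(RoleName=role_name, PolicyArn=pol["PolicyArn"])
        report["attached_policies"].append(pol["PolicyArn"])
    for name in list(_pages(iam.list_role_policies, "PolicyNames", RoleName=role_name)):
        iam.delete_role_policy(RoleName=role_name, PolicyName=name)
        report["inline_policies"].append(name)
    iam.delete_role(RoleName=role_name)
    return report


class DeleteConflict(Exception):
    """Constructed stand-in for the botocore DeleteConflict client error."""


class FakeIAM:
    """Constructed in-memory IAM that mirrors the call shapes used above.

    roles: {name: {"profiles": [...], "attached": [arn, ...], "inline": [...]}}
    """

    def __init__(self, roles):
        self.roles = roles

    def list_instance_profiles_for_role(self, RoleName):
        names = self.roles[RoleName]["profiles"]
        return {"InstanceProfiles": [{"InstanceProfileName": n} for n in names], "IsTruncated": False}

    def remove_role_from_instance_profile(self, InstanceProfileName, RoleName):
        self.roles[RoleName]["profiles"].remove(InstanceProfileName)

    def list_attached_role_policies(self, RoleName):
        arns = self.roles[RoleName]["attached"]
        return {"AttachedPolicies": [{"PolicyArn": a} for a in arns], "IsTruncated": False}

    def detach_role_policy(self, RoleName, PolicyArn):
        self.roles[RoleName]["attached"].remove(PolicyArn)

    def list_role_policies(self, RoleName):
        return {"PolicyNames": list(self.roles[RoleName]["inline"]), "IsTruncated": False}

    def delete_role_policy(self, RoleName, PolicyName):
        self.roles[RoleName]["inline"].remove(PolicyName)

    def delete_role(self, RoleName):
        # Same refusal as the real API: the role must be empty first.
        r = self.roles[RoleName]
        if r["profiles"] or r["attached"] or r["inline"]:
            raise DeleteConflict("Cannot delete entity, must detach all policies first.")
        del self.roles[RoleName]


def demo():
    """Constructed scenario: a cross-account role with one managed and one inline policy."""
    iam = FakeIAM({"cross-account-role": {
        "profiles": [],
        "attached": ["arn:aws:iam::aws:policy/ReadOnlyAccess"],
        "inline": ["s3-list"],
    }})
    return force_delete_role(iam, "cross-account-role"), iam


if __name__ == "__main__":
    report, _ = demo()
    print(report)
```

The report is what a `force` action would want to log instead of the fixed "must remove role from instance profile first" message: it states which of the three dependency kinds were actually present, so the cross-account case from the original report would show attached and inline policies and no instance profile.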
