Error when running script - without no-dry-run parameter about aws-nuke HOT 8 CLOSED

It is hard to tell what exactly went wrong here.

• Does it actually work with --no-dry-run?
• How exactly did you invoke aws-nuke?
• Does it work if you specify --target S3Bucket?
• Does it work if you specify --target S3Object?

We also might to add more verbose logging for debugging such problems.

from aws-nuke.

Thanks for the reply! Apologies for the delayed response, answers to your questions below:

Does it actually work with --no-dry-run?

Pretty much the same result, errors are listed below, and it doesnt list any s3 buckets or objects in the audit run.

=============

Listing with resources.ResourceLister failed:

AccessDenied: Access Denied
status code: 403, request id: 6E881626BBEBF73F, host id: P/LrmCt2w+pjIykQqeN446olnmyNcsGakXU8Sft9jprJkN7mlM6G4500j38P8HxuvXcvb39ZKjk=

Please report this to https://github.com/rebuy-de/aws-nuke/issues/new.

=============

=============

Listing with resources.ResourceLister failed:

AccessDenied: Access Denied
status code: 403, request id: EA8FD2CD9079DF2A, host id: +2brNsStmgithKFZq+2aE/ib/f5YJT9GqaVzKlPo8xCIIJjdGB+W5s+AXEM8UAObNzqsrJQbjD4=

Please report this to https://github.com/rebuy-de/aws-nuke/issues/new.

=============

How exactly did you invoke aws-nuke?

aws-nuke -c ~/projects/aws-nuke/nuke-config-all-regions.yml --profile default | tee ~/projects/aws-nuke/troubleshoot.out

Does it work if you specify --target S3Bucket?

No, results below:

=============

Listing with resources.ResourceLister failed:

AccessDenied: Access Denied
status code: 403, request id: 8C488CECC3A34077, host id: ATSLs5LKOE79NyhxetwG3GUXWBKeSYIN5Et/InLle8YQoxfihYoA8LTTVfAs0dIR9Zs3YN5qixs=

Please report this to https://github.com/rebuy-de/aws-nuke/issues/new.

=============

=============

Listing with resources.ResourceLister failed:

AccessDenied: Access Denied
status code: 403, request id: 45575840981F817E, host id: rJVQ+caSm4N53PqxNqz9sC84YUmc/TmUUW/S2xX+Dvr78UUdRyhJK6vwte1mctx2xPKzN33LMr4=

Please report this to https://github.com/rebuy-de/aws-nuke/issues/new.

=============

Does it work if you specify --target S3Object?

No, results below:

=============

Listing with resources.ResourceLister failed:

AccessDenied: Access Denied
status code: 403, request id: 6CABD0F62C60469B, host id: 7SF2YZxlTP+05aZwaBTVKs9+lMPmNBdh6UbyK4Pk5o3liUfERFtk7yKr5pY/36PgPJn64T0aoNk=

Please report this to https://github.com/rebuy-de/aws-nuke/issues/new.

=============

=============

Listing with resources.ResourceLister failed:

AccessDenied: Access Denied
status code: 403, request id: C9687105AE6E2883, host id: F4aTggxd/GGlcZVrTU5aUB20kDQJOfFcZgy0id+v7FbAHzUD8GMeiRMiSMBL2dhIyFmeT/lfNZY=

Please report this to https://github.com/rebuy-de/aws-nuke/issues/new.

=============

I've confirmed the account I'm running the script under has full access to s3 - I can create and delete buckets etc with it no problems. Happy to turn on verbose logging and share the results - just let me know the beast way to go about it?

from aws-nuke.

It looks like we have to improve logging to figure out which request fails.

Looking into the code, there are done some other requests. You could try these aws CLI commands:

aws s3api list-buckets
aws s3api get-bucket-location --bucket your-bucket

None of these commands should fail. Otherwise theses are the missing permissions.

from aws-nuke.

Yes, both those commands work fine, so doesn't look like a permissions problems.

from aws-nuke.

Version v1.4.0-rc2 has a verbose flag (-v), which logs all AWS requests. You should see the broken requests there.

When using -v you should also specify a target --target S3Bucket to limit the output.

from aws-nuke.

I ran again using v1.4.0-rc2 and noticed the following in the verbose output:

DEBU[0009] sending AWS request:
> GET /xyzbucket?location= HTTP/1.1
> Host: s3.eu-west-1.amazonaws.com
> Authorization:
> User-Agent: aws-sdk-go/1.12.74 (go1.8.7; darwin; amd64)
> X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
> X-Amz-Date: 20180214T100752Z
> X-Amz-Security-Token: XYZetc
DEBU[0009] received AWS response:
< HTTP/1.1 403 Forbidden
< Transfer-Encoding: chunked
< Content-Type: application/xml
< Date: Wed, 14 Feb 2018 10:07:51 GMT
< Server: AmazonS3
< X-Amz-Id-2: 23eW90YDaCcPm1AcqirNH9Utb9FsJEP1iqFWtOzu9hHz52ctMPM7yIpPCK2T2+YnTJnizvo+K2w=
< X-Amz-Request-Id: D58A30194FCC2EFA
<
< f3
<
< AccessDeniedAccess DeniedD58A30194FCC2EFA23eW90YDaCcPm1AcqirNH9Utb9FsJEP1iqFWtOzu9hHz52ctMPM7yIpPCK2T2+YnTJnizvo+K2w=
< 0
ERRO[0009] Listing with resources.ResourceLister failed. Please report this to https://github.com/rebuy-de/aws-nuke/issues/new.
!!! AccessDenied: Access Denied
!!! status code: 403, request id: D58A30194FCC2EFA, host id: 23eW90YDaCcPm1AcqirNH9Utb9FsJEP1iqFWtOzu9hHz52ctMPM7yIpPCK2T2+YnTJnizvo+K2w=

Checking deeper on the bucket I found a deny rule in the policy which was also limiting the User with full access to the account from accessing the bucket. Once this rule was deleted aws-nuke could then see the bucket and was able to delete it using the -no-dry-run flag.

So it was a permissions problem in the end on the bucket, which then caused the nuke script to bail out of any s3 related reporting or deletions. Which i guess is something perhaps worth investigating into why it did that, instead of flagging that bucket, moving onto the next and then offering all other s3 buckets/objects as items to nuke?

Thanks very much for your help on this though, much appreciated!

from aws-nuke.

So the issue only appeared on a single bucket? It is true that it is not necessary to fail on all buckets then. We should change that.

Thank you for your feedback!

from aws-nuke.

A single bucket had the "deny" set in the policy, but it caused all s3 buckets to be ignored in all runs (i.e. with/without the -- no-dry-run parameter).

from aws-nuke.