Comments (8)
It is hard to tell what exactly went wrong here.
- Does it actually work with `--no-dry-run`?
- How exactly did you invoke `aws-nuke`?
- Does it work if you specify `--target S3Bucket`?
- Does it work if you specify `--target S3Object`?
We also might want to add more verbose logging for debugging such problems.
from aws-nuke.
Thanks for the reply! Apologies for the delayed response, answers to your questions below:
Does it actually work with --no-dry-run?
Pretty much the same result; the errors are listed below, and it doesn't list any S3 buckets or objects in the audit run.
=============
Listing with resources.ResourceLister failed:
AccessDenied: Access Denied
status code: 403, request id: 6E881626BBEBF73F, host id: P/LrmCt2w+pjIykQqeN446olnmyNcsGakXU8Sft9jprJkN7mlM6G4500j38P8HxuvXcvb39ZKjk=
Please report this to https://github.com/rebuy-de/aws-nuke/issues/new.
=============
=============
Listing with resources.ResourceLister failed:
AccessDenied: Access Denied
status code: 403, request id: EA8FD2CD9079DF2A, host id: +2brNsStmgithKFZq+2aE/ib/f5YJT9GqaVzKlPo8xCIIJjdGB+W5s+AXEM8UAObNzqsrJQbjD4=
Please report this to https://github.com/rebuy-de/aws-nuke/issues/new.
=============
How exactly did you invoke aws-nuke?
aws-nuke -c ~/projects/aws-nuke/nuke-config-all-regions.yml --profile default | tee ~/projects/aws-nuke/troubleshoot.out
Does it work if you specify --target S3Bucket?
No, results below:
=============
Listing with resources.ResourceLister failed:
AccessDenied: Access Denied
status code: 403, request id: 8C488CECC3A34077, host id: ATSLs5LKOE79NyhxetwG3GUXWBKeSYIN5Et/InLle8YQoxfihYoA8LTTVfAs0dIR9Zs3YN5qixs=
Please report this to https://github.com/rebuy-de/aws-nuke/issues/new.
=============
=============
Listing with resources.ResourceLister failed:
AccessDenied: Access Denied
status code: 403, request id: 45575840981F817E, host id: rJVQ+caSm4N53PqxNqz9sC84YUmc/TmUUW/S2xX+Dvr78UUdRyhJK6vwte1mctx2xPKzN33LMr4=
Please report this to https://github.com/rebuy-de/aws-nuke/issues/new.
=============
Does it work if you specify --target S3Object?
No, results below:
=============
Listing with resources.ResourceLister failed:
AccessDenied: Access Denied
status code: 403, request id: 6CABD0F62C60469B, host id: 7SF2YZxlTP+05aZwaBTVKs9+lMPmNBdh6UbyK4Pk5o3liUfERFtk7yKr5pY/36PgPJn64T0aoNk=
Please report this to https://github.com/rebuy-de/aws-nuke/issues/new.
=============
=============
Listing with resources.ResourceLister failed:
AccessDenied: Access Denied
status code: 403, request id: C9687105AE6E2883, host id: F4aTggxd/GGlcZVrTU5aUB20kDQJOfFcZgy0id+v7FbAHzUD8GMeiRMiSMBL2dhIyFmeT/lfNZY=
Please report this to https://github.com/rebuy-de/aws-nuke/issues/new.
=============
I've confirmed the account I'm running the script under has full access to S3 - I can create and delete buckets etc. with it no problem. Happy to turn on verbose logging and share the results - just let me know the best way to go about it?
from aws-nuke.
It looks like we have to improve logging to figure out which request fails.
Looking into the code, there are some other requests being made. You could try these AWS CLI commands:
aws s3api list-buckets
aws s3api get-bucket-location --bucket your-bucket
None of these commands should fail. Otherwise these are the missing permissions.
from aws-nuke.
Yes, both of those commands work fine, so it doesn't look like a permissions problem.
from aws-nuke.
Version v1.4.0-rc2 has a verbose flag (`-v`), which logs all AWS requests. You should see the broken requests there.
When using `-v` you should also specify a target (`--target S3Bucket`) to limit the output.
from aws-nuke.
I ran again using v1.4.0-rc2 and noticed the following in the verbose output:
DEBU[0009] sending AWS request:
> GET /xyzbucket?location= HTTP/1.1
> Host: s3.eu-west-1.amazonaws.com
> Authorization:
> User-Agent: aws-sdk-go/1.12.74 (go1.8.7; darwin; amd64)
> X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
> X-Amz-Date: 20180214T100752Z
> X-Amz-Security-Token: XYZetc
DEBU[0009] received AWS response:
< HTTP/1.1 403 Forbidden
< Transfer-Encoding: chunked
< Content-Type: application/xml
< Date: Wed, 14 Feb 2018 10:07:51 GMT
< Server: AmazonS3
< X-Amz-Id-2: 23eW90YDaCcPm1AcqirNH9Utb9FsJEP1iqFWtOzu9hHz52ctMPM7yIpPCK2T2+YnTJnizvo+K2w=
< X-Amz-Request-Id: D58A30194FCC2EFA
<
< f3
< <?xml version="1.0" encoding="UTF-8"?>
< <Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>D58A30194FCC2EFA</RequestId><HostId>23eW90YDaCcPm1AcqirNH9Utb9FsJEP1iqFWtOzu9hHz52ctMPM7yIpPCK2T2+YnTJnizvo+K2w=</HostId></Error>
< 0
ERRO[0009] Listing with resources.ResourceLister failed. Please report this to https://github.com/rebuy-de/aws-nuke/issues/new.
!!! AccessDenied: Access Denied
!!! status code: 403, request id: D58A30194FCC2EFA, host id: 23eW90YDaCcPm1AcqirNH9Utb9FsJEP1iqFWtOzu9hHz52ctMPM7yIpPCK2T2+YnTJnizvo+K2w=
Checking deeper on the bucket I found a deny rule in the policy which was also limiting the user with full access to the account from accessing the bucket. Once this rule was deleted aws-nuke could then see the bucket and was able to delete it using the `--no-dry-run` flag.
So it was a permissions problem in the end on the bucket, which then caused the nuke script to bail out of any S3-related reporting or deletions. Which I guess is something perhaps worth investigating: why it did that, instead of flagging that bucket, moving on to the next and then offering all other S3 buckets/objects as items to nuke?
Thanks very much for your help on this though, much appreciated!
from aws-nuke.
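The comment above is the key finding of the thread: an explicit Deny in a bucket policy overrides any Allow in the caller's identity policy, so "full access to S3" on the IAM user still yields a 403 on `GetBucketLocation` for that one bucket. The script below is an added example for this page, not aws-nuke's own code. It walks a set of bucket policies, reports per bucket which Deny statements would hit a given caller for the actions a cleanup tool needs, and keeps going past a blocked bucket instead of aborting. The caller ARN, bucket names, policy documents and the action list are constructed assumptions; Deny statements that carry a Condition cannot be evaluated offline and are flagged as conditional rather than decided.

```python
"""Audit S3 bucket policies for explicit Deny statements that block a caller.

Added example for this thread, not code from aws-nuke. The caller ARN, bucket
names, policy documents and the action list are constructed assumptions."""
import fnmatch
import json

# Actions a cleanup tool needs on a bucket. GetBucketLocation is the call that
# returned 403 in the verbose log above; the other three are assumed.
NUKE_S3_ACTIONS = ("s3:GetBucketLocation", "s3:ListBucket",
                   "s3:DeleteObject", "s3:DeleteBucket")
BUCKET_LEVEL = {"s3:getbucketlocation", "s3:listbucket", "s3:deletebucket"}


def _as_list(value):
    """Policy JSON allows a string or a list in most elements; normalise."""
    return [] if value is None else value if isinstance(value, list) else [value]


def _iam_match(pattern, value):
    """IAM wildcard match: '*' any run, '?' one char, case-insensitive."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _principal_matches(principal, caller_arn):
    """True if the Principal element covers caller_arn (user, role or account)."""
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    account = caller_arn.split(":")[4]
    covers = {"*", caller_arn, account, f"arn:aws:iam::{account}:root"}
    return any(p in covers for p in _as_list(principal.get("AWS")))


def _action_denied(stmt, action):
    if "NotAction" in stmt:
        return not any(_iam_match(p, action) for p in _as_list(stmt["NotAction"]))
    return any(_iam_match(p, action) for p in _as_list(stmt.get("Action")))


def _resource_for(action, bucket):
    """Bucket-level calls target the bucket ARN; object calls target a key."""
    arn = f"arn:aws:s3:::{bucket}"
    return arn if action.lower() in BUCKET_LEVEL else f"{arn}/some-object-key"


def blocking_denies(policy, bucket, caller_arn, actions=NUKE_S3_ACTIONS):
    """Return {action: [description, ...]} for every Deny that hits the caller.

    An explicit Deny in the bucket policy wins over any Allow in the caller's
    identity policy, which is why "full access to S3" still produced a 403.
    """
    findings = {}
    for index, stmt in enumerate(_as_list((policy or {}).get("Statement"))):
        if stmt.get("Effect") != "Deny":
            continue
        if "NotPrincipal" in stmt:  # deny everyone except the listed principals
            applies = not _principal_matches(stmt["NotPrincipal"], caller_arn)
        else:
            applies = _principal_matches(stmt.get("Principal"), caller_arn)
        if not applies:
            continue
        for action in actions:
            if not _action_denied(stmt, action):
                continue
            res = _resource_for(action, bucket)
            if "NotResource" in stmt:
                hit = not any(_iam_match(p, res) for p in _as_list(stmt["NotResource"]))
            else:
                hit = any(_iam_match(p, res) for p in _as_list(stmt.get("Resource")))
            if hit:
                sid = stmt.get("Sid", f"statement[{index}]")
                kind = "conditional" if stmt.get("Condition") else "unconditional"
                findings.setdefault(action, []).append(f"{sid} ({kind})")
    return findings


def audit_buckets(policies, caller_arn, actions=NUKE_S3_ACTIONS):
    """Check every bucket and keep going, so one locked-down bucket cannot hide
    the rest. policies maps bucket -> policy dict, JSON string or None."""
    report = {}
    for bucket, doc in policies.items():
        doc = json.loads(doc) if isinstance(doc, str) else doc
        report[bucket] = blocking_denies(doc, bucket, caller_arn, actions)
    return report


# Constructed sample input: one caller and three bucket policies.
CALLER = "arn:aws:iam::123456789012:user/nuke-admin"
SAMPLE_POLICIES = {
    "xyzbucket": {"Statement": [{  # the kind of deny behind the 403 above
        "Sid": "LockdownToPipelineRole", "Effect": "Deny",
        "NotPrincipal": {"AWS": "arn:aws:iam::123456789012:role/pipeline"},
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::xyzbucket", "arn:aws:s3:::xyzbucket/*"]}]},
    "logs-bucket": {"Statement": [{  # only bites over plain HTTP: conditional
        "Sid": "RequireTLS", "Effect": "Deny", "Principal": "*",
        "Action": "s3:*", "Resource": "arn:aws:s3:::logs-bucket/*",
        "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]},
    "plain-bucket": None,  # no bucket policy attached
}

if __name__ == "__main__":
    print(json.dumps(audit_buckets(SAMPLE_POLICIES, CALLER), indent=2))
```

To run this against a real account, collect each policy with `aws s3api get-bucket-policy --bucket <name> --query Policy --output text` (the call returns an error for buckets without a policy; map those to `None`) and pass the resulting dict to `audit_buckets`. A bucket reported with an unconditional Deny on `s3:GetBucketLocation` is exactly the case in this thread, and the report lists it alongside the untouched buckets rather than stopping at it.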
So the issue only appeared on a single bucket? It is true that it is not necessary to fail on all buckets then. We should change that.
Thank you for your feedback!
from aws-nuke.
A single bucket had the "deny" set in the policy, but it caused all S3 buckets to be ignored in all runs (i.e. with/without the `--no-dry-run` parameter).
from aws-nuke.