Error when running script - without no-dry-run parameter #73

Closed
svassella123 opened this issue Jan 23, 2018 · 8 comments

Comments

@svassella123

Awesome script, but got the following error when running the script:

=============

Listing with resources.ResourceLister failed:

AccessDenied: Access Denied
status code: 403, request id: 221279D5AEAA9865, host id: UDu8naECiceHFqf0MaRNWauGjWzCHoe+bZOPKENizG3OTcJe9LE+tCViZsv5gYut6W4NQ96mMSE=

Please report this to https://github.com/rebuy-de/aws-nuke/issues/new.

=============

=============

Listing with resources.ResourceLister failed:

AccessDenied: Access Denied
status code: 403, request id: B95637B9B6988946, host id: WBJrDH6j6B7Xjzalz/zeAYZQA8aoB1d1yDmMKu9OVjUzIXJyFWLsRHouRsWW7RZXZSa2k//xulQ=

Please report this to https://github.com/rebuy-de/aws-nuke/issues/new.

=============

The script does complete, though it fails to detect the S3 buckets and objects. The account the script is running under has full admin access and I can see the s3 buckets doing a "aws s3 ls" command.

@svenwltr
Member

It is hard to tell what exactly went wrong here.

  • Does it actually work with --no-dry-run?
  • How exactly did you invoke aws-nuke?
  • Does it work if you specify --target S3Bucket?
  • Does it work if you specify --target S3Object?

We also might add more verbose logging for debugging such problems.

@svassella123
Author

Thanks for the reply! Apologies for the delayed response, answers to your questions below:

Does it actually work with --no-dry-run?

Pretty much the same result, errors are listed below, and it doesn't list any s3 buckets or objects in the audit run.

=============

Listing with resources.ResourceLister failed:

AccessDenied: Access Denied
status code: 403, request id: 6E881626BBEBF73F, host id: P/LrmCt2w+pjIykQqeN446olnmyNcsGakXU8Sft9jprJkN7mlM6G4500j38P8HxuvXcvb39ZKjk=

Please report this to https://github.com/rebuy-de/aws-nuke/issues/new.

=============

=============

Listing with resources.ResourceLister failed:

AccessDenied: Access Denied
status code: 403, request id: EA8FD2CD9079DF2A, host id: +2brNsStmgithKFZq+2aE/ib/f5YJT9GqaVzKlPo8xCIIJjdGB+W5s+AXEM8UAObNzqsrJQbjD4=

Please report this to https://github.com/rebuy-de/aws-nuke/issues/new.

=============

How exactly did you invoke aws-nuke?

aws-nuke -c ~/projects/aws-nuke/nuke-config-all-regions.yml --profile default | tee ~/projects/aws-nuke/troubleshoot.out

Does it work if you specify --target S3Bucket?

No, results below:

=============

Listing with resources.ResourceLister failed:

AccessDenied: Access Denied
status code: 403, request id: 8C488CECC3A34077, host id: ATSLs5LKOE79NyhxetwG3GUXWBKeSYIN5Et/InLle8YQoxfihYoA8LTTVfAs0dIR9Zs3YN5qixs=

Please report this to https://github.com/rebuy-de/aws-nuke/issues/new.

=============

=============

Listing with resources.ResourceLister failed:

AccessDenied: Access Denied
status code: 403, request id: 45575840981F817E, host id: rJVQ+caSm4N53PqxNqz9sC84YUmc/TmUUW/S2xX+Dvr78UUdRyhJK6vwte1mctx2xPKzN33LMr4=

Please report this to https://github.com/rebuy-de/aws-nuke/issues/new.

=============

Does it work if you specify --target S3Object?

No, results below:

=============

Listing with resources.ResourceLister failed:

AccessDenied: Access Denied
status code: 403, request id: 6CABD0F62C60469B, host id: 7SF2YZxlTP+05aZwaBTVKs9+lMPmNBdh6UbyK4Pk5o3liUfERFtk7yKr5pY/36PgPJn64T0aoNk=

Please report this to https://github.com/rebuy-de/aws-nuke/issues/new.

=============

=============

Listing with resources.ResourceLister failed:

AccessDenied: Access Denied
status code: 403, request id: C9687105AE6E2883, host id: F4aTggxd/GGlcZVrTU5aUB20kDQJOfFcZgy0id+v7FbAHzUD8GMeiRMiSMBL2dhIyFmeT/lfNZY=

Please report this to https://github.com/rebuy-de/aws-nuke/issues/new.

=============

I've confirmed the account I'm running the script under has full access to s3 - I can create and delete buckets etc. with it no problems. Happy to turn on verbose logging and share the results - just let me know the best way to go about it?

@svenwltr
Member

svenwltr commented Feb 5, 2018

It looks like we have to improve logging to figure out which request fails.

Looking into the code, there are some other requests being done. You could try these aws CLI commands:

aws s3api list-buckets
aws s3api get-bucket-location --bucket your-bucket

None of these commands should fail. Otherwise these are the missing permissions.

@svassella123
Author

Yes, both those commands work fine, so it doesn't look like a permissions problem.

@svenwltr
Member

Version v1.4.0-rc2 has a verbose flag (-v), which logs all AWS requests. You should see the broken requests there.

When using -v you should also specify a target --target S3Bucket to limit the output.

@svassella123
Author

I ran again using v1.4.0-rc2 and noticed the following in the verbose output:

DEBU[0009] sending AWS request:
> GET /xyzbucket?location= HTTP/1.1
> Host: s3.eu-west-1.amazonaws.com
> Authorization:
> User-Agent: aws-sdk-go/1.12.74 (go1.8.7; darwin; amd64)
> X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
> X-Amz-Date: 20180214T100752Z
> X-Amz-Security-Token: XYZetc
DEBU[0009] received AWS response:
< HTTP/1.1 403 Forbidden
< Transfer-Encoding: chunked
< Content-Type: application/xml
< Date: Wed, 14 Feb 2018 10:07:51 GMT
< Server: AmazonS3
< X-Amz-Id-2: 23eW90YDaCcPm1AcqirNH9Utb9FsJEP1iqFWtOzu9hHz52ctMPM7yIpPCK2T2+YnTJnizvo+K2w=
< X-Amz-Request-Id: D58A30194FCC2EFA
<
< f3
<
< AccessDeniedAccess DeniedD58A30194FCC2EFA23eW90YDaCcPm1AcqirNH9Utb9FsJEP1iqFWtOzu9hHz52ctMPM7yIpPCK2T2+YnTJnizvo+K2w=
< 0
ERRO[0009] Listing with resources.ResourceLister failed. Please report this to https://github.com/rebuy-de/aws-nuke/issues/new.
!!! AccessDenied: Access Denied
!!! status code: 403, request id: D58A30194FCC2EFA, host id: 23eW90YDaCcPm1AcqirNH9Utb9FsJEP1iqFWtOzu9hHz52ctMPM7yIpPCK2T2+YnTJnizvo+K2w=


Checking deeper on the bucket I found a deny rule in the policy which was also limiting the User with full access to the account from accessing the bucket. Once this rule was deleted aws-nuke could then see the bucket and was able to delete it using the --no-dry-run flag.

So it was a permissions problem in the end on the bucket, which then caused the nuke script to bail out of any s3 related reporting or deletions. Which I guess is something perhaps worth investigating - why it did that, instead of flagging that bucket, moving on to the next and then offering all other s3 buckets/objects as items to nuke?

Thanks very much for your help on this though, much appreciated!

@svenwltr
Member

So the issue only appeared on a single bucket? It is true that it is not necessary to fail on all buckets then. We should change that.

Thank you for your feedback!

@svassella123
Author

A single bucket had the "deny" set in the policy, but it caused all s3 buckets to be ignored in all runs (i.e. with/without the --no-dry-run parameter).
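The behaviour the thread converges on, as an added Go example that is not aws-nuke's code: one bucket whose policy carries an explicit Deny returns 403 on GetBucketLocation even to an admin user, the strict lister aborts the entire S3 listing on that first error, and the change the maintainer agreed to skips the denied bucket and keeps going. The BucketLocator interface, the fakeS3 data and the listStrict/listLenient functions are hypothetical stand-ins for the real SDK client and ResourceLister.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrAccessDenied stands in for the S3 AccessDenied (HTTP 403) error quoted in the thread.
var ErrAccessDenied = errors.New("AccessDenied: Access Denied (status code: 403)")

// BucketLocator is a hypothetical narrowing of the S3 client to GetBucketLocation, the call that failed.
type BucketLocator interface {
	GetBucketLocation(bucket string) (string, error)
}

// fakeS3 is constructed test data: a bucket under an explicit policy Deny answers 403 for any caller.
type fakeS3 struct{ denied map[string]bool }

func (f fakeS3) GetBucketLocation(bucket string) (string, error) {
	if f.denied[bucket] {
		return "", ErrAccessDenied
	}
	return "eu-west-1", nil
}

// listStrict mirrors the reported behaviour: the first 403 aborts the whole S3 listing.
func listStrict(c BucketLocator, buckets []string) ([]string, error) {
	var found []string
	for _, b := range buckets {
		region, err := c.GetBucketLocation(b)
		if err != nil {
			return nil, fmt.Errorf("bucket %q: %w", b, err)
		}
		found = append(found, b+"@"+region)
	}
	return found, nil
}

// listLenient is the agreed change: skip a denied bucket, keep listing, report skips; other errors abort.
func listLenient(c BucketLocator, buckets []string) (found, skipped []string, err error) {
	for _, b := range buckets {
		region, lerr := c.GetBucketLocation(b)
		switch {
		case errors.Is(lerr, ErrAccessDenied):
			skipped = append(skipped, b)
		case lerr != nil:
			return nil, nil, fmt.Errorf("bucket %q: %w", b, lerr)
		default:
			found = append(found, b+"@"+region)
		}
	}
	return found, skipped, nil
}
```

With three constructed buckets and only xyzbucket denied, listStrict returns no buckets at all while listLenient returns the two reachable ones and names the skipped bucket, which is the difference the issue asks for.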
