scality/Arsenal

Cannot delete group or policies after deleting all users

dkilcy opened this issue · 6 comments

I have an account 'acct2' (regular vault account, no SSO) that had 3 users assigned to a group and different policies. I wanted to 'clean out' the account and delete everything.

  • I was able to delete all the users successfully
  • I am unable to delete the group or policy now

See output below.

Interestingly, in the error message below you see "The error message describes these entities."... but there is no error message displayed.

[devops@ws2 ~]$ aws --endpoint-url http://app1.lab.local:8600 iam list-users
{
    "Users": []
}
[devops@ws2 ~]$ aws --endpoint-url http://app1.lab.local:8600 iam list-groups
{
    "Groups": [
        {
            "Path": "/", 
            "CreateDate": "2016-08-25T22:13:09Z", 
            "GroupId": "EHJCYAYXDUG02QSWM6BCCJ1RN20QTK0G", 
            "Arn": "arn:aws:iam::060034739872:group/DirAccess", 
            "GroupName": "DirAccess"
        }
    ]
}
[devops@ws2 ~]$ aws --endpoint-url http://app1.lab.local:8600 iam list-policies
{
    "Policies": [
        {
            "PolicyName": "godmode", 
            "CreateDate": "2016-08-25T22:20:45Z", 
            "AttachmentCount": 1, 
            "IsAttachable": true, 
            "PolicyId": "XAJFIW9UGEK5ZAAREC59PNVKAH5XS5AS", 
            "DefaultVersionId": "v1", 
            "Path": "/", 
            "Arn": "arn:aws:iam::060034739872:policy/godmode", 
            "UpdateDate": "2016-08-25T22:20:45Z"
        }, 
        {
            "PolicyName": "homedir", 
            "CreateDate": "2016-08-25T22:12:54Z", 
            "AttachmentCount": 1, 
            "IsAttachable": true, 
            "PolicyId": "5XH3KUVA1XO6TO2XNWGSECF83WN2B4UE", 
            "DefaultVersionId": "v1", 
            "Path": "/", 
            "Arn": "arn:aws:iam::060034739872:policy/homedir", 
            "UpdateDate": "2016-08-25T22:12:54Z"
        }
    ]
}
[devops@ws2 ~]$  aws --endpoint-url http://app1.lab.local:8600 iam delete-group --group-name DirAccess

An error occurred (DeleteConflict) when calling the DeleteGroup operation: The request was rejected because it attempted to delete a resource that has attached subordinate entities. The error message describes these entities.
[devops@ws2 ~]$ 
[devops@ws2 ~]$ aws --endpoint-url http://app1.lab.local:8600 iam delete-policy --policy-arn arn:aws:iam::060034739872:policy/godmode

An error occurred (DeleteConflict) when calling the DeletePolicy operation: The request was rejected because it attempted to delete a resource that has attached subordinate entities. The error message describes these entities.
[devops@ws2 ~]$ aws --endpoint-url http://app1.lab.local:8600 iam delete-policy --policy-arn arn:aws:iam::060034739872:policy/homedir

An error occurred (DeleteConflict) when calling the DeletePolicy operation: The request was rejected because it attempted to delete a resource that has attached subordinate entities. The error message describes these entities.
[devops@ws2 ~]$ 

I checked to make sure the policy was not attached to the group; it is not...

[devops@ws2 ~]$ aws --endpoint-url http://app1.lab.local:8600 iam list-group-policies --group-name DirAccess
{
    "PolicyNames": []
}
[devops@ws2 ~]$ 

list-group-policies lists inline policies. You need list-attached-group-policies for the policies you created. You need to detach the policy from the group before deleting.
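The detach-before-delete ordering above, worked through as an added example (not code from this issue or from Arsenal/Vault): it computes a teardown order that avoids DeleteConflict and names the subordinate entities the error refers to. The inventory is constructed to mirror the thread; the user alice, her godmode attachment and godmode's second version are assumptions.

```python
# Added example: IAM teardown ordering and DeleteConflict explanation.
# Constructed inventory mirroring the thread (user alice is hypothetical).
HOMEDIR = "arn:aws:iam::060034739872:policy/homedir"
GODMODE = "arn:aws:iam::060034739872:policy/godmode"
INVENTORY = {
    "users": {"alice": {"groups": ["DirAccess"], "attached": [GODMODE], "inline": []}},
    "groups": {"DirAccess": {"attached": [HOMEDIR], "inline": []}},
    "policies": {HOMEDIR: {"versions": ["v1"], "default": "v1"},
                 GODMODE: {"versions": ["v1", "v2"], "default": "v1"}},
}


def delete_blockers(inv, kind, name):
    """Name what makes DeleteGroup / DeletePolicy fail with DeleteConflict:
    group members, attached managed and inline policies, or, for a managed
    policy, the entities it is attached to and its non-default versions."""
    if kind == "group":
        members = [u for u, d in inv["users"].items() if name in d["groups"]]
        g = inv["groups"][name]
        return ([f"user:{u}" for u in members]
                + [f"attached-policy:{a}" for a in g["attached"]]
                + [f"inline-policy:{p}" for p in g["inline"]])
    if kind == "policy":
        holders = [f"user:{u}" for u, d in inv["users"].items() if name in d["attached"]]
        holders += [f"group:{g}" for g, d in inv["groups"].items() if name in d["attached"]]
        p = inv["policies"][name]
        return holders + [f"version:{v}" for v in p["versions"] if v != p["default"]]
    raise ValueError(kind)


def teardown_plan(inv):
    """Emit `aws iam` subcommands in an order that never hits DeleteConflict:
    users first (memberships and attachments removed), then groups, then
    managed policies (non-default versions before the policy itself)."""
    cmds = []
    for u, d in inv["users"].items():
        cmds += [f"remove-user-from-group --group-name {g} --user-name {u}" for g in d["groups"]]
        cmds += [f"detach-user-policy --user-name {u} --policy-arn {a}" for a in d["attached"]]
        cmds += [f"delete-user-policy --user-name {u} --policy-name {p}" for p in d["inline"]]
        # DeleteUser also needs access keys, login profile, MFA devices and
        # signing certificates removed first; those are not modelled here.
        cmds.append(f"delete-user --user-name {u}")
    for g, d in inv["groups"].items():
        cmds += [f"detach-group-policy --group-name {g} --policy-arn {a}" for a in d["attached"]]
        cmds += [f"delete-group-policy --group-name {g} --policy-name {p}" for p in d["inline"]]
        cmds.append(f"delete-group --group-name {g}")
    for arn, d in inv["policies"].items():  # role attachments are not modelled
        cmds += [f"delete-policy-version --policy-arn {arn} --version-id {v}"
                 for v in d["versions"] if v != d["default"]]
        cmds.append(f"delete-policy --policy-arn {arn}")
    return cmds
```

Each emitted line is meant to be run as `aws --endpoint-url <vault> iam <line>`; run `delete_blockers` first to see what the server's message leaves unsaid.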

Thanks, I was able to detach and remove the policy, but still can't delete the group...

[devops@ws2 ~]$ aws --endpoint-url http://app1.lab.local:8600 iam list-attached-group-policies --group-name DirAccess 
{
    "AttachedPolicies": [
        {
            "PolicyName": "homedir", 
            "PolicyArn": "arn:aws:iam::060034739872:policy/homedir"
        }
    ]
}
[devops@ws2 ~]$  aws --endpoint-url http://app1.lab.local:8600 iam detach-group-policy --group-name DirAccess --policy-arn arn:aws:iam::060034739872:policy/homedir
[devops@ws2 ~]$  aws --endpoint-url http://app1.lab.local:8600 iam list-attached-group-policies --group-name DirAccess 
{
    "AttachedPolicies": []
}
[devops@ws2 ~]$  aws --endpoint-url http://app1.lab.local:8600 iam delete-group --group-name DirAccess

An error occurred (DeleteConflict) when calling the DeleteGroup operation: The request was rejected because it attempted to delete a resource that has attached subordinate entities. The error message describes these entities.
[devops@ws2 ~]$ 

Will you please try: aws iam get-group --group-name DirAccess

Le sigh...

[devops@ws2 ~]$ aws --endpoint-url http://app1.lab.local:8600 iam  get-group --group-name DirAccess

An error occurred (NoSuchEntity) when calling the GetGroup operation: The request was rejected because it referenced an entity that does not exist. The error message describes the entity.
[devops@ws2 ~]$ aws --endpoint-url http://app1.lab.local:8600 iam list-groups
{
    "Groups": [
        {
            "Path": "/", 
            "CreateDate": "2016-08-25T22:13:09Z", 
            "GroupId": "EHJCYAYXDUG02QSWM6BCCJ1RN20QTK0G", 
            "Arn": "arn:aws:iam::060034739872:group/DirAccess", 
            "GroupName": "DirAccess"
        }
    ]
}
[devops@ws2 ~]$

@dkilcy Do you mind re-opening this issue in Vault?