Unable to run AWS -Nuke

自作多情 posted on 2021-01-27 21:03:54

Question


I am trying to run aws-nuke to delete all the resources.

I am trying to run the command

    aws-nuke -c config/example.yaml --profile demo

config/example.yaml
    ---
    regions:
    - "global" # This is for all global resource types e.g. IAM
    - "eu-west-1"


    account-blacklist:
    - "999999999999" # production


    # optional: restrict nuking to these resources
    resource-types:
      targets:
      - IAMUser
      - IAMUserPolicyAttachment
      - IAMUserAccessKey
      - S3Bucket
      - S3Object
      - Route53HostedZone
      - EC2Instance
      - CloudFormationStack

    accounts:
      "555133742123": # demo
        filters:
          IAMUser:
          - "admin"
          IAMUserPolicyAttachment:
          - property: RoleName
            value: "admin"
          IAMUserAccessKey:
          - property: UserName
            value: "admin"
          S3Bucket:
          - "s3://my-bucket"
          S3Object:
          - type: "glob"
            value: "s3://my-bucket/*"
          Route53HostedZone:
          - property: Name
            type: "glob"
            value: "*.zone.loc."
          CloudFormationStack:
          - property: "tag:team"
            value: "myTeam"

Errors screenshot below. What is this missing?


Answer 1:


Disclaimer: I am an author of aws-nuke.

This is not a configuration problem of your YAML file, but a missing setting in your AWS account.

The IAM Alias is a globally unique name for your AWS Account. aws-nuke requires this as a safety guard, so you do not accidentally destroy your production accounts. The idea is that every production account contains at least the substring prod.

This might sound a bit unnecessary to demand this account, but we are very passionate to not nuke any production account.

You can follow the docs to specify the Alias via the web console, or you use the CLI:

    aws iam create-account-alias --profile demo --account-alias my-test-account-8gmst3

I guess we need to improve the error message.
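
As an added example (not part of the original answer and not aws-nuke's own code), a shell pre-flight check that applies the guard described above before aws-nuke is run: the account must have an alias, the alias must not contain prod, and the account ID must not be on the blacklist. The function names and return codes are assumptions made for this example; the sample values come from the question's config and the answer's command.

```shell
#!/bin/sh
# Added example: pre-flight guard to run before aws-nuke.
# check_nuke_target and preflight_live are hypothetical helper names.

# check_nuke_target ALIAS ACCOUNT_ID [BLOCKED_ID...]
# Returns 0 when the account may be targeted; 2 = no alias,
# 3 = alias contains "prod", 4 = account ID is blacklisted.
check_nuke_target() {
    acct_alias="$1"; account_id="$2"; shift 2
    # The AWS CLI prints "None" with --output text when no alias exists.
    if [ -z "$acct_alias" ] || [ "$acct_alias" = "None" ]; then
        echo "refusing: account $account_id has no alias" >&2
        return 2
    fi
    case "$acct_alias" in
        *prod*) echo "refusing: alias '$acct_alias' contains 'prod'" >&2
                return 3 ;;
    esac
    for blocked in "$@"; do
        if [ "$blocked" = "$account_id" ]; then
            echo "refusing: account $account_id is blacklisted" >&2
            return 4
        fi
    done
    return 0
}

# preflight_live PROFILE [BLOCKED_ID...]
# Looks up the alias and account ID for a profile, then applies the check.
preflight_live() {
    profile="$1"; shift
    acct_alias=$(aws iam list-account-aliases --profile "$profile" \
        --query 'AccountAliases[0]' --output text) || return 1
    account_id=$(aws sts get-caller-identity --profile "$profile" \
        --query Account --output text) || return 1
    check_nuke_target "$acct_alias" "$account_id" "$@"
}

# Constructed offline sample: alias from the answer, IDs from the question's config.
check_nuke_target "my-test-account-8gmst3" "555133742123" "999999999999" \
    && echo "pre-flight passed"
```

Against a real account, call `preflight_live demo 999999999999` and run aws-nuke only when it returns 0.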



Source: https://stackoverflow.com/questions/54301200/unable-to-run-aws-nuke
