
Deleting an IAM Role Should Not Fail if Permission Boundary Cannot Be Removed #959

Closed
1 task done
phene opened this issue Mar 2, 2022 · 5 comments · Fixed by #961
Labels
bug This issue/PR relates to a bug has_pr module module plugins plugin (any type) python3

Comments

@phene
Contributor

phene commented Mar 2, 2022

Summary

I have a role with a permission boundary that disallows removing permission boundaries. This role is then able to create a new role, which inherits that permissions boundary. If I want to delete that role, the iam_role plugin fails due to the inability to delete the permission boundary.

Deleting the permission boundary is not actually a prerequisite to deleting the role and there's nothing in AWS that requires removing permission boundaries from roles before deleting them. This comment is not true when it comes to inherited permission boundaries.

Issue Type

Bug Report

Component Name

iam_role

Ansible Version

$ ansible --version
ansible 2.10.8
  config file = None
  configured module search path = [ "elided" ]
  ansible python module location = /usr/local/lib/python3.9/site-packages/ansible
  executable location = /usr/local/bin/ansible
  python version = 3.9.10 (main, Jan 15 2022, 11:48:00) [Clang 13.0.0 (clang-1300.0.29.3)]

Collection Versions

$ ansible-galaxy collection list
amazon.aws                    1.4.1
community.aws                 1.4.0

AWS SDK versions

$ pip show boto boto3 botocore
Name: boto3
Version: 1.18.48
Summary: The AWS SDK for Python
Home-page: https://github.com/boto/boto3
Author: Amazon Web Services
Author-email:
License: Apache License 2.0
Location: /usr/lib/python3.7/site-packages
Requires: botocore, jmespath, s3transfer
Required-by:
---
Name: botocore
Version: 1.21.48
Summary: Low-level, data-driven core of boto 3.
Home-page: https://github.com/boto/botocore
Author: Amazon Web Services
Author-email:
License: Apache License 2.0
Location: /usr/lib/python3.7/site-packages
Requires: jmespath, python-dateutil, urllib3
Required-by: awscli, boto3, s3transfer

Configuration

No response

OS / Environment

No response

Steps to Reproduce

- name: Create boundary policy # iam_role's boundary parameter takes the ARN of a managed policy, not an inline document
  community.aws.iam_managed_policy:
    aws_access_key: "{{ aws_access_key }}"
    aws_secret_key: "{{ aws_secret_key }}"
    security_token: "{{ aws_session_token }}"
    policy_name: "NoBoundaryPolicyDelete"
    policy: |
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "NoBoundaryPolicyDelete",
            "Effect": "Deny",
            "Action": [
                "iam:DeleteRolePermissionsBoundary"
            ],
            "Resource": "*"
          }
        ]
      }
  register: boundary_policy

- name: Create Manager Role
  community.aws.iam_role:
    aws_access_key: "{{ aws_access_key }}"
    aws_secret_key: "{{ aws_secret_key }}"
    security_token: "{{ aws_session_token }}"
    name: "manager"
    assume_role_policy_document: |
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "AWS": "{{ aws_account_id }}"
            },
            "Action": "sts:AssumeRole"
          }
        ]
      }
    boundary: "{{ boundary_policy.policy.arn }}"
    create_instance_profile: false # boundaries cannot be set on instance profiles
  register: manager_role

- name: Assume role
  community.aws.sts_assume_role:
    aws_access_key: "{{ aws_access_key }}"
    aws_secret_key: "{{ aws_secret_key }}"
    security_token: "{{ aws_session_token }}"
    role_arn: "{{ manager_role.iam_role.arn }}" # role_arn needs the full ARN, not the role name
    role_session_name: "manager"
  register: _ansible_role

- name: Update credentials # all following tasks run as the manager role
  set_fact:
    aws_access_key: "{{ _ansible_role.sts_creds.access_key }}"
    aws_secret_key: "{{ _ansible_role.sts_creds.secret_key }}"
    aws_session_token: "{{ _ansible_role.sts_creds.session_token }}"

- name: Create test role # Inherits permission boundary from manager
  community.aws.iam_role:
    aws_access_key: "{{ aws_access_key }}"
    aws_secret_key: "{{ aws_secret_key }}"
    security_token: "{{ aws_session_token }}"
    name: "test"
    assume_role_policy_document: |
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "AWS": "{{ manager_role.iam_role.arn }}"
            },
            "Action": "sts:AssumeRole"
          }
        ]
      }

- name: Delete test role # Fails because it cannot delete the inherited permission boundary
  community.aws.iam_role:
    aws_access_key: "{{ aws_access_key }}"
    aws_secret_key: "{{ aws_secret_key }}"
    security_token: "{{ aws_session_token }}"
    name: "test"
    state: absent

Expected Results

I expect to be able to delete the role.

Actual Results

Unable to remove permission boundary for role test: An error occurred (AccessDenied) when calling the DeleteRolePermissionsBoundary operation: User: arn:aws:iam::<elided>:role/manager is not authorized to perform: iam:DeleteRolePermissionsBoundary on resource: role test with an explicit deny


@ansibullbot

@ansibullbot ansibullbot added bug This issue/PR relates to a bug module module needs_triage plugins plugin (any type) python3 labels Mar 2, 2022
@phene
Contributor Author

phene commented Mar 2, 2022

I'm happy to submit a PR removing the offending lines of code.

@tremble
Contributor

tremble commented Mar 2, 2022

@phene Looking at the docs, you're probably correct that it's not necessary to remove the permissions boundary, it is however necessary to detach the managed policies and remove the inline policies (a weird quirk of roles, this isn't true for most AWS resources).

If you can create the PR that would be the fastest way to get this added. Since we can't review and merge our own PRs, two maintainers need to get involved if a maintainer writes the PR, if you submit the PR it just takes one maintainer to approve and merge the PR.

It looks like the integration tests already check that we can delete a role with a boundary policy attached: https://github.com/ansible-collections/community.aws/blob/main/tests/integration/targets/iam_role/tasks/boundary_policy.yml#L49-L82 so the only additional thing you'll need beyond the change is to add a changelog entry: https://docs.ansible.com/ansible/latest/community/development_process.html#changelogs-how-to
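The deletion order tremble describes, as an added example that is not the collection's own code: inline policies are deleted, managed policies are detached, and the permissions boundary is never touched, so an inherited boundary that denies iam:DeleteRolePermissionsBoundary cannot block removal. It also includes the instance-profile detachment that AWS's DeleteRole documentation requires (not mentioned on this page), and FakeIAM is a constructed in-memory stand-in for a boto3 IAM client so the example runs offline.

```python
def delete_role(iam, role_name):
    """Delete an IAM role in the order AWS requires; return the API calls made."""
    calls = []
    # 1. Inline policies: DeleteRole fails while any remain.
    for name in iam.list_role_policies(RoleName=role_name)["PolicyNames"]:
        iam.delete_role_policy(RoleName=role_name, PolicyName=name)
        calls.append(("DeleteRolePolicy", name))
    # 2. Managed policies: must be detached (not deleted) from the role.
    for pol in iam.list_attached_role_policies(RoleName=role_name)["AttachedPolicies"]:
        iam.detach_role_policy(RoleName=role_name, PolicyArn=pol["PolicyArn"])
        calls.append(("DetachRolePolicy", pol["PolicyArn"]))
    # 3. Instance profiles: the role must be removed from each one first.
    for ip in iam.list_instance_profiles_for_role(RoleName=role_name)["InstanceProfiles"]:
        iam.remove_role_from_instance_profile(
            InstanceProfileName=ip["InstanceProfileName"], RoleName=role_name)
        calls.append(("RemoveRoleFromInstanceProfile", ip["InstanceProfileName"]))
    # 4. Deliberately no delete_role_permissions_boundary call: the boundary is not
    #    a prerequisite, and an inherited boundary may explicitly deny it (#959).
    iam.delete_role(RoleName=role_name)
    calls.append(("DeleteRole", role_name))
    return calls


class FakeIAM:
    """Constructed stand-in for boto3's IAM client (example only, not boto3)."""
    def __init__(self, inline, managed, profiles, boundary_arn):
        self.inline, self.managed = list(inline), list(managed)
        self.profiles, self.boundary_arn, self.deleted = list(profiles), boundary_arn, False
    def list_role_policies(self, RoleName):
        return {"PolicyNames": list(self.inline)}
    def delete_role_policy(self, RoleName, PolicyName):
        self.inline.remove(PolicyName)
    def list_attached_role_policies(self, RoleName):
        return {"AttachedPolicies": [{"PolicyArn": a} for a in self.managed]}
    def detach_role_policy(self, RoleName, PolicyArn):
        self.managed.remove(PolicyArn)
    def list_instance_profiles_for_role(self, RoleName):
        return {"InstanceProfiles": [{"InstanceProfileName": p} for p in self.profiles]}
    def remove_role_from_instance_profile(self, InstanceProfileName, RoleName):
        self.profiles.remove(InstanceProfileName)
    def delete_role_permissions_boundary(self, RoleName):
        # Mirrors the AccessDenied in the issue: the inherited boundary denies this.
        raise PermissionError("AccessDenied: iam:DeleteRolePermissionsBoundary explicit deny")
    def delete_role(self, RoleName):
        # Mirrors AWS: DeleteRole is refused while anything is still attached.
        if self.inline or self.managed or self.profiles:
            raise RuntimeError("DeleteConflict: role still has attachments")
        self.deleted = True
```

The constructed account id and ARNs used with FakeIAM are sample values, not real resources.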

@phene
Contributor Author

phene commented Mar 3, 2022

@tremble PR submitted.

softwarefactory-project-zuul bot pushed a commit that referenced this issue Mar 16, 2022
IAM Role Removal Does Not Require Removal of Permission Boundary

SUMMARY

Removes unnecessary removal of permission boundary from a role when deleting a role. Unlike inline policies, permission boundaries do not need to be removed from an IAM role before deleting the IAM role. This behavior causes issues when a permission boundary is inherited that prevents removal of the permission boundary.
Fixes #959

ISSUE TYPE


Bugfix Pull Request

COMPONENT NAME
iam_role

Reviewed-by: Markus Bergholz <git@osuv.de>
Reviewed-by: Mark Chappell <None>
patchback bot pushed a commit that referenced this issue Mar 16, 2022
(cherry picked from commit e670b34)
patchback bot pushed a commit that referenced this issue Mar 16, 2022
(cherry picked from commit e670b34)
softwarefactory-project-zuul bot pushed a commit that referenced this issue Mar 16, 2022
… (#999)

[PR #961/e670b348 backport][stable-2] IAM Role Removal Does Not Require Removal of Permission Boundary

This is a backport of PR #961 as merged into main (e670b34).
softwarefactory-project-zuul bot pushed a commit that referenced this issue Mar 16, 2022
… (#1000)

[PR #961/e670b348 backport][stable-3] IAM Role Removal Does Not Require Removal of Permission Boundary

This is a backport of PR #961 as merged into main (e670b34).
abikouo pushed a commit to abikouo/community.aws that referenced this issue Oct 24, 2023
…ible-collections#961)

IAM Role Removal Does Not Require Removal of Permission Boundary
This commit was initially merged in https://github.com/ansible-collections/community.aws
See: ansible-collections@e670b34