Deleting an IAM Role Should Not Fail if Permission Boundary Cannot Be Removed #959
Comments
I'm happy to submit a PR removing the offending lines of code.
@phene Looking at the docs, you're probably correct that it's not necessary to remove the permissions boundary; it is, however, necessary to detach the managed policies and remove the inline policies (a weird quirk of roles; this isn't true for most AWS resources). If you can create the PR, that would be the fastest way to get this added. Since we can't review and merge our own PRs, two maintainers need to get involved if a maintainer writes the PR; if you submit the PR, it just takes one maintainer to approve and merge it. It looks like the integration tests already check that we can delete a role with a boundary policy attached: https://github.com/ansible-collections/community.aws/blob/main/tests/integration/targets/iam_role/tasks/boundary_policy.yml#L49-L82, so the only additional thing you'll need beyond the change is to add a changelog entry: https://docs.ansible.com/ansible/latest/community/development_process.html#changelogs-how-to
@tremble PR submitted.
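Added example (not the community.aws iam_role module's own code) of the deletion order the maintainer describes above: detach managed policies, delete inline policies, then DeleteRole, with no DeleteRolePermissionsBoundary call. FakeIAM, strip_policies and both delete_role_* functions are constructed for this illustration; the fake mirrors boto3's method names and keyword arguments, ignores pagination, and denies the boundary call just as the inherited boundary in the report does.

```python
# Added example for this issue, not the community.aws iam_role module's own
# code. FakeIAM is a constructed stand-in for a boto3 IAM client: same method
# names and keyword arguments, pagination ignored, calls recorded, and
# DeleteRolePermissionsBoundary denied as by the inherited boundary in the report.
class AccessDenied(Exception):
    pass  # stands in for botocore's ClientError with error code AccessDenied

class FakeIAM:
    def __init__(self, managed_arns, inline_names):
        self.managed = list(managed_arns)  # attached managed policy ARNs
        self.inline = list(inline_names)   # inline policy names
        self.calls = []                    # (api, argument) in call order
    def list_attached_role_policies(self, RoleName):
        return {"AttachedPolicies": [{"PolicyArn": a} for a in self.managed]}
    def list_role_policies(self, RoleName):
        return {"PolicyNames": list(self.inline)}
    def detach_role_policy(self, RoleName, PolicyArn):
        self.calls.append(("detach_role_policy", PolicyArn))
        self.managed.remove(PolicyArn)
    def delete_role_policy(self, RoleName, PolicyName):
        self.calls.append(("delete_role_policy", PolicyName))
        self.inline.remove(PolicyName)
    def delete_role_permissions_boundary(self, RoleName):
        self.calls.append(("delete_role_permissions_boundary", RoleName))
        raise AccessDenied("explicit deny on iam:DeleteRolePermissionsBoundary")
    def delete_role(self, RoleName):
        # IAM refuses to delete a role that still has policies (DeleteConflict).
        if self.managed or self.inline:
            raise RuntimeError("DeleteConflict: detach/delete policies first")
        self.calls.append(("delete_role", RoleName))

def strip_policies(iam, name):
    """Detach managed and delete inline policies; IAM needs both before DeleteRole."""
    for p in iam.list_attached_role_policies(RoleName=name)["AttachedPolicies"]:
        iam.detach_role_policy(RoleName=name, PolicyArn=p["PolicyArn"])
    for p in iam.list_role_policies(RoleName=name)["PolicyNames"]:
        iam.delete_role_policy(RoleName=name, PolicyName=p)

def delete_role_before_fix(iam, name):
    """Pre-fix order: boundary removal runs first, so the whole task fails."""
    iam.delete_role_permissions_boundary(RoleName=name)
    strip_policies(iam, name)
    iam.delete_role(RoleName=name)

def delete_role_fixed(iam, name):
    """Fixed order: the boundary is left alone; returns the APIs called."""
    strip_policies(iam, name)
    iam.delete_role(RoleName=name)
    return [api for api, _ in iam.calls]
```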
IAM Role Removal Does Not Require Removal of Permission Boundary
SUMMARY: Removes unnecessary removal of permission boundary from a role when deleting a role. Unlike inline policies, permission boundaries do not need to be removed from an IAM role before deleting the IAM role. This behavior causes issues when a permission boundary is inherited that prevents removal of the permission boundary. Fixes #959
ISSUE TYPE: Bugfix Pull Request
COMPONENT NAME: iam_role
Reviewed-by: Markus Bergholz <git@osuv.de>
Reviewed-by: Mark Chappell <None>
IAM Role Removal Does Not Require Removal of Permission Boundary
SUMMARY: Removes unnecessary removal of permission boundary from a role when deleting a role. Unlike inline policies, permission boundaries do not need to be removed from an IAM role before deleting the IAM role. This behavior causes issues when a permission boundary is inherited that prevents removal of the permission boundary. Fixes #959
ISSUE TYPE: Bugfix Pull Request
COMPONENT NAME: iam_role
Reviewed-by: Markus Bergholz <git@osuv.de>
Reviewed-by: Mark Chappell <None>
(cherry picked from commit e670b34)
… (#999) [PR #961/e670b348 backport][stable-2] IAM Role Removal Does Not Require Removal of Permission Boundary
This is a backport of PR #961 as merged into main (e670b34).
SUMMARY: Removes unnecessary removal of permission boundary from a role when deleting a role. Unlike inline policies, permission boundaries do not need to be removed from an IAM role before deleting the IAM role. This behavior causes issues when a permission boundary is inherited that prevents removal of the permission boundary. Fixes #959
ISSUE TYPE: Bugfix Pull Request
COMPONENT NAME: iam_role
… (#1000) [PR #961/e670b348 backport][stable-3] IAM Role Removal Does Not Require Removal of Permission Boundary
This is a backport of PR #961 as merged into main (e670b34).
SUMMARY: Removes unnecessary removal of permission boundary from a role when deleting a role. Unlike inline policies, permission boundaries do not need to be removed from an IAM role before deleting the IAM role. This behavior causes issues when a permission boundary is inherited that prevents removal of the permission boundary. Fixes #959
ISSUE TYPE: Bugfix Pull Request
COMPONENT NAME: iam_role
…ible-collections#961) IAM Role Removal Does Not Require Removal of Permission Boundary
SUMMARY: Removes unnecessary removal of permission boundary from a role when deleting a role. Unlike inline policies, permission boundaries do not need to be removed from an IAM role before deleting the IAM role. This behavior causes issues when a permission boundary is inherited that prevents removal of the permission boundary. Fixes ansible-collections#959
ISSUE TYPE: Bugfix Pull Request
COMPONENT NAME: iam_role
Reviewed-by: Markus Bergholz <git@osuv.de>
Reviewed-by: Mark Chappell <None>
This commit was initially merged in https://github.com/ansible-collections/community.aws
See: ansible-collections@e670b34
Summary
I have a role with a permission boundary that disallows removing permission boundaries. This role is then able to create a new role, which inherits that permissions boundary. If I want to delete that role, the iam_role plugin fails due to the inability to delete the permission boundary. Deleting the permission boundary is not actually a prerequisite to deleting the role, and there's nothing in AWS that requires removing permission boundaries from roles before deleting them. This comment is not true when it comes to inherited permission boundaries.
Issue Type
Bug Report
Component Name
iam_role
Ansible Version
Collection Versions
AWS SDK versions
Configuration
No response
OS / Environment
No response
Steps to Reproduce
Expected Results
I expect to be able to delete the role.
Actual Results
Unable to remove permission boundary for role test: An error occurred (AccessDenied) when calling the DeleteRolePermissionsBoundary operation: User: arn:aws:iam::<elided>:role/manager is not authorized to perform: iam:DeleteRolePermissionsBoundary on resource: role test with an explicit deny