【问题标题】:Unable to delete AWS Role Policy - NoSuchEntity with Boto3无法删除 AWS 角色策略 - 使用 Boto3 的 NoSuchEntity
【发布时间】:2020-04-28 19:59:22
【问题描述】:

我无法从 Boto3 的 AWS 账户中删除角色策略。我收到一个错误:

botocore.errorfactory.NoSuchEntityException:调用DeleteRolePolicy操作时发生错误(NoSuchEntity):找不到名为potatoman9000Policy的角色策略。

策略和角色在同一个脚本中创建和删除。该策略在此特定代码发生之前被分离。我不确定为什么要找到策略名称。

这是创作:

# Create IAM policy and Role
def iam_creation(client_name):
    iam_client = boto3.client('iam')

    # Policy template
    client_onboarding_policy = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowListingOfUserFolder",
                "Action": [
                    "s3:ListBucket",
                    "s3:GetBucketLocation"
                ],
                "Effect": "Allow",
                "Resource": [
                    f"arn:aws:s3:::{client_name}"
                ]
            },
            {
                "Sid": "HomeDirObjectAccess",
                "Effect": "Allow",
                "Action": [
                    "s3:PutObject",
                    "s3:GetObject",
                    "s3:DeleteObjectVersion",
                    "s3:DeleteObject",
                    "s3:GetObjectVersion"
                    ],
                    "Resource": f"arn:aws:s3:::{client_name}/*"
            }
        ]
    }

    # Role template
    role_onboarding_policy = {
        "Version": "2012-10-17",
        "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "transfer.amazonaws.com",
                    "s3.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole"
        }
        ]
    }

    # Create policy from template
    iam_client.create_policy(
        PolicyName=f'{client_name}Policy',
        PolicyDocument=json.dumps(client_onboarding_policy)
    )

    # Create Role from template and create trust relationships
    iam_client.create_role(
        RoleName=f'{client_name}',
        AssumeRolePolicyDocument=json.dumps(role_onboarding_policy)
    )

    # Attach created policy to created role
    iam_client.attach_role_policy(
        PolicyArn=f'arn:aws:iam::111111111111:policy/{client_name}Policy',
        RoleName=f'{client_name}'
    )

创作顺利进行。这里是删除

# Delete IAM policy and role
def iam_delete(client_name):
    iam_client = boto3.client('iam')
    iam_resource = boto3.resource('iam')
    role_policy = iam_resource.RolePolicy(f'{client_name}', f'{client_name}Policy')
    role = iam_resource.Role(f'{client_name}')

    # Detach policy from role
    iam_client.detach_role_policy(
        PolicyArn=f'arn:aws:iam::111111111111:policy/{client_name}Policy',
        RoleName=f'{client_name}'
    )

    # Delete policy
    role_policy.delete()

    # Delete role
    role.delete()

我想这与我命名角色策略或未命名它的方式有关。我已确认 IAM 中确实存在角色 potatoman9000 以及 Policy potatoman9000Policy。非常感谢任何帮助

【问题讨论】:

    标签: python-3.x amazon-web-services boto3 amazon-iam


    【解决方案1】:

    RolePolicy 用于内联策略,而非托管策略。

    当您调用 delete 时,它会出错,因为您使用的是托管策略。 来自关于 delete 的文档:

    删除嵌入在指定 IAM 角色中的指定内联策略

    要删除托管策略,您应该使用delete_policy

    删除指定的托管政策

    【讨论】:

    • 成功了!我发誓我以前做过 delete_policy 但我一定是搞砸了。感谢您的帮助
    • @Thatsnotamuffin 很高兴它成功了。接受答案将不胜感激。
    猜你喜欢
    • 1970-01-01
    • 2017-10-22
    • 1970-01-01
    • 2019-10-05
    • 2020-11-29
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 2017-12-24
    相关资源
    最近更新 更多