[RFE] Add the new 'assume-root' feature #455

Open
alexandrosgkesos opened this issue Dec 10, 2024 · 1 comment

@alexandrosgkesos

AWS introduced a feature to assume-root of child accounts, mainly in order to "fix" bad Deny All S3/SQS policies.
It would be good to have this feature implemented in aws-nuke.

If "AccessDenied" while listing/deleting SQS/S3,

  • assume root with related "task-policy-arn",
  • remove or set a default policy
  • retry cleanup

Pre-requisites:

  • Need to have "IAM - Root access management" Enabled
  • IAM entity who cleans up, should have "sts:AssumeRoot" on "arn:aws:iam::*:root"
@ekristen
Owner

Interesting idea. Not sure about the feasibility the way the authentication is currently written. I'd need to implement a way to track task to a particular resource, and a specific error detection w/ secondary auth, but auth happens higher in the stack and we are lower down when the error occurs.

I'm willing to look into this further, but likely won't be for a while.
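The flow requested in the issue, with the error detection and secondary auth kept at the per-resource level that the reply describes, as an added Go example that is not aws-nuke code. `Cloud`, `RootSession`, `CleanupWithUnlock`, `ErrAccessDenied` and `fakeCloud` are hypothetical names standing in for the real AWS calls; the two ARNs are the AWS-managed root task policies for S3 and SQS, and the account ID and bucket name are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// All names below are hypothetical stand-ins, not aws-nuke or AWS SDK identifiers.
var ErrAccessDenied = errors.New("AccessDenied")

// AWS-managed root task policies; each limits the root session to one unlock task.
var taskPolicy = map[string]string{
	"s3":  "arn:aws:iam::aws:policy/root-task/S3UnlockBucketPolicy",
	"sqs": "arn:aws:iam::aws:policy/root-task/SQSUnlockQueuePolicy",
}

type RootSession interface{ RemoveResourcePolicy(arn string) error }
type Cloud interface {
	Delete(arn string) error
	AssumeRoot(account, taskPolicyARN string) (RootSession, error)
}

// CleanupWithUnlock deletes arn and takes the root path once, only on AccessDenied.
func CleanupWithUnlock(c Cloud, account, arn string) (usedRoot bool, err error) {
	if err = c.Delete(arn); !errors.Is(err, ErrAccessDenied) {
		return false, err // success or unrelated failure: never escalate
	}
	p := strings.SplitN(arn, ":", 6) // arn:partition:service:region:account:resource
	if len(p) != 6 || taskPolicy[p[2]] == "" {
		return false, err // no root task policy for this service: keep AccessDenied
	}
	root, aerr := c.AssumeRoot(account, taskPolicy[p[2]])
	if aerr != nil {
		return false, fmt.Errorf("assume root on %s: %w", account, aerr)
	}
	if perr := root.RemoveResourcePolicy(arn); perr != nil {
		return true, fmt.Errorf("remove policy on %s: %w", arn, perr)
	}
	return true, c.Delete(arn) // single retry; a second AccessDenied is final
}

// fakeCloud is constructed sample state: deny[arn] models a Deny-all resource policy.
type fakeCloud struct{ deny map[string]error }
func (f *fakeCloud) Delete(arn string) error                     { return f.deny[arn] }
func (f *fakeCloud) AssumeRoot(_, _ string) (RootSession, error) { return f, nil }
func (f *fakeCloud) RemoveResourcePolicy(arn string) error       { delete(f.deny, arn); return nil }

func main() { // constructed account ID and bucket name
	f := &fakeCloud{deny: map[string]error{"arn:aws:s3:::logs": ErrAccessDenied}}
	fmt.Println(CleanupWithUnlock(f, "111122223333", "arn:aws:s3:::logs"))
}
```

The returned `usedRoot` flag gives the caller one place to log every root escalation, and the account ID is passed separately because S3 bucket ARNs do not carry one.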
