AWS CloudFormation: Unable to delete a stack
Question

I have created a simple CloudFormation stack:

```yaml
Resources:
  MyNewEC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0b16d80945b1a9c7d
      InstanceType: t2.micro
      SubnetId: subnet-0cc709c048a0ec292
      SecurityGroupIds:
        - sg-09cd08e7081541ada
      KeyName: stg-emr-test
```

The stack was successfully created. I was able to SSH into the EC2 instance, but now I want to remove this stack, i.e. the EC2 instance, and later tried to delete it. It's failing.

I saw the error in events:

[![enter image description here][1]][1]

[![enter image description here][2]][2]

  [1]: https://i.stack.imgur.com/X5o0x.png
  [2]: https://i.stack.imgur.com/Vr723.png

Answer 1

Score: 0

The logged in user has the rights to create, but not terminate/delete.

Make sure that the correct permissions (via AWS IAM) are associated to the user to perform any action within the AWS account.

Answer 2

Score: 0

As assumed above, there is no allow or there is an explicit deny action in a Policy. However, it's clear to me, it's not in IAM if you are asking how come I am able to create but not able to delete. Plus, an encoded message, usually, is a sign of AWS Organizations being used.

It has to be an SCP applied on your account. Check the Policy evaluation logic.
Additionally, double-check Permissions boundaries and IAM Policy to alleviate any uncertainties or doubts.

It's also advisable to decode the error:

```bash
aws sts decode-authorization-message --encoded-message <ENCODED_MESSAGE_FROM_THE_EVENT> --query DecodedMessage --output text
```

It may help.
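Once the message is decoded, the JSON it yields tells you which policy layer to inspect. The following is an added example, not code from the post or its answers: it parses a constructed decoded message (placeholder account, principal and instance IDs; field names follow the STS DecodedMessage layout) and reports whether the deletion was blocked by an explicit Deny or by a missing Allow, which is the distinction that decides whether to look for a Deny statement or for a gap in the SCP, permissions boundary or identity policy.

```python
import json

# Constructed sample (placeholder IDs): what a denied ec2:TerminateInstances
# call, which CloudFormation issues when deleting an AWS::EC2::Instance, might
# decode to. Field names follow the STS DecodedMessage layout.
SAMPLE_DECODED = json.dumps({
    "allowed": False,
    "explicitDeny": True,
    "matchedStatements": {"items": [{
        "statementId": "DenyTerminate",
        "effect": "DENY",
        "actions": {"items": [{"value": "ec2:TerminateInstances"}]},
        "resources": {"items": [{"value": "*"}]},
    }]},
    "context": {
        "principal": {"arn": "arn:aws:iam::123456789012:user/example-user"},
        "action": "ec2:TerminateInstances",
        "resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-0example",
        "conditions": {"items": []},
    },
})


def _is_true(value) -> bool:
    # STS renders booleans inconsistently (false vs "false"); normalise both.
    return str(value).lower() == "true"


def summarize_denial(decoded_json: str) -> dict:
    """Extract the facts needed to locate the denying policy layer."""
    msg = json.loads(decoded_json)
    ctx = msg.get("context", {})
    matched = msg.get("matchedStatements") or {}
    statements = matched.get("items", []) if isinstance(matched, dict) else []
    # Explicit deny: a Deny statement matched; check identity policies,
    # permissions boundaries and SCPs for it. Implicit deny: nothing matched,
    # so an Allow is missing from at least one of those layers.
    deny_type = "explicit" if _is_true(msg.get("explicitDeny")) else "implicit"
    return {
        "allowed": _is_true(msg.get("allowed")),
        "principal": ctx.get("principal", {}).get("arn"),
        "action": ctx.get("action"),
        "resource": ctx.get("resource"),
        "deny_type": deny_type,
        "matched_statement_ids": [s.get("statementId") for s in statements],
    }


if __name__ == "__main__":
    print(json.dumps(summarize_denial(SAMPLE_DECODED), indent=2))
```

Feed it the real `DecodedMessage` output instead of the sample; the `action` and `resource` fields show exactly which API call the deletion tripped over.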

huangapple
  • Published on 2023-07-13 19:08:51
  • Please keep this link when reposting: https://go.coder-hub.com/76678685.html