
I am trying to run aws-nuke to delete all the resources.

I am trying to run the command:

    aws-nuke -c config/example.yaml --profile demo

config/example.yaml:

    ---
    regions:
    - "global" # This is for all global resource types e.g. IAM
    - "eu-west-1"

    account-blacklist:
    - "999999999999" # production

    # optional: restrict nuking to these resources
    resource-types:
      targets:
      - IAMUser
      - IAMUserPolicyAttachment
      - IAMUserAccessKey
      - S3Bucket
      - S3Object
      - Route53HostedZone
      - EC2Instance
      - CloudFormationStack

    accounts:
      # The key must be the bare account ID. `555133742123#demo:` is read as the
      # literal key "555133742123#demo", because a `#` without a space before it
      # does not start a YAML comment, so aws-nuke would never match this account.
      "555133742123": # demo
        filters:
          IAMUser:
          - "admin"
          IAMUserPolicyAttachment:
          # a user's policy attachment has no RoleName; filter it by UserName
          - property: UserName
            value: "admin"
          IAMUserAccessKey:
          - property: UserName
            value: "admin"
          S3Bucket:
          - "s3://my-bucket"
          S3Object:
          - type: "glob"
            value: "s3://my-bucket/*"
          Route53HostedZone:
          - property: Name
            type: "glob"
            value: "*.zone.loc."
          CloudFormationStack:
          - property: "tag:team"
            value: "myTeam"

Error screenshots below. What is missing?

[screenshot 1: aws-nuke error output]

[screenshot 2]

onkar
  • The error message is complaining about an alias. Try changing `555133742123#demo:` into `"555133742123" # demo:` – John Rotenstein Jan 22 '19 at 05:42
  • @JohnRotenstein Yes, but I have already mentioned it there as prod (please check 999999999999 in the account-blacklist section) – onkar Jan 22 '19 at 05:43
  • Your command line is specifying `demo`, but the template might be in the wrong format to mark the demo account. Thus, I was suggesting to fix the formatting of `demo` to match the formatting shown in the documentation. – John Rotenstein Jan 22 '19 at 16:53
  • @JohnRotenstein `demo` is the alias that we are using. Please refer to image 2 for that. – onkar Jan 23 '19 at 03:33
  • The error message says: "The specified account doesn't have an alias." Therefore, the problem is something to do with an alias. Your command line references `demo`, so it is likely related to that. I don't know aws-nuke, but I'm attempting to help by suggesting a fix related to the error message. The nuke documentation shows the format as `"000000000000": # aws-nuke-example`, so I'm suggesting that you try to match that formatting for `demo` by making it: `"555133742123": # demo` – John Rotenstein Jan 23 '19 at 05:52

1 Answer


Disclaimer: I am an author of aws-nuke.

This is not a configuration problem of your YAML file, but a missing setting in your AWS account.

The IAM Alias is a globally unique name for your AWS Account. aws-nuke requires this as a safety guard, so you do not accidentally destroy your production accounts. The idea is that every production account contains at least the substring prod.

This might sound a bit unnecessary to demand this account alias, but we are very passionate about not nuking any production account.

You can follow the docs to specify the alias via the web console, or you use the CLI:

    aws iam create-account-alias --profile demo --account-alias my-test-account-8gmst3

I guess we need to improve the error message.

svenwltr
  • Could you help me with best practices for using nuke & assume role for nuke? I have installed it on prod and will be trying to nuke sandbox resources – onkar Jan 25 '19 at 03:02
  • Best practice is to never ever run it on prod. This is a very dangerous tool, hence the name `nuke`. For using sandbox resources, I advise to create a separate AWS account. These are free, you can easily create some with [AWS Organizations](https://aws.amazon.com/organizations/) and can even consolidate the billing. – svenwltr Jan 25 '19 at 09:22
  • I'm now able to execute Nuke. Below is the setup: Nuke is installed on Acc A. In the config file, the account to nuke is given as Acc B. Created a profile for Acc B. While executing nuke we give the Acc B profile. This is all working fine and nuke targets Acc B. Can we work without creating a profile for Account B, i.e. create a role in Account B and give assume-role access to the Account A user into Account B, and while executing nuke execute with Profile A? e.g.: `aws-nuke -c config/config.yaml --profile AccountA` With the above option nuke is trying to delete Account A. Is this possible in nuke? – onkar Jan 29 '19 at 07:44
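The safety rules the answer describes, as an added example that is not part of aws-nuke and not from the original post: a POSIX shell pre-flight script that applies the same checks (an IAM account alias exists, no alias contains `prod`, the account is not in `account-blacklist`, and the account ID is a key under `accounts:`) before you run `aws-nuke`. `validate_account` is a pure function so it can be exercised offline with constructed inputs; `preflight` fetches the live values with the real `aws sts get-caller-identity` and `aws iam list-account-aliases` calls. Reading the YAML with grep/sed is an assumption that only holds for the flat layout used on this page.

```shell
#!/bin/sh
# Added example, not aws-nuke's own code and not from the original post:
# a pre-flight check that applies the safety rules the answer describes
# before aws-nuke is allowed to run.
#
#   1. the account must have at least one IAM account alias
#   2. no alias may contain the substring "prod" (case-insensitive)
#   3. the account ID must not appear in account-blacklist
#   4. the account ID must be a key under accounts: in the config
#
# Assumption: the YAML is read with grep/sed, which only works for the flat
# layout used on this page (quoted 12-digit IDs, one per line).

# validate_account ACCOUNT_ID BLACKLIST_CSV ALIASES_CSV CONFIG_FILE
# Pure function: prints the first violated rule and returns 1, else returns 0.
validate_account() {
  account_id=$1
  blacklist=$2   # comma-separated IDs from account-blacklist
  aliases=$3     # comma-separated IAM account aliases, empty when there are none
  config=$4

  # Rule 3: blacklisted accounts are never touched, whatever else is true.
  case ",$blacklist," in
    *",$account_id,"*)
      echo "refusing: account $account_id is in account-blacklist"
      return 1 ;;
  esac

  # Rule 1: an alias is mandatory. This is the check behind the error in the
  # question; the answer's create-account-alias command fixes it.
  if [ -z "$aliases" ]; then
    echo "refusing: account $account_id has no IAM account alias" \
         "(set one with: aws iam create-account-alias --account-alias <name>)"
    return 1
  fi

  # Rule 2: any alias containing "prod" marks a production account.
  lower=$(printf '%s' "$aliases" | tr 'A-Z' 'a-z')
  case "$lower" in
    *prod*)
      echo "refusing: an alias contains 'prod' ($aliases)"
      return 1 ;;
  esac

  # Rule 4: the account must be listed as a bare (optionally quoted) ID key.
  # The key 555133742123#demo: from the question does not match this pattern.
  if ! grep -Eq "^[[:space:]]*\"?$account_id\"?[[:space:]]*:" "$config"; then
    echo "refusing: account $account_id is not a key under accounts: in $config"
    return 1
  fi

  echo "ok: account $account_id (aliases: $aliases) may be nuked with $config"
  return 0
}

# blacklist_from_config CONFIG_FILE
# Prints the 12-digit IDs under account-blacklist as a comma-separated list.
blacklist_from_config() {
  sed -n '/^account-blacklist:/,/^[^ -]/p' "$1" \
    | grep -o '"[0-9]\{12\}"' | tr -d '"' | paste -s -d, -
}

# preflight PROFILE CONFIG_FILE
# Pulls the live values with the AWS CLI and runs the checks; only run
# aws-nuke if this returns 0.
preflight() {
  profile=$1
  config=$2
  account_id=$(aws sts get-caller-identity --profile "$profile" \
                 --query Account --output text)
  aliases=$(aws iam list-account-aliases --profile "$profile" \
              --query AccountAliases --output text | tr '\t' ',')
  validate_account "$account_id" "$(blacklist_from_config "$config")" \
                   "$aliases" "$config"
}

# Usage: sh preflight.sh PROFILE CONFIG && aws-nuke -c CONFIG --profile PROFILE
if [ "$#" -eq 2 ]; then
  preflight "$1" "$2"
fi
```

Run it as `sh preflight.sh demo config/example.yaml && aws-nuke -c config/example.yaml --profile demo`. Note that the key `555133742123#demo:` from the question would fail the config-lookup check here even after an alias is created, which is the second problem the comments point at.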