2

I was able to run aws-nuke on one account using the AWS CLI. Now I am trying to run aws-nuke to delete all the resources by assuming an IAM role.

I am trying to run this command:

    aws-nuke -c config/nuke-config.yaml

config/nuke-config.yaml

    ---
    regions:
    - "global" # This is for all global resource types e.g. IAM

    account-blacklist:
    - "999999999999" # production

    # optional: restrict nuking to these resources
    resource-types:
      targets:
      - S3Bucket
      - S3Object
      - EC2Instance
      - CloudFormationStack

    accounts:
      # each target account is a map key (value holds optional filters)
      "555133742123": {} # IAM alias is "test-account"

Got this Error:

Error: The specified account doesn't have an alias. For safety reasons you need to specify an account alias. Your production account should contain the term 'prod'.

You can see the Error message in the screenshot below.


I also ran aws-nuke on another account and it was able to identify the IAM Alias without any issue. What's missing here?

Jeff
  • 493
  • 3
  • 19
  • 2
    I see you got an IAM alias in your comment section. So it should have prompted an IAM alias when you ran aws-nuke on the AWS CLI. – SeniorEngineer Dec 18 '20 at 02:48
  • 2
    Have you reached out to the author of aws-nuke to see what the error means? – SeniorEngineer Dec 18 '20 at 02:49
  • 1
    Yes. I also reached out and made a post here on aws-nuke on GitHub https://github.com/rebuy-de/aws-nuke/discussions/583 – Jeff Dec 18 '20 at 04:13
  • 1
    Hi. I found this post from the aws-nuke author for a similar issue, but this seems to be resolved by entering an IAM alias. But just wanted to let you know that you can try this: https://stackoverflow.com/a/54322848/14820394 – SeniorEngineer Dec 18 '20 at 04:32
    Glad to see that your issue is resolved. – SeniorEngineer Jan 13 '21 at 18:06

3 Answers

2

I was able to look at the source of the error, which is raised on aws-nuke code line 100.

From there I would look at the calls to ValidateAccount(). The relevant call is on line 43.

Once I had narrowed down the issue and error message, I would figure out why Account.Aliases() is empty. It looks like "Account" is a resource type in AWS. So I would reproduce the call to fetch the account resource, e.g. using boto3 or the AWS CLI. Then I'd confirm that it's also empty there. Then I'd figure out how to set the alias.

JeffreyC
  • 625
  • 1
  • 8
  • 19
2

To check if the account alias is empty, you can run this AWS CLI command:

    aws iam list-account-aliases

If it returns an empty list, it means that the IAM alias is missing.

Then, you need to assign an IAM alias to the AWS account that needs to be nuked. You can use this AWS CLI command:

    aws sts get-caller-identity

This will let you know which account you are signed into using the CLI.

Once you have assigned an IAM alias to the AWS account, this should resolve the aws-nuke error that you see:

Error: The specified account doesn't have an alias. For safety reasons you need to specify an account alias. Your production account should contain the term 'prod'.

SeniorEngineer
  • 308
  • 1
  • 10
1

I found the author of aws-nuke in the discussion here and another post.

Disclaimer: Here's what the aws-nuke author says:

This is not a configuration problem of the YAML file, but it's a missing setting in the AWS account.

An AWS IAM alias is a globally unique name for the AWS account. aws-nuke requires this as a safety guard, so that it does not accidentally destroy production accounts. The idea is that every production account contains at least the substring prod.

Follow the AWS docs to specify the Alias via the web console, or use the AWS CLI:

    aws iam create-account-alias --profile demo --account-alias aws-nuke-test-account-8gmst3
Jeff
  • 493
  • 3
  • 19
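The two answers above boil down to one pre-flight rule: before running aws-nuke, confirm the signed-in account has an alias and that the alias does not look like production. The script below is an added example (not code from the question, the answers, or the aws-nuke project) that applies that rule to the JSON printed by `aws iam list-account-aliases`. The sample JSON documents are constructed for the example; the function names `alias_from_json` and `nuke_preflight` are this example's own.

```shell
#!/bin/sh
# Added example: a local safety check that mirrors aws-nuke's alias rule.
# Input is the JSON that `aws iam list-account-aliases --output json` prints,
# e.g. {"AccountAliases": ["my-alias"]} (the samples below are constructed).

# alias_from_json: print the first alias in the AccountAliases array,
# or nothing when the array is empty (no alias set on the account).
alias_from_json() {
    printf '%s' "$1" | tr -d '\n ' \
        | sed -n 's/.*"AccountAliases":\["\([^"]*\)".*/\1/p'
}

# nuke_preflight: return 0 when it is safe to hand the account to aws-nuke.
# Refuses (returns 1) when no alias exists, which is exactly the situation
# behind the error in the question, or when the alias contains "prod".
nuke_preflight() {
    acct_alias=$(alias_from_json "$1")
    if [ -z "$acct_alias" ]; then
        echo "refuse: account has no IAM alias; set one with 'aws iam create-account-alias'" >&2
        return 1
    fi
    case "$acct_alias" in
        *prod*)
            echo "refuse: alias '$acct_alias' looks like a production account" >&2
            return 1 ;;
    esac
    echo "ok: alias '$acct_alias'"
    return 0
}

# Constructed sample outputs, standing in for real CLI output.
NO_ALIAS='{ "AccountAliases": [] }'
TEST_ALIAS='{ "AccountAliases": [ "aws-nuke-test-account-8gmst3" ] }'
PROD_ALIAS='{ "AccountAliases": [ "acme-prod" ] }'

# Real usage (requires AWS credentials) would be:
#   nuke_preflight "$(aws iam list-account-aliases --output json)" \
#       && aws-nuke -c config/nuke-config.yaml
```

Run the preflight with the CLI output substituted in; it stops the run on the same two conditions aws-nuke itself enforces, so a missing alias is caught before any delete is attempted rather than by the tool's exit error.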