2

I am trying to delete a policy that has multiple versions from the command line, like this:

function iam-list-versions () {
  aws iam list-policy-versions --query "Versions[].VersionId" --policy-arn $1 --output text 
}

function iam-delete-policy-versions () {
  iam-list-versions $1 | xargs -n 1 -I{} aws iam delete-policy-version --policy-arn $1 --version-id {}
}

function iam-delete-policy () {
  iam-delete-policy-versions $1
  aws iam delete-policy --policy-arn $1
}

Then I run iam-delete-policy arn:aws:iam::123456789012:policy/... but I keep getting these errors:

An error occurred (DeleteConflict) when calling the DeletePolicyVersion operation: Cannot delete the default version of a policy.

An error occurred (DeleteConflict) when calling the DeletePolicy operation: This policy has more than one version. Before you delete a policy, you must delete the policy's versions. The default version is deleted with the policy.

It looks like my iam-delete-policy-versions function is not working. I wish they would simply add a --force flag.

3 Answers

2

The error messages indicate:

  • You cannot delete the default version of a policy. Instead, delete the policy itself.
  • You cannot delete a policy while it has multiple versions.

I also notice that list-policy-versions returns a field named IsDefaultVersion, which indicates whether it is the default version.

Therefore, you need to do the following:

  • Call list-policy-versions
  • For each response with IsDefaultVersion = False, call delete-policy-version
  • Once all versions are deleted, call delete-policy for each policy (or, for each IsDefaultVersion = True)

This would probably be easier in a Python script.

answered 2020-06-27T02:12:25.297
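The three steps above, as an added example that is not part of this answer or of the original question: a hypothetical in-memory stand-in for boto3.client("iam") that raises the same two DeleteConflict errors quoted in the question, beside the deletion order that avoids them. Everything here (FakeIamClient, the DeleteConflict class, the ARN and the version list) is constructed; against real AWS the delete_policy_with_versions function works unchanged with a boto3 IAM client, and the error to catch is iam.exceptions.DeleteConflictException.

```python
class DeleteConflict(Exception):
    """Stand-in for the IAM DeleteConflict error (boto3 raises iam.exceptions.DeleteConflictException)."""

class FakeIamClient:
    """Constructed in-memory substitute for boto3.client('iam') that enforces the two rules from the errors."""
    def __init__(self, versions):
        self.versions = versions   # policy ARN -> list of {"VersionId", "IsDefaultVersion"}
        self.calls = []            # every delete call, in order
    def list_policy_versions(self, PolicyArn):
        return {"Versions": list(self.versions[PolicyArn])}
    def delete_policy_version(self, PolicyArn, VersionId):
        self.calls.append(("delete_policy_version", PolicyArn, VersionId))
        ver = next(v for v in self.versions[PolicyArn] if v["VersionId"] == VersionId)
        if ver["IsDefaultVersion"]:
            raise DeleteConflict("Cannot delete the default version of a policy.")
        self.versions[PolicyArn].remove(ver)
        return {}
    def delete_policy(self, PolicyArn):
        self.calls.append(("delete_policy", PolicyArn))
        if len(self.versions[PolicyArn]) > 1:
            raise DeleteConflict("This policy has more than one version.")
        del self.versions[PolicyArn]   # the default version is deleted with the policy
        return {}

def delete_policy_with_versions(iam, policy_arn):
    """Delete every non-default version first, then the policy; returns the version IDs removed."""
    deleted = []
    for ver in iam.list_policy_versions(PolicyArn=policy_arn)["Versions"]:
        if not ver["IsDefaultVersion"]:
            iam.delete_policy_version(PolicyArn=policy_arn, VersionId=ver["VersionId"])
            deleted.append(ver["VersionId"])
    iam.delete_policy(PolicyArn=policy_arn)
    return deleted

def raises_delete_conflict(call, **kwargs):
    """True if the call fails with DeleteConflict; shows what the question's script ran into."""
    try:
        call(**kwargs)
    except DeleteConflict:
        return True
    return False

def sample_client():
    """Constructed sample: v3 is the default version, v2 and v1 are older versions."""
    arn = "arn:aws:iam::123456789012:policy/example"   # constructed ARN, not a real policy
    versions = [{"VersionId": "v3", "IsDefaultVersion": True},
                {"VersionId": "v2", "IsDefaultVersion": False},
                {"VersionId": "v1", "IsDefaultVersion": False}]
    return FakeIamClient({arn: versions}), arn
```

A real delete_policy call also fails with DeleteConflict while the policy is still attached to a user, group or role, so detach it first.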
1

@John Rotenstein actually gave me the answer to this question here: How to I loop through AWS CLI output?

Because the versions were not being iterated correctly, due to needing setopt shwordsplit in my zshell, this delete-version command would run like this: aws iam delete-policy-version --policy-arn $1 --version-id v3 v2 v1 and it would only try to delete v3.

Since v3 is the default version of the role, this command fails with:

An error occurred (DeleteConflict) when calling the DeletePolicyVersion operation: Cannot delete the default version of a policy.

Deleting the policy subsequently fails because there are still other versions on the policy, since the previous command was ineffective.

I'll accept John's answer because he deserves all the points! The final script is as follows:

setopt shwordsplit

# List only the non-default version IDs; --output text prints them tab-separated on one line.
function iam-list-versions () {
  aws iam list-policy-versions --query "Versions[?@.IsDefaultVersion == \`false\`].VersionId" --policy-arn "$1" --output text
}

# xargs -n 1 splits on whitespace and appends one version ID per invocation
# (xargs -I{} would read the whole tab-separated line as a single argument).
function iam-delete-policy-versions () {
  iam-list-versions "$1" | xargs -n 1 aws iam delete-policy-version --policy-arn "$1" --version-id
}

# The default version is removed together with the policy.
function iam-delete-policy () {
  iam-delete-policy-versions "$1"
  aws iam delete-policy --policy-arn "$1"
}


answered 2020-06-27T05:27:21.610
0

Use the following boto3 code to delete a list of policies at once. Pass the list of policies in the variable pol_list=[]. Also, don't forget to add your account ID in the policy ARN. This script will delete the policy and all of its versions.

import boto3

client = boto3.client("iam")

# Pass the list of IAM policy names in the following variable
pol_list = []
# Replace accountID with your own account ID
ARN_PREFIX = "arn:aws:iam::accountID:policy/"

for name in pol_list:
    arn = ARN_PREFIX + name
    print(arn)
    try:
        response = client.list_policy_versions(PolicyArn=arn)
        # Delete every non-default version; the default version goes away with the policy
        for ver in response["Versions"]:
            if not ver["IsDefaultVersion"]:
                delete = client.delete_policy_version(PolicyArn=arn, VersionId=ver["VersionId"])
                print(delete)
        client.delete_policy(PolicyArn=arn)
        print("Policy Deleted Successfully!!")
    except client.exceptions.NoSuchEntityException:
        # Only a missing policy means "already deleted"; other errors (e.g. policy still attached) propagate
        print("Already Deleted!")
answered 2021-05-26T06:49:44.580