AWS introduced a feature to assume-root of child accounts mainly in order to "fix" bad Deny All S3/SQS policies
It would be good to have this feature implemented in aws-nuke
If "AccessDenied" while listing/deleting SQS/S3,
assume root with related "task-policy-arn",
remove or set a default policy
retry cleanup
Pre-requisites:
Need to have "IAM - Root access management" enabled
The IAM entity that cleans up should have "sts:AssumeRoot" on "arn:aws:iam::*:root"
Interesting idea. Not sure about the feasibility the way the authentication is currently written. I'd need to implement a way to track task to a particular resource, and a specific error detection w/ secondary auth, but auth happens higher in the stack and we are lower down when the error occurs.
I'm willing to look into this further, but likely won't be for a while.
This centralized root access can only be assumed from an entity in the organization management account or a delegated admin. Personally, I wouldn't feel comfortable giving aws-nuke cross account access to a role in the organization management account or a delegated admin.
Also if this is supported, steps would need to be taken to ensure it can't assume root in accounts that it's not meant to be able to nuke.
Are bad S3/SQS policies happening often enough that you can't easily go in and clean them up manually?
Root access is meant to be for select dangerous tasks that rarely need to be performed.
I would prefer to use things like this as an opportunity to educate users and refer them to example policies that work.
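The flow the issue proposes (try the delete, and on "AccessDenied" assume root with the matching task policy, drop the bucket policy, then retry), together with the account scoping concern raised in the comment above, as an added illustration that is not aws-nuke code and not part of this thread. The STS and S3 clients are constructed stand-ins so the block runs offline; `nuke_bucket`, `run_demo`, `allowed_accounts` and the fake classes are hypothetical names. The managed policy ARN `arn:aws:iam::aws:policy/root-task/S3UnlockBucketPolicy`, the `assume_root` call shape and the 900-second session limit are assumed from AWS documentation, not from the thread.

```python
"""Constructed example of the "unlock via assume-root, then retry" cleanup flow.

Hypothetical throughout: the fake clients replace boto3 so the logic runs offline.
With real boto3 the denial check is `err.response["Error"]["Code"] == "AccessDenied"`
on a botocore ClientError, and `sts.assume_root(...)` returns short-lived credentials.
"""
from dataclasses import dataclass

# AWS-managed root-task policy for removing a bucket policy (assumed from AWS docs;
# the issue text only says "task-policy-arn").
S3_UNLOCK_POLICY = "arn:aws:iam::aws:policy/root-task/S3UnlockBucketPolicy"


class AccessDeniedError(Exception):
    """Stand-in for a botocore ClientError whose Error.Code is "AccessDenied"."""


class AssumeRootNotAllowed(Exception):
    """Target account is outside the set this run is permitted to unlock."""


@dataclass
class FakeAccount:
    """Constructed account state: buckets whose policy currently denies everyone."""
    locked_buckets: set


class FakeS3:
    """Minimal S3 client stand-in. A normal session is blocked by the bad policy;
    a session built from assume-root credentials may delete that policy."""

    def __init__(self, account, is_root=False):
        self.account, self.is_root = account, is_root

    def delete_bucket_policy(self, Bucket):
        if not self.is_root:
            raise AccessDeniedError("AccessDenied")
        self.account.locked_buckets.discard(Bucket)
        return {}

    def delete_bucket(self, Bucket):
        if Bucket in self.account.locked_buckets:
            raise AccessDeniedError("AccessDenied")
        return {"Deleted": Bucket}


class FakeSTS:
    """Records assume_root calls and returns placeholder credentials."""

    def __init__(self):
        self.calls = []

    def assume_root(self, TargetPrincipal, TaskPolicyArn, DurationSeconds):
        self.calls.append((TargetPrincipal, TaskPolicyArn["arn"], DurationSeconds))
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE",  # constructed
                                "SecretAccessKey": "x", "SessionToken": "y"}}


def nuke_bucket(s3, sts, account_id, bucket, allowed_accounts, root_s3_factory):
    """Delete `bucket`; on AccessDenied, unlock its policy via assume-root and retry once.

    `allowed_accounts` is the explicit set of accounts this run may assume root in,
    so a mis-targeted run fails closed instead of unlocking the wrong account.
    """
    try:
        return s3.delete_bucket(Bucket=bucket)
    except AccessDeniedError:
        pass  # fall through to the privileged unlock path
    if account_id not in allowed_accounts:
        raise AssumeRootNotAllowed(account_id)
    creds = sts.assume_root(TargetPrincipal=account_id,
                            TaskPolicyArn={"arn": S3_UNLOCK_POLICY},
                            DurationSeconds=900)["Credentials"]
    # The root session is used only for the single unlock action ...
    root_s3_factory(creds).delete_bucket_policy(Bucket=bucket)
    # ... and the original, lower-privileged session performs the actual delete.
    return s3.delete_bucket(Bucket=bucket)


def run_demo(target="111111111111", allowed=frozenset({"111111111111"})):
    """Wire the fakes together; returns (delete result, recorded assume_root calls)."""
    account = FakeAccount(locked_buckets={"locked-bucket"})
    sts, s3 = FakeSTS(), FakeS3(account)
    result = nuke_bucket(s3, sts, target, "locked-bucket", allowed,
                         lambda creds: FakeS3(account, is_root=True))
    return result, sts.calls


if __name__ == "__main__":
    print(run_demo())
```

The allowlist check sits before the `assume_root` call on purpose: the error-driven retry is the part that would otherwise reach for root in whatever account the error came from, so the scoping decision has to be made at that point rather than at session setup.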
@alexandrosgkesos I'm worried about the complexity of implementing something like this, especially given the cross-account and assume-role nature that would be required. While the tool supports assuming roles already, knowing how to assume specific roles for specific resources seems to be getting into a pretty niche area that I'm not sure is of high need.
I'm willing to leave this open for now to get some more feedback from the community.