Deleting Global Resources in Govcloud Account Doesn't Work #832

Open
joelmccoy opened this issue Feb 14, 2025 · 2 comments
@joelmccoy

It looks like the default region for creating the session is always set to us-east-1 here.

However, when in govcloud, you will need to use a govcloud region to get sts creds. Right now I am getting failures to delete global resources in govcloud with error messages like:

  ERROR   Unable to retrieve iam-group, operation error IAM: ListGroups, https response error StatusCode: 403, RequestID: ab6ffbb4-4b82-48a2-b13a-7714f433a227, api error InvalidClientTokenId: The security token included in the request is invalid
  ERROR   Unable to retrieve iam-policy, operation error IAM: ListPolicies, https response error StatusCode: 403, RequestID: 1c19965c-6fd6-4861-a32a-112eb3c70c88, api error InvalidClientTokenId: The security token included in the request is invalid
  ERROR   Unable to retrieve iam-role, operation error IAM: ListRoles, https response error StatusCode: 403, RequestID: 32306d72-b7e2-499e-a608-3f212f79a668, api error InvalidClientTokenId: The security token included in the request is invalid

I think there should be added logic to check if we are in govcloud. And if so, use us-gov-west-1 as the default region.

james03160927 self-assigned this Feb 17, 2025
@james03160927
Contributor

Hi @joelmccoy, you should be able to pass in the region you want to run the operation in: https://github.com/gruntwork-io/cloud-nuke/blob/master/commands/cli.go#L47.

@joelmccoy
Author

I understand that. But I run into issues with global resources in govcloud. I am running a command that looks like this:

cloud-nuke aws --region aws-gov-west-1,global

And it fails to delete global resources because of these lines of code:

cloud-nuke/aws/region.go

Lines 52 to 55 in 63bbc48

// Note: As there is no actual region named `global` we have to pick one valid region and create the session.
if region == GlobalRegion {
	return externalcreds.Get(DefaultRegion)
}

When it tries to get STS creds for the global region it defaults to us-east-1 and those creds don't work for govcloud.

I believe the default region should honor the default profile in the local AWS Profile or even the AWS_REGION environment variable. As it looks right now, we just get sts creds from us-east-1 no matter what.
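
One way the `global` pseudo-region could be mapped to a signing region in the caller's own partition, combining the two suggestions in this thread (a GovCloud default of us-gov-west-1, and honoring AWS_REGION). This is an added example, not code from cloud-nuke or from the participants; `partitionDefaults`, `partitionOf` and `globalSessionRegion` are hypothetical names, and the `aws-cn` entry goes beyond the GovCloud case discussed here.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// Hypothetical names (not cloud-nuke's). Maps a partition to the region that
// signs requests for that partition's global services such as IAM.
var partitionDefaults = map[string]string{
	"aws":        "us-east-1",
	"aws-us-gov": "us-gov-west-1",
	"aws-cn":     "cn-north-1",
}

// partitionOf derives the partition from the region name prefix.
func partitionOf(region string) string {
	switch {
	case strings.HasPrefix(region, "us-gov-"):
		return "aws-us-gov"
	case strings.HasPrefix(region, "cn-"):
		return "aws-cn"
	}
	return "aws"
}

// globalSessionRegion picks the session region for the "global" pseudo-region
// from the real regions requested alongside it, else from AWS_REGION.
func globalSessionRegion(requested []string, envRegion string) (string, error) {
	partition := ""
	for _, r := range requested {
		if r == "global" {
			continue
		}
		p := partitionOf(r)
		if partition != "" && p != partition {
			return "", fmt.Errorf("regions span partitions %s and %s", partition, p)
		}
		partition = p
	}
	if partition == "" { // only "global" requested: fall back to the environment
		partition = partitionOf(envRegion)
	}
	return partitionDefaults[partition], nil
}

func main() {
	fmt.Println(globalSessionRegion([]string{"us-gov-west-1", "global"}, os.Getenv("AWS_REGION")))
}
```

Credentials are scoped to one partition, so a region list that mixes partitions is rejected rather than silently resolved to one of them.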
