AWS CDK destroy 无法删除秘密
AWS CDK destroy fails to delete secret
我有一个创建 S3 存储桶、VPC 和 RDS 实例的 CDK 脚本。部署工作正常,但销毁失败并显示我的用户无权 secretsmanager:DeleteSecret.
的错误
我用IAM策略测试工具检查过,通过了。我可以通过 UI 删除秘密。 CDK destroy 命令仍然失败。有什么想法吗?
CDK 脚本:
class AcmeCdkStack extends cdk.Stack {
constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
super(scope, id, props);
// create a general purpose bucket for use with the app
new s3.Bucket(this, 'app-bucket', {
versioned: true
});
// create a vpc for our application
const vpc = new ec2.Vpc(this, 'app-vpc, {
cidr: "10.0.0.0/16",
});
// create a database instance
const db = new rds.DatabaseInstance(this, `app-db`, {
engine: rds.DatabaseInstanceEngine.POSTGRES,
instanceClass: ec2.InstanceType.of(ec2.InstanceClass.T3, ec2.InstanceSize.MICRO),
vpc,
masterUsername: `dbadmin`,
deleteAutomatedBackups: false,
deletionProtection: false,
// https://github.com/aws/aws-cdk/issues/4036
removalPolicy: cdk.RemovalPolicy.DESTROY,
});
}
}
const app = new cdk.App();
new AcmeCdkStack(app, 'app-stack;);
错误:
User: arn:aws:iam::0000000000:user/user@acme.com is not authorized to perform: secretsmanager:DeleteSecret on resource: arn:aws:secretsmanager:us-east-1:0000000000:secret:appdbdemoSecret0261-mjgIXOsp5rLL-HxFng1 (Service: AWSSecretsManager; Status Code: 400; Error Code: AccessDeniedException; Request ID: 000000000)
根据评论,问题是 CDK 使用的凭证与预期的不同。解决方案是使用正确的 AWS_PROFILE.
我有一个创建 S3 存储桶、VPC 和 RDS 实例的 CDK 脚本。部署工作正常,但销毁失败并显示我的用户无权 secretsmanager:DeleteSecret.
我用IAM策略测试工具检查过,通过了。我可以通过 UI 删除秘密。 CDK destroy 命令仍然失败。有什么想法吗?
CDK 脚本:
class AcmeCdkStack extends cdk.Stack {
constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
super(scope, id, props);
// create a general purpose bucket for use with the app
new s3.Bucket(this, 'app-bucket', {
versioned: true
});
// create a vpc for our application
const vpc = new ec2.Vpc(this, 'app-vpc, {
cidr: "10.0.0.0/16",
});
// create a database instance
const db = new rds.DatabaseInstance(this, `app-db`, {
engine: rds.DatabaseInstanceEngine.POSTGRES,
instanceClass: ec2.InstanceType.of(ec2.InstanceClass.T3, ec2.InstanceSize.MICRO),
vpc,
masterUsername: `dbadmin`,
deleteAutomatedBackups: false,
deletionProtection: false,
// https://github.com/aws/aws-cdk/issues/4036
removalPolicy: cdk.RemovalPolicy.DESTROY,
});
}
}
const app = new cdk.App();
new AcmeCdkStack(app, 'app-stack;);
错误:
User: arn:aws:iam::0000000000:user/user@acme.com is not authorized to perform: secretsmanager:DeleteSecret on resource: arn:aws:secretsmanager:us-east-1:0000000000:secret:appdbdemoSecret0261-mjgIXOsp5rLL-HxFng1 (Service: AWSSecretsManager; Status Code: 400; Error Code: AccessDeniedException; Request ID: 000000000)
根据评论,问题是 CDK 使用的凭证与预期的不同。解决方案是使用正确的 AWS_PROFILE.