aws-nuke
SIGSEGV: segmentation violation
Starting from October 24th, I started seeing failures:
error="AccessDenied: User: arn:aws:sts::REDACTED:assumed-role/REDACTED/REDACTED is not authorized to perform: iam:GetRole on resource: role OrganizationAccountAccessRole with an explicit deny in a service control policy
The errors occur because I have a service control policy in place that denies access to OrganizationAccountAccessRole:
{
  "Statement": [
    {
      "Action": "*",
      "Effect": "Deny",
      "Resource": "arn:aws:iam::*:role/OrganizationAccountAccessRole",
      "Sid": "ProtectAccessRole"
    },
    {
      "Action": "*",
      "Effect": "Allow",
      "Resource": "*",
      "Sid": "AllowAllActionsByDefault"
    }
  ],
  "Version": "2012-10-17"
}
However, aws-nuke shouldn't be trying to access it because I've got a filter in place:
config = {
    'regions': regions,
    'account-blocklist': [REDACTED],
    'accounts': {
        target_account_id: {
            'filters': {
                'IAMRole': ['OrganizationAccountAccessRole']
            }
        }
    }
}
yaml_config = yaml.dump(config)
Prior to October 24th I didn't receive any errors and after that I started receiving them. I haven't updated my application or aws-nuke recently, so perhaps it's due to a change on the AWS side?
Tested on the following aws-nuke versions:
- aws-nuke-v2.19.0-linux-amd64
- aws-nuke-v2.25.0-linux-amd64
Actually I'm not sure that's what's causing the issue anymore. I edited my SCP to get rid of those SCP-based failures, but it's still failing:
{
  "Statement": [
    {
      "NotAction": [
        "iam:getRole",
        "iam:ListAttachedRolePolicies",
        "iam:ListRolePolicies"
      ],
      "Effect": "Deny",
      "Resource": "arn:aws:iam::*:role/OrganizationAccountAccessRole",
      "Sid": "DenyExceptSpecifiedActions"
    },
    {
      "Action": "*",
      "Effect": "Allow",
      "Resource": "*",
      "Sid": "AllowAllActionsByDefault"
    }
  ],
  "Version": "2012-10-17"
}
The stderr output is massive, but looking at the end of the stderr output, I can see this:
level=info msg="MachineLearningBranchPrediction: AmazonML is no longer available to new customers. Ignore if you haven\'t set it up."
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0x3b13692]
goroutine 1 [running]:
github.com/rebuy-de/aws-nuke/v2/resources.(*Route53ResolverRule).Filter(0xc0012d7430?)
\t/home/runner/work/aws-nuke/aws-nuke/resources/route53-resolver-rules.go:103 +0x12
github.com/rebuy-de/aws-nuke/v2/cmd.(*Nuke).Filter(0xc000617340, 0xc001ba3300)
\t/home/runner/work/aws-nuke/aws-nuke/cmd/nuke.go:196 +0x53
github.com/rebuy-de/aws-nuke/v2/cmd.(*Nuke).Scan(0xc000617340)
\t/home/runner/work/aws-nuke/aws-nuke/cmd/nuke.go:173 +0x9cb
github.com/rebuy-de/aws-nuke/v2/cmd.(*Nuke).Run(0xc000617340)
\t/home/runner/work/aws-nuke/aws-nuke/cmd/nuke.go:61 +0x325
github.com/rebuy-de/aws-nuke/v2/cmd.NewRootCommand.func2(0xc0003ac700?, {0x57e047d?, 0x4?, 0x57e0481?})
\t/home/runner/work/aws-nuke/aws-nuke/cmd/root.go:92 +0x613
github.com/spf13/cobra.(*Command).execute(0xc000004600, {0xc00003e0c0, 0xa, 0xa})
\t/home/runner/work/aws-nuke/aws-nuke/vendor/github.com/spf13/cobra/command.go:940 +0x87c
github.com/spf13/cobra.(*Command).ExecuteC(0xc000004600)
\t/home/runner/work/aws-nuke/aws-nuke/vendor/github.com/spf13/cobra/command.go:1068 +0x3a5
github.com/spf13/cobra.(*Command).Execute(0xc0000061a0?)
\t/home/runner/work/aws-nuke/aws-nuke/vendor/github.com/spf13/cobra/command.go:992 +0x13
main.main()
\t/home/runner/work/aws-nuke/aws-nuke/main.go:10 +0x18
'"
This occurred with aws-nuke-v2.19.0-linux-amd64.
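The two SCPs posted above give different results for the iam:GetRole call named in the AccessDenied message. The following Go program is an added example, not code from the issue or from aws-nuke: it models SCP evaluation in simplified form (one policy, no Condition keys), with both policies transcribed from the thread and a constructed account ID.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

type Statement struct { // simplified SCP statement; Condition is not modelled
	Sid, Effect, Resource string
	Action, NotAction     []string
}

const role = "arn:aws:iam::*:role/OrganizationAccountAccessRole" // Resource in both of the thread's SCPs
var allowAll = Statement{Sid: "AllowAllActionsByDefault", Effect: "Allow", Resource: "*", Action: []string{"*"}}
var firstSCP = []Statement{{Sid: "ProtectAccessRole", Effect: "Deny", Resource: role, Action: []string{"*"}}, allowAll}
var editedSCP = []Statement{{Sid: "DenyExceptSpecifiedActions", Effect: "Deny", Resource: role,
	NotAction: []string{"iam:getRole", "iam:ListAttachedRolePolicies", "iam:ListRolePolicies"}}, allowAll}

// matches: IAM-style "*"/"?" wildcards; flags "(?i)" folds case, as IAM does for action names.
func matches(flags string, patterns []string, s string) bool {
	for _, p := range patterns {
		re := strings.NewReplacer(`\*`, ".*", `\?`, ".").Replace(regexp.QuoteMeta(p))
		if regexp.MustCompile(flags + "^" + re + "$").MatchString(s) {
			return true
		}
	}
	return false
}

// Evaluate models SCP evaluation: an explicit Deny wins, otherwise an Allow must match.
func Evaluate(scp []Statement, action, arn string) string {
	verdict := "implicit deny"
	for _, st := range scp {
		hit := matches("(?i)", st.Action, action) ||
			(len(st.NotAction) > 0 && !matches("(?i)", st.NotAction, action))
		if hit && matches("", []string{st.Resource}, arn) {
			if st.Effect == "Deny" {
				return "explicit deny by " + st.Sid
			}
			verdict = "allowed"
		}
	}
	return verdict
}

func main() {
	arn := "arn:aws:iam::111122223333:role/OrganizationAccountAccessRole" // constructed account ID
	fmt.Println(Evaluate(firstSCP, "iam:GetRole", arn), "|", Evaluate(editedSCP, "iam:GetRole", arn))
}
```

Under the edited policy the three read actions listed in NotAction pass, while any other action on the role, such as iam:DeleteRole, is still an explicit deny.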
I just recently started to get a similar stacktrace within the past week:
ERRO[0017] Listing AWS::AppRunner::Service failed:
TypeNotFoundException: The type 'AWS::AppRunner::Service' cannot be found.
us-west-1 - MemoryDBUser - default - [Name: "default"] - Cannot delete default user
ERRO[0017] Listing AWS::Timestream::ScheduledQuery failed:
TypeNotFoundException: The type 'AWS::Timestream::ScheduledQuery' cannot be found.
INFO[0017] MGNSourceServer: Account not initialized for Application Migration Service. Ignore if you haven't set it up.
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0x4715352]
goroutine 1 [running]:
github.com/rebuy-de/aws-nuke/v2/resources.(*Route53ResolverRule).Filter(0x5823500?)
github.com/rebuy-de/aws-nuke/v2/resources/route53-resolver-rules.go:103 +0x12
github.com/rebuy-de/aws-nuke/v2/cmd.(*Nuke).Filter(0xc0000d3340, 0xc0005483c0)
github.com/rebuy-de/aws-nuke/v2/cmd/nuke.go:196 +0x53
github.com/rebuy-de/aws-nuke/v2/cmd.(*Nuke).Scan(0xc0000d3340)
github.com/rebuy-de/aws-nuke/v2/cmd/nuke.go:173 +0x9cb
github.com/rebuy-de/aws-nuke/v2/cmd.(*Nuke).Run(0xc0000d3340)
github.com/rebuy-de/aws-nuke/v2/cmd/nuke.go:61 +0x325
github.com/rebuy-de/aws-nuke/v2/cmd.NewRootCommand.func2(0xc0003c0700?, {0x63e4ef9?, 0x4?, 0x63e4efd?})
github.com/rebuy-de/aws-nuke/v2/cmd/root.go:92 +0x613
github.com/spf13/cobra.(*Command).execute(0xc000124600, {0xc00011c690, 0xc, 0xc})
github.com/spf13/[email protected]/command.go:940 +0x87c
github.com/spf13/cobra.(*Command).ExecuteC(0xc000124600)
github.com/spf13/[email protected]/command.go:1068 +0x3a5
github.com/spf13/cobra.(*Command).Execute(0xc0000061a0?)
github.com/spf13/[email protected]/command.go:992 +0x13
main.main()
github.com/rebuy-de/aws-nuke/v2/main.go:10 +0x18
I'm on 2.25.0 via Homebrew on macOS:
❯ aws-nuke version
version: 2.25.0
build date: 2023-08-31
scm hash: 2bd22d5e5c0cf6a4011b3c08a5b1c25e2e6c75bd
environment: Homebrew
go version: go1.21.0
@glarizza faced a similar issue, is a part of https://github.com/rebuy-de/aws-nuke/pull/1134