aws-nuke
GovCloud support
This tool currently does not work with GovCloud.
The only region I have specified in my config is us-gov-west-1. I get the following error:
Error: failed get caller identity: InvalidClientTokenId: The security token included in the request is invalid.
I've been working with GovCloud enough to know that this typically means it's using GovCloud credentials against the regular commercial AWS endpoints. I tried exporting AWS_DEFAULT_REGION to us-gov-west-1 in hopes that maybe the underlying golang SDK would pick up on this and use the proper endpoints, but this did not work.
If you want to change the source and recompile, you can make the following changes in pkg/awsutil/session.go:
- Replace endpoints.UsEast1RegionID with endpoints.UsGovWest1RegionID
- Replace endpoints.AwsPartitionID with endpoints.AwsUsGovPartitionID
Hopefully when #391 is resolved GovCloud support will work too.
Another thing that might be worth mentioning is that since the GovCloud Administrator user is just a regular IAM user, aws-nuke will try to delete it as well as the Administrators group attachment (and the AdminPolicy policy attachment to that group). The API seems to happily allow these resources (and Login Profiles and Access Keys) to be deleted. You will want to ensure that these resources are excluded when running aws-nuke or that you have your GovCloud root access keys (though it is not necessarily typical to have them).
Native support for GovCloud regions would be immensely beneficial, as the error is the same when pointing to us-gov-east-1 as well.
@ericfrederich @kylelaker @aghassemlouei - I have a pull request open which ought to address this for you. At least you could pull the code from my branch and compile it if that helps.
Noting that even with the above merge, this remains a problem in 2.17.0
running with --default-region us-gov-west-1
worked for me 🎉
Yep, that's the trick. It requires that we specify that parameter even if the config has been updated with that region. So maybe the dev could eliminate the need for that --default-region statement?
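The two practical points in this thread, that GovCloud credentials only resolve against GovCloud (aws-us-gov partition) endpoints and that the Administrator IAM user and its group/policy attachments must be excluded before running aws-nuke there, can be wrapped in a small preflight script. The following is an added example written for this page, not code from the aws-nuke project: it derives the partition and regional STS endpoint from a region name, refuses a region list that mixes partitions, writes a config that excludes the Administrator user, its login profile, access keys, group membership and the Administrators/AdminPolicy attachment, and only then invokes aws-nuke with the --default-region workaround from the thread. The config keys and resource type names assume the aws-nuke 2.x config format; the account ids are constructed placeholders.

```shell
#!/bin/sh
# Added example (not aws-nuke's own code). Assumes the aws-nuke 2.x config
# format (regions, account-blocklist, accounts, filters, resource type names
# such as IAMUser / IAMUserAccessKey) and the AWS CLI for the identity check.

# Map a region name to its partition, following the AWS naming scheme:
# us-gov-* -> aws-us-gov, cn-* -> aws-cn, everything else -> aws (commercial).
partition_for_region() {
  case "$1" in
    us-gov-*) echo "aws-us-gov" ;;
    cn-*)     echo "aws-cn" ;;
    *)        echo "aws" ;;
  esac
}

# Regional STS endpoint for a region. A commercial-partition default falls back
# to the global sts.amazonaws.com, which rejects GovCloud credentials with
# InvalidClientTokenId (the error quoted in the issue).
sts_endpoint_for_region() {
  case "$(partition_for_region "$1")" in
    aws-cn) echo "sts.$1.amazonaws.com.cn" ;;
    *)      echo "sts.$1.amazonaws.com" ;;
  esac
}

# Return 0 when every region given belongs to the same partition as the first;
# a config that mixes partitions can never be served by one credential set.
regions_share_partition() {
  want=""
  for r in "$@"; do
    p=$(partition_for_region "$r")
    [ -z "$want" ] && want="$p"
    [ "$p" = "$want" ] || return 1
  done
  return 0
}

# Write an aws-nuke config for one GovCloud account ($1) to file $2, listing the
# remaining arguments as regions and keeping the Administrator user, its console
# login, access keys, group membership and the Administrators group with its
# AdminPolicy attachment out of the deletion set.
write_govcloud_nuke_config() {
  account_id="$1"; out="$2"; shift 2
  {
    echo "regions:"
    for r in "$@"; do echo "  - $r"; done
    cat <<EOF
account-blocklist:
  - "000000000000"   # constructed placeholder: a production account to protect
accounts:
  "$account_id":
    filters:
      IAMUser:
        - "Administrator"
      IAMLoginProfile:
        - "Administrator"
      IAMUserAccessKey:
        - type: glob
          value: "Administrator -> *"
      IAMUserGroupAttachment:
        - "Administrator -> Administrators"
      IAMGroup:
        - "Administrators"
      IAMGroupPolicyAttachment:
        - "Administrators -> AdminPolicy"
EOF
  } > "$out"
}

# Preflight: confirm the credentials resolve against the GovCloud STS endpoint
# before handing the config to aws-nuke. Needs the AWS CLI and aws-nuke on PATH.
govcloud_nuke_dry_run() {
  region="$1"; cfg="$2"
  regions_share_partition "$region" || { echo "mixed partitions" >&2; return 1; }
  echo "checking identity via $(sts_endpoint_for_region "$region")"
  aws sts get-caller-identity --region "$region" >/dev/null || return 1
  # --default-region is the workaround from the thread; --no-dry-run is left
  # out on purpose so the filtered plan can be reviewed before anything is deleted.
  aws-nuke -c "$cfg" --default-region "$region"
}
```

Typical use is `write_govcloud_nuke_config 123456789012 nuke.yml us-gov-west-1 us-gov-east-1` followed by `govcloud_nuke_dry_run us-gov-west-1 nuke.yml`; if the STS call fails with InvalidClientTokenId the credentials are being sent to the wrong partition and aws-nuke is never started.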