Main Points of AWS IAM Deletion Process Using Ansible
If you followed all the steps from Part 2 through Part 5 and now want to remove everything they created, this part shows how. I put the variables and tasks for deletion under a single tag; if you only want to delete a specific resource, add and use a more specific tag, just as the creation tasks do.
Main points of this deletion process are:
- Reuse the creation tasks and change state from present to absent.
- Detach or delete policies before deleting the user, group or role they are attached to.
- Remove a group's members before deleting the group.
- Delete the user's login profile and access keys, if any, before deleting the user.
Why all of this? Deleting programmatically is not as forgiving as the console: the IAM API refuses to delete a user, group or role that still has attachments. The console only looks simpler because it removes those dependencies for you behind the scenes, while the CLI and the Ansible modules make you do it explicitly.
All it takes is three steps.
1. Access Key of All Users
We created six users in total and every one of them has an access key, so the keys have to go before the users do. The delete access key task needs the access key ID of each user. Remember the file named key_list.txt
that holds every user's access key ID and secret access key. You can copy the IDs straight from that file, or run the following optional task to pull out just the UserName and AccessKeyId lines. Treat that file as a credential store: it contains live long-term secrets, so delete it once the keys have been revoked.
- name: list user's key
  # grep keeps only the UserName / AccessKeyId lines and sed drops the trailing comma.
  # awk is left out on purpose: awk "{ print $2 }" inside double quotes has $2
  # expanded by the shell, so it printed whole lines anyway.
  shell: grep -E 'UserName|AccessKeyId' key_list.txt | sed 's/,$//'
  register: output_key
  tags:
    - iam_user_key_list

- debug:
    var: output_key.stdout_lines
  tags:
    - iam_user_key_list
$ ansible-playbook -i host.yml iam.yml -t iam_user_key_list
PLAY [iam] *********************************************************************
TASK [list user's key] *********************************************************
changed: [localhost]
TASK [debug] *******************************************************************
ok: [localhost] => {
    "output_key.stdout_lines": [
        " \"UserName\": \"nurul\"",
        " \"AccessKeyId\": \"AKIAZ44MXOFLL5MRZWON\"",
        " \"UserName\": \"rama\"",
        " \"AccessKeyId\": \"AKIAZ44MXOFLL36LYJKV\"",
        " \"UserName\": \"beny\"",
        " \"AccessKeyId\": \"AKIAZ44MXOFLCMV33DHV\"",
        " \"UserName\": \"rahman\"",
        " \"AccessKeyId\": \"AKIAZ44MXOFLDJASSSVD\"",
        " \"UserName\": \"aira\"",
        " \"AccessKeyId\": \"AKIAZ44MXOFLNSZ6RO3F\"",
        " \"UserName\": \"daffa\"",
        " \"AccessKeyId\": \"AKIAZ44MXOFLB6U2TTEU\""
    ]
}
2. Create deletion tasks
Note: update the access key IDs in the delete user's key task to the ones your key_list.txt reports. The two command tasks call the AWS CLI directly, so they are not idempotent: a second run fails once the login profile or key is already gone. Also, Ansible echoes every loop item in its output, as the run below shows for the passwords carried over from the creation loop; put no_log: true on any task whose items hold secrets.
- name: remove all managed policies from role
  community.aws.iam_role:
    name: "{{ item.name }}"
    assume_role_policy_document: "{{ item.file }}"
    managed_policies: []          # empty list plus the default purge detaches everything
  loop:
    - { name: IAM_Policy, file: "{{ lookup('file','role_policy.json') }}" }
  tags:
    - iam_deletion

- name: delete role
  community.aws.iam_role:
    name: "{{ item.name }}"
    assume_role_policy_document: "{{ item.file }}"
    state: absent
  loop:
    - { name: IAM, file: "{{ lookup('file','role_policy.json') }}" }
    - { name: IAM_Policy, file: "{{ lookup('file','role_policy.json') }}" }
  tags:
    - iam_deletion

- name: remove all group members from group with policy attached
  community.aws.iam_group:
    name: "{{ item.name }}"
    managed_policies: "{{ item.policy }}"   # keep the policy for now, only the members are purged
    purge_users: true
    state: present
  loop:
    - { name: "{{ group3 }}", policy: arn:aws:iam::aws:policy/IAMReadOnlyAccess }
    - { name: "{{ group1 }}", policy: arn:aws:iam::01234567890:policy/IAMGetUser_Only }   # use your own account ID
  tags:
    - iam_deletion

- name: remove all policies from group
  community.aws.iam_group:
    name: "{{ item.name }}"
    purge_policies: true
    state: present
  loop:
    - { name: "{{ group1 }}" }
    - { name: "{{ group2 }}" }
    - { name: "{{ group3 }}" }
  tags:
    - iam_deletion

- name: remove all policies from user
  community.aws.iam_user:
    name: "{{ item.name }}"
    purge_policies: true
    state: present
  loop:
    - { name: "{{ user5 }}" }
    - { name: "{{ user3 }}" }
  tags:
    - iam_deletion

- name: delete inline policy
  community.aws.iam_policy:
    iam_type: user
    iam_name: "{{ item.user }}"
    policy_name: "{{ item.name }}"
    state: absent
  loop:
    - { name: IAMListUsers_Roles, user: "{{ user6 }}" }
  tags:
    - iam_deletion

- name: delete managed policy
  community.aws.iam_managed_policy:
    policy_name: "{{ item.name }}"
    state: absent
  loop:
    - { name: IAMGetUser_Only }
  tags:
    - iam_deletion

- name: delete user's login profile
  command: aws iam delete-login-profile --user-name "{{ item.name }}"
  loop:
    - { name: "{{ user1 }}" }
    - { name: "{{ user2 }}" }
    - { name: "{{ user3 }}" }
    - { name: "{{ user4 }}" }
  tags:
    - iam_deletion

- name: delete user's key
  command: aws iam delete-access-key --user-name "{{ item.name }}" --access-key-id "{{ item.key }}"
  loop:
    - { name: "{{ user1 }}", key: AKIAZ44MXOFLL5MRZWON }
    - { name: "{{ user2 }}", key: AKIAZ44MXOFLL36LYJKV }
    - { name: "{{ user3 }}", key: AKIAZ44MXOFLCMV33DHV }
    - { name: "{{ user4 }}", key: AKIAZ44MXOFLDJASSSVD }
    - { name: "{{ user5 }}", key: AKIAZ44MXOFLNSZ6RO3F }
    - { name: "{{ user6 }}", key: AKIAZ44MXOFLB6U2TTEU }
  tags:
    - iam_deletion

- name: delete all users
  community.aws.iam_user:
    name: "{{ item }}"
    state: absent
  loop:
    - "{{ user1 }}"
    - "{{ user2 }}"
    - "{{ user3 }}"
    - "{{ user4 }}"
    - "{{ user5 }}"
    - "{{ user6 }}"
  tags:
    - iam_deletion

- name: delete all groups
  community.aws.iam_group:
    name: "{{ item }}"
    state: absent
  loop:
    - "{{ group1 }}"
    - "{{ group2 }}"
    - "{{ group3 }}"
  tags:
    - iam_deletion
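The ordering rules behind steps 1 and 2, as an added example in Python rather than code from this post: a planner that derives the whole sequence of IAM API calls from an inventory of what Parts 2 to 5 created, and that reads the access key IDs out of key_list.txt instead of hard-coding them in the task. The inventory and the key_list.txt sample are constructed, the account ID is fake, and the method names are those of the boto3 IAM client, so execute() could be handed boto3.client("iam"); here it runs against a recording stand-in so the whole thing works offline.

```python
"""Dependency-ordered IAM teardown (added example, not the post's own code).
Inventory and key_list.txt sample are constructed; method names are those of
boto3.client("iam"), so a real client can be passed to execute()."""
import re

# Constructed key_list.txt: concatenated `aws iam create-access-key` output.
SAMPLE_KEY_LIST = (
    '{"AccessKey": {"UserName": "nurul", "AccessKeyId": "AKIAEXAMPLE000000001",\n'
    '               "SecretAccessKey": "constructed-secret-1"}}\n'
    '{"AccessKey": {"UserName": "aira", "AccessKeyId": "AKIAEXAMPLE000000002",\n'
    '               "SecretAccessKey": "constructed-secret-2"}}\n'
)
_FIELD = re.compile(r'"(UserName|AccessKeyId)":\s*"([^"]+)"')

def parse_key_list(text):
    """Return (user, access_key_id) pairs in file order; secrets are never read."""
    pairs, user = [], None
    for m in _FIELD.finditer(text):
        if m.group(1) == "UserName":
            user = m.group(2)
        elif user is not None:  # AccessKeyId that follows a UserName
            pairs.append((user, m.group(2)))
            user = None
    return pairs

# Constructed inventory in the shape Parts 2-5 build (fake account ID).
AWS_MANAGED = "arn:aws:iam::aws:policy/IAMReadOnlyAccess"
CUSTOM = "arn:aws:iam::123456789012:policy/IAMGetUser_Only"
INVENTORY = {
    "roles": {"IAM_Policy": {"managed": [AWS_MANAGED], "inline": []}},
    "groups": {
        "developer": {"members": ["nurul"], "managed": [CUSTOM], "inline": []},
        "engineer": {"members": ["aira"], "managed": [AWS_MANAGED], "inline": []},
    },
    "users": {
        "nurul": {"login_profile": True, "managed": [], "inline": []},
        "aira": {"login_profile": False, "managed": [AWS_MANAGED], "inline": ["IAMListUsers_Roles"]},
    },
    "policies": {"IAMGetUser_Only": {"arn": CUSTOM, "non_default_versions": ["v2"]}},
}

def plan_teardown(inv, user_keys):
    """Return (method, kwargs) calls ordered so nothing is deleted while it still has dependencies."""
    plan, keys_by_user = [], {}
    for user, key_id in user_keys:
        keys_by_user.setdefault(user, []).append(key_id)
    # 1. Roles: policies off, then the role (DeleteRole fails while any are attached).
    for role, r in inv["roles"].items():
        for arn in r["managed"]:
            plan.append(("detach_role_policy", {"RoleName": role, "PolicyArn": arn}))
        for name in r["inline"]:
            plan.append(("delete_role_policy", {"RoleName": role, "PolicyName": name}))
        plan.append(("delete_role", {"RoleName": role}))
    # 2. Groups: members and policies off now; DeleteGroup itself waits until users are gone.
    for group, g in inv["groups"].items():
        for user in g["members"]:
            plan.append(("remove_user_from_group", {"GroupName": group, "UserName": user}))
        for arn in g["managed"]:
            plan.append(("detach_group_policy", {"GroupName": group, "PolicyArn": arn}))
        for name in g["inline"]:
            plan.append(("delete_group_policy", {"GroupName": group, "PolicyName": name}))
    # 3. Users: policies, console password and every key, then the user (MFA devices,
    #    SSH keys and signing certificates block DeleteUser too; not modelled here).
    for user, u in inv["users"].items():
        for name in u["inline"]:
            plan.append(("delete_user_policy", {"UserName": user, "PolicyName": name}))
        for arn in u["managed"]:
            plan.append(("detach_user_policy", {"UserName": user, "PolicyArn": arn}))
        if u["login_profile"]:
            plan.append(("delete_login_profile", {"UserName": user}))
        for key_id in keys_by_user.get(user, []):
            plan.append(("delete_access_key", {"UserName": user, "AccessKeyId": key_id}))
        plan.append(("delete_user", {"UserName": user}))
    # 4. Customer-managed policies: after every detach, and DeletePolicy also refuses
    #    while non-default versions still exist.
    for p in inv["policies"].values():
        for version_id in p["non_default_versions"]:
            plan.append(("delete_policy_version", {"PolicyArn": p["arn"], "VersionId": version_id}))
        plan.append(("delete_policy", {"PolicyArn": p["arn"]}))
    # 5. Groups last, now that they are empty.
    for group in inv["groups"]:
        plan.append(("delete_group", {"GroupName": group}))
    return plan

class RecordingClient:
    """Stand-in for boto3.client("iam") that only records the calls it receives."""
    def __init__(self):
        self.calls = []
    def __getattr__(self, method):
        return lambda **kwargs: self.calls.append((method, kwargs))

def execute(plan, client):
    """Run the plan against anything exposing boto3 IAM method names; returns the call count."""
    for method, kwargs in plan:
        getattr(client, method)(**kwargs)
    return len(plan)

if __name__ == "__main__":
    for method, kwargs in plan_teardown(INVENTORY, parse_key_list(SAMPLE_KEY_LIST)):
        print(f"{method:24s} {kwargs}")
```

Running it prints the plan; each line is the boto3 call that the matching Ansible task or aws iam command above makes, in the order the API insists on. Before pointing it at a real account, the inventory would be discovered at run time (list_access_keys, list_attached_user_policies and so on) rather than written by hand, which is also what removes the need to paste key IDs into the playbook.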
3. Run the Playbook
$ ansible-playbook -i host.yml iam.yml -t iam_deletion
PLAY [iam] *********************************************************************
TASK [remove all managed policies from role] ***********************************
changed: [localhost] => (item={'name': 'IAM_Policy', 'file': {'Version': '2012-10-17', 'Statement': [{'Effect': 'Allow', 'Action': 'sts:AssumeRole', 'Principal': {'AWS': 'arn:aws:iam::680510583126:user/aira'}}]}})
TASK [delete role] *************************************************************
changed: [localhost] => (item={'name': 'IAM', 'file': '{\n "Version": "2012-10-17",\n "Statement": [\n {\n "Effect": "Allow",\n "Action": "sts:AssumeRole",\n "Principal": { "AWS": "arn:aws:iam::"{{ role_account_id }}":user/"{{ role_user }}"" },\n }\n ]\n}'})
changed: [localhost] => (item={'name': 'IAM_Policy', 'file': '{\n "Version": "2012-10-17",\n "Statement": [\n {\n "Effect": "Allow",\n "Action": "sts:AssumeRole",\n "Principal": { "AWS": "arn:aws:iam::"{{ role_account_id }}":user/"{{ role_user }}"" },\n }\n ]\n}'})
TASK [remove all group members from group with policy attached] ****************
changed: [localhost] => (item={'name': 'engineer', 'policy': 'arn:aws:iam::aws:policy/IAMReadOnlyAccess'})
changed: [localhost] => (item={'name': 'developer', 'policy': 'arn:aws:iam::680510583126:policy/IAMGetUser_Only'})
TASK [remove all policies from group] ******************************************
changed: [localhost] => (item={'name': 'developer'})
changed: [localhost] => (item={'name': 'programmer'})
changed: [localhost] => (item={'name': 'engineer'})
TASK [remove all policies from user] *******************************************
changed: [localhost] => (item={'name': 'aira'})
changed: [localhost] => (item={'name': 'beny'})
TASK [delete inline policy] ****************************************************
changed: [localhost] => (item={'name': 'IAMListUsers_Roles', 'user': 'daffa'})
TASK [delete managed policy] ***************************************************
changed: [localhost] => (item={'name': 'IAMGetUser_Only'})
TASK [delete user's login profile] *********************************************
changed: [localhost] => (item={'name': 'nurul', 'pass': 'passwordup2U!'})
changed: [localhost] => (item={'name': 'rama', 'pass': 'passwordup2U!'})
changed: [localhost] => (item={'name': 'beny', 'pass': 'passwordup2U!'})
changed: [localhost] => (item={'name': 'rahman', 'pass': 'passwordup2U!'})
TASK [delete user's key] *******************************************************
changed: [localhost] => (item={'name': 'nurul', 'key': 'AKIAZ44MXOFLL5MRZWON'})
changed: [localhost] => (item={'name': 'rama', 'key': 'AKIAZ44MXOFLL36LYJKV'})
changed: [localhost] => (item={'name': 'beny', 'key': 'AKIAZ44MXOFLCMV33DHV'})
changed: [localhost] => (item={'name': 'rahman', 'key': 'AKIAZ44MXOFLDJASSSVD'})
changed: [localhost] => (item={'name': 'aira', 'key': 'AKIAZ44MXOFLNSZ6RO3F'})
changed: [localhost] => (item={'name': 'daffa', 'key': 'AKIAZ44MXOFLB6U2TTEU'})
TASK [delete all users] ********************************************************
changed: [localhost] => (item=nurul)
changed: [localhost] => (item=rama)
changed: [localhost] => (item=beny)
changed: [localhost] => (item=rahman)
changed: [localhost] => (item=aira)
changed: [localhost] => (item=daffa)
TASK [delete all groups] *******************************************************
changed: [localhost] => (item=developer)
changed: [localhost] => (item=programmer)
changed: [localhost] => (item=engineer)
That's a wrap! Thanks for following this whole series. Follow me to get notified when I publish a new post. Thank you.