I tried to delete a user like this:

- name: "Remove user abc"
  iam_user:
    name: abc
    state: absent

It gave me the following error:
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: DeleteConflictException: An error occurred (DeleteConflict) when calling the DeleteUser operation: Cannot delete entity, must delete access keys first.
fatal: [localhost]: FAILED! => {
    "changed": false,
    "error": {
        "code": "DeleteConflict",
        "message": "Cannot delete entity, must delete access keys first.",
        "type": "Sender"
    },
    "response_metadata": {
        "http_headers": {
            "content-length": "298",
            "content-type": "text/xml",
            "date": "Thu, 12 Jul 2018 20:53:02 GMT",
            "x-amzn-requestid": "91913df0-8615-11e8-b3e7-b16567885120"
        },
        "http_status_code": 409,
        "request_id": "91913df0-8615-11e8-b3e7-b16567885120",
        "retry_attempts": 0
    }
}
msg:
Unable to delete user intelerad-billing-mzhao-client-creator-user: An error occurred (DeleteConflict) when calling the DeleteUser operation: Cannot delete entity, must delete access keys first.

It seems there isn't even a module for deleting access keys.
Any hints?
Answer 0 (score: 3)

The AWS IAM API is quite picky about user deletion. Deletion can be blocked if the user has access keys assigned, or if the user's login profile does not exist.
Interestingly, Ansible has two modules that can delete users, iam and iam_user, but one errors on access keys and the other errors on a non-existent login profile.
So let's fall back to the AWS CLI.
This playbook works for me to create and delete a user with keys.
---
- name: Create / Delete IAM user with keys
  hosts: localhost
  connection: local
  vars:
    username: foo
  tasks:
    - name: Create user with keys
      iam:
        iam_type: user
        name: "{{ username }}"
        state: present
        access_key_state: create
        key_count: 2
    - name: Get all the access keys
      shell: aws iam list-access-keys --user-name {{ username }} --query 'AccessKeyMetadata[*].AccessKeyId'
      register: access_key_list
    - name: Delete each key
      shell: aws iam delete-access-key --access-key-id {{ item }} --user-name {{ username }}
      loop: "{{ access_key_list.stdout | from_json }}"
    - name: Delete user
      iam_user:
        name: "{{ username }}"
        state: absent

Note that the delete task uses iam_user. That is because plain iam will error if the user's login profile does not exist.
Hope this helps!
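The same dependency order the answer's playbook enforces (list and delete the access keys, tolerate a missing login profile, then delete the user) can be expressed as one idempotent routine. The code below is an added example, not part of the question or answer and not Ansible's or AWS's code. It calls boto3-style IAM client method names (list_access_keys, delete_access_key, delete_login_profile, delete_user), so a real boto3.client("iam") can be passed in, but it ships with a constructed in-memory FakeIAM that reproduces the two failure modes from the thread so it runs offline. Key ids and user names are constructed sample values. Real IAM also refuses DeleteUser while other attachments remain (group memberships, attached policies, MFA devices, signing certificates, SSH public keys); those are outside this example.

```python
"""Delete an IAM user only after its blocking dependencies are gone (example)."""


class ClientError(Exception):
    """Constructed stand-in for botocore.exceptions.ClientError: same .response shape."""

    def __init__(self, code, message):
        super().__init__(f"{code}: {message}")
        self.response = {"Error": {"Code": code, "Message": message}}


class FakeIAM:
    """Constructed in-memory IAM mimicking the DeleteConflict / NoSuchEntity behaviour."""

    def __init__(self, users):
        # users: {username: {"keys": [access key ids], "login_profile": bool}}
        self.users = users
        self.calls = []  # record of mutating calls, in order

    def _require(self, name):
        if name not in self.users:
            raise ClientError("NoSuchEntity", f"The user with name {name} cannot be found.")

    def list_access_keys(self, UserName):
        self._require(UserName)
        return {"AccessKeyMetadata": [
            {"UserName": UserName, "AccessKeyId": k, "Status": "Active"}
            for k in self.users[UserName]["keys"]]}

    def delete_access_key(self, UserName, AccessKeyId):
        self._require(UserName)
        self.users[UserName]["keys"].remove(AccessKeyId)
        self.calls.append(("delete_access_key", AccessKeyId))

    def delete_login_profile(self, UserName):
        self._require(UserName)
        if not self.users[UserName]["login_profile"]:
            # This is what makes the plain `iam` module fail, per the answer.
            raise ClientError("NoSuchEntity", f"Login Profile for User {UserName} cannot be found.")
        self.users[UserName]["login_profile"] = False
        self.calls.append(("delete_login_profile", UserName))

    def delete_user(self, UserName):
        self._require(UserName)
        if self.users[UserName]["keys"]:
            # The error from the question.
            raise ClientError("DeleteConflict", "Cannot delete entity, must delete access keys first.")
        del self.users[UserName]
        self.calls.append(("delete_user", UserName))


def error_code(exc):
    """Extract the IAM error code from a boto-style exception, or None if it is not one."""
    response = getattr(exc, "response", None)
    if not isinstance(response, dict):
        return None
    return response.get("Error", {}).get("Code")


def delete_user_with_dependencies(iam, username):
    """Remove access keys and login profile first, then the user.

    Returns the list of deleted access key ids, or None if the user was already absent
    (so repeated runs are safe, like state: absent in Ansible).
    """
    try:
        keys = iam.list_access_keys(UserName=username)["AccessKeyMetadata"]
    except Exception as exc:
        if error_code(exc) == "NoSuchEntity":
            return None
        raise
    deleted = []
    for key in keys:  # keys must go before DeleteUser or it raises DeleteConflict
        iam.delete_access_key(UserName=username, AccessKeyId=key["AccessKeyId"])
        deleted.append(key["AccessKeyId"])
    try:
        iam.delete_login_profile(UserName=username)
    except Exception as exc:
        if error_code(exc) != "NoSuchEntity":  # a missing console password is fine
            raise
    iam.delete_user(UserName=username)
    return deleted


if __name__ == "__main__":
    fake = FakeIAM({"foo": {"keys": ["AKIAEXAMPLEKEY00001", "AKIAEXAMPLEKEY00002"],
                            "login_profile": False}})
    print(delete_user_with_dependencies(fake, "foo"))
    print(delete_user_with_dependencies(fake, "foo"))  # already gone -> None
```

Because the routine lists the keys at run time rather than trusting a stored count, it also handles users whose keys were created outside the playbook, which the `key_count: 2` approach in the answer does not need to know about.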