AWS CDK destroy无法删除机密

时间:2020-03-25 04:45:31

标签: amazon-web-services aws-cdk aws-secrets-manager

我有一个CDK脚本,可以创建S3存储桶,VPC和RDS实例。部署正在运行,但是销毁失败,并出现一个错误,提示我的用户无权使用secretsmanager:DeleteSecret

我使用了IAM策略测试工具进行检查并通过。我可以通过用户界面删除机密。但是,CDK destroy命令仍然失败。有什么想法吗?

CDK脚本:

class AcmeCdkStack extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // create a general purpose bucket for use with the app
    new s3.Bucket(this, 'app-bucket', {
      versioned: true
    });

    // create a vpc for our application
    const vpc = new ec2.Vpc(this, 'app-vpc, {
      cidr: "10.0.0.0/16",
    });

    // create a database instance
    const db = new rds.DatabaseInstance(this, `app-db`, {
      engine: rds.DatabaseInstanceEngine.POSTGRES,
      instanceClass: ec2.InstanceType.of(ec2.InstanceClass.T3, ec2.InstanceSize.MICRO),
      vpc,
      masterUsername: `dbadmin`,
      deleteAutomatedBackups: false,
      deletionProtection: false,
      // https://github.com/aws/aws-cdk/issues/4036
      removalPolicy: cdk.RemovalPolicy.DESTROY,
    });
  }
}

const app = new cdk.App();

new AcmeCdkStack(app, 'app-stack;);

错误:

User: arn:aws:iam::0000000000:user/user@acme.com is not authorized to perform: secretsmanager:DeleteSecret on resource: arn:aws:secretsmanager:us-east-1:0000000000:secret:appdbdemoSecret0261-mjgIXOsp5rLL-HxFng1 (Service: AWSSecretsManager; Status Code: 400; Error Code: AccessDeniedException; Request ID: 000000000)

1 个答案:

答案 0 :(得分:3)

根据评论,问题在于CDK使用的凭据与预期不同。解决方案是使用正确的AWS_PROFILE

相关问题
最新问题