无法删除带有Boto3的AWS角色策略-NoSuchEntity

Question

我无法从Boto3的AWS账户中删除角色策略。我收到错误消息：

botocore.errorfactory.NoSuchEntityException：调用DeleteRolePolicy操作时发生错误（NoSuchEntity）：找不到名称为potatoman9000Policy的角色策略。

在同一脚本中创建和删除策略和角色。在此特定的代码位出现之前，将分离策略。我不确定为什么它会找到策略名称。

这是创作物：

# Create IAM policy and Role
def iam_creation(client_name):
    iam_client = boto3.client('iam')

    # Policy template
    client_onboarding_policy = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowListingOfUserFolder",
                "Action": [
                    "s3:ListBucket",
                    "s3:GetBucketLocation"
                ],
                "Effect": "Allow",
                "Resource": [
                    f"arn:aws:s3:::{client_name}"
                ]
            },
            {
                "Sid": "HomeDirObjectAccess",
                "Effect": "Allow",
                "Action": [
                    "s3:PutObject",
                    "s3:GetObject",
                    "s3:DeleteObjectVersion",
                    "s3:DeleteObject",
                    "s3:GetObjectVersion"
                    ],
                    "Resource": f"arn:aws:s3:::{client_name}/*"
            }
        ]
    }

    # Role template
    role_onboarding_policy = {
        "Version": "2012-10-17",
        "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "transfer.amazonaws.com",
                    "s3.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole"
        }
        ]
    }

    # Create policy from template
    iam_client.create_policy(
        PolicyName=f'{client_name}Policy',
        PolicyDocument=json.dumps(client_onboarding_policy)
    )

    # Create Role from template and create trust relationships
    iam_client.create_role(
        RoleName=f'{client_name}',
        AssumeRolePolicyDocument=json.dumps(role_onboarding_policy)
    )

    # Attach created policy to created role
    iam_client.attach_role_policy(
        PolicyArn=f'arn:aws:iam::111111111111:policy/{client_name}Policy',
        RoleName=f'{client_name}'
    )

创建顺利进行，没有任何问题。这是删除

# Delete IAM policy and role
def iam_delete(client_name):
    iam_client = boto3.client('iam')
    iam_resource = boto3.resource('iam')
    role_policy = iam_resource.RolePolicy(f'{client_name}', f'{client_name}Policy')
    role = iam_resource.Role(f'{client_name}')

    # Detach policy from role
    iam_client.detach_role_policy(
        PolicyArn=f'arn:aws:iam::111111111111:policy/{client_name}Policy',
        RoleName=f'{client_name}'
    )

    # Delete policy
    role_policy.delete()

    # Delete role
    role.delete()

我想这与我命名角色策略或未命名角色策略有关。我已经确认IAM中确实存在角色potatoman9000以及策略potatoman9000Policy。任何帮助将不胜感激

Answer 1

RolePolicy适用于内联策略，而非托管策略。

调用delete时，它会出错，因为您正在使用托管策略。 来自有关delete的文档：

删除嵌入在指定IAM角色中的指定内联策略。

要删除托管策略，您应该使用delete_policy。

删除指定的托管策略。