This repository has been archived by the owner on Oct 15, 2024. It is now read-only.
fix: skip kms keys if describe is disallowed #1248
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
43 tasks
|
@mKeRix this has been implemented via ekristen/aws-nuke#260 - this is now the active fork of aws-nuke. This project has now been deprecated in favor of this fork. Sven kindly granted me access to directly answer and close pull requests and issues so that we can notify users if their issues have been addressed or not. Please see the welcome issue for more information. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
We noticed that aws-nuke will abort listing KMS keys if it does not have permissions to read one of them, which means that a single key with a key policy that does not allow reading is all it takes for all keys to not be nuked anymore. This change updates the behavior so that these keys will be skipped, allowing other keys to still be nuked. This is done because it can be intentional that some keys will not be readable by their key policy, and aws-nuke should be able to handle that.