[aws-issue] cannot delete opsworks stack

Question

# Motivation
We want to cleanup some unused stacks in OpsWorks.

# Steps to reproduce the issue
## Problem
The IAM roles for the target stacks were somehow deleted. The missing IAM role is blocking the stack from being deleted.

> Error: The IAM role for this stack is missing

We attempted to fix the issue by recreating the role, but the issue still persists.

# Attempted Resolution
## IAM 
1. Roles
2. Create Role
3. AWS service 
4. Select appropriate polices
5. Name the role matching the missing one

## OpsWorks 
### Verify role is bound to the stack 
1. select the target stack
2. stack settings
3. Advanced options
4. click on the IAM role to verify it exists [PASSED]

### Delete the stack 
1. Select delete stack
2. Stop all instances [FAILED]

> Error: The IAM role for this stack is missing

We also attempted to attach AdminAccess policy to the role to rule out permissions but issue still persists

Answer

## Update
So the `instance profile` was missing permissions, it wasn't the stack, though the error is still misleading

Answer

Did you also add the trust policy to the role when you recreated it? If the role exists without the trust policy, the OpsWorks service will not be able to assume the role.

From: https://docs.aws.amazon.com/opsworks/latest/userguide/opsworks-security-servicerole.html
```
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "StsAssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": "opsworks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

Answer

Sounds like the approach I would take...   Curious to know if you have you tried this method?  https://aws.amazon.com/premiumsupport/knowledge-center/cloudformation-stack-delete-failed/

[aws-issue] cannot delete opsworks stack

Motivation

Steps to reproduce the issue

Problem

Attempted Resolution

IAM

OpsWorks

Verify role is bound to the stack

Delete the stack

Update

相關內容