
Commit 37651b4

paginate access keys (#90)
* paginate access keys — there's a limit of two per user, but this is based on PR feedback * add pagination to all lists calls in delete iam user --------- Co-authored-by: agustin-conductor <agustin.sosa@conductorone.com>
1 parent 0d35d69 commit 37651b4

1 file changed

+98
-35
lines changed


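--- a/pkg/connector/iam_user.go
+++ b/pkg/connector/iam_user.go
@@ -338,41 +338,68 @@ func (o *iamUserResourceType) Delete(ctx context.Context, resourceId *v2.Resourc
 
 // Delete all access keys
 // Permission needed: iam:ListAccessKeys, iam:DeleteAccessKey
-keys, err := iamClient.ListAccessKeys(ctx, &iam.ListAccessKeysInput{UserName: awsStringUserName})
-if err != nil {
-return nil, fmt.Errorf("aws-connector: failed to list access keys: %w", err)
+listKeysInput := &iam.ListAccessKeysInput{UserName: awsStringUserName}
+accessKeyMetadata := make([]iamTypes.AccessKeyMetadata, 0)
+for {
+keys, err := iamClient.ListAccessKeys(ctx, listKeysInput)
+if err != nil {
+return nil, fmt.Errorf("aws-connector: failed to list access keys: %w", err)
+}
+accessKeyMetadata = append(accessKeyMetadata, keys.AccessKeyMetadata...)
+if keys.Marker == nil || len(*keys.Marker) == 0 {
+break
+}
+listKeysInput.Marker = keys.Marker
 }
 
-for _, key := range keys.AccessKeyMetadata {
-_, err = iamClient.DeleteAccessKey(ctx, &iam.DeleteAccessKeyInput{UserName: awsStringUserName, AccessKeyId: awsSdk.String(awsSdk.ToString(key.AccessKeyId))})
+for _, key := range accessKeyMetadata {
+_, err = iamClient.DeleteAccessKey(ctx, &iam.DeleteAccessKeyInput{UserName: awsStringUserName, AccessKeyId: key.AccessKeyId})
 if err != nil {
 return nil, fmt.Errorf("aws-connector: failed to delete access key: %w", err)
 }
 }
 
 // Delete all signing certificates
 // Permission needed: iam:ListSigningCertificates, iam:DeleteSigningCertificate
-certificates, err := iamClient.ListSigningCertificates(ctx, &iam.ListSigningCertificatesInput{UserName: awsStringUserName})
-if err != nil {
-return nil, fmt.Errorf("aws-connector: failed to list signing certificates: %w", err)
+listCertificatesInput := &iam.ListSigningCertificatesInput{UserName: awsStringUserName}
+certificates := make([]iamTypes.SigningCertificate, 0)
+for {
+certs, err := iamClient.ListSigningCertificates(ctx, listCertificatesInput)
+if err != nil {
+return nil, fmt.Errorf("aws-connector: failed to list signing certificates: %w", err)
+}
+certificates = append(certificates, certs.Certificates...)
+if certs.Marker == nil || len(*certs.Marker) == 0 {
+break
+}
+listCertificatesInput.Marker = certs.Marker
 }
 
-for _, certificate := range certificates.Certificates {
-_, err = iamClient.DeleteSigningCertificate(ctx, &iam.DeleteSigningCertificateInput{UserName: awsStringUserName, CertificateId: awsSdk.String(awsSdk.ToString(certificate.CertificateId))})
+for _, certificate := range certificates {
+_, err = iamClient.DeleteSigningCertificate(ctx, &iam.DeleteSigningCertificateInput{UserName: awsStringUserName, CertificateId: certificate.CertificateId})
 if err != nil {
 return nil, fmt.Errorf("aws-connector: failed to delete signing certificate: %w", err)
 }
 }
 
 // Delete all SSH public keys
 // Permission needed: iam:ListSSHPublicKeys, iam:DeleteSSHPublicKey
-sshKeys, err := iamClient.ListSSHPublicKeys(ctx, &iam.ListSSHPublicKeysInput{UserName: awsStringUserName})
-if err != nil {
-return nil, fmt.Errorf("aws-connector: failed to list SSH public keys: %w", err)
+listSSHKeysInput := &iam.ListSSHPublicKeysInput{UserName: awsStringUserName}
+sshKeys := make([]iamTypes.SSHPublicKeyMetadata, 0)
+for {
+keys, err := iamClient.ListSSHPublicKeys(ctx, listSSHKeysInput)
+if err != nil {
+return nil, fmt.Errorf("aws-connector: failed to list SSH public keys: %w", err)
+}
+sshKeys = append(sshKeys, keys.SSHPublicKeys...)
+if keys.Marker == nil || len(*keys.Marker) == 0 {
+break
+}
+listSSHKeysInput.Marker = keys.Marker
 }
 
-for _, key := range sshKeys.SSHPublicKeys {
-_, err = iamClient.DeleteSSHPublicKey(ctx, &iam.DeleteSSHPublicKeyInput{UserName: awsStringUserName, SSHPublicKeyId: awsSdk.String(awsSdk.ToString(key.SSHPublicKeyId))})
+for _, key := range sshKeys {
+_, err = iamClient.DeleteSSHPublicKey(ctx, &iam.DeleteSSHPublicKeyInput{UserName: awsStringUserName, SSHPublicKeyId: key.SSHPublicKeyId})
 if err != nil {
 return nil, fmt.Errorf("aws-connector: failed to delete SSH public key: %w", err)
 }
@@ -390,7 +417,7 @@ func (o *iamUserResourceType) Delete(ctx context.Context, resourceId *v2.Resourc
 ctx,
 &iam.DeleteServiceSpecificCredentialInput{
 UserName: awsStringUserName,
-ServiceSpecificCredentialId: awsSdk.String(awsSdk.ToString(credential.ServiceSpecificCredentialId)),
+ServiceSpecificCredentialId: credential.ServiceSpecificCredentialId,
 },
 )
 if err != nil {
@@ -400,26 +427,44 @@ func (o *iamUserResourceType) Delete(ctx context.Context, resourceId *v2.Resourc
 
 // If user has MFA, deactivate them
 // Permission needed: iam:ListMFADevices, iam:DeactivateMFADevice
-mfaDevices, err := iamClient.ListMFADevices(ctx, &iam.ListMFADevicesInput{UserName: awsStringUserName})
-if err != nil {
-return nil, fmt.Errorf("aws-connector: failed to list MFA devices: %w", err)
+listMFADevicesInput := &iam.ListMFADevicesInput{UserName: awsStringUserName}
+mfaDevices := make([]iamTypes.MFADevice, 0)
+for {
+devices, err := iamClient.ListMFADevices(ctx, listMFADevicesInput)
+if err != nil {
+return nil, fmt.Errorf("aws-connector: failed to list MFA devices: %w", err)
+}
+mfaDevices = append(mfaDevices, devices.MFADevices...)
+if devices.Marker == nil || len(*devices.Marker) == 0 {
+break
+}
+listMFADevicesInput.Marker = devices.Marker
 }
 
-for _, device := range mfaDevices.MFADevices {
-_, err = iamClient.DeactivateMFADevice(ctx, &iam.DeactivateMFADeviceInput{UserName: awsStringUserName, SerialNumber: awsSdk.String(awsSdk.ToString(device.SerialNumber))})
+for _, device := range mfaDevices {
+_, err = iamClient.DeactivateMFADevice(ctx, &iam.DeactivateMFADeviceInput{UserName: awsStringUserName, SerialNumber: device.SerialNumber})
 if err != nil {
 return nil, fmt.Errorf("aws-connector: failed to deactivate MFA device: %w", err)
 }
 }
 
 // Delete users inline policies
 // Permission needed: iam:ListUserPolicies, iam:DeleteUserPolicy
-userPolicies, err := iamClient.ListUserPolicies(ctx, &iam.ListUserPoliciesInput{UserName: awsStringUserName})
-if err != nil {
-return nil, fmt.Errorf("aws-connector: failed to list user policies: %w", err)
+listUserPoliciesInput := &iam.ListUserPoliciesInput{UserName: awsStringUserName}
+userPolicies := make([]string, 0)
+for {
+policies, err := iamClient.ListUserPolicies(ctx, listUserPoliciesInput)
+if err != nil {
+return nil, fmt.Errorf("aws-connector: failed to list user policies: %w", err)
+}
+userPolicies = append(userPolicies, policies.PolicyNames...)
+if policies.Marker == nil || len(*policies.Marker) == 0 {
+break
+}
+listUserPoliciesInput.Marker = policies.Marker
 }
 
-for _, policy := range userPolicies.PolicyNames {
+for _, policy := range userPolicies {
 _, err = iamClient.DeleteUserPolicy(ctx, &iam.DeleteUserPolicyInput{UserName: awsStringUserName, PolicyName: awsSdk.String(policy)})
 if err != nil {
 return nil, fmt.Errorf("aws-connector: failed to delete user policy: %w", err)
@@ -428,27 +473,45 @@ func (o *iamUserResourceType) Delete(ctx context.Context, resourceId *v2.Resourc
 
 // List and detach all attached policies
 // Permission needed: iam:ListAttachedUserPolicies, iam:DetachUserPolicy
-attachedPolicies, err := iamClient.ListAttachedUserPolicies(ctx, &iam.ListAttachedUserPoliciesInput{UserName: awsStringUserName})
-if err != nil {
-return nil, fmt.Errorf("aws-connector: failed to list attached user policies: %w", err)
+listAttachedPoliciesInput := &iam.ListAttachedUserPoliciesInput{UserName: awsStringUserName}
+attachedPolicies := make([]iamTypes.AttachedPolicy, 0)
+for {
+policies, err := iamClient.ListAttachedUserPolicies(ctx, listAttachedPoliciesInput)
+if err != nil {
+return nil, fmt.Errorf("aws-connector: failed to list attached user policies: %w", err)
+}
+attachedPolicies = append(attachedPolicies, policies.AttachedPolicies...)
+if policies.Marker == nil || len(*policies.Marker) == 0 {
+break
+}
+listAttachedPoliciesInput.Marker = policies.Marker
 }
 
-for _, policy := range attachedPolicies.AttachedPolicies {
-_, err = iamClient.DetachUserPolicy(ctx, &iam.DetachUserPolicyInput{UserName: awsStringUserName, PolicyArn: awsSdk.String(awsSdk.ToString(policy.PolicyArn))})
+for _, policy := range attachedPolicies {
+_, err = iamClient.DetachUserPolicy(ctx, &iam.DetachUserPolicyInput{UserName: awsStringUserName, PolicyArn: policy.PolicyArn})
 if err != nil {
 return nil, fmt.Errorf("aws-connector: failed to detach user policy: %w", err)
 }
 }
 
 // Remove the user from any IAM groups
 // Permission needed: iam:ListGroupsForUser, iam:RemoveUserFromGroup
-userGroups, err := iamClient.ListGroupsForUser(ctx, &iam.ListGroupsForUserInput{UserName: awsStringUserName})
-if err != nil {
-return nil, fmt.Errorf("aws-connector: failed to list groups for user: %w", err)
+listUserGroupsInput := &iam.ListGroupsForUserInput{UserName: awsStringUserName}
+userGroups := make([]iamTypes.Group, 0)
+for {
+groups, err := iamClient.ListGroupsForUser(ctx, listUserGroupsInput)
+if err != nil {
+return nil, fmt.Errorf("aws-connector: failed to list groups for user: %w", err)
+}
+userGroups = append(userGroups, groups.Groups...)
+if groups.Marker == nil || len(*groups.Marker) == 0 {
+break
+}
+listUserGroupsInput.Marker = groups.Marker
 }
 
-for _, group := range userGroups.Groups {
-_, err = iamClient.RemoveUserFromGroup(ctx, &iam.RemoveUserFromGroupInput{UserName: awsStringUserName, GroupName: awsSdk.String(awsSdk.ToString(group.GroupName))})
+for _, group := range userGroups {
+_, err = iamClient.RemoveUserFromGroup(ctx, &iam.RemoveUserFromGroupInput{UserName: awsStringUserName, GroupName: group.GroupName})
 if err != nil {
 return nil, fmt.Errorf("aws-connector: failed to remove user from group: %w", err)
 }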
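Review bot: The seven new pagination loops (access keys, signing certificates, SSH keys, MFA devices, inline policies, attached policies, groups) stop on `Marker == nil || len(*Marker) == 0` instead of the `IsTruncated` flag IAM returns alongside `Marker`, and each repeats the same eleven-line shape; aws-sdk-go-v2 ships `iam.NewListAccessKeysPaginator` and a matching `NewList…Paginator` for each of the other calls, which own the marker bookkeeping and collapse each loop to a `HasMorePages`/`NextPage` pair, assuming `iamClient` is an `*iam.Client`. Each loop also gathers every page before its delete loop runs, so a list error on a later page returns before a single credential has been revoked; for a deprovisioning path it is safer to revoke each page as it arrives, as sketched below for access keys (the same shape applies to the other six). The `Delete` method begins before line 338 and continues past line 517, so the surrounding error handling and the service-specific-credential loop are not fully visible here.
```go
// … unchanged: earlier Delete steps …
// Delete all access keys
// Permission needed: iam:ListAccessKeys, iam:DeleteAccessKey
keysPaginator := iam.NewListAccessKeysPaginator(iamClient, &iam.ListAccessKeysInput{UserName: awsStringUserName})
for keysPaginator.HasMorePages() {
	keys, err := keysPaginator.NextPage(ctx)
	if err != nil {
		return nil, fmt.Errorf("aws-connector: failed to list access keys: %w", err)
	}
	// Revoke each page as it arrives so a failure on a later page does not leave every key in place.
	for _, key := range keys.AccessKeyMetadata {
		if _, err := iamClient.DeleteAccessKey(ctx, &iam.DeleteAccessKeyInput{UserName: awsStringUserName, AccessKeyId: key.AccessKeyId}); err != nil {
			return nil, fmt.Errorf("aws-connector: failed to delete access key: %w", err)
		}
	}
}
// … unchanged: signing certificates, SSH keys, MFA devices, policies and groups follow the same shape …
```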
