Merge pull request openshift#7180 from sadasu/aws-sts-uninstall

openshift-merge-robot · web-flow · commit 484aeec0dcf8 · 2023-05-26T14:46:00.000-04:00
OCPBUGS-1769: Ignore IAM Roles that the Installer is not authorized to access
diff --git a/pkg/destroy/aws/iamhelpers.go b/pkg/destroy/aws/iamhelpers.go
@@ -2,6 +2,7 @@ package aws
 
 import (
 	"context"
+	"strings"
 
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/arn"
@@ -13,11 +14,6 @@ import (
 	"k8s.io/apimachinery/pkg/util/sets"
 )
 
-const (
-	// ErrCodeAccessDeniedException is the access denied error code returned by IAM.
-	ErrCodeAccessDeniedException = "AccessDeniedException"
-)
-
 type iamRoleSearch struct {
 	client    *iam.IAM
 	filters   []Filter
@@ -46,10 +42,14 @@ func (search *iamRoleSearch) find(ctx context.Context) (arns []string, names []s
 				if err != nil {
 					var awsErr awserr.Error
 					if errors.As(err, &awsErr) {
-						switch awsErr.Code() {
-						case ErrCodeAccessDeniedException, iam.ErrCodeNoSuchEntityException:
-							// Installer does not have access to this IAM role or the
-							// the role does not exist.
+						switch {
+						case awsErr.Code() == iam.ErrCodeNoSuchEntityException:
+							// The role does not exist.
+							// Ignore this IAM Role and donot report this error via
+							// lastError
+							search.unmatched[*role.Arn] = exists
+						case strings.Contains(err.Error(), "AccessDenied"):
+							// Installer does not have access to this IAM role
 							// Ignore this IAM Role and donot report this error via
 							// lastError
 							search.unmatched[*role.Arn] = exists
