Clean Up Cloud Identity¶
This guide will walk you through cleaning up the cloud identity resources of Rok.
Note

If you have already cleaned up Rok’s cloud identity, expand this note to fast-forward.

Choose one of the following options, based on your cloud provider:

AWS

Specify the IAM roles you have created for ExternalDNS, the AWS Load Balancer Controller and the Cluster Autoscaler:

    root@rok-tools:~# export EXTERNAL_DNS_ROLE=eks-external-dns-${EKS_CLUSTER?}
    root@rok-tools:~# export LOAD_BALANCER_ROLE=eks-aws-load-balancer-controller-${EKS_CLUSTER?}
    root@rok-tools:~# export AUTOSCALER_ROLE=cluster-autoscaler-${EKS_CLUSTER?}

Then proceed to the Verify section.

Other cloud providers

Proceed to the Verify section.
Overview
What You’ll Need¶
- A configured management environment.
Procedure¶
Choose one of the following options, based on your cloud provider.

AWS

1. Delete the Rok cloud identity:

       root@rok-tools:~# aws cloudformation delete-stack --stack-name ${AWS_CF_S3_RESOURCES?}

2. Specify the IAM roles you have created for ExternalDNS, the AWS Load Balancer Controller, and the Cluster Autoscaler:

       root@rok-tools:~# export EXTERNAL_DNS_ROLE=eks-external-dns-${EKS_CLUSTER?}
       root@rok-tools:~# export LOAD_BALANCER_ROLE=eks-aws-load-balancer-controller-${EKS_CLUSTER?}
       root@rok-tools:~# export AUTOSCALER_ROLE=cluster-autoscaler-${EKS_CLUSTER?}

3. Clean up all attached role policies and roles in the above list. To do that, repeat the following steps for each role in the list:

   1. Pick an IAM role from the list:

          root@rok-tools:~# export IAM_ROLE_NAME=<ROLE>

   2. Detach the attached policies:

          root@rok-tools:~# aws iam list-attached-role-policies \
          >     --role-name ${IAM_ROLE_NAME?} | \
          >     jq -r '.AttachedPolicies[].PolicyArn' | \
          >     xargs -r -n1 -I{} \
          >     aws iam detach-role-policy \
          >     --role-name ${IAM_ROLE_NAME?} \
          >     --policy-arn {}

   3. Delete the role:

          root@rok-tools:~# aws iam delete-role --role-name ${IAM_ROLE_NAME?}

   4. Go back to step 1, and repeat the steps for the remaining roles.
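The per-role loop above, carried out by a single script, as an added example that is not part of the Rok documentation: it cleans up all three roles and then verifies each one with the same get-role check the Verify section uses. It assumes the AWS CLI is installed and configured as it is in rok-tools, and the role-naming scheme shown above; the script and function names are assumptions. It goes beyond the page's steps in two ways a practitioner usually wants: it also removes inline policies and instance-profile memberships, because IAM refuses to delete a role (DeleteConflict) while either remains, and it treats any get-role failure other than NoSuchEntity (for example AccessDenied) as an error rather than as proof that the role is gone.

```shell
#!/bin/sh
# Added example (not part of the Rok documentation): clean up the three IAM
# roles that Rok created for ExternalDNS, the AWS Load Balancer Controller and
# the Cluster Autoscaler, then verify that each one is gone.
# Assumes the AWS CLI is installed and configured, as it is in rok-tools, and
# the page's role-naming scheme (eks-external-dns-<cluster>, ...).
set -u

# Returns 0 when the role no longer exists (get-role reports NoSuchEntity,
# the page's verification criterion), 1 when it still exists, and 2 when
# get-role failed for another reason (e.g. AccessDenied), so that a permission
# problem is never mistaken for a successful cleanup.
role_is_gone() {
  err=$(aws iam get-role --role-name "$1" 2>&1 >/dev/null) && return 1
  case "$err" in
    *NoSuchEntity*) return 0 ;;
    *) echo "get-role failed for $1: $err" >&2; return 2 ;;
  esac
}

# Detach every managed policy attached to the role (the page's detach step).
detach_managed_policies() {
  for arn in $(aws iam list-attached-role-policies --role-name "$1" \
                 --query 'AttachedPolicies[].PolicyArn' --output text); do
    aws iam detach-role-policy --role-name "$1" --policy-arn "$arn"
  done
}

# delete-role is refused (DeleteConflict) while inline policies remain, which
# the detach step does not cover, so delete those as well.
delete_inline_policies() {
  for name in $(aws iam list-role-policies --role-name "$1" \
                  --query 'PolicyNames[]' --output text); do
    aws iam delete-role-policy --role-name "$1" --policy-name "$name"
  done
}

# Likewise, a role still referenced by an instance profile cannot be deleted.
remove_from_instance_profiles() {
  for profile in $(aws iam list-instance-profiles-for-role --role-name "$1" \
                     --query 'InstanceProfiles[].InstanceProfileName' --output text); do
    aws iam remove-role-from-instance-profile \
      --instance-profile-name "$profile" --role-name "$1"
  done
}

# Full cleanup of one role, idempotent: a role that is already absent is
# skipped, and the deletion is only reported as successful once get-role
# confirms NoSuchEntity.
cleanup_role() {
  role=$1
  state=0
  role_is_gone "$role" || state=$?
  case $state in
    0) echo "$role: already absent"; return 0 ;;
    2) return 1 ;;
  esac
  detach_managed_policies "$role"
  delete_inline_policies "$role"
  remove_from_instance_profiles "$role"
  aws iam delete-role --role-name "$role"
  if role_is_gone "$role"; then
    echo "$role: deleted"
    return 0
  fi
  echo "$role: still exists after delete-role" >&2
  return 1
}

# Usage: sh cleanup-rok-roles.sh <EKS_CLUSTER>
# Without an argument the script only defines the functions above, so it can
# also be sourced and the functions used one at a time.
if [ $# -ge 1 ]; then
  status=0
  for role in "eks-external-dns-$1" \
              "eks-aws-load-balancer-controller-$1" \
              "cluster-autoscaler-$1"; do
    cleanup_role "$role" || status=1
  done
  exit $status
fi
```

Run it from rok-tools as `sh cleanup-rok-roles.sh ${EKS_CLUSTER?}`; the exit status is non-zero if any of the three roles could not be confirmed gone, which makes it safe to re-run after fixing a permission problem.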
Azure

1. Remove the Pod identity that Rok uses:

       root@rok-tools:~# az aks pod-identity delete \
       >     --resource-group ${AZ_RESOURCE_GROUP?} \
       >     --cluster-name ${AKS_CLUSTER?} \
       >     --namespace ${ROK_CLUSTER_NAMESPACE?} \
       >     --name ${POD_IDENTITY_NAME?}

   Troubleshooting

   The command failed with an authorization error

   If the above command fails with an error message similar to the following:

       (AuthorizationFailed) The client '0c799e27-a84f-41a2-a02b-236af002af99' with object id '0c799e27-a84f-41a2-a02b-236af002af99' does not have authorization to perform action 'Microsoft.ContainerService/managedClusters/write' over scope '/subscriptions/3b63afce-113a-4798-a303-f37dada04319/resourceGroups/arrikto/providers/Microsoft.ContainerService/managedClusters/arrikto-cluster' or the scope is invalid. If access was recently granted, please refresh your credentials.

   it means that your identity does not have sufficient permissions to delete a Pod identity.

   To proceed, make sure you have followed the Configure Azure CLI section to configure your Azure CLI with an identity that has Owner permissions. If you only have Reader permissions, contact your administrator to grant Owner permissions to your identity or to delete the Pod identity for you.

2. Delete the Azure Managed Identity that Rok uses:

       root@rok-tools:~# az identity delete --name ${AZ_MANAGED_IDENTITY?} \
       >     --resource-group ${AZ_RESOURCE_GROUP?}

   Troubleshooting

   The command failed with an authorization error

   If the above command fails with an error message similar to the following:

       The client '0c799e27-a84f-41a2-a02b-236af002af99' with object id '0c799e27-a84f-41a2-a02b-236af002af99' does not have authorization to perform action 'Microsoft.ManagedIdentity/userAssignedIdentities/delete' over scope '/subscriptions/3b63afce-113a-4798-a303-f37dada04319/resourceGroups/arrikto/providers/Microsoft.ManagedIdentity/userAssignedIdentities/rok-arrikto-cluster' or the scope is invalid. If access was recently granted, please refresh your credentials.

   it means that your identity does not have sufficient permissions to delete a Managed identity.

   To proceed, make sure you have followed the Configure Azure CLI section to configure your Azure CLI with an identity that has Owner permissions. If you only have Reader permissions, contact your administrator to grant Owner permissions to your identity or to delete the Managed identity for you.
Verify¶
Choose one of the following options, based on your cloud provider.

AWS

1. Retrieve the ExternalDNS role and ensure it does not exist:

       root@rok-tools:~# aws iam get-role --role-name ${EXTERNAL_DNS_ROLE?}
       An error occurred (NoSuchEntity) when calling the GetRole operation: The role with name eks-external-dns-arrikto-cluster cannot be found.

2. Retrieve the AWS Load Balancer Controller role and ensure it does not exist:

       root@rok-tools:~# aws iam get-role --role-name ${LOAD_BALANCER_ROLE?}
       An error occurred (NoSuchEntity) when calling the GetRole operation: The role with name eks-aws-load-balancer-controller-arrikto-cluster cannot be found.

3. Retrieve the Cluster Autoscaler role and ensure it does not exist:

       root@rok-tools:~# aws iam get-role --role-name ${AUTOSCALER_ROLE?}
       An error occurred (NoSuchEntity) when calling the GetRole operation: The role with name cluster-autoscaler-arrikto-cluster cannot be found.
Azure

1. Specify a filter for the name and namespace of Rok:

       root@rok-tools:~# export FILTER="name=='${ROK_CLUSTER_NAME?}' && namespace=='${ROK_CLUSTER_NAMESPACE?}'"

2. List the Pod identities of Rok and ensure none exists:

       root@rok-tools:~# az aks pod-identity list --cluster-name ${AKS_CLUSTER?} \
       >     --resource-group ${AZ_RESOURCE_GROUP?} \
       >     --query "podIdentityProfile.userAssignedIdentities[?${FILTER?}]"
       []

   Troubleshooting

   The command failed with an authorization error

   If the above command fails with an error message similar to the following:

       (AuthorizationFailed) The client '0c799e27-a84f-41a2-a02b-236af002af99' with object id '0c799e27-a84f-41a2-a02b-236af002af99' does not have authorization to perform action 'Microsoft.ContainerService/managedClusters/read' over scope '/subscriptions/3b63afce-113a-4798-a303-f37dada04319/resourceGroups/arrikto/providers/Microsoft.ContainerService/managedClusters/arrikto-cluster' or the scope is invalid. If access was recently granted, please refresh your credentials.

   it means that your identity does not have sufficient permissions to list Pod identities.

   To proceed, make sure you have followed the Configure Azure CLI section to configure your Azure CLI with an identity that has either Owner or Reader permissions. If you do not have the required permissions, contact your administrator to grant them to your identity.

3. Attempt to retrieve the managed identity of Rok and verify it does not exist:

       root@rok-tools:~# az identity show --name ${AZ_MANAGED_IDENTITY?} \
       >     --resource-group ${AZ_RESOURCE_GROUP?}
       The Resource 'Microsoft.ManagedIdentity/userAssignedIdentities/rok-arrikto-cluster' under resource group 'arrikto' was not found. For more details please go to https://aka.ms/ARMResourceNotFoundFix

   Troubleshooting

   The command failed with an authorization error

   If the above command fails with an error message similar to the following:

       ERROR: The client '0c799e27-a84f-41a2-a02b-236af002af99' with object id '0c799e27-a84f-41a2-a02b-236af002af99' does not have authorization to perform action 'Microsoft.ManagedIdentity/userAssignedIdentities/read' over scope '/subscriptions/3b63afce-113a-4798-a303-f37dada04319/resourceGroups/arrikto/providers/Microsoft.ManagedIdentity/userAssignedIdentities/rok-arrikto-cluster' or the scope is invalid. If access was recently granted, please refresh your credentials.

   it means that your identity does not have sufficient permissions to retrieve a Managed identity.

   To proceed, make sure you have followed the Configure Azure CLI section to configure your Azure CLI with an identity that has either Owner or Reader permissions. If you do not have the required permissions, contact your administrator to grant them to your identity.
Summary¶
You have successfully deleted the cloud identity resources of Rok.