
[IAM Controller] can't remove user #2229

Open
gecube opened this issue Dec 11, 2024 · 4 comments
Labels: kind/bug (Categorizes issue or PR as related to a bug.), service/iam (Indicates issues or PRs that are related to iam-controller.)

Comments

@gecube

gecube commented Dec 11, 2024

{"level":"error","ts":"2024-12-11T00:55:29.773Z","msg":"Reconciler error","controller":"user","controllerGroup":"iam.services.k8s.aws","controllerKind":"User","User":{"name":"*****","namespace":"infra-tooling"},"namespace":"infra-tooling","name":"*****","reconcileID":"73e066c7-0af0-4813-b882-79d14295e263","error":"DeleteConflict: Cannot delete entity, must delete access keys first.\n\tstatus code: 409, request id: b3fef8ce-e08a-4e57-8ca5-01c67fd0f852","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).reconcileHandler\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:316\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).processNextWorkItem\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:263\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func2.2\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:224"}
{"level":"info","ts":"2024-12-11T00:55:29.815Z","logger":"ackrt","msg":"updated resource","kind":"Role","namespace":"infra-tooling","name":"*****","account":"*****","role":"","region":"eu-west-2","is_adopted":false,"generation":8}

Expected behaviour:

  • either a proper interface for managing access keys from ACK
  • or provide a way to remove the user silently together with its access keys.
@gecube
Author

gecube commented Dec 11, 2024

interesting fact: from the web UI of the cloud, a user could be deleted even if the associated keys exist.

@michaelhtm michaelhtm added kind/bug Categorizes issue or PR as related to a bug. service/iam Indicates issues or PRs that are related to iam-controller. labels Dec 18, 2024
@eqe-aws eqe-aws assigned eqe-aws and TiberiuGC and unassigned eqe-aws Jan 31, 2025
@TiberiuGC

TiberiuGC commented Feb 14, 2025

@gecube - managing access keys in ACK, either directly by supporting the CRD, or indirectly by deleting them behind the scenes, might not be desirable. I believe that managing sensitive information such as access keys within a K8s controller is bad practice from a security standpoint.

Moreover, there are other ACK examples where this "bug" occurs, e.g. being unable to delete S3 buckets if they have objects.

@gecube
Author

gecube commented Feb 14, 2025

@TiberiuGC Hi! Thanks for your considerations. Anyway, I think that as a DevOps engineer I want to have just ONE tool to manage the cloud, not a bunch of tools. Also, it is logical that if we are providing ACK as a tool for preparing ephemeral environments, I will really need some convenient way to pass credentials to some of the legacy applications and then manage them...

Regarding this issue... There is no way to manage keys separately in ACK, as I remember. So it means that I can create something, and then I can't remove it. Even more: the ACK controller would spam the Amazon API with unsuccessful attempts to remove the object. OMG.

@michaelhtm
Member

michaelhtm commented Feb 19, 2025

Hey @gecube
Turns out, to delete an IAM user someone needs to do the following:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_remove.html#id_users_deleting_cli

This could be doable, maybe by setting an annotation deciding whether or not to force delete the User.
@a-hilaly @rushmash91 what do you think?
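An added illustration of the annotation-gated force delete floated above; this is not the project's code, and the annotation key, the `FakeIAM` stand-in for a boto3 IAM client and the key IDs are all constructed for the example. It also shows why the security concern raised earlier is narrower than it sounds: ListAccessKeys returns only key IDs, so the controller can strip keys without secret material ever passing through it, and without the opt-in the DeleteConflict from the log line surfaces instead of being retried.

```python
from dataclasses import dataclass, field
# Hypothetical annotation key, not from the project; "true" opts a User into force-delete.
FORCE_DELETE_ANNOTATION = "iam.services.k8s.aws/force-delete"


class DeleteConflict(Exception):
    """Stand-in for botocore ClientError with Error.Code == 'DeleteConflict'."""


@dataclass
class FakeIAM:
    """Constructed stand-in for a boto3 IAM client; like the real API it exposes key IDs only."""
    keys: dict = field(default_factory=dict)       # user name -> list of access key IDs
    deleted_users: list = field(default_factory=list)

    def list_access_keys(self, UserName, Marker=None):
        ids, start = self.keys.get(UserName, []), int(Marker or 0)
        resp = {"AccessKeyMetadata": [{"AccessKeyId": k} for k in ids[start:start + 1]],
                "IsTruncated": start + 1 < len(ids)}   # one key per page to exercise pagination
        if resp["IsTruncated"]:
            resp["Marker"] = str(start + 1)
        return resp

    def delete_access_key(self, UserName, AccessKeyId):
        self.keys[UserName].remove(AccessKeyId)

    def delete_user(self, UserName):
        if self.keys.get(UserName):
            raise DeleteConflict("Cannot delete entity, must delete access keys first.")
        self.deleted_users.append(UserName)


def list_all_access_key_ids(iam, user_name):
    """Walk every ListAccessKeys page before deleting anything, so pagination stays stable."""
    ids, marker = [], None
    while True:
        page = iam.list_access_keys(UserName=user_name, **({"Marker": marker} if marker else {}))
        ids += [m["AccessKeyId"] for m in page["AccessKeyMetadata"]]
        if not page.get("IsTruncated"):
            return ids
        marker = page["Marker"]


def reconcile_delete(iam, user_name, annotations):
    """Delete the user, stripping its access keys first only if the resource opted in.
    Returns the key IDs removed so the controller can log them for audit."""
    removed = []
    if annotations.get(FORCE_DELETE_ANNOTATION, "").lower() == "true":
        for key_id in list_all_access_key_ids(iam, user_name):
            iam.delete_access_key(UserName=user_name, AccessKeyId=key_id)
            removed.append(key_id)
    iam.delete_user(UserName=user_name)
    return removed
```

The linked AWS procedure also removes other user dependencies (login profile, MFA devices, policies and group memberships); this block covers only the access-key conflict shown in the log line.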
