
Unable to delete AWS Role Policy - NoSuchEntity with Boto3

I'm unable to delete a role policy from my AWS account with Boto3. I get an error:

botocore.errorfactory.NoSuchEntityException: An error occurred (NoSuchEntity) when calling the DeleteRolePolicy operation: The role policy with name potatoman9000Policy cannot be found.

The policy and role are created and deleted within the same script. The policy is detached before this particular bit of code runs. I'm not sure why it's not finding the policy name.

Here is the creation:

import json

import boto3


# Create IAM policy and Role
def iam_creation(client_name):
    iam_client = boto3.client('iam')

    # Policy template
    client_onboarding_policy = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowListingOfUserFolder",
                "Action": [
                    "s3:ListBucket",
                    "s3:GetBucketLocation"
                ],
                "Effect": "Allow",
                "Resource": [
                    f"arn:aws:s3:::{client_name}"
                ]
            },
            {
                "Sid": "HomeDirObjectAccess",
                "Effect": "Allow",
                "Action": [
                    "s3:PutObject",
                    "s3:GetObject",
                    "s3:DeleteObjectVersion",
                    "s3:DeleteObject",
                    "s3:GetObjectVersion"
                ],
                "Resource": f"arn:aws:s3:::{client_name}/*"
            }
        ]
    }

    # Role template
    role_onboarding_policy = {
        "Version": "2012-10-17",
        "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "transfer.amazonaws.com",
                    "s3.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole"
        }
        ]
    }

    # Create policy from template
    iam_client.create_policy(
        PolicyName=f'{client_name}Policy',
        PolicyDocument=json.dumps(client_onboarding_policy)
    )

    # Create Role from template and create trust relationships
    iam_client.create_role(
        RoleName=f'{client_name}',
        AssumeRolePolicyDocument=json.dumps(role_onboarding_policy)
    )

    # Attach created policy to created role
    iam_client.attach_role_policy(
        PolicyArn=f'arn:aws:iam::111111111111:policy/{client_name}Policy',
        RoleName=f'{client_name}'
    )

The creation goes off without any issues. Here is the delete:

import boto3


# Delete IAM policy and role
def iam_delete(client_name):
    iam_client = boto3.client('iam')
    iam_resource = boto3.resource('iam')
    role_policy = iam_resource.RolePolicy(f'{client_name}', f'{client_name}Policy')
    role = iam_resource.Role(f'{client_name}')

    # Detach policy from role
    iam_client.detach_role_policy(
        PolicyArn=f'arn:aws:iam::111111111111:policy/{client_name}Policy',
        RoleName=f'{client_name}'
    )

    # Delete policy
    role_policy.delete()

    # Delete role
    role.delete()

I imagine it has something to do with the way I've named the role policy, or not named it. I have confirmed that the Role potatoman9000 does exist in IAM, as well as the Policy potatoman9000Policy. Any help is greatly appreciated.

RolePolicy is for inline policies, not managed policies.

When you call delete, it errors out because you are using managed policies. From the docs about delete:

Deletes the specified inline policy that is embedded in the specified IAM role.

To delete a managed policy you should be using delete_policy.

Deletes the specified managed policy .
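The answer above names the two API families; the teardown below puts them in the order IAM actually enforces. This is an added example and is not code from the question or the answer. The methods called on the client (list_attached_role_policies, detach_role_policy, list_role_policies, delete_role_policy, delete_role, list_policy_versions, delete_policy_version, delete_policy) are real boto3 IAM client operations with their real keyword arguments; FakeIamClient, IamError, the role name potatoman9000, the inline policy name legacyInline and the version IDs are constructed stand-ins so the example runs offline. Pass a real boto3.client('iam') to teardown_role_and_policy() to run it against an account.

```python
"""Ordered teardown of a role and its customer managed policy (added example)."""
from typing import Callable, Dict, List


class IamError(Exception):
    """Stand-in for botocore's ClientError; .code mirrors the IAM error code."""

    def __init__(self, code: str, msg: str):
        super().__init__(f"{code}: {msg}")
        self.code = code


def _list_all(fn: Callable, key: str, **kwargs) -> List:
    """Follow IsTruncated/Marker across an IAM list_* call (all IAM list APIs page this way)."""
    items, marker = [], None
    while True:
        resp = fn(**kwargs, Marker=marker) if marker else fn(**kwargs)
        items.extend(resp.get(key, []))
        if not resp.get("IsTruncated"):
            return items
        marker = resp["Marker"]


def teardown_role_and_policy(iam, role_name: str, policy_arn: str) -> Dict[str, List[str]]:
    """Delete role_name and the managed policy policy_arn in the order IAM requires.

    delete_role fails while anything is attached or embedded; delete_policy fails
    while the policy is attached anywhere or still has non-default versions.
    """
    log: Dict[str, List[str]] = {"detached": [], "inline": [], "versions": [], "deleted": []}
    # 1. Managed policies are *detached*. delete_role_policy only knows inline policies,
    #    which is why RolePolicy.delete() in the question raised NoSuchEntity.
    for p in _list_all(iam.list_attached_role_policies, "AttachedPolicies", RoleName=role_name):
        iam.detach_role_policy(RoleName=role_name, PolicyArn=p["PolicyArn"])
        log["detached"].append(p["PolicyArn"])
    # 2. Inline policies embedded in the role are deleted with delete_role_policy.
    for name in _list_all(iam.list_role_policies, "PolicyNames", RoleName=role_name):
        iam.delete_role_policy(RoleName=role_name, PolicyName=name)
        log["inline"].append(name)
    # 3. The role, now empty.
    iam.delete_role(RoleName=role_name)
    log["deleted"].append(role_name)
    # 4. The managed policy: drop non-default versions, then delete_policy.
    for v in _list_all(iam.list_policy_versions, "Versions", PolicyArn=policy_arn):
        if not v["IsDefaultVersion"]:
            iam.delete_policy_version(PolicyArn=policy_arn, VersionId=v["VersionId"])
            log["versions"].append(v["VersionId"])
    iam.delete_policy(PolicyArn=policy_arn)
    log["deleted"].append(policy_arn)
    return log


class FakeIamClient:
    """Constructed in-memory IAM with the same call shapes and ordering rules as the service."""

    def __init__(self):
        self.roles: Dict[str, dict] = {}
        self.policies: Dict[str, dict] = {}

    def seed(self, role: str, arn: str, inline: str) -> None:
        """Constructed fixture: one role with one managed (2 versions) and one inline policy."""
        self.roles[role] = {"attached": {arn}, "inline": {inline}}
        self.policies[arn] = {"attached_to": {role}, "versions": {"v1": False, "v2": True}}

    def _role(self, name: str) -> dict:
        if name not in self.roles:
            raise IamError("NoSuchEntity", f"The role with name {name} cannot be found.")
        return self.roles[name]

    def _policy(self, arn: str) -> dict:
        if arn not in self.policies:
            raise IamError("NoSuchEntity", f"Policy {arn} does not exist.")
        return self.policies[arn]

    def list_attached_role_policies(self, RoleName, Marker=None):
        arns = sorted(self._role(RoleName)["attached"])
        return {"AttachedPolicies": [{"PolicyArn": a} for a in arns], "IsTruncated": False}

    def list_role_policies(self, RoleName, Marker=None):
        return {"PolicyNames": sorted(self._role(RoleName)["inline"]), "IsTruncated": False}

    def detach_role_policy(self, RoleName, PolicyArn):
        self._role(RoleName)["attached"].discard(PolicyArn)
        self._policy(PolicyArn)["attached_to"].discard(RoleName)

    def delete_role_policy(self, RoleName, PolicyName):
        if PolicyName not in self._role(RoleName)["inline"]:  # the question's failure mode
            raise IamError("NoSuchEntity", f"The role policy with name {PolicyName} cannot be found.")
        self._role(RoleName)["inline"].remove(PolicyName)

    def delete_role(self, RoleName):
        r = self._role(RoleName)
        if r["attached"] or r["inline"]:
            raise IamError("DeleteConflict", "Cannot delete entity, must detach all policies first.")
        del self.roles[RoleName]

    def list_policy_versions(self, PolicyArn, Marker=None):
        vs = self._policy(PolicyArn)["versions"]
        return {"Versions": [{"VersionId": k, "IsDefaultVersion": d} for k, d in vs.items()],
                "IsTruncated": False}

    def delete_policy_version(self, PolicyArn, VersionId):
        vs = self._policy(PolicyArn)["versions"]
        if vs.get(VersionId):
            raise IamError("DeleteConflict", "Cannot delete the default version of a policy.")
        del vs[VersionId]

    def delete_policy(self, PolicyArn):
        p = self._policy(PolicyArn)
        if p["attached_to"] or len(p["versions"]) > 1:
            raise IamError("DeleteConflict", "Cannot delete a policy attached to entities.")
        del self.policies[PolicyArn]


def question_error_code(iam, role_name: str, policy_name: str) -> str:
    """Reproduce the question against the fake: delete_role_policy with a managed policy's name."""
    try:
        iam.delete_role_policy(RoleName=role_name, PolicyName=policy_name)
        return "ok"
    except IamError as e:  # with botocore this is iam.exceptions.NoSuchEntityException
        return e.code
```

Two practical notes. Enumerating attached and inline policies from the role, rather than trusting the caller's memory of what was attached, is what makes the teardown safe to re-run after a partial failure. And the managed policy's ARN is better taken from the create_policy response (`response['Policy']['Arn']`) than rebuilt from a hard-coded account ID, as the question's code does, so the same script works unchanged in a second account.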
