
How do I troubleshoot IAM resource deletion failures?


I want to troubleshoot AWS Identity and Access Management (IAM) resource deletion failures.

Resolution

IAM resource deletion failures can occur for several reasons. Use the following sections to troubleshoot your issue.

Resolve "DeleteConflict" errors for IAM roles, users, and groups

If you receive a "DeleteConflict" error when you try to delete an IAM role, user, or group, then you must remove dependencies before you delete the IAM resource. The error occurs when IAM resources have attached policies, credentials, group memberships, or instance profiles.

To resolve this error, use the AWS Management Console to delete the resource. IAM automatically detaches managed policies, deletes inline policies, removes credentials, and removes group memberships. However, if you use the AWS CLI or AWS API, then you must manually remove all attached items before you delete the resource.

Note: If an IAM role is associated with an Amazon Elastic Compute Cloud (Amazon EC2) instance profile that has a different name from the role, then remove the role from the instance profile before you delete the role. This situation occurs when you create the role with the AWS CLI, AWS Tools for Windows PowerShell, or the AWS API.
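The CLI/API cleanup order that the section describes for a role, as an added example (not code from this article or from AWS): detach managed policies, delete inline policies, remove the role from any instance profile, and only then delete the role. The boto3 method names and parameters are the real IAM API; the FakeIam class is a constructed in-memory stand-in so the script runs offline, and the role, policy and instance-profile names are made-up sample values.

```python
"""Remove an IAM role's dependencies before deleting it (CLI/API path).

Pass boto3.client("iam") in place of FakeIam for a real account. With the real
client, deleting a role that still has dependencies raises
iam.exceptions.DeleteConflictException; FakeIam mirrors that with RuntimeError.
Listing calls here read only the first page of results (IAM's default MaxItems).
"""


def delete_role_with_dependencies(iam, role_name):
    """Strip every dependency IAM reports, then delete the role.
    Returns the ordered list of (action, target) pairs that were performed."""
    actions = []
    for p in iam.list_attached_role_policies(RoleName=role_name)["AttachedPolicies"]:
        iam.detach_role_policy(RoleName=role_name, PolicyArn=p["PolicyArn"])
        actions.append(("detach", p["PolicyArn"]))
    for name in iam.list_role_policies(RoleName=role_name)["PolicyNames"]:
        iam.delete_role_policy(RoleName=role_name, PolicyName=name)
        actions.append(("delete_inline", name))
    for prof in iam.list_instance_profiles_for_role(RoleName=role_name)["InstanceProfiles"]:
        iam.remove_role_from_instance_profile(
            InstanceProfileName=prof["InstanceProfileName"], RoleName=role_name)
        actions.append(("remove_from_profile", prof["InstanceProfileName"]))
    iam.delete_role(RoleName=role_name)  # no dependencies remain at this point
    actions.append(("delete_role", role_name))
    return actions


class FakeIam:
    """Constructed stand-in for the boto3 IAM client (not AWS code)."""
    def __init__(self, attached, inline, profiles):
        self.attached, self.inline, self.profiles = set(attached), set(inline), set(profiles)
        self.deleted = []
    def list_attached_role_policies(self, RoleName):
        return {"AttachedPolicies": [{"PolicyArn": a} for a in sorted(self.attached)]}
    def detach_role_policy(self, RoleName, PolicyArn): self.attached.remove(PolicyArn)
    def list_role_policies(self, RoleName): return {"PolicyNames": sorted(self.inline)}
    def delete_role_policy(self, RoleName, PolicyName): self.inline.remove(PolicyName)
    def list_instance_profiles_for_role(self, RoleName):
        return {"InstanceProfiles": [{"InstanceProfileName": p} for p in sorted(self.profiles)]}
    def remove_role_from_instance_profile(self, InstanceProfileName, RoleName):
        self.profiles.remove(InstanceProfileName)
    def delete_role(self, RoleName):
        if self.attached or self.inline or self.profiles:  # same condition as DeleteConflict
            raise RuntimeError("DeleteConflict: remove attached items before deleting the role")
        self.deleted.append(RoleName)


def demo():
    """Sample role (constructed) with one of each dependency kind."""
    iam = FakeIam(attached=["arn:aws:iam::aws:policy/ReadOnlyAccess"],
                  inline=["s3-inline"], profiles=["web-instance-profile"])
    return delete_role_with_dependencies(iam, "app-role")


if __name__ == "__main__":
    for action in demo():
        print(action)
```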

For specific IAM resource deletion procedures, see:

Resolve "Access Denied" errors during deletion

If you receive "Access Denied" errors when you delete IAM resources, then your IAM policies don't include the required deletion permissions. Your IAM policies must include the following deletion permissions:

  • iam:DeleteRole
  • iam:DeleteUser
  • iam:DeletePolicy
  • iam:DeleteGroup

To resolve this error, verify that your IAM policies explicitly allow the specific deletion actions that you use. If your policies don't include the required permissions, then add them to the IAM identity.

Resolve service-linked role deletion errors

If you receive an error when you try to delete a service-linked role, then the associated AWS service still has active resources that use the role. You can only delete service-linked roles after the associated AWS service no longer has active resources that use them.

To resolve this error, check your service-linked role to determine if the service automatically deletes the role when you remove resources. For more information about how to delete service-linked roles, see Now Use AWS IAM to Delete a Service-Linked Role When You No Longer Require an AWS Service to Perform Actions on Your Behalf.

Resolve MFA device deletion errors

If you receive an error when you create an MFA device, then an unassigned MFA device with that name already exists. Unassigned MFA devices remain in your account even after you deactivate them.

To resolve this error, delete unassigned MFA devices before you create a new device with the same name.