Unable to delete AWSServiceRoleForSSO role in IAM

0

I am unable to delete the AWSServiceRoleForSSO role in IAM. The error message is:

Errors during deleting roles. Role AWSServiceRoleForSSO not deleted. There is an Identity Center directory instance with management account xxxxxxxxxxxxx, Please delete the Identity Center directory instance first before requesting to delete the SLR.

I disabled the IAM Identity Center over 12 hours ago, so have some resources failed to successfully delete within it?

Edit: perhaps the word "delete" is misleading. I'm not trying to delete an Amazon-managed role globally; I am simply trying to stop it from applying to my own account.

2 Answers
0

If you haven't already, try to delete IAM Identity Center (IdC) resources used by the AWSServiceRoleForSSO role by:

  1. Removing user and group access for all users and groups that have access to the AWS account.
  2. Deleting permission sets that you have associated with the AWS account.

See the steps here: https://docs.aws.amazon.com/singlesignon/latest/userguide/using-service-linked-roles.html#delete-slr

While you can manually delete a service-linked role (SLR), the role must not be in use when trying to delete it. See this link for details on manually deleting an SLR via IAM: https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role

AWS
answered 8 months ago
  • IAM Identity Center was entirely disabled by me over 24 hours ago, the only option I get when visiting the IAM Identity Center is to enable it, which I don't want to do. I can only assume that all users, groups and permission sets within it were deleted and should not be using the AWSServiceRoleForSSO role. What else could be blocking the SLR deletion?

  • Assume you tried to "Delete IAM Identity Center configuration" as per guidance here: https://docs.aws.amazon.com/singlesignon/latest/userguide/regions.html?icmpid=docs_sso_console

    The AWSServiceRoleForSSO SLR should have been deleted when deleting the IdC instance.

    Try re-enabling IdC then, after ~30 minutes or so, delete the IdC instance again to re-attempt the automated AWSServiceRoleForSSO SLR deletion process.
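The sequence in the answer above (confirm the Identity Center instance is gone, then request the SLR deletion and read the reason IAM gives when it refuses) can be scripted. The following is an added example, not code from the thread or from AWS; it uses the real boto3 call names `list_instances`, `delete_service_linked_role` and `get_service_linked_role_deletion_status`, but the client objects are passed in as parameters, so the logic runs offline against the constructed stand-in responses at the bottom of the block. The instance ARN, task id and failure reason in `demo()` are constructed placeholders, not real values.

```python
"""Added example, not from the re:Post thread or AWS's own tooling: a
pre-flight check for deleting the AWSServiceRoleForSSO service-linked role.

It mirrors the order the answer describes: confirm no IAM Identity Center
instance is still visible, then request the SLR deletion and read the
deletion-status reason, which lists the resources still using the role.
The functions take boto3-style clients as parameters so the logic runs
offline against the constructed stand-ins below; main() wires in real
boto3 clients (boto3 is imported only there)."""

import time

SLR_NAME = "AWSServiceRoleForSSO"


def identity_center_instances(sso_admin):
    """ARNs of Identity Center instances visible to this account.
    sso-admin is a regional API: call it in the region where IdC was enabled.
    Response shape is the real ListInstances one: {"Instances": [{"InstanceArn": ...}]}."""
    arns, token = [], None
    while True:
        page = sso_admin.list_instances(**({"NextToken": token} if token else {}))
        arns.extend(inst["InstanceArn"] for inst in page.get("Instances", []))
        token = page.get("NextToken")
        if not token:
            return arns


def request_slr_deletion(iam, role_name=SLR_NAME, poll_seconds=5, max_polls=24, sleep=time.sleep):
    """Submit DeleteServiceLinkedRole and poll GetServiceLinkedRoleDeletionStatus.
    Returns (status, blockers): status is SUCCEEDED/FAILED/IN_PROGRESS/NOT_STARTED;
    blockers is a list of (region, resource) pairs taken from Reason.RoleUsageList,
    which IAM fills in when something is still using the role."""
    task_id = iam.delete_service_linked_role(RoleName=role_name)["DeletionTaskId"]
    status, blockers = "NOT_STARTED", []
    for _ in range(max_polls):
        resp = iam.get_service_linked_role_deletion_status(DeletionTaskId=task_id)
        status = resp["Status"]
        if status in ("SUCCEEDED", "FAILED"):
            for usage in resp.get("Reason", {}).get("RoleUsageList", []):
                blockers.extend((usage.get("Region", "global"), r) for r in usage.get("Resources", []))
            break
        sleep(poll_seconds)
    return status, blockers


def main():
    import boto3  # lazy import: the checks above run without boto3 installed
    instances = identity_center_instances(boto3.client("sso-admin"))
    if instances:
        print("Delete these Identity Center instance(s) before the SLR:", *instances, sep="\n  ")
        return 1
    status, blockers = request_slr_deletion(boto3.client("iam"))
    print(f"{SLR_NAME} deletion status: {status}")
    for region, resource in blockers:
        print(f"  still in use in {region}: {resource}")
    return 0 if status == "SUCCEEDED" else 1


# --- constructed stand-ins (not real AWS responses) so the logic runs offline ---
class _FakeSsoAdmin:
    def __init__(self, pages):
        self._pages = list(pages)

    def list_instances(self, **_):
        return self._pages.pop(0)


class _FakeIam:
    def __init__(self, statuses):
        self._statuses = list(statuses)

    def delete_service_linked_role(self, RoleName):
        return {"DeletionTaskId": f"task/{RoleName}/constructed-task-id"}

    def get_service_linked_role_deletion_status(self, DeletionTaskId):
        return self._statuses.pop(0)


def demo():
    """Offline walk-through over constructed data: an account that still has an
    IdC instance, and an SLR deletion IAM rejects because the instance uses it."""
    sso = _FakeSsoAdmin([
        {"Instances": [{"InstanceArn": "arn:aws:sso:::instance/ssoins-constructed0001"}], "NextToken": "p2"},
        {"Instances": []},
    ])
    iam = _FakeIam([
        {"Status": "IN_PROGRESS"},
        {"Status": "FAILED", "Reason": {"Reason": "constructed: role in use",
         "RoleUsageList": [{"Region": "us-east-1",
                            "Resources": ["arn:aws:sso:::instance/ssoins-constructed0001"]}]}},
    ])
    instances = identity_center_instances(sso)
    status, blockers = request_slr_deletion(iam, sleep=lambda _: None)
    return instances, status, blockers


if __name__ == "__main__":
    print(demo())
```

Against a real account, `main()` exits non-zero and prints the instance ARN while an Identity Center instance still exists, and otherwise prints whatever IAM reports in `RoleUsageList`, which is the same information the console error summarises as "there is an Identity Center directory instance". Because the sso-admin API is regional, run it in the region where Identity Center was originally enabled.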

0

Role AWSServiceRoleForSSO is an AWS managed policy, which you cannot delete. Also, it looks like your account is running under an organisation, and the management account would have access to the Directory Instance, where you can manage principals and roles from, so you would need to have the correct permissions to do any modifications and not fall under any SCPs.

answered 8 months ago
  • I have deleted the role AWSServiceRoleForSSO in the past, so it is definitely possible. The error message also says it's possible to delete the SLR.

    AWS Organizations and IAM Identity Center are both disabled on the account, so neither of those should be blocking the SLR deletion.
