Unable to delete AWSServiceRoleForSSO role in IAM

0

I am unable to delete the AWSServiceRoleForSSO role in IAM. The error message is:

Errors during deleting roles. Role AWSServiceRoleForSSO not deleted. There is an Identity Center directory instance with management account xxxxxxxxxxxxx, Please delete the Identity Center directory instance first before requesting to delete the SLR.

I disabled the IAM Identity Center over 12 hours ago, so have some resources failed to successfully delete within it?

Edit: perhaps the word "delete" is misleading, I'm not trying to delete an Amazon-managed role globally, I am simply trying to stop it from applying to my own account.

2 answers
0

If you haven't already, try to delete IAM Identity Center (IdC) resources used by the AWSServiceRoleForSSO role by:

  1. Removing user and group access for all users and groups that have access to the AWS account.
  2. Deleting permission sets that you have associated with the AWS account.

See the steps here: https://docs.aws.amazon.com/singlesignon/latest/userguide/using-service-linked-roles.html#delete-slr

While you can manually delete a service-linked role (SLR), the role must not be in use when trying to delete it. See this link for details on manually deleting an SLR via IAM: https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role

AWS
answered 9 months ago
  • IAM Identity Center was entirely disabled by me over 24 hours ago, the only option I get when visiting the IAM Identity Center is to enable it, which I don't want to do. I can only assume that all users, groups and permission sets within it were deleted and should not be using the AWSServiceRoleForSSO role. What else could be blocking the SLR deletion?

  • I assume you tried to "Delete IAM Identity Center configuration" as per the guidance here: https://docs.aws.amazon.com/singlesignon/latest/userguide/regions.html?icmpid=docs_sso_console

    The AWSServiceRoleForSSO SLR should have been deleted when deleting the IdC instance.

    Try re-enabling IdC then, after ~30 minutes or so, delete the IdC instance again to re-attempt the automated AWSServiceRoleForSSO SLR deletion process.
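The two clean-up steps in the answer above (remove account assignments, delete permission sets) followed by the manual SLR deletion request, as an added example that is not part of the original post or of any AWS tooling. It assumes boto3 is installed and the credentials carry sso-admin and iam permissions; the instance ARN and account ID in the stand-alone run are hypothetical placeholders. The useful part for the original poster's situation is the last function: IAM's deletion task reports a FAILED status together with a Reason and RoleUsageList that name what still references the role.

```python
"""Remove the IAM Identity Center resources that keep AWSServiceRoleForSSO in use,
then request deletion of the service-linked role and report IAM's verdict.
Added example; the clients are passed in so the logic can be exercised without AWS."""
import time

ROLE_NAME = "AWSServiceRoleForSSO"


def _paginate(call, key, **kwargs):
    """Follow NextToken until the API stops returning one; yields items under `key`."""
    token = None
    while True:
        resp = call(**kwargs, **({"NextToken": token} if token else {}))
        yield from resp.get(key, [])
        token = resp.get("NextToken")
        if not token:
            return


def account_assignments(sso_admin, instance_arn, account_id):
    """Every (permission set ARN, principal type, principal id) still bound to the account."""
    found = []
    for ps_arn in _paginate(sso_admin.list_permission_sets_provisioned_to_account,
                            "PermissionSets", InstanceArn=instance_arn, AccountId=account_id):
        for a in _paginate(sso_admin.list_account_assignments, "AccountAssignments",
                           InstanceArn=instance_arn, AccountId=account_id, PermissionSetArn=ps_arn):
            found.append((ps_arn, a["PrincipalType"], a["PrincipalId"]))
    return found


def remove_account_access(sso_admin, instance_arn, account_id, poll=1.0):
    """Step 1: delete every user/group assignment for the account. Deletion is
    asynchronous, so each request is polled to completion. Returns the count removed."""
    removed = 0
    for ps_arn, ptype, pid in account_assignments(sso_admin, instance_arn, account_id):
        status = sso_admin.delete_account_assignment(
            InstanceArn=instance_arn, TargetId=account_id, TargetType="AWS_ACCOUNT",
            PermissionSetArn=ps_arn, PrincipalType=ptype, PrincipalId=pid,
        )["AccountAssignmentDeletionStatus"]
        while status["Status"] == "IN_PROGRESS":
            time.sleep(poll)
            status = sso_admin.describe_account_assignment_deletion_status(
                InstanceArn=instance_arn,
                AccountAssignmentDeletionRequestId=status["RequestId"],
            )["AccountAssignmentDeletionStatus"]
        if status["Status"] != "SUCCEEDED":
            raise RuntimeError(f"assignment deletion failed: {status}")
        removed += 1
    return removed


def delete_permission_sets(sso_admin, instance_arn):
    """Step 2: delete every permission set in the instance. A permission set that is
    still assigned to *any* account is rejected, so clear assignments for all
    accounts first. Returns the number of permission sets deleted."""
    arns = list(_paginate(sso_admin.list_permission_sets, "PermissionSets",
                          InstanceArn=instance_arn))
    for arn in arns:
        sso_admin.delete_permission_set(InstanceArn=instance_arn, PermissionSetArn=arn)
    return len(arns)


def delete_slr(iam, role_name=ROLE_NAME, poll=2.0, max_polls=30):
    """Request SLR deletion and poll the deletion task. Returns (status, reason);
    on FAILED, `reason` carries IAM's text and a RoleUsageList of the regions and
    resources that still use the role, which is what the console error hides."""
    task_id = iam.delete_service_linked_role(RoleName=role_name)["DeletionTaskId"]
    for _ in range(max_polls):
        resp = iam.get_service_linked_role_deletion_status(DeletionTaskId=task_id)
        if resp["Status"] not in ("NOT_STARTED", "IN_PROGRESS"):
            return resp["Status"], resp.get("Reason")
        time.sleep(poll)
    return "TIMEOUT", None


if __name__ == "__main__":
    import boto3  # only needed for a real run; the functions above are importable without it
    # sso-admin must target the region where Identity Center was enabled.
    sso_admin, iam = boto3.client("sso-admin"), boto3.client("iam")
    # Hypothetical placeholders: substitute the real instance ARN and account ID.
    instance_arn, account_id = "arn:aws:sso:::instance/ssoins-EXAMPLE", "111111111111"
    print("assignments removed:", remove_account_access(sso_admin, instance_arn, account_id))
    print("permission sets deleted:", delete_permission_sets(sso_admin, instance_arn))
    print("SLR deletion:", delete_slr(iam))
```

If `delete_slr` comes back FAILED, act on `reason["RoleUsageList"]` rather than retrying blindly: each entry names a region and the resources (for example a directory instance) that still hold a reference to the role, which is the check the console error message does not give you.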

0

Role AWSServiceRoleForSSO is an AWS managed policy, which you cannot delete. It also looks like your account is running under an organisation, and the management account would have access to the Directory Instance where you can manage principals and roles from, so you would need to have the correct permissions to do any modifications, and not fall under any SCPs.

answered 9 months ago
  • I have deleted the role AWSServiceRoleForSSO in the past, so it is definitely possible. The error message also says it's possible to delete the SLR.

    AWS Organizations and IAM Identity Center are both disabled on the account, so neither of those should be blocking the SLR deletion.
