Deleting roles or instance profiles - Amazon Identity and Access Management
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Deleting roles or instance profiles

If you no longer need a role, we recommend that you delete the role and its associated permissions. That way you don't have an unused entity that is not actively monitored or maintained.

If the role was associated with an EC2 instance, you can also remove the role from the instance profile and then delete the instance profile.

Warning

Make sure that you do not have any Amazon EC2 instances running with the role or instance profile you are about to delete. Deleting a role or instance profile that is associated with a running instance will break any applications that are running on the instance. The same applies to anything else that assumes the role, such as Lambda functions, ECS tasks, or principals in other accounts: once the role is deleted, their next attempt to obtain credentials from it fails.

If you prefer not to permanently delete a role, you can disable it instead. To do this, change the role's policies and then revoke all current sessions. For example, you could add a policy to the role that denies all actions, and you could edit the trust policy so that no principal can assume the role. Unlike disabling, deletion cannot be undone by recreating the role: a role that you recreate with the same name gets a new unique role ID, so resource-based policies that referenced the deleted role no longer grant it access. For more information about revoking sessions, see Revoking IAM role temporary security credentials.

View role access

Before you delete a role, we recommend that you review when the role was last used. You can do this using the Amazon Web Services Management Console, the Amazon CLI, or the Amazon API. Checking first helps you avoid removing access from a workload or person that still uses the role.

The role's last activity date might not match the last date reported in the Access Advisor tab. The Access Advisor tab reports activity only for services allowed by the role's permissions policies, whereas the last activity date reflects the last attempt to access any service in Amazon, whether or not the role's permissions policies allow that service.

Note

The tracking period for a role last activity and Access Advisor data is for the trailing 400 days. This period can be shorter if your Region began supporting these features within the last year. The role might have been used more than 400 days ago. For more information about the tracking period, see Where Amazon tracks last accessed information.

To view when a role was last used (console)

  1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.

  2. In the navigation pane, choose Roles.

  3. Find the row of the role with the activity you want to view. You can use the search field to narrow the results. View the Last activity column to see the number of days since the role was last used. If the role has not been used within the tracking period, then the table displays None.

  4. Choose the name of the role to view more information. The role Summary page also includes Last activity, which displays the last used date for the role. If the role has not been used within the last 400 days, then Last activity displays Not accessed in the tracking period.

To view when a role was last used (Amazon CLI)

aws iam get-role - Run this command to return information about a role, including the RoleLastUsed object. This object contains the LastUsedDate and the Region in which the role was last used. If RoleLastUsed is present but empty, then the role has not been used within the tracking period (it might still have been used before that period began).

To view when a role was last used (Amazon API)

GetRole - Call this operation to return information about a role, including the RoleLastUsed object. This object contains the LastUsedDate and the Region in which the role was last used. If RoleLastUsed is present but empty, then the role has not been used within the tracking period (it might still have been used before that period began).
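As an added example (it is not part of the original page and not code from the Amazon CLI or SDK), the following Python reads the JSON that `aws iam get-role` prints, or the equivalent GetRole response, and turns RoleLastUsed into a decision. It handles the empty RoleLastUsed case described above, and it treats a role younger than the staleness threshold separately, because a role that has not had time to be used is not evidence of abandonment. The sample responses, account ID, dates and the 90-day threshold are constructed; only the field names are IAM's.

```python
"""Decide from `aws iam get-role` output whether a role looks safe to delete."""
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed sample output, in the shape `aws iam get-role --role-name myrole`
# returns (account ID and dates are made up; the role was used 28 days before NOW).
SAMPLE_USED = json.loads("""
{
  "Role": {
    "Path": "/",
    "RoleName": "myrole",
    "Arn": "arn:aws-cn:iam::123456789012:role/myrole",
    "CreateDate": "2023-01-05T14:30:00Z",
    "RoleLastUsed": {"LastUsedDate": "2024-02-01T09:15:00Z", "Region": "cn-north-1"}
  }
}
""")

# Constructed: an old role that IAM has not seen used within the tracking period.
SAMPLE_UNUSED = json.loads("""
{"Role": {"RoleName": "legacy-batch",
          "Arn": "arn:aws-cn:iam::123456789012:role/legacy-batch",
          "CreateDate": "2021-06-10T08:00:00Z",
          "RoleLastUsed": {}}}
""")

# Constructed: a role created a few days ago; "no activity" means nothing yet.
SAMPLE_NEW = json.loads("""
{"Role": {"RoleName": "new-deploy",
          "Arn": "arn:aws-cn:iam::123456789012:role/new-deploy",
          "CreateDate": "2024-02-26T12:00:00Z",
          "RoleLastUsed": {}}}
""")

# Fixed "now" so the example is deterministic; pass datetime.now(timezone.utc) for real use.
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
TRACKING_PERIOD_DAYS = 400  # IAM keeps last-used data for the trailing 400 days at most


def _parse_time(value: str) -> datetime:
    """Parse the ISO 8601 timestamps the CLI emits (trailing Z or a +00:00 offset)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify_role(get_role_output: dict, stale_after_days: int = 90,
                  now: Optional[datetime] = None) -> dict:
    """Classify a role as 'active', 'stale', 'unused' or 'new' from its GetRole response.

    'unused' means no use within the tracking period, which does not prove the role
    was never used: it may have been used more than TRACKING_PERIOD_DAYS ago.
    'new' means the role is younger than stale_after_days, so lack of activity is
    not evidence of abandonment.
    """
    now = now or datetime.now(timezone.utc)
    role = get_role_output["Role"]
    created = _parse_time(role["CreateDate"])
    last_used = role.get("RoleLastUsed") or {}  # present but empty when never seen used
    result = {"role": role["RoleName"], "arn": role["Arn"], "age_days": (now - created).days,
              "last_used": None, "region": None, "days_since_use": None}
    if "LastUsedDate" in last_used:
        used_at = _parse_time(last_used["LastUsedDate"])
        result.update(last_used=used_at.isoformat(), region=last_used.get("Region"),
                      days_since_use=(now - used_at).days)
        result["status"] = "active" if result["days_since_use"] <= stale_after_days else "stale"
    elif result["age_days"] < stale_after_days:
        result["status"] = "new"
    else:
        result["status"] = "unused"
    return result


def classify_role_json(cli_output: str, **kwargs) -> dict:
    """Same decision, taken straight from the text that `aws iam get-role` prints."""
    return classify_role(json.loads(cli_output), **kwargs)


if __name__ == "__main__":
    for sample in (SAMPLE_USED, SAMPLE_UNUSED, SAMPLE_NEW):
        print(classify_role(sample, now=NOW))
```

For a real account, pass the parsed output of `aws iam get-role` to classify_role with the current time. Treat "unused" as "unused within the tracking period" only: that window is at most 400 days and can be shorter in a Region that began tracking recently, so a role with no recorded activity still deserves a look at CloudTrail or at whoever owns it before deletion.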

Deleting a service-linked role

If the role is a service-linked role, review the documentation for the linked service to learn how to delete the role. You can view the service-linked roles in your account by going to the IAM Roles page in the console. Service-linked roles appear with (Service-linked role) in the Trusted entities column of the table. A banner on the role Summary page also indicates that the role is a service-linked role.

If the service does not include documentation for deleting the service-linked role, you can use the IAM console, Amazon CLI, or API to delete the role. For more information, see Deleting a service-linked role.

Deleting an IAM role (console)

When you use the Amazon Web Services Management Console to delete a role, IAM also automatically deletes the policies associated with the role. It also deletes any Amazon EC2 instance profile that contains the role.

Important

In some cases, a role might be associated with an Amazon EC2 instance profile, and the role and the instance profile might have the same name. In that case you can use the Amazon Web Services Management Console to delete the role and the instance profile. This linkage happens automatically for roles and instance profiles that you create in the console. If you created the role from the Amazon CLI, Tools for Windows PowerShell, or the Amazon API, then the role and the instance profile might have different names. In that case you cannot use the console to delete them. Instead, you must use the Amazon CLI, Tools for Windows PowerShell, or Amazon API to first remove the role from the instance profile. You must then take a separate step to delete the role.

To delete a role (console)

  1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.

  2. In the navigation pane, choose Roles, and then select the check box next to the role name that you want to delete.

  3. At the top of the page, choose Delete.

  4. In the confirmation dialog box, review the last accessed information, which shows when each of the selected roles last accessed an Amazon service. This helps you to confirm if the role is currently active. If you want to proceed, enter the name of the role in the text input field and choose Delete. If you are sure, you can proceed with the deletion even if the last accessed information is still loading.

Note

You cannot use the console to delete an instance profile unless it has the same name as the role. The instance profile is deleted as part of the process of deleting a role as described in the preceding procedure. To delete an instance profile without also deleting the role, you must use the Amazon CLI or Amazon API. For more information, see the following sections.

Deleting an IAM role (Amazon CLI)

When you use the Amazon CLI to delete a role, you must first remove everything that is attached to it: remove the role from any instance profiles, delete its inline policies, and detach any managed policies (detach rather than delete them, because other entities might share them). Otherwise delete-role fails with a DeleteConflict error. Also, if you want to delete the associated instance profile that contains the role, you must delete it separately.

To delete a role (Amazon CLI)

  1. If you don't know the name of the role that you want to delete, enter the following command to list the roles in your account:

    aws iam list-roles

    The list includes the Amazon Resource Name (ARN) of each role. Use the role name, not the ARN, to refer to roles with the CLI commands. For example, if a role has the following ARN: arn:aws-cn:iam::123456789012:role/myrole, you refer to the role as myrole.

  2. Remove the role from all instance profiles that the role is in.

    1. To list all instance profiles that the role is associated with, enter the following command:

      aws iam list-instance-profiles-for-role --role-name role-name
    2. To remove the role from an instance profile, enter the following command for each instance profile:

      aws iam remove-role-from-instance-profile --instance-profile-name instance-profile-name --role-name role-name
  3. Delete all inline policies that are embedded in the role. Managed policies that are attached to the role are not returned by list-role-policies; list them with list-attached-role-policies and detach each one with detach-role-policy before you continue.

    1. To list all inline policies that are embedded in the role, enter the following command:

      aws iam list-role-policies --role-name role-name
    2. To delete each policy from the role, enter the following command for each policy:

      aws iam delete-role-policy --role-name role-name --policy-name policy-name
  4. Enter the following command to delete the role:

    aws iam delete-role --role-name role-name
  5. If you do not plan to reuse the instance profiles that were associated with the role, you can enter the following command to delete them:

    aws iam delete-instance-profile --instance-profile-name instance-profile-name

Deleting an IAM role (Amazon API)

When you use the IAM API to delete a role, you must first delete the inline policies embedded in the role, detach any managed policies attached to it (DetachRolePolicy), and remove the role from its instance profiles. Otherwise DeleteRole fails with a DeleteConflict error. Also, if you want to delete the associated instance profile that contains the role, you must delete it separately.

To delete a role (Amazon API)

  1. To list all instance profiles that a role is in, call ListInstanceProfilesForRole.

    To remove the role from all instance profiles that the role is in, call RemoveRoleFromInstanceProfile. You must pass the role name and instance profile name.

    If you are not going to reuse an instance profile that was associated with the role, call DeleteInstanceProfile to delete it.

  2. To list all inline policies for a role, call ListRolePolicies.

    To delete all inline policies that are associated with the role, call DeleteRolePolicy. You must pass the role name and policy name.

    Managed policies attached to the role are not returned by ListRolePolicies. To list them, call ListAttachedRolePolicies; to remove each one, call DetachRolePolicy with the role name and policy ARN.

  3. Call DeleteRole to delete the role.
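The CLI and API procedures above are the same sequence of calls, so here is one added example that covers both (it is not code from the page or from the Amazon SDK): a Python function that drives a boto3 IAM client through the steps in the order DeleteRole requires, plus a constructed in-memory stand-in for the client so the script runs without an account. The boto3 method names and keyword arguments are real; the FakeIAM class, the role, profile and policy names, and the run_demo scenario are assumptions made for the example. Beyond the page's steps, it also detaches managed policies, which ListRolePolicies does not return but which block DeleteRole just the same, and it follows IsTruncated/Marker pagination so roles with many attachments are handled fully.

```python
"""Tear down an IAM role in the order DeleteRole requires, with an offline stand-in client."""


def _all_pages(list_call, key, **kwargs):
    """Follow IsTruncated/Marker so roles with many policies or profiles are handled fully."""
    items, marker = [], None
    while True:
        page = list_call(**kwargs, **({"Marker": marker} if marker else {}))
        items.extend(page.get(key, []))
        if not page.get("IsTruncated"):
            return items
        marker = page["Marker"]


def delete_role_completely(iam, role_name, delete_instance_profiles=True):
    """Remove everything that blocks DeleteRole, then delete the role.

    `iam` is a boto3 IAM client (or anything with the same method names and kwargs).
    Returns the actions taken, in order, so the caller can log them.
    """
    actions = []
    # 1. Instance profiles: a role still in a profile cannot be deleted, and a
    #    profile that still contains a role cannot be deleted either.
    for profile in _all_pages(iam.list_instance_profiles_for_role, "InstanceProfiles", RoleName=role_name):
        name = profile["InstanceProfileName"]
        iam.remove_role_from_instance_profile(InstanceProfileName=name, RoleName=role_name)
        actions.append(f"removed {role_name} from instance profile {name}")
        if delete_instance_profiles:
            iam.delete_instance_profile(InstanceProfileName=name)
            actions.append(f"deleted instance profile {name}")
    # 2. Inline policies are embedded in the role, so they are deleted outright.
    for policy_name in _all_pages(iam.list_role_policies, "PolicyNames", RoleName=role_name):
        iam.delete_role_policy(RoleName=role_name, PolicyName=policy_name)
        actions.append(f"deleted inline policy {policy_name}")
    # 3. Managed policies are separate objects other roles may share: detach, never delete.
    for attached in _all_pages(iam.list_attached_role_policies, "AttachedPolicies", RoleName=role_name):
        iam.detach_role_policy(RoleName=role_name, PolicyArn=attached["PolicyArn"])
        actions.append(f"detached managed policy {attached['PolicyArn']}")
    # 4. Only now does DeleteRole succeed.
    iam.delete_role(RoleName=role_name)
    actions.append(f"deleted role {role_name}")
    return actions


class FakeIAM:
    """Constructed in-memory stand-in for the boto3 IAM client (assumption, for offline runs).
    It enforces the same DeleteConflict rules the service does, so a wrong order fails here too."""

    def __init__(self, role, profiles, inline, managed):
        self.roles = {role}
        self.profiles = {p: {role} for p in profiles}  # profile name -> roles it contains
        self.inline = {role: set(inline)}
        self.managed = {role: set(managed)}
        self.calls = []  # API operation names, in the order they were invoked

    def list_instance_profiles_for_role(self, RoleName):
        self.calls.append("ListInstanceProfilesForRole")
        names = [p for p, roles in self.profiles.items() if RoleName in roles]
        return {"InstanceProfiles": [{"InstanceProfileName": p} for p in names], "IsTruncated": False}

    def remove_role_from_instance_profile(self, InstanceProfileName, RoleName):
        self.calls.append("RemoveRoleFromInstanceProfile")
        self.profiles[InstanceProfileName].discard(RoleName)

    def delete_instance_profile(self, InstanceProfileName):
        self.calls.append("DeleteInstanceProfile")
        if self.profiles[InstanceProfileName]:
            raise RuntimeError("DeleteConflict: instance profile still contains a role")
        del self.profiles[InstanceProfileName]

    def list_role_policies(self, RoleName):
        self.calls.append("ListRolePolicies")
        return {"PolicyNames": sorted(self.inline[RoleName]), "IsTruncated": False}

    def delete_role_policy(self, RoleName, PolicyName):
        self.calls.append("DeleteRolePolicy")
        self.inline[RoleName].remove(PolicyName)

    def list_attached_role_policies(self, RoleName):
        self.calls.append("ListAttachedRolePolicies")
        return {"AttachedPolicies": [{"PolicyArn": a} for a in sorted(self.managed[RoleName])], "IsTruncated": False}

    def detach_role_policy(self, RoleName, PolicyArn):
        self.calls.append("DetachRolePolicy")
        self.managed[RoleName].remove(PolicyArn)

    def delete_role(self, RoleName):
        self.calls.append("DeleteRole")
        if any(RoleName in r for r in self.profiles.values()) or self.inline[RoleName] or self.managed[RoleName]:
            raise RuntimeError("DeleteConflict: role still has attachments")
        self.roles.discard(RoleName)


def run_demo():
    """Constructed scenario: a console-style role whose profile shares its name, one inline
    policy and one attached managed policy. For a real account use boto3.client("iam")."""
    iam = FakeIAM("myrole", profiles=["myrole"], inline=["s3-read-only"],
                  managed=["arn:aws-cn:iam::aws:policy/ReadOnlyAccess"])
    return delete_role_completely(iam, "myrole"), iam


if __name__ == "__main__":
    for line in run_demo()[0]:
        print(line)
```

Run the last-used check from the earlier section before calling delete_role_completely, and pass delete_instance_profiles=False if other roles or launch templates still reference the profile. The function deliberately never deletes a managed policy: a customer managed policy shared with other roles would otherwise disappear with this one.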

For general information about instance profiles, see Using instance profiles.

For general information about service-linked roles, see Using service-linked roles.