Leaving a resource share - Amazon Resource Access Manager
Prerequisites for leaving a resource shareHow to leave a resource share
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Leaving a resource share

If you no longer need access to resources that are shared with you, you can leave a resource share at any time. When you leave a resource share, you lose access to the shared resources.

Prerequisites for leaving a resource share

  • You can leave a resource share only if it was shared with you as an individual Amazon Web Services account and not in the context of an organization. You can't leave a resource share if you were added to it by an Amazon Web Services account inside your organization and sharing with Amazon Organizations is enabled. Access to resource shares within an organization is automatic.

  • To leave a resource share, verify that the resource share is either empty or that it contains only resource types that support leaving a share.

    The following resource types do not support leaving a resource share. If the resource share contains one or more of these, ask the owner of the resource share to remove your principal from those with permission to the share.

    Service Resource type

    Amazon App Mesh

    appmesh:Mesh

    Amazon Private Certificate Authority

    acm-pca:CertificateAuthority

    Amazon CodeBuild

    codebuild:Project

    codebuild:ReportGroup

    EC2 Image Builder

    imagebuilder:Component

    imagebuilder:ContainerRecipe

    imagebuilder:Image

    imagebuilder:ImageRecipe

    Amazon Glue

    glue:Catalog

    glue:Database

    glue:Table

    Amazon Network Firewall

    network-firewall:FirewallPolicy

    network-firewall:StatefulRuleGroup

    network-firewall:StatelessRuleGroup

    Amazon Resource Groups

    resource-groups:Group

    Amazon Route 53

    route53resolver:FirewallRuleGroup

    route53resolver:ResolverQueryLogConfig

    Amazon Systems Manager Incident Manager

    ssm-contacts:Contact

    ssm-incidents:ResponsePlan

How to leave a resource share

Console
To leave a resource share

  1. Navigate to the Shared with me : Resource shares page in the Amazon RAM console.

  2. Because Amazon RAM resource shares exist in specific Amazon Web Services Regions, choose the appropriate Amazon Web Services Region from the dropdown list in the upper-right corner of the console. To see resource shares that contain global resources, you must set the Amazon Web Services Region to US East (N. Virginia), (us-east-1). For more information about sharing global resources, see Sharing Regional resources compared to global resources.

  3. Select the resource share you want to leave.

  4. Choose Leave resource share, and in the confirmation dialog box, choose Leave.

Amazon CLI
To leave a resource share

You can use the disassociate-resource-share command to leave a resource share.

The following example commands causes the Amazon Web Services account that calls the command to lose access to the resources shared by the resource share specified by the ARN. You must direct the request to the service endpoint in the Amazon Web Services Region that contains the resource share that you want to leave.

  1. First, retrieve the list of resource shares to retrieve the ARN of the resource share that you want to leave.

    $ aws ram get-resource-shares \
    --region us-east-1 \
    --resource-owner OTHER-ACCOUNTS
{
    "resourceShares": [
        {
            "resourceShareArn": "arn:aws-cn:ram:us-east-1:111111111111:resource-share/8b831ba0-63df-4608-be3c-19096b1ee16e",
            "name": "Prod Environment Shared Licenses",
            "owningAccountId": "111111111111",
            "allowExternalPrincipals": true,
            "status": "ACTIVE",
            "creationTime": "2021-09-21T08:50:41.308000-07:00",
            "lastUpdatedTime": "2021-09-21T08:50:41.308000-07:00",
            "featureSet": "STANDARD"
        }
    ]
}

  2. Then, you can run the command to leave that resource share. Note that you must also specify your account ID, 123456789012, as the principal to disassociate from the specified resource share, which is shared by account 111111111111.

    $ aws ram disassociate-resource-share \
    --region us-east-1 \
    --resource-share-arn arn:aws-cn:ram:us-east-1:111111111111:resource-share/8b831ba0-63df-4608-be3c-19096b1ee16e \
    --principals 123456789012 
                        {
    "resourceShareAssociations": [
        {
            "resourceShareArn": "arn:aws-cn:ram:us-east-1:111111111111:resource-share/8b831ba0-63df-4608-be3c-19096b1ee16e",
            "associatedEntity": "123456789012",
            "associationType": "PRINCIPAL",
            "status": "DISASSOCIATING",
            "external": false
        }
    ]
}