AWS Identity and Access Management
User Guide

Deleting Roles or Instance Profiles

If you no longer need a role, we recommend that you delete the role and its associated permissions so that you don’t have an unused entity that is not actively monitored or maintained.

If the role was associated with an EC2 instance, then you can also remove the role from the instance profile and then delete the instance profile.

Caution

Make sure you do not have any Amazon EC2 instances running with the role or instance profile you are about to delete. Deleting a role or instance profile that is associated with a running instance will break any applications running on the instance.

Deleting a Role (AWS Management Console)

When you use the AWS Management Console to delete a role, IAM also automatically deletes the policies associated with the role as well as any Amazon EC2 instance profile that contains the role.

Important

If a role is associated with an Amazon EC2 instance profile, and the role and the instance profile have the exact same name, then you can use the AWS console to delete the role and the instance profile. This happens automatically if you create them in the console. If you created the role from the AWS CLI, Tools for Windows PowerShell, or the AWS API, then the role and the instance profile might have different names, and you cannot use the console to delete them. Instead, you must use the AWS CLI, Tools for Windows PowerShell, or AWS API to first remove the role from the instance profile and then (as a separate step) delete the role.

To use the AWS Management Console to delete a role

  1. Sign in to the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Roles, and then select the check box next to the role name that you want to delete, not the name or row itself.

  3. For Role Actions at the top of the page, choose Delete Role.

  4. In the confirmation dialog box, review the service last accessed data, which shows when each of the selected roles last accessed an AWS service. This helps you to confirm whether the role is currently active. If you want to proceed, choose Yes, Delete. If you are sure, you can proceed with the deletion even if the service last accessed data is still loading.

Note

You cannot use the console to delete an instance profile, except when it has the exact same name as the role and you delete it as part of the process of deleting a role as described in the preceding procedure. To delete an instance profile without also deleting the role, you must use the AWS CLI, Tools for Windows PowerShell, or AWS API. For more information, see the following sections.

Deleting a Role (AWS CLI)

When you use the AWS CLI to delete a role, you must first delete the policies associated with the role. Also, if you want to delete the associated instance profile that contains the role, you must delete it separately.

To use the AWS CLI to delete a role

  1. If you don't know the name of the role that you want to delete, type the following command to list the roles in your account:

    aws iam list-roles

    A list of roles with their Amazon Resource Name (ARN) is displayed. Use the role name, not the ARN, to refer to roles with the CLI commands. For example, if a role has the following ARN: arn:aws:iam::123456789012:role/myrole, you refer to the role as myrole.

  2. Remove the role from all instance profiles that the role is in.

    1. To list all instance profiles that the role is associated with, type the following command:

      aws iam list-instance-profiles-for-role --role-name role-name
    2. To remove the role from an instance profile, type the following command for each instance profile:

      aws iam remove-role-from-instance-profile --instance-profile-name instance-profile-name --role-name role-name
  3. Delete all policies that are associated with the role.

    1. To list all policies that are in the role, type the following command:

      aws iam list-role-policies --role-name role-name
    2. To delete each policy from the role, type the following command for each policy:

      aws iam delete-role-policy --role-name role-name --policy-name policy-name
  4. Type the following command to delete the role:

    aws iam delete-role --role-name role-name
  5. If you do not plan to reuse the instance profiles that were associated with the role, you can type the following command to delete them:

    aws iam delete-instance-profile --instance-profile-name instance-profile-name
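
The CLI procedure above as one script, added here as an example and not part of the AWS guide. It goes beyond the listed steps in two ways: it refuses to change anything while running instances in the current region still use one of the role's instance profiles (the Caution above), and it also detaches managed policies with list-attached-role-policies and detach-role-policy, which delete-role requires. The DRY_RUN and KEEP_PROFILES variables and the function names are this example's own.

```sh
# Added example, not from the AWS guide. DRY_RUN=1 (default) prints the mutating
# commands without running them; DRY_RUN=0 runs them. KEEP_PROFILES=1 keeps profiles.
set -eu

run() {  # print a mutating call; execute it only when DRY_RUN=0
  echo "aws $*"
  if [ "${DRY_RUN:-1}" = "0" ]; then aws "$@" >/dev/null || return 1; fi
}

names() {  # read-only list call -> one name per line (text output is tab-separated)
  _o=$(aws iam "$@" --output text) || return 1
  printf '%s\n' "$_o" | tr '\t' '\n' | sed '/^$/d;/^None$/d'
}

instances_using() {  # pending/running instance IDs using a profile ARN, current region only
  aws ec2 describe-instances --output text \
    --filters "Name=iam-instance-profile.arn,Values=$1" \
              "Name=instance-state-name,Values=pending,running" \
    --query 'Reservations[].Instances[].InstanceId'
}

delete_role() {
  role=$1
  profiles=$(aws iam list-instance-profiles-for-role --role-name "$role" \
    --query 'InstanceProfiles[].[InstanceProfileName,Arn]' --output text) || return 1
  inline=$(names list-role-policies --role-name "$role" --query 'PolicyNames[]') || return 1
  managed=$(names list-attached-role-policies --role-name "$role" \
    --query 'AttachedPolicies[].PolicyArn') || return 1
  # Pass 1: change nothing if any instance still uses one of the profiles.
  while read -r name arn; do
    [ -n "$arn" ] || continue
    ids=$(instances_using "$arn") || return 1
    case "$ids" in ''|None) ;; *) echo "refusing: $name in use by $ids" >&2; return 1 ;; esac
  done <<EOF
$profiles
EOF
  # Pass 2: empty (and optionally delete) the profiles, strip policies, delete the role.
  while read -r name arn; do
    [ -n "$arn" ] || continue
    run iam remove-role-from-instance-profile --instance-profile-name "$name" --role-name "$role" || return 1
    [ "${KEEP_PROFILES:-0}" = "1" ] || run iam delete-instance-profile --instance-profile-name "$name" || return 1
  done <<EOF
$profiles
EOF
  for p in $inline; do run iam delete-role-policy --role-name "$role" --policy-name "$p" || return 1; done
  for a in $managed; do run iam detach-role-policy --role-name "$role" --policy-arn "$a" || return 1; done
  run iam delete-role --role-name "$role"
}

if [ "$#" -gt 0 ]; then delete_role "$1"; fi
```

The instance check covers only the region the CLI is configured for, so repeat it per region before running with DRY_RUN=0. The list and describe calls are read-only and run even in dry-run mode.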

Deleting a Role (Tools for Windows PowerShell)

When you use Windows PowerShell to delete a role, you must first delete the policies associated with the role. Also, if you want to delete the associated instance profile that contains the role, you must delete it separately.

To use the Tools for Windows PowerShell to delete a role

  1. If you don't know the name of the role that you want to delete, type the following command to list the roles in your account:

    PS C:\> Get-IAMRoles | Select RoleName

    Use the role name, not the ARN, to refer to roles with the PowerShell cmdlets. For example, if a role has the following ARN: arn:aws:iam::123456789012:role/myrole, you refer to the role as myrole.

  2. Remove the role from all instance profiles that the role is in. The following command gets the list of all instance profiles that contain the role, removes the role from each instance profile in the list, and then deletes the now empty instance profiles. If you plan to reuse the instance profiles, then you can omit the last cmdlet in the command.

    PS C:\> Get-IAMInstanceProfileForRole -RoleName RoleName | Remove-IAMRoleFromInstanceProfile -RoleName RoleName | Remove-IAMInstanceProfile
  3. Delete all policies that are associated with the role. The following command gets the list of all policies that are attached to the role and detaches each one.

    PS C:\> Get-IAMAttachedRolePolicies -RoleName RoleName | Unregister-IAMRolePolicy -RoleName RoleName
  4. Type the following command to delete the role:

    PS C:\> Remove-IAMRole -RoleName RoleName

Deleting a Role (AWS API)

When you use the IAM API to delete a role, you must first delete the policies associated with the role. Also, if you want to delete the associated instance profile that contains the role, you must delete it separately.

To use the AWS API to delete a role

  1. To list all instance profiles that a role is in, call ListInstanceProfilesForRole.

    To remove the role from all instance profiles that the role is in, call RemoveRoleFromInstanceProfile. You must pass the role name and instance profile name.

    If you are not going to reuse an instance profile that was associated with the role, you call DeleteInstanceProfile to delete it.

  2. To list all policies for a role, call ListRolePolicies.

    To delete all policies that are associated with the role, call DeleteRolePolicy. You must pass the role name and policy name.

  3. Call DeleteRole to delete the role.

For general information about instance profiles, see Using Instance Profiles.