AWS Identity and Access Management
User Guide

Deleting Roles or Instance Profiles

If you no longer need a role, we recommend that you delete the role and its associated permissions. That way you don’t have an unused entity that is not actively monitored or maintained.

If the role was associated with an EC2 instance, then you can also remove the role from the instance profile and then delete the instance profile.

Warning

Make sure you do not have any Amazon EC2 instances running with the role or instance profile you are about to delete. Deleting a role or instance profile that is associated with a running instance will break any applications running on the instance.

If the role is a service-linked role, the role can be deleted only from the service that depends on the role. See the AWS documentation for your service to learn how to delete the role.

Deleting a Role (Console)

When you use the AWS Management Console to delete a role, IAM also automatically deletes the policies associated with the role. It also deletes any Amazon EC2 instance profile that contains the role.

Important

If a role is associated with an Amazon EC2 instance profile, and the role and the instance profile have the exact same name, then you can use the AWS console to delete the role and the instance profile. This linkage happens automatically for roles and instance profiles that you create in the console. If you created the role from the AWS CLI, Tools for Windows PowerShell, or the AWS API, then the role and the instance profile might have different names. In that case you cannot use the console to delete them. Instead, you must use the AWS CLI, Tools for Windows PowerShell, or AWS API to first remove the role from the instance profile. You must then take a separate step to delete the role.

To delete a role

  1. Sign in to the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Roles, and then select the check box next to the role name that you want to delete, not the name or row itself.

  3. For Role actions at the top of the page, choose Delete role.

  4. In the confirmation dialog box, review the service last accessed data, which shows when each of the selected roles last accessed an AWS service. This helps you to confirm whether the role is currently active. If you want to proceed, choose Yes, Delete. If you are sure, you can proceed with the deletion even if the service last accessed data is still loading.

Note

You cannot use the console to delete an instance profile, except when it has the exact same name as the role. In addition, you must delete the instance profile as part of the process of deleting a role as described in the preceding procedure. To delete an instance profile without also deleting the role, you must use the AWS CLI, Tools for Windows PowerShell, or AWS API. For more information, see the following sections.

Deleting a Role (AWS CLI)

When you use the AWS CLI to delete a role, you must first delete the policies associated with the role. Also, if you want to delete the associated instance profile that contains the role, you must delete it separately.

To use the AWS CLI to delete a role

  1. If you don't know the name of the role that you want to delete, type the following command to list the roles in your account:

    $ aws iam list-roles

    A list of roles with their Amazon Resource Name (ARN) is displayed. Use the role name, not the ARN, to refer to roles with the CLI commands. For example, if a role has the following ARN: arn:aws:iam::123456789012:role/myrole, you refer to the role as myrole.

  2. Remove the role from all instance profiles that the role is in.

    1. To list all instance profiles that the role is associated with, type the following command:

      $ aws iam list-instance-profiles-for-role --role-name role-name
    2. To remove the role from an instance profile, type the following command for each instance profile:

      $ aws iam remove-role-from-instance-profile --instance-profile-name instance-profile-name --role-name role-name
  3. Delete all policies that are associated with the role.

    1. To list all policies that are in the role, type the following command:

      $ aws iam list-role-policies --role-name role-name
    2. To delete each policy from the role, type the following command for each policy:

      $ aws iam delete-role-policy --role-name role-name --policy-name policy-name
  4. Type the following command to delete the role:

    $ aws iam delete-role --role-name role-name
  5. If you do not plan to reuse the instance profiles that were associated with the role, you can type the following command to delete them:

    $ aws iam delete-instance-profile --instance-profile-name instance-profile-name
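
The CLI procedure above, combined with the earlier warning about running instances, as one shell function. This is an added example, not AWS's own script: the function name `delete_role` is hypothetical, the running-instance check covers only the CLI's current region, and it goes beyond the listed steps by also detaching managed policies (`list-attached-role-policies`, `detach-role-policy`), which must be removed before `delete-role` succeeds.

```shell
# Added example (not AWS's script). Usage: delete_role ROLE_NAME
# Assumption: the running-instance check only sees the CLI's current region.
delete_role() {
  local role="$1" arns arn ids inline managed p
  arns=$(aws iam list-instance-profiles-for-role --role-name "$role" \
    --query 'InstanceProfiles[].Arn' --output text) || return 1

  # Pass 1 (the page's warning): refuse, before changing anything, if a
  # running instance still uses one of the role's instance profiles.
  for arn in $arns; do
    ids=$(aws ec2 describe-instances --filters \
      "Name=iam-instance-profile.arn,Values=$arn" \
      "Name=instance-state-name,Values=running" \
      --query 'Reservations[].Instances[].InstanceId' --output text) || return 1
    if [ -n "$ids" ]; then
      echo "refusing: ${arn##*/} is in use by running instance(s): $ids" >&2
      return 2
    fi
  done

  # Step 2: remove the role from each profile (name = last ARN segment).
  for arn in $arns; do
    aws iam remove-role-from-instance-profile \
      --instance-profile-name "${arn##*/}" --role-name "$role" || return 1
  done

  # Step 3: delete the inline policies embedded in the role.
  inline=$(aws iam list-role-policies --role-name "$role" \
    --query 'PolicyNames[]' --output text) || return 1
  for p in $inline; do
    aws iam delete-role-policy --role-name "$role" --policy-name "$p" || return 1
  done
  # Managed policies are detached rather than deleted (addition to the steps).
  managed=$(aws iam list-attached-role-policies --role-name "$role" \
    --query 'AttachedPolicies[].PolicyArn' --output text) || return 1
  for p in $managed; do
    aws iam detach-role-policy --role-name "$role" --policy-arn "$p" || return 1
  done

  # Step 4: delete the role itself. Instance profiles are left in place.
  aws iam delete-role --role-name "$role"
}
```

The function returns 2 without modifying anything when a profile is still in use, so it can gate an automated cleanup job.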

Deleting a Role (Tools for Windows PowerShell)

When you use Windows PowerShell to delete a role, you must first delete the policies associated with the role. Also, if you want to delete the associated instance profile that contains the role, you must delete it separately.

To use the Tools for Windows PowerShell to delete a role

  1. If you don't know the name of the role that you want to delete, type the following command to list the roles in your account:

    PS C:\> Get-IAMRoles | Select RoleName

    Use the role name, not the ARN, to refer to roles with the PowerShell cmdlets. For example, if a role has the following ARN: arn:aws:iam::123456789012:role/myrole, you refer to the role as myrole.

  2. Remove the role from all instance profiles that the role is in. The following command gets the list of all instance profiles that contain the role, removes the role from each instance profile in the list, and then deletes the now empty instance profiles. If you plan to reuse the instance profiles, then you can omit the last cmdlet in the command.

    PS C:\> Get-IAMInstanceProfileForRole -RoleName RoleName | Remove-IAMRoleFromInstanceProfile -RoleName RoleName | Remove-IAMInstanceProfile
  3. Delete all policies that are associated with the role. The following command gets the list of all policies that are attached to the role and detaches each one.

    PS C:\> Get-IAMAttachedRolePolicies -RoleName RoleName | Unregister-IAMRolePolicy -RoleName RoleName
  4. Type the following command to delete the role:

    PS C:\> Remove-IAMRole -RoleName RoleName

Deleting a Role (AWS API)

When you use the IAM API to delete a role, you must first delete the policies associated with the role. Also, if you want to delete the associated instance profile that contains the role, you must delete it separately.

To use the AWS API to delete a role

  1. To list all instance profiles that a role is in, call ListInstanceProfilesForRole.

    To remove the role from all instance profiles that the role is in, call RemoveRoleFromInstanceProfile. You must pass the role name and instance profile name.

    If you are not going to reuse an instance profile that was associated with the role, call DeleteInstanceProfile to delete it.

  2. To list all policies for a role, call ListRolePolicies.

    To delete all policies that are associated with the role, call DeleteRolePolicy. You must pass the role name and policy name.

  3. Call DeleteRole to delete the role.

For general information about instance profiles, see Using Instance Profiles.