DisassociatePrincipalFromPortfolio - AWS Service Catalog


Disassociates a previously associated principal ARN from a specified portfolio.

The PrincipalType and PrincipalARN must match the details of the AssociatePrincipalWithPortfolio request that created the association. For example, to disassociate an association created with a PrincipalARN of PrincipalType IAM, you must use the PrincipalType IAM when calling DisassociatePrincipalFromPortfolio.

For portfolios that have been shared with principal name sharing enabled: after disassociating a principal, share recipient accounts will no longer be able to provision products in this portfolio using a role matching the name of the associated principal.

For more information, review associate-principal-with-portfolio in the AWS CLI Command Reference.


If you disassociate a principal from a portfolio with PrincipalType IAM, the same principal still has access to the portfolio if it matches one of the associated principals of type IAM_PATTERN. To fully remove access for a principal, review all associated principals of type IAM_PATTERN, and then disassociate any IAM_PATTERN principals that match the principal whose access you are removing.
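One way to run the check described above before and after a disassociation. This is an added example, not AWS code. It assumes the input is the Principals list returned by ListPrincipalsForPortfolio, and that in an IAM_PATTERN ARN `*` matches any run of characters (including `/`) and `?` matches exactly one character; the function names and sample ARNs are made up for illustration.

```python
import re

# Constructed sample shaped like the "Principals" list returned by
# ListPrincipalsForPortfolio; every ARN below is made up.
SAMPLE_PRINCIPALS = [
    {"PrincipalARN": "arn:aws:iam::111122223333:role/team/DeployRole", "PrincipalType": "IAM"},
    {"PrincipalARN": "arn:aws:iam:::role/team/Deploy*", "PrincipalType": "IAM_PATTERN"},
    {"PrincipalARN": "arn:aws:iam:::role/DeployRol?", "PrincipalType": "IAM_PATTERN"},
    {"PrincipalARN": "arn:aws:iam:::user/*", "PrincipalType": "IAM_PATTERN"},
    {"PrincipalARN": "arn:aws:iam:::role/*/DeployRole", "PrincipalType": "IAM_PATTERN"},
]


def strip_account(arn):
    """Return (partition, resource) of an IAM ARN, ignoring the account ID."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "iam":
        raise ValueError(f"not an IAM ARN: {arn!r}")
    return parts[1], parts[5]


def wildcard_to_regex(pattern):
    """Translate '*' and '?' to regex; every other character is literal.
    Assumed semantics: '*' also spans '/', '?' is exactly one character."""
    body = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.compile(body + r"\Z", re.DOTALL)


def remaining_grants(principal_arn, principals):
    """List the associations that still cover principal_arn: the exact IAM
    association, plus every IAM_PATTERN entry whose pattern matches it."""
    partition, resource = strip_account(principal_arn)
    hits = []
    for p in principals:
        if p["PrincipalType"] == "IAM":
            if p["PrincipalARN"] == principal_arn:
                hits.append(p)
            continue
        pat_partition, pat_resource = strip_account(p["PrincipalARN"])
        if pat_partition == partition and wildcard_to_regex(pat_resource).match(resource):
            hits.append(p)
    return hits
```

Access is fully removed only when `remaining_grants` returns an empty list for the principal; each entry it returns needs its own DisassociatePrincipalFromPortfolio call with the matching PrincipalType.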

Request Syntax

{
   "AcceptLanguage": "string",
   "PortfolioId": "string",
   "PrincipalARN": "string",
   "PrincipalType": "string"
}

Request Parameters

The request accepts the following data in JSON format.


AcceptLanguage

The language code.

  • jp - Japanese

  • zh - Chinese

Type: String

Length Constraints: Maximum length of 100.

Required: No


PortfolioId

The portfolio identifier.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 100.

Pattern: ^[a-zA-Z0-9_\-]*

Required: Yes


PrincipalARN

The ARN of the principal (user, role, or group). If PrincipalType is IAM_PATTERN, this field accepts an ARN with no AccountId, with or without wildcard characters.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 1000.

Required: Yes


PrincipalType

The supported value is IAM if you use a fully defined ARN, or IAM_PATTERN if you specify an IAM ARN with no AccountId, with or without wildcard characters.

Type: String

Valid Values: IAM | IAM_PATTERN

Required: No

Response Elements

If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.



Errors

One or more parameters provided to the operation are not valid.

HTTP Status Code: 400


The specified resource was not found.

HTTP Status Code: 400
