IAMDeleteConflict - IAM Delete Conflict

An **IAMDeleteConflict** error means the IAM entity (user, role, or policy) you are trying to delete is still in use: it has attached policies, group memberships, access keys, or other dependencies that must be removed first. It is a client-side (4xx) error returned when AWS validates an entity's dependencies before deleting it. The most common trigger is a user with attached policies, but it also appears when a user is a member of a group, a user still has access keys, a role has attached policies, or a policy is still attached to one or more entities.

Common Causes

  • Identity: the IAM entity has dependencies. A Service Control Policy (SCP) enforces dependency removal.
  • Network: VPC endpoint IAM entity restrictions. The entity is still in use.
  • Limits: the user has attached policies, is a member of groups, or has access keys; the role has attached policies; the policy is attached to entities.

Solutions

  1. Step 1: Diagnose - Check user dependencies: list attached policies: `aws iam list-attached-user-policies --user-name USER_NAME`; list inline policies: `aws iam list-user-policies --user-name USER_NAME`; list group memberships: `aws iam get-groups-for-user --user-name USER_NAME`; list access keys: `aws iam list-access-keys --user-name USER_NAME`.
  2. Step 2: Diagnose - Check role dependencies: list attached policies: `aws iam list-attached-role-policies --role-name ROLE_NAME`; list inline policies: `aws iam list-role-policies --role-name ROLE_NAME`; check instance profiles: `aws iam list-instance-profiles-for-role --role-name ROLE_NAME`.
  3. Step 3: Diagnose - Check policy dependencies: list entities the policy is attached to: `aws iam list-entities-for-policy --policy-arn POLICY_ARN`. The result covers users, groups, and roles.
  4. Step 4: Fix - Remove user dependencies: detach managed policies: `aws iam detach-user-policy --user-name USER_NAME --policy-arn POLICY_ARN`; delete inline policies: `aws iam delete-user-policy --user-name USER_NAME --policy-name POLICY_NAME`; remove from groups: `aws iam remove-user-from-group --user-name USER_NAME --group-name GROUP_NAME`; delete access keys: `aws iam delete-access-key --user-name USER_NAME --access-key-id KEY_ID`.
  5. Step 5: Fix - Remove role or policy dependencies: for roles, detach policies and remove the role from its instance profiles; for policies, detach from all entities. Then delete the entity (for a user: `aws iam delete-user --user-name USER_NAME`).
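Steps 2 and 5 describe the role-side procedure (detach managed policies, delete inline policies, take the role out of every instance profile, then delete it), but the scripts further down cover only users and policies. The following is an added example, not code from this page or from AWS: it assumes AWS CLI v2 on the PATH with working credentials, a hypothetical `ROLE_NAME` environment variable, and splits the work into a pure planning function (testable offline) and an execution step that defaults to dry run, so the destructive commands are reviewed before they run.

```shell
#!/bin/sh
# Added example (not from the page): ordered cleanup of an IAM role's
# dependencies before `aws iam delete-role`.
# Assumptions: AWS CLI v2 configured; ROLE_NAME is a hypothetical variable.
set -eu

# plan_role_cleanup ROLE "managed-arns" "inline-names" "instance-profiles"
# Inputs are whitespace-separated lists, i.e. exactly what `--output text`
# prints (IAM names and ARNs never contain whitespace, so splitting is safe).
# Emits one CLI command per line in the order IAM requires: detach managed
# policies, delete inline policies, remove the role from each instance
# profile, then delete the role itself. "None" (empty result) is skipped.
plan_role_cleanup() {
  prc_role=$1; prc_managed=$2; prc_inline=$3; prc_profiles=$4
  for arn in $prc_managed; do
    if [ "$arn" != "None" ]; then
      printf 'aws iam detach-role-policy --role-name %s --policy-arn %s\n' "$prc_role" "$arn"
    fi
  done
  for name in $prc_inline; do
    if [ "$name" != "None" ]; then
      printf 'aws iam delete-role-policy --role-name %s --policy-name %s\n' "$prc_role" "$name"
    fi
  done
  for profile in $prc_profiles; do
    if [ "$profile" != "None" ]; then
      printf 'aws iam remove-role-from-instance-profile --instance-profile-name %s --role-name %s\n' "$profile" "$prc_role"
    fi
  done
  printf 'aws iam delete-role --role-name %s\n' "$prc_role"
}

# Gather the role's live dependencies with the Step 2 diagnose commands and
# feed them to the planner. DRY_RUN=1 (the default) only prints the plan.
collect_and_run() {
  car_role=$1
  car_managed=$(aws iam list-attached-role-policies --role-name "$car_role" \
    --query 'AttachedPolicies[*].PolicyArn' --output text)
  car_inline=$(aws iam list-role-policies --role-name "$car_role" \
    --query 'PolicyNames' --output text)
  car_profiles=$(aws iam list-instance-profiles-for-role --role-name "$car_role" \
    --query 'InstanceProfiles[*].InstanceProfileName' --output text)
  plan_role_cleanup "$car_role" "$car_managed" "$car_inline" "$car_profiles" |
  while IFS= read -r cmd; do
    if [ "${DRY_RUN:-1}" = "1" ]; then
      printf 'DRY RUN: %s\n' "$cmd"
    else
      printf 'RUN: %s\n' "$cmd"
      sh -c "$cmd"
    fi
  done
}

# Only runs when a role is named, e.g.:
#   ROLE_NAME=my-role sh cleanup-role.sh            # preview
#   ROLE_NAME=my-role DRY_RUN=0 sh cleanup-role.sh  # execute
if [ -n "${ROLE_NAME:-}" ]; then
  collect_and_run "$ROLE_NAME"
fi
```

The plan is deliberately built before anything is executed: the same ordering that makes `delete-role` succeed (profiles last, role after everything) is what you want to eyeball in the dry-run output, and a role still referenced by an instance profile is the case the page's user script cannot help with.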

Code Examples

Check IAM User Dependencies

```bash
#!/bin/bash
# Lists everything that still references an IAM user and would make
# `aws iam delete-user` fail with IAMDeleteConflict.
set -euo pipefail
USER_NAME="my-user"

echo "=== Checking IAM User Dependencies ==="
echo "User: ${USER_NAME}"

# List attached managed policies
printf '\n=== Attached Policies ===\n'
aws iam list-attached-user-policies --user-name "${USER_NAME}" \
  --query 'AttachedPolicies[*].PolicyArn' \
  --output table

# List inline policies
printf '\n=== Inline Policies ===\n'
aws iam list-user-policies --user-name "${USER_NAME}" \
  --query 'PolicyNames' \
  --output table

# List group memberships
printf '\n=== Group Memberships ===\n'
aws iam get-groups-for-user --user-name "${USER_NAME}" \
  --query 'Groups[*].GroupName' \
  --output table

# List access keys
printf '\n=== Access Keys ===\n'
aws iam list-access-keys --user-name "${USER_NAME}" \
  --query 'AccessKeyMetadata[*].[AccessKeyId,Status]' \
  --output table

# Caveat: a console password (get-login-profile), MFA devices (list-mfa-devices),
# signing certificates and SSH public keys also block deletion and are not
# covered by the four checks above.
printf '\n=== Summary ===\n'
echo "Remove all dependencies before deleting user (IAMDeleteConflict)"
```
Remove All User Dependencies Before Deletion

```bash
#!/bin/bash
# Removes the dependencies that make `aws iam delete-user` fail with
# IAMDeleteConflict. Destructive: run the check script first and review it.
set -euo pipefail
USER_NAME="my-user"

echo "=== Removing User Dependencies ==="

# `--output text` prints a list result tab-separated on ONE line, so a plain
# `while read` would see every value as a single item; split on tabs first.

# Detach managed policies
printf '\n=== Detaching Managed Policies ===\n'
aws iam list-attached-user-policies --user-name "${USER_NAME}" \
  --query 'AttachedPolicies[*].PolicyArn' \
  --output text | tr '\t' '\n' | while read -r POLICY_ARN; do
  if [ -n "${POLICY_ARN}" ]; then
    echo "Detaching: ${POLICY_ARN}"
    aws iam detach-user-policy --user-name "${USER_NAME}" --policy-arn "${POLICY_ARN}"
  fi
done

# Delete inline policies
printf '\n=== Deleting Inline Policies ===\n'
aws iam list-user-policies --user-name "${USER_NAME}" \
  --query 'PolicyNames' \
  --output text | tr '\t' '\n' | while read -r POLICY_NAME; do
  if [ -n "${POLICY_NAME}" ]; then
    echo "Deleting: ${POLICY_NAME}"
    aws iam delete-user-policy --user-name "${USER_NAME}" --policy-name "${POLICY_NAME}"
  fi
done

# Remove from groups
printf '\n=== Removing from Groups ===\n'
aws iam get-groups-for-user --user-name "${USER_NAME}" \
  --query 'Groups[*].GroupName' \
  --output text | tr '\t' '\n' | while read -r GROUP_NAME; do
  if [ -n "${GROUP_NAME}" ]; then
    echo "Removing from: ${GROUP_NAME}"
    aws iam remove-user-from-group --user-name "${USER_NAME}" --group-name "${GROUP_NAME}"
  fi
done

# Delete access keys
printf '\n=== Deleting Access Keys ===\n'
aws iam list-access-keys --user-name "${USER_NAME}" \
  --query 'AccessKeyMetadata[*].AccessKeyId' \
  --output text | tr '\t' '\n' | while read -r KEY_ID; do
  if [ -n "${KEY_ID}" ]; then
    echo "Deleting key: ${KEY_ID}"
    aws iam delete-access-key --user-name "${USER_NAME}" --access-key-id "${KEY_ID}"
  fi
done

# Login profile, MFA devices, signing certificates and SSH public keys, if any,
# must also be removed before delete-user succeeds.
printf '\n=== Ready to Delete User ===\n'
echo "aws iam delete-user --user-name ${USER_NAME}"
```
Check Policy Dependencies Before Deletion

```bash
#!/bin/bash
# Lists every user, group and role a managed policy is attached to; each one
# must be detached before `aws iam delete-policy` succeeds.
set -euo pipefail
POLICY_ARN="arn:aws:iam::123456789012:policy/my-policy"

echo "=== Checking Policy Dependencies ==="
echo "Policy: ${POLICY_ARN}"

# List entities with policy (users, then groups, then roles)
printf '\n=== Entities with Policy ===\n'
aws iam list-entities-for-policy --policy-arn "${POLICY_ARN}" \
  --query 'PolicyUsers[*].UserName' \
  --output table

aws iam list-entities-for-policy --policy-arn "${POLICY_ARN}" \
  --query 'PolicyGroups[*].GroupName' \
  --output table

aws iam list-entities-for-policy --policy-arn "${POLICY_ARN}" \
  --query 'PolicyRoles[*].RoleName' \
  --output table

# Note: a customer managed policy with more than one version must also have
# its non-default versions deleted before the policy itself can be deleted.
printf '\n=== Detach Policy from All Entities ===\n'
echo "Detach from users, groups, and roles before deletion (IAMDeleteConflict)"
```

Provider Information

This error code is specific to AWS services. For more information, refer to the official AWS documentation.
