Delete IAM User completely using AWS CLI

Today, I got a new requirement: to get rid of old and redundant IAM users so that the AWS environment is clean and tidy (we should do our bit; a stale user whose access keys were never revoked is a credential nobody is watching).

As per the AWS documentation HERE, deleting an IAM user from the command line is a bit more tedious than from the AWS console (which is simply select and delete, duh): the console removes the user's access keys, signing certificates, password, MFA devices, policies and group memberships for you, whereas the CLI refuses to delete the user until you have removed each of those yourself.

However, being a CLI buff myself, I made a shell script to clean up the IAM users, one by one.

Script to delete IAM user

Copy the below script to a file, say: delete_iam_user.sh

#!/bin/bash

# This script will remove the IAM user from a particular AWS account.
# AWS refuses to delete a user that still has access keys, certificates, a
# password, MFA devices, policies or group memberships, so those go first.

SCRIPT_NAME=$(basename "$0")
usage () {
    echo '
Usage: '"$SCRIPT_NAME"' "USERNAME" "AWS PROFILE NAME"

E.g.
'"$SCRIPT_NAME"' cb-varun some-random-aws-profile

Note:
- The username should not contain any special characters (except hyphen, -; tested)
- The script follows the rule of AWS on deleting IAM User.
- Test and use at your own risk, although I have tested this at my end without any issues.
'
}

if [ "$#" -ne 2 ]; then
    usage
    exit 1
fi

# User name and profile name are the arguments to the script
USER_NAME="$1"
PROFILE_NAME="$2"

# Wrap the CLI in a function rather than an alias: bash expands aliases when a
# command is read, and the whole if/else block that defined the alias was read
# before it existed, so the original alias never applied. Text output lists
# items tab-separated on one line, so every list below goes through tr to get
# one item per line for the read loop.
aws () {
    command aws --profile "$PROFILE_NAME" --output text "$@"
}

# remove Access keys
ACC_KEY=$(aws iam list-access-keys --user-name "$USER_NAME" --query 'AccessKeyMetadata[*].AccessKeyId' | tr -s '\t' '\n')
if [ -n "$ACC_KEY" ]; then
    echo "$ACC_KEY" | while read -r KEY_ID; do
        aws iam delete-access-key --user-name "$USER_NAME" --access-key-id "$KEY_ID"
    done
fi

# remove certificates
CERT_ID=$(aws iam list-signing-certificates --user-name "$USER_NAME" --query 'Certificates[*].CertificateId' | tr -s '\t' '\n')
if [ -n "$CERT_ID" ]; then
    echo "$CERT_ID" | while read -r CERT; do
        aws iam delete-signing-certificate --user-name "$USER_NAME" --certificate-id "$CERT"
    done
fi

# remove login profile/password (API-only users have none, so check first)
if aws iam get-login-profile --user-name "$USER_NAME" >/dev/null 2>&1; then
    aws iam delete-login-profile --user-name "$USER_NAME"
fi

# remove MFA devices: deactivate each one, then delete virtual devices
# (their serial number is an ARN; hardware tokens stay in the account)
MFA_ID=$(aws iam list-mfa-devices --user-name "$USER_NAME" --query 'MFADevices[*].SerialNumber' | tr -s '\t' '\n')
if [ -n "$MFA_ID" ]; then
    echo "$MFA_ID" | while read -r SERIAL; do
        aws iam deactivate-mfa-device --user-name "$USER_NAME" --serial-number "$SERIAL"
        case "$SERIAL" in
            arn:*) aws iam delete-virtual-mfa-device --serial-number "$SERIAL" ;;
        esac
    done
fi

# delete inline user policies (delete-user fails while any remain)
INLINE_POLICY=$(aws iam list-user-policies --user-name "$USER_NAME" --query 'PolicyNames' | tr -s '\t' '\n')
if [ -n "$INLINE_POLICY" ]; then
    echo "$INLINE_POLICY" | while read -r POLICY_NAME; do
        aws iam delete-user-policy --user-name "$USER_NAME" --policy-name "$POLICY_NAME"
    done
fi

# detach managed user policies
USER_POLICY=$(aws iam list-attached-user-policies --user-name "$USER_NAME" --query 'AttachedPolicies[*].PolicyArn' | tr -s '\t' '\n')
if [ -n "$USER_POLICY" ]; then
    echo "$USER_POLICY" | while read -r POLICY_ARN; do
        aws iam detach-user-policy --user-name "$USER_NAME" --policy-arn "$POLICY_ARN"
    done
fi

# remove user from groups
GRP_NAME=$(aws iam list-groups-for-user --user-name "$USER_NAME" --query 'Groups[*].GroupName' | tr -s '\t' '\n')
if [ -n "$GRP_NAME" ]; then
    echo "$GRP_NAME" | while read -r GRP; do
        aws iam remove-user-from-group --user-name "$USER_NAME" --group-name "$GRP"
    done
fi

# delete the user
aws iam delete-user --user-name "$USER_NAME"

Once copied, mark the file as executable as follows:

chmod +x delete_iam_user.sh

Run the script to see the usage:

bash delete_iam_user.sh

The output looks like this:

Usage: delete_iam_user.sh "USERNAME" "AWS PROFILE NAME"

E.g.
delete_iam_user.sh cb-varun some-random-aws-profile

Note:
- The username should not contain any special characters (except hyphen, -; tested)
- The script follows the rule of AWS on deleting IAM User.
- Test and use at your own risk, although I have tested this at my end without any issues.

Note: The script requires 2 arguments:

  • 1st argument: IAM username
  • 2nd argument: AWS CLI profile name (or default; not tested)
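
The AWS rule the script follows lists a few more dependency kinds than the shell script handles: SSH public keys, service-specific credentials (CodeCommit or Keyspaces passwords), a permissions boundary, and the virtual MFA device that is left behind after deactivation. Below is an added Python example, not this post's script, that walks the complete ordered teardown using the boto3 IAM client's method names and response keys. FakeIam and sample_user_state() are constructed stand-ins so it runs offline and the call order can be inspected; the account id 123456789012 in the sample is the AWS documentation placeholder.

```python
"""Ordered teardown of one IAM user: the AWS rule says every credential,
MFA device, policy, group membership and boundary must go before delete_user.
Added example, not the post's script. Method names and response keys are the
boto3 IAM client's; FakeIam is a constructed offline stand-in for it."""

# (list call, response key, removal call, removal argument): real boto3 names.
DEPS = [
    ("list_access_keys", "AccessKeyMetadata", "delete_access_key", "AccessKeyId"),
    ("list_signing_certificates", "Certificates", "delete_signing_certificate", "CertificateId"),
    ("list_ssh_public_keys", "SSHPublicKeys", "delete_ssh_public_key", "SSHPublicKeyId"),
    ("list_service_specific_credentials", "ServiceSpecificCredentials",
     "delete_service_specific_credential", "ServiceSpecificCredentialId"),
    ("list_mfa_devices", "MFADevices", "deactivate_mfa_device", "SerialNumber"),
    ("list_user_policies", "PolicyNames", "delete_user_policy", "PolicyName"),
    ("list_attached_user_policies", "AttachedPolicies", "detach_user_policy", "PolicyArn"),
    ("list_groups_for_user", "Groups", "remove_user_from_group", "GroupName"),
]


def delete_iam_user_completely(iam, user_name):
    """Remove every dependency in order, then the user; returns the calls made."""
    done = []

    def do(op, **kw):
        getattr(iam, op)(**kw)
        done.append(op)

    try:  # API-only users have no console password: AWS answers NoSuchEntity
        do("delete_login_profile", UserName=user_name)
    except iam.exceptions.NoSuchEntityException:
        pass
    for list_op, key, remove_op, field in DEPS:
        # one page is enough for a single user's items; paginate in bulk tools
        for item in getattr(iam, list_op)(UserName=user_name)[key]:
            ident = item if isinstance(item, str) else item[field]  # PolicyNames holds plain strings
            do(remove_op, UserName=user_name, **{field: ident})
            if remove_op == "deactivate_mfa_device" and ident.startswith("arn:"):
                do("delete_virtual_mfa_device", SerialNumber=ident)  # virtual devices have ARN serials
    if "PermissionsBoundary" in iam.get_user(UserName=user_name)["User"]:
        do("delete_user_permissions_boundary", UserName=user_name)
    do("delete_user", UserName=user_name)
    return done


class FakeIam:
    """Constructed stand-in for boto3.client("iam"); refuses delete_user while dependencies remain."""

    class exceptions:
        class NoSuchEntityException(Exception): pass
        class DeleteConflictException(Exception): pass

    def __init__(self, state):
        self.state = state  # keys as in DEPS, plus "User" and "LoginProfile"

    def __getattr__(self, name):
        def call(**kw):
            st = self.state
            if name == "get_user":
                return {"User": dict(st["User"])}
            if name == "delete_login_profile":
                if not st.pop("LoginProfile", False):
                    raise self.exceptions.NoSuchEntityException(name)
                return {}
            if name == "delete_user_permissions_boundary":
                st["User"].pop("PermissionsBoundary", None)
            if name in ("delete_user_permissions_boundary", "delete_virtual_mfa_device"):
                return {}
            if name == "delete_user":
                if st.get("LoginProfile") or any(st.get(k) for _, k, _, _ in DEPS):
                    raise self.exceptions.DeleteConflictException("user still has dependencies")
                return {}
            for list_op, key, remove_op, field in DEPS:
                if name == list_op:
                    return {key: list(st.get(key, []))}
                if name == remove_op:
                    st[key] = [i for i in st.get(key, []) if (i if isinstance(i, str) else i[field]) != kw[field]]
                    return {}
            raise AttributeError(name)
        return call


def sample_user_state():
    """Constructed fixture with one of every dependency kind (123456789012 is the AWS docs placeholder)."""
    return {
        "User": {"UserName": "cb-varun", "PermissionsBoundary": {"PermissionsBoundaryArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
        "LoginProfile": True,
        "AccessKeyMetadata": [{"AccessKeyId": "AKIAEXAMPLE0000000001"}, {"AccessKeyId": "AKIAEXAMPLE0000000002"}],
        "Certificates": [{"CertificateId": "CERTIDEXAMPLE"}],
        "SSHPublicKeys": [{"SSHPublicKeyId": "APKAEXAMPLE"}],
        "ServiceSpecificCredentials": [{"ServiceSpecificCredentialId": "ACCAEXAMPLE"}],
        "MFADevices": [{"SerialNumber": "arn:aws:iam::123456789012:mfa/cb-varun"}],
        "PolicyNames": ["inline-s3-read"],
        "AttachedPolicies": [{"PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}],
        "Groups": [{"GroupName": "developers"}],
    }


if __name__ == "__main__":
    print(*delete_iam_user_completely(FakeIam(sample_user_state()), "cb-varun"), sep="\n")
```

Passing boto3.client("iam") in place of FakeIam runs the same teardown against a real account, and the returned call list is worth keeping next to the CloudTrail entries as the record of what was removed. On the sample user the run makes thirteen calls ending in delete_user; for a user without a console password the NoSuchEntity answer to delete_login_profile is swallowed and the rest proceeds, and calling delete_user before the dependencies are gone is refused with DeleteConflict, which is exactly the error the one-step CLI approach runs into.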

Feel free to test it out and let me know in case of any issues.

amazon web services aws cloud command linux ubuntu iam