Delete IAM User completely using AWS CLI

Today, I got a new requirement: to get rid of old and redundant IAM users so that the AWS environment is clean and tidy (we should do our bit).

As per the AWS documentation HERE, deleting the IAM user via command line is bit tedious than AWS GUI (which is simply select and delete, duh).

However, being a CLI buff myself, I made a shell script to clean up the IAM users, one by one.

Script to delete IAM user

Copy the below script to a file, say: delete_iam_user.sh

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
#!/bin/bash

# This script will remove the IAM user from a particular AWS account

SCRIPT_NAME=$(basename $0)
usage () {
echo '
Usage: '"$SCRIPT_NAME"' "USERNAME" "AWS PROFILE NAME"

E.g.
'"$SCRIPT_NAME"' cb-varun some-random-aws-profile

Note: 
	- The username should not contain any special characters (except hyphen, -; tested)
	- The script follows the rule of AWS on deleting IAM User.
	- Test and use at your own risk, although I have tested this at my end without any issues.
'
}

if [ "$#" -ne 2 ]; then
	usage
else
	# Set the alias
	alias aws=''`which aws`' --profile '"$2"' --output text'
	shopt -s expand_aliases

	# User name is the argument to the script
	USER_NAME="$1"

	# remove Access keys
	ACC_KEY=$(aws iam list-access-keys --user-name "$USER_NAME" --output text --query 'AccessKeyMetadata[*].AccessKeyId')
	if [ ! -z "$ACC_KEY" ]; then
		echo "$ACC_KEY" | while read -r KEY_LIST; do
			aws iam delete-access-key --user-name "$USER_NAME" --access-key-id "$KEY_LIST"
		done
	fi

	# remove certificates
	CERT_ID=$(aws iam list-signing-certificates --user-name "$USER_NAME" --output text --query 'Certificates[*].CertificateId')
	if [ ! -z "$CERT_ID" ]; then
		echo "$CERT_ID" | while read -r CERT_LIST; do
			aws iam delete-signing-certificate --user-name "$USER_NAME" --certificate-id "$CERT_LIST"
		done
	fi

	# remove login profile/password
	aws iam delete-login-profile --user-name "$USER_NAME"

	# remove MFA devices
	MFA_ID=$(aws iam list-mfa-devices --user-name "$USER_NAME" --query 'MFADevices[*].SerialNumber')
	if [ ! -z "$MFA_ID" ]; then
		echo "$MFA_ID" | while read -r MFA_LIST; do
			aws iam deactivate-mfa-device --user-name "$USER_NAME" --serial-number "$MFA_LIST"
		done
	fi

	# detach user policies
	USER_POLICY=$(aws iam list-attached-user-policies --user-name "$USER_NAME" --query 'AttachedPolicies[*].PolicyArn')
	if [ ! -z "$USER_POLICY" ]; then
		echo "$USER_POLICY" | while read -r POLICIES; do
			aws iam detach-user-policy --user-name "$USER_NAME" --policy-arn "$POLICIES"
		done
	fi

	# remove user from groups
	GRP_NAME=$(aws iam list-groups-for-user --user-name "$USER_NAME" --query 'Groups[*].GroupName' | tr -s '\t' '\n')
	if [ ! -z "$GRP_NAME" ]; then
		echo "$GRP_NAME" | while read -r GRP; do
			aws iam remove-user-from-group --user-name "$USER_NAME" --group-name "$GRP"
		done
	fi

	# delete the user
	aws iam delete-user --user-name "$USER_NAME"

	# unset the alias
	unalias aws
fi

Once copied, mark the file as executable as follows:

1
chmod +x delete_iam_user.sh

Run the script to see the usage:

1
bash delete_iam_user.sh

Output would be like this:

1
2
3
4
5
6
7
8
9
Usage: delete_iam_user.sh "USERNAME" "AWS PROFILE NAME"

E.g.
delete_iam_user.sh cb-varun some-random-aws-profile

Note: 
- The username should not contain any special characters (except hyphen, -; tested) 
- The script follows the rule of AWS on deleting IAM User. 
- Test and use at your own risk, although I have tested this at my end without any issues.

Note: The script requires 2 arguments:

  • 1st argument: IAM username
  • 2nd argument: AWS CLI profile name (or default; not tested)

Feel free to test it out and let me know in case of any issues.

amazon web services aws cloud command linux ubuntu iam
  1. Script to delete IAM user
© 2024 Varun Chandak, Powered by Aloha and Hexo.