+<GitHub discussion={{"id":"D_kwDOF8slf84AUGiY","number":728,"author":{"login":"timrwilliams"},"title":"How do I remove a user from Reference Architecture?","body":"\nI would like to remove a user account from the reference architecture setup. I have removed their entry from users.yml but when running `terragrunt apply` I receive the below error:\r\n\r\n```\r\n Error: Error deleting IAM User x.x: DeleteConflict: Cannot delete entity, must remove tokens from principal first.\r\n│ \tstatus code: 409, request id: e5ca38f3-0059-4fd2-ac39-ae2528dbbeab\r\n```\r\n\r\nI note in the underlying terraform docs there is a mention of a \"force_destroy\" process but not sure how to translate that to the Reference Architecture flow.\n\n---\n\n<ins datetime=\"2023-06-06T08:20:39Z\">\n <p><a href=\"https://support.gruntwork.io/hc/requests/110231\">Tracked in ticket #110231</a></p>\n</ins>\n","bodyHTML":"<p dir=\"auto\">I would like to remove a user account from the reference architecture setup. I have removed their entry from users.yml but when running <code class=\"notranslate\">terragrunt apply</code> I receive the below error:</p>\n<div class=\"snippet-clipboard-content notranslate position-relative overflow-auto\" data-snippet-clipboard-copy-content=\" Error: Error deleting IAM User x.x: DeleteConflict: Cannot delete entity, must remove tokens from principal first.\n│ \tstatus code: 409, request id: e5ca38f3-0059-4fd2-ac39-ae2528dbbeab\"><pre class=\"notranslate\"><code class=\"notranslate\"> Error: Error deleting IAM User x.x: DeleteConflict: Cannot delete entity, must remove tokens from principal first.\n│ \tstatus code: 409, request id: e5ca38f3-0059-4fd2-ac39-ae2528dbbeab\n</code></pre></div>\n<p dir=\"auto\">I note in the underlying terraform docs there is a mention of a \"force_destroy\" process but not sure how to translate that to the Reference Architecture flow.</p>\n<hr>\n<ins datetime=\"2023-06-06T08:20:39Z\">\n <p dir=\"auto\"><a 
href=\"https://support.gruntwork.io/hc/requests/110231\" rel=\"nofollow\">Tracked in ticket #110231</a></p>\n</ins>","answer":{"body":"Since MFA tokens are likely created outside of Terraform, you will need to delete these prior to running terraform to remove the account.\r\n\r\nI wrote a script for you to handle this a bit easier than Click Ops in the console. I added in deletion of access keys as well, just in case those have to be removed prior to user deletion as well. Extend as you see fit, of course! This script just echoes to the screen, but can trivially be modified to actually run the aws commands.\r\n\r\n```\r\n#!/bin/bash\r\n\r\nuser=$1\r\n\r\nif [[ -z $user ]] ; then\r\n\techo \"Specify user to remove access keys and tokens from.\"\r\n\texit 0\r\nfi\r\n\r\n# Check to see if the user exists\r\naws iam get-user --user-name $user > /dev/null\r\nif [[ $? -ne 0 ]] ; then\r\n\t# If there's an error, we'll see the problem (likely NoSuchEntity) sent to STDERR\r\n\texit 1\r\nfi\r\n\r\nmfas=$(aws iam list-mfa-devices --user-name $user | grep SerialNumber | cut -d : -f 2- | sed 's/[ \",]//g')\r\nfor mfa in $mfas ; do\r\n\techo \"aws iam deactivate-mfa-device --user-name $user --serial-number $mfa\"\r\n\techo \"aws iam delete-virtual-mfa-device --serial-number $mfa\"\r\ndone\r\n\r\nkeys=$(aws iam list-access-keys --user-name $user | grep AccessKeyId | cut -d : -f 2 | sed 's/[ \",]//g')\r\nfor key in $keys ; do\r\n\techo \"aws iam delete-access-key --user-name $user --access-key-id $key\"\r\ndone\r\n```","bodyHTML":"<p dir=\"auto\">Since MFA tokens are likely created outside of Terraform, you will need to delete these prior to running terraform to remove the account.</p>\n<p dir=\"auto\">I wrote a script for you to handle this a bit easier than Click Ops in the console. I added in deletion of access keys as well, just in case those have to be removed prior to user deletion as well. Extend as you see fit, of course! 
This script just echoes to the screen, but can trivially be modified to actually run the aws commands.</p>\n<div class=\"snippet-clipboard-content notranslate position-relative overflow-auto\" data-snippet-clipboard-copy-content=\"#!/bin/bash\n\nuser=$1\n\nif [[ -z $user ]] ; then\n\techo "Specify user to remove access keys and tokens from."\n\texit 0\nfi\n\n# Check to see if the user exists\naws iam get-user --user-name $user > /dev/null\nif [[ $? -ne 0 ]] ; then\n\t# If there's an error, we'll see the problem (likely NoSuchEntity) sent to STDERR\n\texit 1\nfi\n\nmfas=$(aws iam list-mfa-devices --user-name $user | grep SerialNumber | cut -d : -f 2- | sed 's/[ ",]//g')\nfor mfa in $mfas ; do\n\techo "aws iam deactivate-mfa-device --user-name $user --serial-number $mfa"\n\techo "aws iam delete-virtual-mfa-device --serial-number $mfa"\ndone\n\nkeys=$(aws iam list-access-keys --user-name $user | grep AccessKeyId | cut -d : -f 2 | sed 's/[ ",]//g')\nfor key in $keys ; do\n\techo "aws iam delete-access-key --user-name $user --access-key-id $key"\ndone\"><pre class=\"notranslate\"><code class=\"notranslate\">#!/bin/bash\n\nuser=$1\n\nif [[ -z $user ]] ; then\n\techo \"Specify user to remove access keys and tokens from.\"\n\texit 0\nfi\n\n# Check to see if the user exists\naws iam get-user --user-name $user > /dev/null\nif [[ $? -ne 0 ]] ; then\n\t# If there's an error, we'll see the problem (likely NoSuchEntity) sent to STDERR\n\texit 1\nfi\n\nmfas=$(aws iam list-mfa-devices --user-name $user | grep SerialNumber | cut -d : -f 2- | sed 's/[ \",]//g')\nfor mfa in $mfas ; do\n\techo \"aws iam deactivate-mfa-device --user-name $user --serial-number $mfa\"\n\techo \"aws iam delete-virtual-mfa-device --serial-number $mfa\"\ndone\n\nkeys=$(aws iam list-access-keys --user-name $user | grep AccessKeyId | cut -d : -f 2 | sed 's/[ \",]//g')\nfor key in $keys ; do\n\techo \"aws iam delete-access-key --user-name $user --access-key-id $key\"\ndone\n</code></pre></div>"}}} />
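The answer above prints the `aws iam` commands that have to run before IAM's `DeleteUser` stops returning `DeleteConflict`. The script below is an added example, not the answerer's script or anything from the Reference Architecture: it covers the same ground with `--query`/`--output text` instead of `grep`/`cut`/`sed`, also removes the console password, and can execute the plan with `--apply`. It assumes (none of this is on the page) that the caller holds `iam:Get*`/`iam:List*` plus the matching `iam:Delete*`/`iam:Deactivate*` permissions on the target user, that AWS CLI v2 is on `PATH`, and the `AWS_CLI` override and function names are hypothetical conveniences for running it against a stub.

```bash
#!/bin/bash
# Added example, not the original answer's script: list and, with --apply,
# remove the credentials that make IAM DeleteUser fail with DeleteConflict,
# so the Terraform/Terragrunt run that drops the user from users.yml succeeds.
#
# Assumptions (not stated on the page): the caller has iam:Get*/List* and the
# matching iam:Delete*/Deactivate* permissions on the target user; AWS CLI v2
# is on PATH. AWS_CLI is a hypothetical override so the functions can be run
# against a stub. Without --apply the script only prints the commands.
set -eu

AWS_CLI="${AWS_CLI:-aws}"

# JMESPath --query with --output text gives one whitespace-separated list,
# which is more robust than grep/cut/sed over pretty-printed JSON.
list_access_keys() {
    "$AWS_CLI" iam list-access-keys --user-name "$1" \
        --query 'AccessKeyMetadata[].AccessKeyId' --output text
}

list_mfa_serials() {
    "$AWS_CLI" iam list-mfa-devices --user-name "$1" \
        --query 'MFADevices[].SerialNumber' --output text
}

has_login_profile() {
    "$AWS_CLI" iam get-login-profile --user-name "$1" >/dev/null 2>&1
}

# Print, one per line, the commands DeleteUser needs to have run first.
# Order matters: access keys and the console password go before MFA, so the
# account never sits in a state where it is usable without a second factor.
# A virtual MFA device (serial is an ARN ending in :mfa/<name>) is deactivated
# and then deleted; a hardware token is only deactivated, because
# DeleteVirtualMFADevice rejects non-virtual serial numbers.
plan_user_cleanup() {
    user="$1"
    for key in $(list_access_keys "$user"); do
        echo "aws iam delete-access-key --user-name $user --access-key-id $key"
    done
    if has_login_profile "$user"; then
        echo "aws iam delete-login-profile --user-name $user"
    fi
    for serial in $(list_mfa_serials "$user"); do
        echo "aws iam deactivate-mfa-device --user-name $user --serial-number $serial"
        case "$serial" in
            arn:*:iam::*:mfa/*)
                echo "aws iam delete-virtual-mfa-device --serial-number $serial" ;;
        esac
    done
}

# Execute the planned commands, routing each one through $AWS_CLI.
apply_user_cleanup() {
    plan_user_cleanup "$1" | while read -r cmd; do
        echo "+ $cmd" >&2
        set -- $cmd            # split into words; the first is the literal 'aws'
        shift
        "$AWS_CLI" "$@"
    done
}

main() {
    if [ "$#" -lt 1 ]; then
        echo "usage: $0 <iam-user-name> [--apply]" >&2
        return 2
    fi
    # Fail early on a typo (NoSuchEntity lands on stderr) instead of
    # silently planning nothing.
    "$AWS_CLI" iam get-user --user-name "$1" >/dev/null
    if [ "${2:-}" = "--apply" ]; then
        apply_user_cleanup "$1"
    else
        plan_user_cleanup "$1"
    fi
}

# Only act when invoked with arguments, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it once without `--apply` to review the plan, then with `--apply`, and re-run `terragrunt apply` afterwards; the user removal that previously hit `DeleteConflict` should now go through. If the module in use exposes the `force_destroy` argument of Terraform's `aws_iam_user` resource, setting it to `true` makes the provider remove these same credentials itself at destroy time, which is what the question's reference to `force_destroy` points at.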