
Add full dependency preflight check for "aws iam delete-user" #9909

@AqibKhan26

Description


Describe the feature

Currently, when attempting to delete an IAM user with the AWS CLI, the deletion process stops at the first dependency it encounters (e.g., group membership, attached policies, access keys, MFA devices, login profile, SSH keys, etc.). The CLI reports only one blocking dependency at a time, forcing the user to run the deletion repeatedly to discover the next blocker.

I am proposing a feature enhancement where the AWS CLI provides a full list of all existing IAM user dependencies in a single command output, allowing users to see everything that must be removed before a deletion can proceed.

This would significantly improve the deletion workflow by:

  • Providing a single consolidated view of all dependencies (groups, policies, inline policies, access keys, MFA devices, signing certificates, login profile, service-specific credentials, etc.).
  • Eliminating the need for repeated delete attempts.
  • Making user cleanup faster, more predictable, and easier to automate.

Use Case

I frequently need to delete IAM users as part of automated cleanup scripts or security audits. Currently, aws iam delete-user only reports one blocking dependency at a time (such as an access key, inline policy, or group membership).

This forces me to:

  • Attempt deletion.
  • Receive an error about a single dependency.
  • Manually remove that dependency.
  • Attempt deletion again.
  • Repeat this process until all dependencies are removed.

This repetitive workflow is time-consuming, error-prone, and frustrating, especially when cleaning up users with multiple attachments.

A feature that provides a complete list of all dependencies in a single output would save time, reduce mistakes, and make scripts and automation more reliable. It would also improve visibility, helping administrators quickly understand why a user cannot be deleted.

Proposed Solution

Implement a preflight dependency check in the AWS CLI for the delete-user command that enumerates all IAM user dependencies before attempting deletion. This would allow users to see a complete list of blockers in a single command execution.

Implementation Approach:

  1. Create a CLI customization under awscli/customizations/iam/:
     • Example file: delete_user_safe.py
     • New command: aws iam delete-user-safe or a new flag: --check-dependencies for delete-user.
  2. Dependency Checks to Perform:
     • Login Profile (get-login-profile)
     • Access Keys (list-access-keys)
     • Signing Certificates (list-signing-certificates)
     • SSH Public Keys (list-ssh-public-keys)
     • Service-Specific Credentials (list-service-specific-credentials)
     • MFA Devices (list-mfa-devices)
     • Inline Policies (list-user-policies)
     • Attached Managed Policies (list-attached-user-policies)
     • Group Memberships (list-groups-for-user)
  3. Behavior:
     • The CLI queries all these resources for the target user.
     • If any dependencies exist, the command prints a consolidated, human-readable list of all blockers.
     • Optionally, support a --force flag to automatically remove all dependencies and then delete the user.
  4. Example Output:

     User cannot be deleted. Resolve the following dependencies first:

     - Groups: DevOps, Admins
     - Inline Policies: user-policy-1
     - Attached Policies: AdministratorAccess
     - Access Keys: AKIA1234, AKIA5678
     - MFA Devices: arn:aws:iam::123456789012:mfa/john.doe
     - Login Profile: Exists
     - Service-specific Credentials: codecommit

     or

     User cannot be deleted. User has listed dependencies: Groups, Inline Policies, Attached Policies, Access Keys, MFA Devices, Login Profile, Service-specific Credentials
  5. Testing & Validation:
     • Unit tests to simulate users with different combinations of dependencies.
     • Functional tests in tests/functional/iam/.

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CLI version used

aws-cli/2.15.26

Environment details (OS name and version, etc.)

Linux (Ubuntu 22, kernel 6.2.0-1018-aws)
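As an added example, not part of aws-cli or of the author's proposal, the preflight enumeration described above written against the boto3 IAM client method names (the same APIs the checklist cites); `FakeIAM`, `SAMPLE_USER` and the identifiers in it are constructed stand-ins so the check runs offline, and a real run would pass `boto3.client("iam")` instead.

```python
# (label, IAM API method, response key, id field; None when items are bare strings)
CHECKS = [
    ("Groups", "list_groups_for_user", "Groups", "GroupName"),
    ("Inline Policies", "list_user_policies", "PolicyNames", None),
    ("Attached Policies", "list_attached_user_policies", "AttachedPolicies", "PolicyName"),
    ("Access Keys", "list_access_keys", "AccessKeyMetadata", "AccessKeyId"),
    ("MFA Devices", "list_mfa_devices", "MFADevices", "SerialNumber"),
    ("Signing Certificates", "list_signing_certificates", "Certificates", "CertificateId"),
    ("SSH Public Keys", "list_ssh_public_keys", "SSHPublicKeys", "SSHPublicKeyId"),
    ("Service-specific Credentials", "list_service_specific_credentials",
     "ServiceSpecificCredentials", "ServiceName"),
]
def collect_user_dependencies(iam, user_name):
    """Query every blocker in one pass; {} means DeleteUser can proceed. `iam` is a boto3
    IAM client; real list_* responses are paginated, so production code must follow Marker."""
    found = {}
    try:  # GetLoginProfile has no list form: absence surfaces as a NoSuchEntity error
        iam.get_login_profile(UserName=user_name)
        found["Login Profile"] = ["Exists"]
    except iam.exceptions.NoSuchEntityException:
        pass
    for label, method, key, field in CHECKS:
        items = getattr(iam, method)(UserName=user_name).get(key, [])
        ids = [item if field is None else item[field] for item in items]
        if ids:
            found[label] = ids
    return found

def format_report(deps):  # same shape as the issue's example output
    if not deps:
        return "No blocking dependencies; the user can be deleted."
    head = "User cannot be deleted. Resolve the following dependencies first:"
    return "\n".join([head] + [f"- {k}: {', '.join(v)}" for k, v in deps.items()])

class FakeIAM:
    """Constructed offline stand-in for boto3.client('iam'): canned responses keyed by method."""
    class exceptions:  # mirrors botocore's client.exceptions namespace
        class NoSuchEntityException(Exception): ...
    def __init__(self, canned): self._canned = canned
    def __getattr__(self, method):
        def call(**_kwargs):
            if method == "get_login_profile" and method not in self._canned:
                raise self.exceptions.NoSuchEntityException()
            return self._canned.get(method, {})
        return call
# Constructed sample: console password, two groups, one inline policy, one access key
SAMPLE_USER = FakeIAM({"get_login_profile": {"LoginProfile": {"UserName": "example-user"}},
    "list_groups_for_user": {"Groups": [{"GroupName": "DevOps"}, {"GroupName": "Admins"}]},
    "list_user_policies": {"PolicyNames": ["user-policy-1"]},
    "list_access_keys": {"AccessKeyMetadata": [{"AccessKeyId": "AKIAEXAMPLE0001"}]}})
```

Running `format_report(collect_user_dependencies(SAMPLE_USER, "example-user"))` prints all four blockers in one pass instead of one per failed delete-user attempt.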

Labels

feature-request (A feature should be added or improved), iam, p3 (This is a minor priority issue)