Problem
When deleting a user with account synchronization enabled in the Enterprise Identity Access Management (EIAM) system of Alibaba Cloud IDaaS, the corresponding RAM user is not deleted synchronously.
Possible causes
The RAM account is in a special state (for example, it is bound to a multi-factor authentication (MFA) device, has AccessKeys configured, or belongs to a user group).
Incorrect synchronization scope settings. The organization of the deleted user may not match the synchronization scope settings.
Parameter configuration errors cause synchronization request exceptions.
Usage notes
Back up important information first: Ensure there are no critical resources or permissions associated with the RAM account before deletion.
Assess impacts: Deleting a RAM account will forcibly log out that account and its assumed roles without automatic recovery.
Manage permissions: Ensure the administrator has sufficient permissions, such as AliyunRAMFullAccess.
Solution
As IDaaS cannot automatically synchronize the deletion of RAM accounts in special states, follow these steps manually:
Step 1: Remove the special state of the RAM account
Remove from user groups:
Log on to the Alibaba Cloud RAM console.
In the left navigation bar, select .
Find the target RAM account and click its name to go to the details page.
In the user group area, remove the account from all user groups.
Detach MFA device (if any):
In the RAM console, go to the details page of the target RAM account.
In the area, detach the MFA device.
Delete AccessKey (if any):
On the details page of the target RAM account, go to the AccessKey management area.
Delete all configured AccessKeys.
Step 2: Delete the RAM account
Log on to the RAM console.
In the left navigation bar, select .
Find the target RAM account and click Delete in the Actions column.
Follow the prompts to complete the deletion.
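The same cleanup order, as an added example that is not part of the original article or Alibaba Cloud's own tooling: it turns the state of a RAM user into the ordered list of aliyun CLI calls that clear each special state before the final deletion. It assumes the aliyun CLI is installed and that the inputs have the shape of the RAM ListGroupsForUser and ListAccessKeys responses; the function names and all sample values are constructed for illustration.

```python
# Added example: plans the manual cleanup from Step 1 and Step 2 as aliyun CLI calls.
# Inputs mimic RAM API JSON responses (assumed shape); sample values are constructed.
import shlex


def plan_ram_user_deletion(user_name, groups_resp, mfa_bound, keys_resp):
    """Return the ordered argv lists needed to delete a RAM user in a special state."""
    # Reject empty names and names that the CLI could parse as an option.
    if not user_name or user_name.startswith("-"):
        raise ValueError("refusing suspicious user name: %r" % user_name)
    base = ["aliyun", "ram"]
    plan = []
    # Step 1: remove the account from all user groups.
    for group in groups_resp.get("Groups", {}).get("Group", []):
        plan.append(base + ["RemoveUserFromGroup", "--UserName", user_name,
                            "--GroupName", group["GroupName"]])
    # Step 1: detach the MFA device (if any).
    if mfa_bound:
        plan.append(base + ["UnbindMFADevice", "--UserName", user_name])
    # Step 1: delete every AccessKey, active or not (if any).
    for key in keys_resp.get("AccessKeys", {}).get("AccessKey", []):
        plan.append(base + ["DeleteAccessKey", "--UserName", user_name,
                            "--UserAccessKeyId", key["AccessKeyId"]])
    # Step 2: delete the RAM account only after the special states are cleared.
    plan.append(base + ["DeleteUser", "--UserName", user_name])
    return plan


def render(plan):
    """Quote each argv list so it can be reviewed or pasted into a shell."""
    return [" ".join(shlex.quote(arg) for arg in argv) for argv in plan]


# Constructed sample responses for a hypothetical offboarded user.
SAMPLE_GROUPS = {"Groups": {"Group": [{"GroupName": "dev-team"},
                                      {"GroupName": "billing-readers"}]}}
SAMPLE_KEYS = {"AccessKeys": {"AccessKey": [{"AccessKeyId": "LTAI-EXAMPLE-KEY-1",
                                             "Status": "Active"}]}}

if __name__ == "__main__":
    plan = plan_ram_user_deletion("alice.offboarded", SAMPLE_GROUPS, True, SAMPLE_KEYS)
    for line in render(plan):
        print(line)
```

Review the rendered commands before running them, since deleted AccessKeys and RAM accounts are not recovered automatically.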