You must delete all Resource Access Management (RAM) resources before closing an Alibaba Cloud account. If any RAM resources remain, the account closure fails.
Verified accounts
If your Alibaba Cloud account has passed real-name verification, delete the following resources in order using the RAM console or the RAM API. The order matters — RAM users must be deleted before groups, and roles before policies.
- Delete all RAM users.
  For more information, see Disable or delete a RAM user.
- Delete all RAM user groups.
  For more information, see Delete a RAM user group.
- Delete all RAM roles.
  For more information, see Delete a RAM role.
- Delete all custom policies.
  For more information, see Delete a custom policy.
- Delete all OAuth applications, including enterprise applications and third-party applications.
  For more information, see Delete an application.
- Delete all identity providers (IdPs).
  For more information, see Delete a SAML IdP.
- Delete all virtual MFA devices.
  Deleting a RAM user automatically removes the virtual MFA device bound to that user. However, orphaned virtual MFA devices may still exist in two cases:
  - A binding operation failed, leaving an unbound virtual MFA device.
  - You called the CreateVirtualMFADevice operation but did not bind the device to a RAM user.
  To delete orphaned devices, call the ListVirtualMFADevices operation to list all virtual MFA devices, then call the DeleteVirtualMFADevice operation to delete each one.
- Reset the default logon suffix.
  - Find your account ID.
    Log on to the Alibaba Cloud Management Console. Click your profile picture in the upper-right corner, and then click Security Settings. Note the account ID on the Security Settings page.
  - Change the default logon suffix to the account ID.
    For more information, see Manage RAM user logon domains.
Unverified accounts
If your Alibaba Cloud account has not passed real-name verification, you cannot access the RAM console. However, Alibaba Cloud services may have created service-linked roles under your account. Use Cloud Shell or the Alibaba Cloud CLI to delete these roles.
The following steps use Cloud Shell. To open Cloud Shell, log on to the Alibaba Cloud Management Console and click the Cloud Shell icon (>_) in the top navigation bar.
- List all RAM roles:
    aliyun ram ListRoles
- Identify service-linked roles. For more information, see Service-linked roles.
  Role names that start with AliyunServiceRoleFor are service-linked roles.
- Delete the roles.
  - To delete a service-linked role:
    - Run the following command:
        aliyun resourcemanager DeleteServiceLinkedRole --force --RoleName $role_name
      Replace $role_name with the actual role name.
    - Verify the deletion:
        aliyun resourcemanager GetServiceLinkedRoleDeletionStatus --DeletionTaskId $task_id
      Replace $task_id with the DeletionTaskId returned in the previous step. If Status is SUCCEEDED, the role is deleted.
  - To delete a standard RAM role, run the following command:
      aliyun ram DeleteRole --force --RoleName $role_name --CascadingDelete true
    Replace $role_name with the actual role name. The --CascadingDelete true flag automatically detaches all policies before deleting the role.
- Verify that all roles are deleted:
    aliyun ram ListRoles
  If no roles are returned, proceed to close your Alibaba Cloud account.
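The role cleanup steps above as a dry-run helper. This is an added example, not part of the original documentation or of Alibaba Cloud tooling. It reads ListRoles JSON output, applies the AliyunServiceRoleFor prefix rule, and prints the matching delete command for each role without running it. The function names, the sample role names, and the assumption that each role appears in the output with a "RoleName" field are illustrative.

```shell
#!/bin/sh
# Added example: dry-run planner for the role cleanup steps above.
# Reads `aliyun ram ListRoles` JSON on stdin and prints one delete command per
# role. It prints only; nothing is deleted until you run a printed line.

plan_role_cleanup() {
  json=$(cat)
  # A truncated page means more roles exist than this response shows.
  if printf '%s\n' "$json" | grep -q '"IsTruncated"[[:space:]]*:[[:space:]]*true'; then
    echo "# WARNING: truncated result; list the remaining pages as well"
  fi
  printf '%s\n' "$json" |
    grep -o '"RoleName"[[:space:]]*:[[:space:]]*"[^"]*"' |
    sed 's/.*:[[:space:]]*"\([^"]*\)"$/\1/' |
    while IFS= read -r role; do
      case "$role" in
        '' | *[!A-Za-z0-9._-]*)
          # Never paste an unvalidated name into a command line.
          echo "# SKIP: unexpected role name, review manually" ;;
        AliyunServiceRoleFor*)
          echo "aliyun resourcemanager DeleteServiceLinkedRole --force --RoleName $role" ;;
        *)
          echo "aliyun ram DeleteRole --force --RoleName $role --CascadingDelete true" ;;
      esac
    done
}

# Constructed sample shaped like ListRoles output; all names are made up.
sample_list_roles() {
  cat <<'EOF'
{
  "IsTruncated": false,
  "Roles": {
    "Role": [
      { "RoleName": "AliyunServiceRoleForExampleService" },
      { "RoleName": "example-app-role" },
      { "RoleName": "bad name; echo oops" }
    ]
  }
}
EOF
}

sample_list_roles | plan_role_cleanup
```

In Cloud Shell, pipe the real output into the function (aliyun ram ListRoles | plan_role_cleanup) and review the printed plan before running any line from it.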