I have a highly multi-account environment and Users that are assigned multiple permission sets per account.
e.g. Bob has both Administrator and ReadOnly for Test and Prod accounts.
Say I want to only remove Bob’s Administrator access for the Prod account, but leave his ReadOnly permission and also leave both the Administrator and ReadOnly permission sets intact (because Alice is still an Administrator in Prod).
How do I do this in IAM Identity Center? The only options seem to be to delete the permission set or disable/delete the user. I don’t see how to remove a permission set from a user for a specific account.
2 Answers
I learned that there is no "bulk remove" like there is for adding account permissions. You have to remove the permissions one account at a time.
A bit tedious for multiple accounts, but at least it's possible.
Use the DeleteAccountAssignment API, which "Deletes a principal’s access from a specified AWS account using a specified permission set."
The key concept here is the "Account Assignment". It is a 3-way relationship between a (1) Permission Set, (2) User or Group Principal and (3) Account.
You create and delete account assignments using the same parameters, all of which are required:
There is no "update" action – the relationship either exists or doesn’t.
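The three-way relationship from the second answer, worked through as an added example that is not code from either answer: the call removes only Bob's Administrator assignment in Prod, leaving his ReadOnly assignment, his Test assignments, Alice's assignment and both permission sets untouched. The instance ARN, permission set ARNs, account IDs and principal IDs are placeholders, and FakeSsoAdmin is a constructed stand-in for `boto3.client("sso-admin")` so the block runs offline.

```python
# Added example, not code from the original answers: delete exactly one account
# assignment (principal + permission set + account) and leave the permission set and
# the principal's other assignments alone. Real use: client = boto3.client("sso-admin");
# FakeSsoAdmin is a constructed offline stand-in and every ARN/ID is a placeholder.
import time

INSTANCE = "arn:aws:sso:::instance/ssoins-EXAMPLE"  # placeholder instance ARN

def assigned_principals(client, account_id, permission_set_arn):
    """(PrincipalType, PrincipalId) pairs holding permission_set_arn in account_id."""
    kwargs = dict(InstanceArn=INSTANCE, AccountId=account_id, PermissionSetArn=permission_set_arn)
    found = set()
    while True:  # follow NextToken until the listing is exhausted
        page = client.list_account_assignments(**kwargs)
        found.update((a["PrincipalType"], a["PrincipalId"]) for a in page["AccountAssignments"])
        if "NextToken" not in page:
            return found
        kwargs["NextToken"] = page["NextToken"]

def remove_assignment(client, account_id, permission_set_arn, principal_id,
                      principal_type="USER", poll_seconds=0.0):
    """Delete one account assignment and wait for the asynchronous deletion to finish."""
    # Confirm the exact 3-way relationship exists first, so a mistyped ID fails
    # loudly instead of silently doing nothing.
    if (principal_type, principal_id) not in assigned_principals(client, account_id, permission_set_arn):
        raise LookupError(f"{principal_type} {principal_id} has no {permission_set_arn} in {account_id}")
    status = client.delete_account_assignment(
        InstanceArn=INSTANCE, TargetId=account_id, TargetType="AWS_ACCOUNT",
        PermissionSetArn=permission_set_arn, PrincipalType=principal_type,
        PrincipalId=principal_id)["AccountAssignmentDeletionStatus"]
    while status["Status"] == "IN_PROGRESS":
        time.sleep(poll_seconds)
        status = client.describe_account_assignment_deletion_status(
            InstanceArn=INSTANCE, AccountAssignmentDeletionRequestId=status["RequestId"]
        )["AccountAssignmentDeletionStatus"]
    return status["Status"]

class FakeSsoAdmin:
    """Constructed in-memory stand-in for boto3's sso-admin client (offline demo only)."""
    def __init__(self, assignments):
        self.assignments = set(assignments)  # (account_id, permission_set_arn, type, id)
    def list_account_assignments(self, AccountId, PermissionSetArn, **_):
        return {"AccountAssignments": [{"PrincipalType": t, "PrincipalId": i}
                for a, p, t, i in self.assignments if (a, p) == (AccountId, PermissionSetArn)]}
    def delete_account_assignment(self, TargetId, PermissionSetArn, PrincipalType, PrincipalId, **_):
        self.assignments.discard((TargetId, PermissionSetArn, PrincipalType, PrincipalId))
        return {"AccountAssignmentDeletionStatus": {"Status": "IN_PROGRESS", "RequestId": "req-1"}}
    def describe_account_assignment_deletion_status(self, **_):
        return {"AccountAssignmentDeletionStatus": {"Status": "SUCCEEDED", "RequestId": "req-1"}}
```

Because there is no update action, this is also the only way to change a principal's access in one account: delete the old assignment and create the new one with the same three parameters.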