Detaching a Managed Policy from a User or a Group

You can detach a managed policy from a user or a group at any time. Permissions contained in the policy then no longer apply to the individual user or the users in the group.

After you detach a policy, it remains available in your account. You can then attach it again to users or groups. To modify the permissions in a policy or to delete it, see Editing Managed Policies Using Policy Versions or Deleting a Managed Policy.

Detaching a Managed Policy from a User

Detaching a Managed Policy from a User Using Cockpit v2

You can also do this action by clicking the user IconView details icon, clicking on the Attached Policies tab, then selecting a policy and clicking IconUnlink Unlink Policy.

  1. In the EIM Users dashboard, check the box of the user from which you want to detach a managed policy.
    The user is selected.

  2. Click IconUnlink Unlink Policy.
    The UNLINK POLICIES dialog box appears.

  3. From the Policy list, select the managed policy you want to detach.

  4. Click Unlink.
    The managed policy is detached from the user, and its permissions no longer apply to it.

Detaching a Managed Policy from a User Using OSC CLI

The UnlinkPolicy command removes a managed policy from a specific user.

Request sample
$ osc-cli api UnlinkPolicy --profile "default" \
    --PolicyOrn "orn:ows:idauth::012345678910:policy/example/example-user-policy" \
    --UserName "example-user"

This command contains the following attributes that you need to specify:

  • DryRun: (optional) If true, checks whether you have the required permissions to perform the action.

  • PolicyOrn: The OUTSCALE Resource Name (ORN) of the policy. For more information, see Resource Identifiers.

  • UserName: The name of the user you want to detach the policy from.

The UnlinkPolicy command returns the following elements:

  • ResponseContext: Information about the context of the response.

    • RequestId: The ID of the request.

Result sample
{
  "ResponseContext": {
    "RequestId": "0475ca1e-d0c5-441d-712a-da55a4175157"
  }
}

Detaching a Managed Policy from a User Using oapi-cli

The UnlinkPolicy command removes a managed policy from a specific user.

Request sample
$ oapi-cli --profile "default" UnlinkPolicy \
    --PolicyOrn "orn:ows:idauth::012345678910:policy/example/example-user-policy" \
    --UserName "example-user"

This command contains the following attributes that you need to specify:

  • DryRun: (optional) If true, checks whether you have the required permissions to perform the action.

  • PolicyOrn: The OUTSCALE Resource Name (ORN) of the policy. For more information, see Resource Identifiers.

  • UserName: The name of the user you want to detach the policy from.

The UnlinkPolicy command returns the following elements:

  • ResponseContext: Information about the context of the response.

    • RequestId: The ID of the request.

Result sample
{
  "ResponseContext": {
    "RequestId": "0475ca1e-d0c5-441d-712a-da55a4175157"
  }
}

Detaching a Managed Policy from a User Using AWS CLI

Before you begin: Install and configure AWS CLI. For more information, see Installing and Configuring AWS CLI.

To detach a managed policy from a user, use the detach-user-policy command following this syntax:

Request sample
$ aws iam detach-user-policy \
    --profile YOUR_PROFILE \
    --user-name USER_NAME \
    --policy-arn arn:aws:iam::123456789012:policy/MY_POLICY \
    --endpoint https://eim.eu-west-2.outscale.com

This command contains the following attributes that you need to specify:

  • (optional) profile: The named profile you want to use, created when configuring AWS CLI. For more information, see Installing and Configuring AWS CLI.

  • user-name: The name of the user from which you want to detach the policy.

  • policy-arn: The OUTSCALE Resource Name (ORN) of the policy you want to detach.

  • endpoint: The endpoint corresponding to the Region you want to send the request to. For more information, see Installing and Configuring AWS CLI.

The specified managed policy is detached from the user, and its permissions no longer apply to it.

Detaching a Managed Policy from a Group

Detaching a Managed Policy from a Group Using Cockpit v2

  1. In the EIM Groups dashboard, check the box of the group you want to detach a policy from.
    The group is selected.

  2. Click IconEdit Update Policies.
    The UPDATE MANAGED GROUP POLICIES dialog box appears.

  3. From the Policy list, select one or more managed policies you want to detach from the group.

  4. Click Update.
    The specified managed policy is detached from the group, and its permissions no longer apply to its users.

Detaching a Managed Policy from a Group Using OSC CLI

The UnlinkManagedPolicyFromUserGroup command unlinks a managed policy from a specific group.

Request sample
$ osc-cli api UnlinkManagedPolicyFromUserGroup --profile "default" \
    --PolicyOrn "orn:ows:idauth::012345678910:policy/example/example-user-policy" \
    --UserGroupName "example-usergroup"

This command contains the following attributes that you need to specify:

  • DryRun: (optional) If true, checks whether you have the required permissions to perform the action.

  • PolicyOrn: The OUTSCALE Resource Name (ORN) of the policy. For more information, see Resource Identifiers.

  • UserGroupName: The name of the group you want to unlink the policy from.

The UnlinkManagedPolicyFromUserGroup command returns the following elements:

  • ResponseContext: Information about the context of the response.

    • RequestId: The ID of the request.

Result sample
{
  "ResponseContext": {
    "RequestId": "0475ca1e-d0c5-441d-712a-da55a4175157"
  }
}

Detaching a Managed Policy from a Group Using oapi-cli

The UnlinkManagedPolicyFromUserGroup command unlinks a managed policy from a specific group.

Request sample
$ oapi-cli --profile "default" UnlinkManagedPolicyFromUserGroup \
    --PolicyOrn "orn:ows:idauth::012345678910:policy/example/example-user-policy" \
    --UserGroupName "example-usergroup"

This command contains the following attributes that you need to specify:

  • DryRun: (optional) If true, checks whether you have the required permissions to perform the action.

  • PolicyOrn: The OUTSCALE Resource Name (ORN) of the policy. For more information, see Resource Identifiers.

  • UserGroupName: The name of the group you want to unlink the policy from.

The UnlinkManagedPolicyFromUserGroup command returns the following elements:

  • ResponseContext: Information about the context of the response.

    • RequestId: The ID of the request.

Result sample
{
  "ResponseContext": {
    "RequestId": "0475ca1e-d0c5-441d-712a-da55a4175157"
  }
}

Detaching a Managed Policy from a Group Using AWS CLI

Before you begin: Install and configure AWS CLI. For more information, see Installing and Configuring AWS CLI.

To detach a managed policy from a group, use the detach-group-policy command following this syntax:

Request sample
$ aws iam detach-group-policy \
    --profile YOUR_PROFILE \
    --group-name GROUP_NAME \
    --policy-arn arn:aws:iam::123456789012:policy/MY_POLICY \
    --endpoint https://eim.eu-west-2.outscale.com

This command contains the following attributes that you need to specify:

  • (optional) profile: The named profile you want to use, created when configuring AWS CLI. For more information, see Installing and Configuring AWS CLI.

  • group-name: The name of the group from which you want to detach the policy.

  • policy-arn: The OUTSCALE Resource Name (ORN) of the policy you want to detach.

  • endpoint: The endpoint corresponding to the Region you want to send the request to. For more information, see Installing and Configuring AWS CLI.

The specified managed policy is detached from the group, and its permissions no longer apply to its users.

Related Pages

Corresponding API Methods

AWS™ and Amazon Web Services™ are trademarks of Amazon Technologies, Inc or its affiliates in the United States and/or other countries.

Export to PDF