Remove AWS Entitlements

Deletes a principal's access from specified AWS accounts using specified permission sets.


Actions that involve adding or removing AWS entitlements take some time to be processed by AWS. This processing time means that the list of entitlements returned by List AWS Entitlements may not reflect all of the entitlements that were added or removed. Additionally, a conflict error can be returned if a remove entitlement action immediately follows an add entitlement before the entitlement was successfully added. To avoid unwanted side effects, you can insert a delay in your flow by using a Wait For function, with a suggested delay time of 30 seconds. This connector will try to complete its task a finite number of times before returning an error if unsuccessful.


Field Definition Type Required
Region Choose from the list of AWS regions. Dropdown TRUE
Instance ARN Choose from the list of available Amazon Resource Names (ARNs) or select -- Enter Instance ARN -- to enter an ARN. Dropdown TRUE
Account ID This dropdown displays a maximum of 300 accounts. Choose from the list of available AWS accounts or select -- Enter Account ID -- to enter an ID that doesn't appear in the list.

Note: While the root account does appear in the list of available accounts, the Account ID can't be that of the root account. The root account requires additional permissions associated with the policy that's attached to the customer's role. Disallowing the use of the root account prevents users from providing unnecessary permissions to root.

Dropdown TRUE


Field Definition Type Required
Instance ARN Amazon Resource Name (ARN) identifier of the instance. This field only appears when the -- Enter Instance ARN -- option is chosen from the Instance ARN dropdown in the Options section. String TRUE
Principal Type Entity type of the principal. Dropdown TRUE
Principal ID GUID identifier of the principal from which to remove the entitlements. String TRUE
Account ID Identifier of the AWS account. This field only appears when the -- Enter Account ID -- option is chosen from the Account ID dropdown in the Options section. String TRUE
Permission Sets Amazon Resource Names (ARNs) of permission sets to remove from the principal for a specified AWS account. Each AWS account has a default maximum of 50 permission sets, which can be increased by AWS at the request of a customer. See AWS account quotas. List of Text TRUE


Field Definition Type
Status Code

Result of the operation. The connector returns an HTTP status code that indicates whether the action taken by the card succeeded or failed. For example:

  • A 201 Created status code indicates success where a new resource was created.
  • A 403 Forbidden error indicates that the HTTP request wasn't processed because the necessary permissions were missing.

For a full list of possible status codes, see HTTP status codes.


Related topics

AWS Multi-Account Access connector

Workflow elements

AWS IAM Identity Center API Reference Guide