An orphaned WorkloadIdentity created by the service cannot be deleted after deleting the AgentCore Runtime. #835
Description
BedrockAgentCoreWorkloadIdentity deletion failed with error "WorkloadIdentity is linked to a service and cannot be deleted by the caller."
https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/service-linked-roles.html
CloudTrail
"invokedBy": "bedrock-agentcore.amazonaws.com"
},
"eventTime": "2025-11-12T12:31:54Z",
"eventSource": "bedrock-agentcore.amazonaws.com",
"eventName": "CreateWorkloadIdentity",
"awsRegion": "us-east-1",
"sourceIPAddress": "bedrock-agentcore.amazonaws.com",
"userAgent": "bedrock-agentcore.amazonaws.com",
"requestParameters": {
"name": "DemoAgent-xyA2P93QaE"
2026-01-12T21:16:28.825Z
us-east-1 - BedrockAgentCoreWorkloadIdentity - DemoAgent-xyA2P93QaE - [CreatedTime: "2025-11-12T12:31:54Z", LastUpdatedTime: "2025-11-12T12:31:54Z", Name: "DemoAgent-xyA2P93QaE"] - failed
2026-01-12T21:16:28.825Z
Removal requested: 0 waiting, 1 failed, 713 skipped, 0 finished
aws bedrock-agent list-agents --region us-east-1
{
"agentSummaries": []
}
aws bedrock-agentcore-control get-workload-identity --name DemoAgent-xyA2P93QaE --region us-east-1 2>&1
{
"name": "DemoAgent-xyA2P93QaE",
"workloadIdentityArn": "arn:aws:bedrock-agentcore:us-east-1:*:workload-identity-directory/default/workload-identity/DemoAgent-xyA2P93QaE",
"allowedResourceOauth2ReturnUrls": [],
"createdTime": "2025-11-12T14:31:54.838000+02:00",
"lastUpdatedTime": "2025-11-12T14:31:54.838000+02:00"
}
aws bedrock-agentcore-control delete-workload-identity --name DemoAgent-xyA2P93QaE --region us-east-1 2>&1
An error occurred (ValidationException) when calling the DeleteWorkloadIdentity operation: WorkloadIdentity is linked to a service and cannot be deleted by the caller.
aws bedrock-agentcore-control list-agent-runtimes --region us-east-1 2>&1
{
"agentRuntimes": []
}