You can manually delete the remnants of your account credential in your AWS account if the procedure to delete a credential through Tanzu Mission Control fails to do so.

To complete the deletion, you need to clean up three types of resources that are deployed in the AWS account: the lambdas, the CloudWatch Events, and an SSM parameter.

This manual clean-up method is required only if the force credential delete fails.


Log in to your AWS account.


  1. Find and delete the lambdas. To find the lambdas, from the AWS console, navigate to Lambda > Functions and search by tag. Tanzu Mission Control adds two types of tags to the lambdas:
    • is the user account/org_id
    • is the name of the credential
  2. Find and delete the CloudWatch events, which are listed under the Amazon EventBridge rules. These have the same tags applied as above, and there are two event rules that correspond to the two lambdas from the previous step.
  3. Search for the SSM parameter in the Amazon Systems Manager Parameter Store. There is one parameter that Tanzu Mission Control uses, called the agent token, and it has the same two tags as above.
  4. Locate and delete the CloudFormation template.

    You can search CloudFormation by the credential name. Delete that CloudFormation template after the credential is deleted from Tanzu Mission Control. This deletes all of the following:

    • control-plane.${GeneratedTemplateID} - this is for control plane communications
    • worker.${GeneratedTemplateID} - this is for the worker nodes
    • lambda.${GeneratedTemplateID} - this role allows Lambda to retrieve EKS cluster, VPC, AMI, Region, and Availability Zone information
    • cloudwatch.${GeneratedTemplateID} - this allows CloudWatch to invoke Lambda functions
    • clusterlifecycle.${GeneratedTemplateID} - this role is for managing EKS cluster lifecycles
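As an added example (not part of the original procedure and not VMware's code), the following read-only Python sketch inventories what steps 1 to 3 should find: it keeps only resources that carry both tags and groups them by step from their ARNs. The tag keys are placeholders because this page does not show them, the sample entries are constructed, and `fetch` assumes `boto3` and the AWS Resource Groups Tagging API.

```python
from collections import defaultdict

# Placeholders: the page omits the tag keys; copy them from the console.
ORG_KEY, CRED_KEY = "<org-id-tag-key>", "<credential-name-tag-key>"
# (ARN service, resource type) -> cleanup step on this page
STEPS = {("lambda", "function"): "step 1: Lambda function",
         ("events", "rule"): "step 2: EventBridge rule",
         ("ssm", "parameter"): "step 3: SSM parameter"}

def _m(arn, cred):  # builds one constructed tagging-API entry
    return {"ResourceARN": arn, "Tags": [{"Key": ORG_KEY, "Value": "org-1"},
                                         {"Key": CRED_KEY, "Value": cred}]}

A = "arn:aws:%s:us-west-2:111122223333:%s"
SAMPLE = [  # constructed data, not real resources
    _m(A % ("lambda", "function:fn-a"), "my-cred"),
    _m(A % ("lambda", "function:fn-b"), "my-cred"),
    _m(A % ("events", "rule/rule-a"), "my-cred"),
    _m(A % ("events", "rule/rule-b"), "my-cred"),
    _m(A % ("ssm", "parameter/agent-token"), "my-cred"),
    _m(A % ("lambda", "function:fn-c"), "other-cred"),  # different credential
]

def classify(mappings, org_id, cred_name):
    """Group entries by cleanup step; keep only those carrying BOTH tags."""
    found = defaultdict(list)
    for m in mappings:
        tags = {t["Key"]: t["Value"] for t in m.get("Tags", [])}
        if tags.get(ORG_KEY) != org_id or tags.get(CRED_KEY) != cred_name:
            continue
        parts = m["ResourceARN"].split(":", 5)
        if len(parts) == 6:
            rtype = parts[5].replace("/", ":").split(":")[0]
            step = STEPS.get((parts[2], rtype), "other: review manually")
            found[step].append(m["ResourceARN"])
    return dict(found)

def fetch(region, org_id, cred_name):
    """Live, read-only lookup (needs boto3 and tag:GetResources)."""
    import boto3
    tagging = boto3.client("resourcegroupstaggingapi", region_name=region)
    pages = tagging.get_paginator("get_resources").paginate(TagFilters=[
        {"Key": ORG_KEY, "Values": [org_id]},
        {"Key": CRED_KEY, "Values": [cred_name]}])
    return [m for p in pages for m in p["ResourceTagMappingList"]]

if __name__ == "__main__":
    for step, arns in sorted(classify(SAMPLE, "org-1", "my-cred").items()):
        print(step, *arns, sep="\n  ")
```

The tagging API is regional, so run `fetch` once per region the credential was used in; an empty result from `classify` after cleanup means nothing tagged for that credential remains there.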