How can I troubleshoot the "entity already exists" error when an IAM user tries to create a new MFA device?
I tried to create a new multi-factor authentication (MFA) device for an AWS Identity and Access Management (IAM) user. I received an error similar to the following:
"MFA Device entity at the same path and name already exists."
The IAM user doesn't have any MFA devices. How can I resolve this issue?
Short description
This error occurs because an MFA device was created but wasn't enabled for use with any IAM users.
Resolution
First, deactivate the MFA device. Then, delete it using the AWS Command Line Interface (AWS CLI). Finally, recreate the MFA device.
1. Run the AWS CLI command list-virtual-mfa-devices to list all virtual MFA devices created in your AWS account:
$ aws iam list-virtual-mfa-devices
2. Note the MFA device serial number for use with step 4. It has a format similar to the following:
arn:aws:iam::<account-id>:mfa/<username-path>
3. Run the AWS CLI command deactivate-mfa-device to deactivate the MFA device, similar to the following:
$ aws iam deactivate-mfa-device --user-name <username> --serial-number arn:aws:iam::<account-id>:mfa/<username>
Note: If you receive an error similar to the following, disregard it:
An error occurred (NoSuchEntity) when calling the DeactivateMFADevice operation: MFA Device with serial number arn:aws:iam::<account-id>:mfa/<username-path> doesn't exist.
4. Run the AWS CLI command delete-virtual-mfa-device to delete the MFA device, similar to the following:
$ aws iam delete-virtual-mfa-device --serial-number arn:aws:iam::<account-id>:mfa/<username-path>
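Steps 1 through 4 as one shell function, added here as an example and not part of the original article. It only touches devices that IAM reports as unassigned, and treats the NoSuchEntity error from step 3 as expected. Assumptions: the function names are hypothetical, the device name equals the IAM user name as in the serial number format above, and the --assignment-status filter is used to narrow the listing.

```shell
# Added example, not from the original article. Requires the AWS CLI with
# credentials allowed to list, deactivate and delete MFA devices.

# Print the serial number of every virtual MFA device not assigned to a user.
list_unassigned_mfa() {
  aws iam list-virtual-mfa-devices --assignment-status Unassigned \
    --query 'VirtualMFADevices[].SerialNumber' --output text | tr '\t' '\n'
}

# Read serials on stdin; print the one ending in ":mfa/<name>". Return 1 if none.
find_orphan_serial() {
  local name serial
  name=$1
  while IFS= read -r serial || [ -n "$serial" ]; do
    case "$serial" in
      *:mfa/"$name") printf '%s\n' "$serial"; return 0 ;;
    esac
  done
  return 1
}

# Deactivate (step 3) and delete (step 4) the unassigned device for one user.
# Assumption: the device name equals the IAM user name, as in the article.
remove_orphan_mfa() {
  local user serial err
  user=$1
  serial=$(list_unassigned_mfa | find_orphan_serial "$user") || {
    echo "no unassigned virtual MFA device named '$user'" >&2
    return 1
  }
  if ! err=$(aws iam deactivate-mfa-device --user-name "$user" \
      --serial-number "$serial" 2>&1); then
    case "$err" in
      *NoSuchEntity*) ;;   # expected: the device was never enabled
      *) echo "$err" >&2; return 1 ;;
    esac
  fi
  aws iam delete-virtual-mfa-device --serial-number "$serial" || return 1
  printf '%s\n' "$serial"
}

# Usage: remove_orphan_mfa <username>
```

On success the function prints the serial number it deleted, after which the MFA device can be recreated for the user.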