🛑 IAM Account Alias "EntityAlreadyExists" but Alias Is Not Listed or Deletable

0

Hi,

I’m encountering a blocking issue with the IAM account alias on my AWS account.

I attempted to create the alias tpiac using Terraform, but the process was interrupted (likely due to my laptop going to sleep). Since then, every attempt to re-apply the alias fails with the following error:

Error: creating account alias with name 'tpiac': 
EntityAlreadyExists: The account alias tpiac already exists.

However:

  • Running aws iam list-account-aliases returns an empty list.
  • There is no alias shown in the IAM Console under "Account settings".
  • Attempting to import the alias in Terraform (terraform import aws_iam_account_alias.tpiac tpiac) fails, saying the alias does not exist.
  • I cannot delete the alias because it's not visible or recognized by the CLI.
  • This situation has persisted for several hours, so it doesn’t appear to be a caching issue.

This seems like a phantom/orphaned alias — possibly stuck in the backend — preventing any further alias operations on my account.

I’m currently on the Basic Support Plan and can’t open a technical support case, so I’m reaching out here.

Can someone from AWS please help clean up this orphaned alias, or escalate this to the appropriate internal team? This is blocking my infrastructure setup.

Thank you very much in advance.

asked a month ago · 62 views
2 Answers
0

I understand you're facing a challenging situation with your IAM account alias. Based on the information you've provided, it appears that you're experiencing an inconsistency between the backend state and the visible state of your account alias. This can sometimes occur due to interrupted processes or synchronization issues.

Here are a few steps you can try to resolve this issue:

  1. Double-check the list-account-aliases command: Ensure you're running the command correctly:
     aws iam list-account-aliases
     If it's still returning an empty list, this confirms the discrepancy between the backend and visible state.

  2. Attempt to delete the alias: Even though the alias isn't visible, try running the delete command:
     aws iam delete-account-alias --account-alias tpiac
     This might help clear the backend state if it exists.

  3. Wait and retry: Although you mentioned waiting for several hours, sometimes these inconsistencies can take longer to resolve. Wait for 24 hours and try creating the alias again.

  4. Check permissions: Ensure that your IAM user or role has the necessary permissions to manage account aliases, including iam:CreateAccountAlias, iam:DeleteAccountAlias, and iam:ListAccountAliases.

  5. Use a different region: Try running your AWS CLI commands from a different region to see if it's a regional caching issue.

If none of these steps resolve the issue, you're correct that this might require intervention from AWS support. Unfortunately, without a higher support plan, your options for direct AWS assistance are limited. You might consider:

  1. Posting on the AWS Developer Forums for community assistance.
  2. Temporarily upgrading your support plan to get direct AWS support, then downgrading after the issue is resolved.
  3. If this is a critical blocker for your business, you might need to consider creating a new AWS account to bypass this issue, though this should be a last resort.

I apologize that I can't provide a definitive solution to your problem. This seems to be an edge case that might require direct intervention from the AWS support team.
Sources
Deleting an account alias - AWS Identity and Access Management
list-account-aliases — AWS CLI 2.26.6 Command Reference

answered a month ago
AWS
EXPERT
reviewed a month ago
EXPERT
reviewed a month ago
  • Thanks for your advice, but none of them are working and I have already tried them (also today, so it has been more than 24 hours). I think I have no other way than going to official support and paying to remove this phantom resource alias...

0

The account alias must be unique across all Amazon Web Services products within a given network partition.

A partition is a group of AWS Regions. Each AWS account is scoped to one partition.

The following are the supported partitions:

  • aws - AWS Regions
  • aws-cn - China Regions
  • aws-us-gov - AWS GovCloud (US) Regions

https://docs.aws.amazon.com/IAM/latest/UserGuide/console-account-alias.html

EXPERT
answered a month ago
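A triage script for the situation in the question, combining the first answer's CLI steps (list, attempted delete, permission check) with the second answer's point that an alias is unique across the whole partition, so "EntityAlreadyExists" can also mean a different account in the same partition already holds the name. It additionally checks CloudTrail for recorded CreateAccountAlias calls, which tells you whether your own interrupted Terraform run ever succeeded. This is an added example, not code from the thread or from AWS; it assumes AWS CLI v2 with working credentials, and the function names, the `--run` flag and the sample inputs are my own. The two pure helpers, `classify_alias_state` and `partition_from_arn`, operate on captured command output so they can be exercised without an AWS account.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): triage an IAM account alias that
# fails with EntityAlreadyExists on create but is absent from list-account-aliases.
# Assumes AWS CLI v2 and configured credentials. Run as: ./alias-triage.sh --run tpiac
set -u

# partition_from_arn ARN -> prints the partition: aws, aws-cn or aws-us-gov.
# Account aliases are unique per partition, so this is the scope of the collision.
partition_from_arn() {
  printf '%s\n' "$1" | cut -d: -f2
}

# classify_alias_state ALIAS LIST_JSON CREATE_RC CREATE_STDERR
# Decides which situation we are in from the outputs of list-account-aliases
# and create-account-alias. Pure function: no AWS calls, so it is testable offline.
classify_alias_state() {
  local alias="$1" list_json="$2" create_rc="$3" create_err="$4"
  if printf '%s' "$list_json" | grep -q "\"$alias\""; then
    echo "owned-by-this-account"        # nothing to fix; Terraform import should work
  elif [ "$create_rc" -eq 0 ]; then
    echo "created-now"                  # the retry simply succeeded
  elif printf '%s' "$create_err" | grep -q "EntityAlreadyExists"; then
    echo "taken-in-partition"           # held by another account in this partition, or orphaned server-side
  elif printf '%s' "$create_err" | grep -q "AccessDenied"; then
    echo "missing-permissions"          # iam:CreateAccountAlias not granted to this principal
  else
    echo "unknown-error"
  fi
}

# triage ALIAS: runs the live checks and prints a diagnosis.
triage() {
  local alias="$1" arn account partition ct_region list_json create_err create_rc
  arn=$(aws sts get-caller-identity --query Arn --output text)
  account=$(aws sts get-caller-identity --query Account --output text)
  partition=$(partition_from_arn "$arn")
  echo "caller: $arn (account $account, partition $partition)"

  list_json=$(aws iam list-account-aliases --output json)
  echo "listed aliases: $list_json"

  # Step 2 of the first answer: attempt the delete even though nothing is listed.
  aws iam delete-account-alias --account-alias "$alias" 2>&1 | sed 's/^/delete: /'

  # IAM is a global service; CloudTrail records its management events in the
  # partition's home region (us-east-1 for the aws partition). Other partitions
  # use their own home region; adjust ct_region there (assumption, not verified here).
  case "$partition" in
    aws) ct_region=us-east-1 ;;
    *)   ct_region=$(aws configure get region) ;;
  esac
  aws cloudtrail lookup-events --region "$ct_region" \
    --lookup-attributes AttributeKey=EventName,AttributeValue=CreateAccountAlias \
    --max-results 10 --query 'Events[].[EventTime,Username]' --output text |
    sed 's/^/CreateAccountAlias call (time, principal): /'
  # A recorded CreateAccountAlias with no errorCode means this account did create
  # the alias at some point; none at all means the name was never yours.

  create_err=$(aws iam create-account-alias --account-alias "$alias" 2>&1)
  create_rc=$?
  echo "create: rc=$create_rc $create_err"
  echo "diagnosis: $(classify_alias_state "$alias" "$list_json" "$create_rc" "$create_err")"
}

# Only perform live AWS calls when explicitly asked, so the helpers can be sourced safely.
if [ "${1:-}" = "--run" ]; then
  triage "${2:-tpiac}"
fi
```

The diagnosis "taken-in-partition" is the one the thread is about: the CLI cannot show you which account holds the alias, only that this account does not, so if CloudTrail shows no successful CreateAccountAlias from your own account the name was most likely claimed elsewhere and a different alias is the practical fix; if it does show a success with nothing listed, that is the backend inconsistency the first answer describes and only AWS can clear it.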
