How can I troubleshoot the "entity already exists" error when an IAM user tries to create a new MFA device?

Last updated: 2022-03-28

I tried to create a new multi-factor authentication (MFA) device for an AWS Identity and Access Management (IAM) user. I received an error similar to the following:

"MFA Device entity at the same path and name already exists."

The IAM user doesn't have any MFA devices. How can I resolve this issue?

Short description

This error occurs because a virtual MFA device entity with the same path and name already exists in the account: it was created earlier but was never enabled for (assigned to) any IAM user, so it doesn't appear among the user's MFA devices even though the name is taken.

Resolution

First, deactivate the MFA device. Then, delete it using the AWS Command Line Interface (AWS CLI). Finally, recreate the MFA device.

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.

1.    Run the AWS CLI command list-virtual-mfa-devices to list all virtual MFA devices created in your AWS account:

$ aws iam list-virtual-mfa-devices

2.    Note the serial number (ARN) of the MFA device that matches the name you tried to create. It has the following format and is used in steps 3 and 4:

arn:aws:iam::<account-id>:mfa/<username-path>

3.    Run the AWS CLI command deactivate-mfa-device to deactivate the MFA device similar to the following:

$ aws iam deactivate-mfa-device --user-name <username> --serial-number arn:aws:iam::<account-id>:mfa/<username-path>

Note: If you receive an error similar to the following, disregard it. It means the device was never activated for that user, which is the situation this article addresses:

An error occurred (NoSuchEntity) when calling the DeactivateMFADevice operation: MFA Device with serial number arn:aws:iam::<account-id>:mfa/<username-path> doesn't exist.

4.    Run the AWS CLI command delete-virtual-mfa-device to delete the MFA device similar to the following:

$ aws iam delete-virtual-mfa-device --serial-number arn:aws:iam::<account-id>:mfa/<username-path>

5.    Create a new MFA device.

Follow the instructions to enable a virtual MFA device for an IAM user (console).

-or-

Follow the instructions to enable a virtual MFA device for an IAM user (AWS CLI or AWS API).
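The listing and cleanup decision from steps 1 to 4, as an added Python example that is not part of the AWS article: it takes the JSON that `aws iam list-virtual-mfa-devices --output json` prints (here a constructed sample with a placeholder account ID and user names), finds the device entity that collides with the name you want to create, and emits the deactivate and delete commands only when that device is not enabled for any user.

```python
import json

# Constructed sample of list-virtual-mfa-devices output (not real account data).
# Account ID and user names are placeholders. An assigned device carries a
# "User" block; a device that was created but never enabled has none.
SAMPLE_OUTPUT = json.dumps({
    "VirtualMFADevices": [
        {"SerialNumber": "arn:aws:iam::123456789012:mfa/alice",
         "User": {"UserName": "alice",
                  "Arn": "arn:aws:iam::123456789012:user/alice"},
         "EnableDate": "2022-01-10T12:00:00+00:00"},
        {"SerialNumber": "arn:aws:iam::123456789012:mfa/bob"},
        {"SerialNumber": "arn:aws:iam::123456789012:mfa/ops/carol"},
    ]
})


def find_device(listing_json, path_and_name):
    """Return the device whose serial number ends in 'mfa/<path_and_name>', else None."""
    devices = json.loads(listing_json).get("VirtualMFADevices", [])
    for dev in devices:
        # Everything after the last ':mfa/' is the path plus device name.
        if dev["SerialNumber"].rsplit(":mfa/", 1)[-1] == path_and_name:
            return dev
    return None


def cleanup_commands(listing_json, path_and_name, user_name=None):
    """Build the CLI commands (steps 3 and 4) needed before the name can be reused.

    An unassigned device is safe to delete. When a user name is given, the
    deactivate call is emitted first, as in the resolution; the NoSuchEntity
    error it may return can be ignored. An assigned device is only reported,
    because deleting it would remove MFA from that user.
    """
    dev = find_device(listing_json, path_and_name)
    if dev is None:
        return []  # nothing collides; the create call should succeed
    serial = dev["SerialNumber"]
    if "User" in dev:
        return [f"# {serial} is enabled for {dev['User']['UserName']}; do not delete it"]
    cmds = []
    if user_name:
        cmds.append(f"aws iam deactivate-mfa-device --user-name {user_name} "
                    f"--serial-number {serial}")
    cmds.append(f"aws iam delete-virtual-mfa-device --serial-number {serial}")
    return cmds
```

In practice, feed it the real listing; the `--assignment-status Unassigned` option of list-virtual-mfa-devices narrows the output to devices that were never enabled for a user.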