How can I troubleshoot the "entity already exists" error when an IAM user tries to create a new MFA device?

Short description

This error occurs because an MFA device was created but wasn't enabled for use with any IAM users.

Resolution

First, deactivate the MFA device. Then, delete it using the AWS Command Line Interface (AWS CLI). Finally, recreate the MFA device.

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.

1.    Run the following AWS CLI command list-virtual-mfa-devices to list all virtual MFA devices created in your AWS account:

$aws iam list-virtual-mfa-devices

2.    Note the MFA device serial number similar to the following format for use with step 4:

arn:aws:iam::<account-id>:mfa/<username-path>

3.    Run the AWS CLI command deactivate-mfa-device to deactivate the MFA device similar to the following:

$aws iam deactivate-mfa-device --user-name <username> --serial-number arn:aws:iam::<account-id>:mfa/<username>

Note: If you receive an error similar to the following, disregard it:

An error occurred (NoSuchEntity) when calling the DeactivateMFADevice operation: MFA Device with serial number arn:aws:iam::<account-id>:mfa/<username-path> doesn't exist.

4.    Run the AWS CLI command delete-virtual-mfa-device to delete the MFA device similar to the following:

$aws iam delete-virtual-mfa-device --serial-number arn:aws:iam::<account-id>:mfa/<username-path>

5.    Create a new MFA device.

Follow the instructions to enable a virtual MFA device for an IAM user (console).

-or-

Follow the instructions to enable a virtual MFA device for an IAM user (AWS CLI or AWS API).

---

Related information

How can I enforce MFA authentication for IAM users that use the AWS CLI?

Using multi-factor authentication

How do I use an MFA token to authenticate access to my AWS resources through the AWS CLI?