I'll explain in this post how to fix the AWS MFA "Entity Already Exists" error.
For the sake of this post I'm assuming you have the requisite IAM permissions to carry out the commands below.
What we are trying to do is list all virtual MFA devices and then delete the defective/conflicting MFA device. Deleting the defective/conflicting MFA device lets the user re-enroll in MFA.
This command will list the virtual MFA devices in your account:
aws iam list-virtual-mfa-devices
Result:
{
    "VirtualMFADevices": [
        {
            "SerialNumber": "arn:aws:iam::1234567890:mfa/AB-CD"
        },
        {
            "SerialNumber": "arn:aws:iam::0987654321:mfa/acbd"
        },
        {
            "SerialNumber": "arn:aws:iam::112233445566:mfa/something",
            "User": {
                "Path": "/",
                "UserId": "ABCDEFGHIJKL",
                "Arn": "arn:aws:iam::112233445566:user/something",
                "CreateDate": "2020-08-14T04:27:38+00:00",
                "PasswordLastUsed": "2020-09-29T07:35:46+00:00"
            },
            "EnableDate": "2020-08-14T04:27:38+00:01"
        }
    ]
}
A defective MFA virtual device will look something like this (note that it has a SerialNumber but no "User" attached to it):
{
    "SerialNumber": "arn:aws:iam::0987654321:mfa/acbd"
}
We just need to delete the defective MFA virtual device:
aws iam delete-virtual-mfa-device --serial-number arn:aws:iam::0987654321:mfa/acbd
Once this is done, ask the user having issues with MFA to enroll again.
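The same procedure as a small script, added here as an example and not part of the original post. It parses the JSON that `aws iam list-virtual-mfa-devices` prints, keeps only devices with no "User" attached (the shape shown above for the defective device, so devices that are actually assigned to a user are never touched), and builds the matching `aws iam delete-virtual-mfa-device` commands. By default it only prints them; the sample listing, the account id, the user names and the optional `name` filter (which assumes the device was named after the user, as the console does by default) are constructed for the example.

```python
"""Find and remove unassigned ("orphaned") virtual MFA devices.

Added example, not part of the original post. Nothing is deleted unless
execute=True is passed, and the AWS CLI is only invoked when you call
list_devices_from_cli() or execute a cleanup.
"""
import json
import subprocess
from typing import List, Optional

# Constructed sample in the shape the CLI returns (account id, names and
# ids are placeholders, not real values).
SAMPLE_LISTING = {
    "VirtualMFADevices": [
        {"SerialNumber": "arn:aws:iam::123456789012:mfa/alice"},
        {
            "SerialNumber": "arn:aws:iam::123456789012:mfa/bob",
            "User": {
                "Path": "/",
                "UserName": "bob",
                "UserId": "AIDAEXAMPLEPLACEHOLDER",
                "Arn": "arn:aws:iam::123456789012:user/bob",
                "CreateDate": "2020-08-14T04:27:38+00:00",
            },
            "EnableDate": "2020-08-14T04:27:38+00:00",
        },
    ]
}


def list_devices_from_cli() -> dict:
    """Run the real CLI (requires iam:ListVirtualMFADevices)."""
    out = subprocess.run(
        ["aws", "iam", "list-virtual-mfa-devices", "--output", "json"],
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out)


def orphaned_serials(listing: dict, name: Optional[str] = None) -> List[str]:
    """Serial numbers of devices that have no attached user.

    A device assigned to a user carries a "User" object; deleting one of
    those would strip that user's MFA, so they are skipped. If `name` is
    given, only serials ending in "mfa/<name>" are kept (assumption: the
    device was named after the user, which the console does by default;
    CLI-created devices can be named anything).
    """
    result = []
    for dev in listing.get("VirtualMFADevices", []):
        if "User" in dev:
            continue
        serial = dev["SerialNumber"]
        if name is not None and not serial.endswith("/" + name):
            continue
        result.append(serial)
    return result


def delete_commands(serials: List[str]) -> List[List[str]]:
    """argv for each delete; a list so no shell is involved in quoting."""
    return [["aws", "iam", "delete-virtual-mfa-device", "--serial-number", s]
            for s in serials]


def cleanup(listing: dict, name: Optional[str] = None,
            execute: bool = False) -> List[str]:
    """Print (and with execute=True, run) the deletes for orphaned devices.

    Returns the serials that were (or would be) deleted.
    """
    serials = orphaned_serials(listing, name)
    for cmd in delete_commands(serials):
        print(" ".join(cmd))
        if execute:
            subprocess.run(cmd, check=True)  # needs iam:DeleteVirtualMFADevice
    return serials


if __name__ == "__main__":
    # Dry run over the constructed sample. Swap in list_devices_from_cli()
    # and pass execute=True only after reviewing the printed commands.
    cleanup(SAMPLE_LISTING)
```

Run it once without `execute` to see exactly which serial numbers would go, then re-run with `execute=True` for the user who cannot enroll; the "User" check is what keeps a working device of another user from being removed by mistake.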