EntityAlreadyExists
AWS EntityAlreadyExists means the request attempted to create an IAM resource that already exists (HTTP 409).
Last reviewed: February 12, 2026 | Editorial standard: source-backed technical guidance
What Does Entity Already Exists Mean?
IAM rejected the create request because an entity with the same name already exists, so onboarding/bootstrap flows must switch from create-only to create-or-adopt logic.
Common Causes
- Create operation targets an IAM entity name already present in the account.
- Parallel provisioning jobs race to create the same user/role/policy.
- State drift causes automation to recreate entities that already exist.
- Retry logic replays create calls without prior existence checks.
How to Fix Entity Already Exists
1. Check for existing entity with IAM Get/List APIs before attempting create.
2. Switch duplicate create path to adopt/update existing entity as needed.
3. Serialize IAM bootstrap workflows to avoid concurrent create races.
4. Use deterministic naming and idempotent create-or-update logic.
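One way to implement the create-or-adopt step in Python, added here as an example (not code from the original page or from AWS): the create call's conflict error is the existence signal, and the existing role is adopted only if its live trust policy equals the expected one. Assumed: a boto3-style IAM client exposing `create_role` and `get_role`; `ensure_role`, `FakeIam`, the role name and the trust policy are constructed for illustration.

```python
import json
from urllib.parse import unquote

def _error_code(exc):
    # botocore's ClientError carries the service error code in exc.response
    return getattr(exc, "response", {}).get("Error", {}).get("Code")

def _as_doc(value):
    # boto3 returns the trust policy as a dict; the raw API returns URL-encoded JSON
    return value if isinstance(value, dict) else json.loads(unquote(value))

def ensure_role(iam, name, trust_policy):
    """Create the role, or adopt an existing one only if its trust policy matches."""
    try:
        iam.create_role(RoleName=name,
                        AssumeRolePolicyDocument=json.dumps(trust_policy))
        return "created"
    except Exception as exc:
        if _error_code(exc) != "EntityAlreadyExists":
            raise  # AccessDenied, throttling etc. are not adoption cases
    # Name collision: compare the live trust policy before taking ownership.
    live = _as_doc(iam.get_role(RoleName=name)["Role"]["AssumeRolePolicyDocument"])
    return "adopted" if live == trust_policy else "drift"

class FakeIam:
    """Constructed in-memory stand-in for the IAM client so this runs offline."""
    def __init__(self):
        self.roles = {}

    def create_role(self, RoleName, AssumeRolePolicyDocument):
        if RoleName in self.roles:
            err = Exception("EntityAlreadyExists")
            err.response = {"Error": {"Code": "EntityAlreadyExists"}}
            raise err
        self.roles[RoleName] = json.loads(AssumeRolePolicyDocument)
        return {"Role": {"RoleName": RoleName}}

    def get_role(self, RoleName):
        return {"Role": {"RoleName": RoleName,
                         "AssumeRolePolicyDocument": self.roles[RoleName]}}

# Constructed sample trust policy (assumption, not from the page)
TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"}]}
```

A "drift" result means the name is taken by a role whose trust policy differs from the desired state, so the pipeline should stop and surface the difference rather than adopt or overwrite it.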
Step-by-Step Diagnosis for Entity Already Exists
1. Capture entity type/name and request ID from failing IAM create call.
2. Correlate duplicate create attempts across CI jobs and deployment pipelines.
3. Diff desired-state definitions against current IAM inventory for drift.
4. Inspect retry/replay behavior that may emit duplicate creates.
IAM Name Collision and Scope Checks
- Inspect IAM namespace and path usage for duplicate names (example: role name reused by parallel stack in same account).
- Verify target account context before create operation (example: bootstrap runs in shared services account where entity already exists).
Provisioning Concurrency and State Drift
- Trace parallel IaC jobs issuing duplicate create calls (example: two pipelines create the same policy within seconds).
- Diff desired state against live IAM inventory before apply (example: state rollback attempts to recreate existing role).
How to Verify the Fix
- Repeat workflow and confirm clean state transitions.
- Verify duplicate resource creation no longer occurs.
- Confirm conflict error rates decline after rollout.
How to Prevent Recurrence
- Use create-or-adopt logic for IAM entities instead of blind create calls.
- Reserve deterministic names per environment/account to avoid collisions.
- Gate parallel bootstrap jobs so only one IAM writer owns each entity namespace.
Pro Tip
- Add a pre-create IAM inventory check in pipelines and cache positive matches for the run, so repeated steps cannot reissue duplicate create operations.
Decision Support
Compare Guide
409 Conflict vs 412 Precondition Failed: When to Use Each
Choose 412 when If-Match or If-Unmodified-Since checks fail; choose 409 for state conflicts without failed precondition headers during concurrent updates.
Playbook
Conflict and Concurrency Playbook (409 / 412 / OptimisticLock)
Use this playbook to separate true write conflicts from stale precondition failures, then apply safe re-fetch, optimistic-lock, and retry choices.
Provider Context
This guidance is specific to AWS services. Always validate implementation details against official provider documentation before deploying to production.