IAMEntityAlreadyExists - IAM Entity Already Exists
Hitting an **IAMEntityAlreadyExists** error means the IAM entity (user, group, role, or policy) you're trying to create already exists in your AWS account. IAM entity names must be unique within an account, so a second create call with the same name is rejected. This is a client-side (4xx) error returned when AWS validates entity name uniqueness. It appears most often for user names, but also for role, group, and policy names that already exist, and for retried or duplicated creation attempts.
Common Causes
- Identity: IAM entity name already exists in the account. Service Control Policy (SCP) enforces entity naming.
- Network: VPC endpoint IAM entity restrictions. Entity name collision.
- Limits: User name already exists. Role name already exists. Group name already exists. Policy name already exists. Duplicate entity creation attempt.
Solutions
- Step 1: Diagnose - Check whether the IAM user exists: `aws iam get-user --user-name USER_NAME`. If the command succeeds, the user is already created. Or list all users: `aws iam list-users --query 'Users[*].UserName' --output table`.
- Step 2: Diagnose - Check whether the IAM role exists: `aws iam get-role --role-name ROLE_NAME`. If the command succeeds, the role is already created. Or list all roles: `aws iam list-roles --query 'Roles[*].RoleName' --output table`.
- Step 3: Diagnose - Check whether the IAM policy exists: `aws iam list-policies --scope Local --query "Policies[?PolicyName=='POLICY_NAME'].PolicyName" --output text`. Non-empty output means the policy exists.
- Step 4: Fix - Use a different entity name: generate a unique name, e.g. `ENTITY_NAME="my-entity-$(date +%s)"`, or add a random suffix, then verify the name is unique.
- Step 5: Fix - Delete the existing entity if it is not needed: delete a user with `aws iam delete-user --user-name USER_NAME`, delete a role with `aws iam delete-role --role-name ROLE_NAME`. Or use the existing entity.
Code Examples

Check if IAM User Exists Before Creating

```bash
#!/bin/bash
USER_NAME="my-user"

echo "=== Checking if IAM User Exists ==="
# get-user exits non-zero (NoSuchEntity) when the user is absent.
# Note: an AccessDenied on get-user also takes the else branch, so make sure
# the caller is allowed iam:GetUser before trusting a "does not exist" result.
if aws iam get-user --user-name "${USER_NAME}" &>/dev/null; then
  echo "✗ User ${USER_NAME} already exists (IAMEntityAlreadyExists)"

  # Get user details
  printf '\n=== User Details ===\n'
  aws iam get-user --user-name "${USER_NAME}" \
    --query 'User.[UserName,UserId,CreateDate]' \
    --output table
else
  echo "✓ User ${USER_NAME} does not exist"
  printf '\n=== Creating New User ===\n'
  aws iam create-user --user-name "${USER_NAME}" \
    --query 'User.[UserName,UserId]' \
    --output table
fi

# List all IAM users
printf '\n=== All IAM Users ===\n'
aws iam list-users --query 'Users[*].UserName' --output table
```

Check if IAM Role Exists and Create with Unique Name
```bash
#!/bin/bash
ROLE_NAME="my-role"

echo "=== Checking if IAM Role Exists ==="
# get-role exits non-zero (NoSuchEntity) when the role is absent
if aws iam get-role --role-name "${ROLE_NAME}" &>/dev/null; then
  echo "✗ Role ${ROLE_NAME} already exists (IAMEntityAlreadyExists)"

  printf '\n=== Role Details ===\n'
  aws iam get-role --role-name "${ROLE_NAME}" \
    --query 'Role.[RoleName,RoleId,CreateDate]' \
    --output table
else
  echo "✓ Role ${ROLE_NAME} does not exist"

  printf '\n=== Creating Role with Unique Name ===\n'
  TIMESTAMP=$(date +%s)
  UNIQUE_ROLE="${ROLE_NAME}-${TIMESTAMP}"

  echo "Unique role name: ${UNIQUE_ROLE}"

  # Print the create command instead of running it (assumes trust-policy.json
  # holds the trust policy); remove the echo to create the role for real.
  echo "aws iam create-role --role-name ${UNIQUE_ROLE} --assume-role-policy-document file://trust-policy.json"
fi

# List all IAM roles
printf '\n=== All IAM Roles ===\n'
aws iam list-roles --query 'Roles[*].RoleName' --output table | head -10
```

Check if IAM Policy Exists
```bash
#!/bin/bash
POLICY_NAME="my-policy"

echo "=== Checking if IAM Policy Exists ==="
# --scope Local lists only the customer managed policies in this account
POLICY_EXISTS=$(aws iam list-policies \
  --scope Local \
  --query "Policies[?PolicyName=='${POLICY_NAME}'].PolicyName" \
  --output text)

if [ -n "${POLICY_EXISTS}" ]; then
  echo "✗ Policy ${POLICY_NAME} already exists (IAMEntityAlreadyExists)"

  printf '\n=== Policy Details ===\n'
  aws iam list-policies \
    --scope Local \
    --query "Policies[?PolicyName=='${POLICY_NAME}'].[PolicyName,PolicyId,CreateDate]" \
    --output table
else
  echo "✓ Policy ${POLICY_NAME} does not exist"
  echo "You can create it"
fi

# List all IAM policies
printf '\n=== All IAM Policies (Local) ===\n'
aws iam list-policies --scope Local \
  --query 'Policies[*].PolicyName' \
  --output table | head -10
```
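The check-then-create scripts above can race: two pipelines that both see "does not exist" will both call create, and the loser gets the error anyway. The added example below (not from the page's own scripts) handles the error instead of pre-checking, and before reusing an existing user it verifies the IAM path matches what the job expects, so policies are not silently attached to an unrelated principal. The function name `ensure_iam_user` and the path convention are assumptions; it assumes the aws CLI is on PATH with credentials allowed `iam:CreateUser` and `iam:GetUser`, and it matches the `EntityAlreadyExists` code the CLI prints, which is also the substring inside the page's `IAMEntityAlreadyExists` name.

```bash
#!/bin/bash
# Idempotent create-or-reuse for an IAM user (added example, hypothetical helper).
# A get-user check followed by create-user can race with another pipeline
# creating the same name, so call create-user once and treat only an
# EntityAlreadyExists failure as "already there"; any other failure is an error.
# Assumes the aws CLI is on PATH with iam:CreateUser and iam:GetUser permissions.

# ensure_iam_user NAME [PATH]
# Exit status: 0 created or reused, 1 any other AWS error,
#              2 a same-named user exists under a different IAM path (not reused).
ensure_iam_user() {
  local name="$1" expected_path="${2:-/}"
  local err actual_path
  # Capture stderr only; the JSON response on stdout is not needed here.
  if err=$(aws iam create-user --user-name "$name" --path "$expected_path" 2>&1 >/dev/null); then
    echo "created user ${name} under ${expected_path}"
    return 0
  fi
  case "$err" in
    *EntityAlreadyExists*)
      # Reuse only if the existing principal is the one this job expects;
      # otherwise we would silently attach our policies to an unrelated user.
      actual_path=$(aws iam get-user --user-name "$name" \
        --query 'User.Path' --output text) || return 1
      if [ "$actual_path" = "$expected_path" ]; then
        echo "user ${name} already exists under ${expected_path}; reusing"
        return 0
      fi
      echo "user ${name} exists under ${actual_path}, expected ${expected_path}; refusing to reuse" >&2
      return 2
      ;;
    *)
      echo "create-user failed: ${err}" >&2
      return 1
      ;;
  esac
}

# Usage: ./ensure-user.sh NAME [PATH]
if [ $# -gt 0 ]; then
  ensure_iam_user "$@"
fi
```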
Provider Information
This error code is specific to AWS services. For more information, refer to the official AWS documentation.