NoSuchEntity
AWS NoSuchEntity (No Such Entity) is an IAM-specific error code: the request referenced an IAM resource (user, group, role, managed policy, instance profile, or similar) that does not exist in the account the caller is operating in. IAM API operations return it with HTTP status 404, and the AWS CLI surfaces it as `An error occurred (NoSuchEntity) when calling the <Operation> operation: ...` followed by a message naming the missing entity.
Last reviewed: February 12, 2026 | Editorial standard: source-backed technical guidance
What Does No Such Entity Mean?
When NoSuchEntity is returned, IAM could not resolve the target of the request by the name or ARN supplied, so the operation (get, update, attach, delete) is rejected before any change is made. The response is authoritative only for that identifier, in that account, at that moment; it does not distinguish a misspelled name from an entity that was deleted a second earlier or one that was created in another account.
Common Causes
- The IAM entity's friendly name, path, or ARN is misspelled or stale (for example, a managed policy ARN that omits or misstates the path the policy was created under).
- Automation targets the wrong AWS account (wrong profile, or a role assumed in another account), so the name is looked up in an account where it was never created.
- The entity was deleted or renamed between the lookup step and the mutation step (users and groups can be renamed; roles cannot).
- A recent IAM create or delete has not yet propagated; IAM is eventually consistent, so a freshly created entity can briefly be invisible to some calls.
How to Fix No Such Entity
1. Validate existence with the matching `Get*`/`List*` API using the exact identifier: roles, users, and groups are addressed by bare name (the path is not part of the name parameter), managed policies by full ARN including path.
2. Confirm which account the caller is operating in with `sts:GetCallerIdentity` and compare it with the account in the target ARN before any mutation call.
3. Refresh IAM references from the authoritative source (deployment outputs, `List*` results) rather than cached or hard-coded values.
4. Retry with a short backoff only when the entity was created moments earlier; retrying a stale or misspelled name never succeeds.
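The four steps above, carried out in code as an added example (this is not code from the original page, and it does not use boto3 so it runs offline): the ARN is parsed to separate account, path, and bare name, the caller's account from `GetCallerIdentity` is compared with the target's, and a just-created entity is retried through the propagation window while any other NoSuchEntity is surfaced immediately. The `ClientError` class is a stand-in with the same `.response` layout as `botocore.exceptions.ClientError`, `make_eventually_visible_get_role` is a constructed stand-in for `iam.get_role`, and the function names, account numbers, and `RoleId` value are this example's own.

```python
import re
import time

# IAM entity ARN: arn:<partition>:iam::<account>:<type><path><name>. The path always
# begins and ends with "/" (the default path is just "/") and is not part of the name.
IAM_ARN = re.compile(
    r"^arn:(?P<partition>aws(?:-[a-z]+)*):iam::(?P<account>\d{12}):"
    r"(?P<type>user|group|role|policy|instance-profile)"
    r"(?P<path>/(?:[^/]+/)*)(?P<name>[^/]+)$"
)


class ClientError(Exception):
    """Stand-in for botocore.exceptions.ClientError with the same .response layout,
    so this example runs without boto3 installed."""

    def __init__(self, code, message, status):
        super().__init__(f"An error occurred ({code}): {message}")
        self.response = {
            "Error": {"Code": code, "Message": message},
            "ResponseMetadata": {"HTTPStatusCode": status},
        }


def parse_iam_arn(arn):
    """Split an IAM ARN into partition, account, type, path and bare name."""
    m = IAM_ARN.match(arn)
    if not m:
        raise ValueError(f"not an IAM entity ARN: {arn}")
    return m.groupdict()


def diagnose_target(arn, caller_identity):
    """Step 1 and 2: return (name to pass to Get*/Update*/Delete*, list of findings).
    `caller_identity` has the dict shape returned by sts get-caller-identity."""
    parts = parse_iam_arn(arn)
    findings = []
    if parts["account"] != caller_identity["Account"]:
        findings.append(
            f"account mismatch: caller is in {caller_identity['Account']}, "
            f"target ARN is in {parts['account']}"
        )
    # Name-based IAM APIs take the bare name; the path only appears in the ARN.
    return parts["name"], findings


def is_no_such_entity(exc):
    return isinstance(exc, ClientError) and exc.response["Error"]["Code"] == "NoSuchEntity"


def call_with_propagation_retry(fn, attempts=5, base_delay=0.5, sleep=time.sleep):
    """Step 4: retry `fn` on NoSuchEntity with exponential backoff, for the short window
    after a create in which the new entity is not yet visible everywhere. Use only right
    after a create; a stale or misspelled name will never appear, so the last attempt
    re-raises the original error (HTTP 404) for the caller to handle."""
    for attempt in range(attempts):
        try:
            return fn()
        except ClientError as exc:
            if not is_no_such_entity(exc) or attempt == attempts - 1:
                raise
            sleep(base_delay * (2 ** attempt))


def make_eventually_visible_get_role(role_name, misses):
    """Constructed stand-in for iam.get_role: answers NoSuchEntity `misses` times,
    then returns the role, imitating a create that is still propagating."""
    calls = {"n": 0}

    def get_role():
        calls["n"] += 1
        if calls["n"] <= misses:
            raise ClientError("NoSuchEntity",
                              f"The role with name {role_name} cannot be found.", 404)
        return {"Role": {"RoleName": role_name, "Path": "/service-role/",
                         "RoleId": "AROAEXAMPLEROLEID0001"}}  # constructed ID

    return get_role


if __name__ == "__main__":
    caller = {"Account": "111111111111", "Arn": "arn:aws:iam::111111111111:user/deployer"}
    name, findings = diagnose_target("arn:aws:iam::123456789012:role/service-role/MyRole", caller)
    print(name, findings)
    role = call_with_propagation_retry(make_eventually_visible_get_role("MyRole", 2),
                                       sleep=lambda s: None)
    print(role["Role"]["RoleName"])
```

With a real client, `fn` would be `lambda: iam.get_role(RoleName=name)` and `ClientError` the botocore class; the retry logic is unchanged because the code only inspects `response["Error"]["Code"]`.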
Step-by-Step Diagnosis for No Such Entity
1. Capture the API action, the entity identifier exactly as sent, and the request ID from the error response (`ResponseMetadata.RequestId` in SDK responses).
2. Check CloudTrail IAM events (`eventSource` `iam.amazonaws.com`) for create, delete, and rename operations on that entity around the failure time; the failed call itself is recorded with `errorCode` `NoSuchEntity`.
3. Compare the entity name and path the IaC intended with the runtime value actually sent to IAM.
4. Verify that cross-account role assumptions are not pointing the call at a different account's entity set.
Identity Validation
- Verify the IAM entity name, path, and ARN exactly as sent to the API (example: the role ARN `arn:aws:iam::123456789012:role/service-role/MyRole` carries the path `/service-role/`; ARN-based references such as trust policies must include it, while name-based APIs take only `MyRole`, and a managed policy ARN with the wrong path returns NoSuchEntity).
- Inspect the caller's account context before mutating (example: the operation runs under a role assumed in a different account than the one where the target role was created).
Lifecycle and Consistency Checks
- Audit IAM create, delete, and rename events around the failure time (example: the entity was removed between the lookup step and the update step).
- Trace IaC state against the live IAM inventory for drift (example: state still references a role that was deleted manually in the console).
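The CloudTrail review from the diagnosis steps and the two lifecycle checks above, as one added example (not code from the original page): `lifecycle_events_near` scans exported CloudTrail records for successful create, delete, and rename events that named the failing entity within a window before the failure, and `find_drift` lists entities that IaC state still references but the live inventory lacks. The records, state, and inventory below are constructed sample data; the function names and the `type`/`name` layout of the state and inventory dicts are this example's own, while the CloudTrail field names (`eventTime`, `eventName`, `eventSource`, `requestParameters`, `errorCode`, `userIdentity`) are the real ones.

```python
from datetime import datetime, timedelta, timezone

# requestParameters keys CloudTrail uses for the IAM entity an action targets, plus the
# rename targets of UpdateUser / UpdateGroup (roles cannot be renamed).
ENTITY_KEYS = ("roleName", "userName", "groupName", "policyArn", "instanceProfileName",
               "newUserName", "newGroupName")
LIFECYCLE_EVENTS = {
    "CreateRole", "DeleteRole", "CreateUser", "DeleteUser", "UpdateUser",
    "CreateGroup", "DeleteGroup", "UpdateGroup", "CreatePolicy", "DeletePolicy",
    "CreateInstanceProfile", "DeleteInstanceProfile",
}


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def names_entity(record, entity):
    params = record.get("requestParameters") or {}
    return any(params.get(k) == entity for k in ENTITY_KEYS)


def lifecycle_events_near(records, entity, failure_time, window=timedelta(minutes=30)):
    """Successful create/delete/rename events touching `entity` in the `window` before
    `failure_time`, oldest first. Records with errorCode set changed nothing and are
    skipped. `entity` is the bare name, or the policy ARN for managed policies."""
    t_fail = parse_time(failure_time)
    hits = []
    for rec in records:
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue
        if rec.get("eventName") not in LIFECYCLE_EVENTS or rec.get("errorCode"):
            continue
        t = parse_time(rec["eventTime"])
        if t_fail - window <= t <= t_fail and names_entity(rec, entity):
            hits.append({"eventTime": rec["eventTime"], "eventName": rec["eventName"],
                         "actor": rec.get("userIdentity", {}).get("arn")})
    return sorted(hits, key=lambda h: h["eventTime"])


def find_drift(state_entities, live_entities):
    """(type, name) pairs present in IaC state but absent from the live IAM inventory."""
    live = {(e["type"], e["name"]) for e in live_entities}
    return sorted({(e["type"], e["name"]) for e in state_entities} - live)


# Constructed CloudTrail records: a deploy creates MyRole, a human deletes it, and the
# deploy's next step fails with NoSuchEntity. The OtherRole delete is outside the window.
SAMPLE_RECORDS = [
    {"eventTime": "2026-02-12T09:00:10Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateRole", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/deployer"},
     "requestParameters": {"roleName": "MyRole", "path": "/service-role/"}},
    {"eventTime": "2026-02-12T09:12:41Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeleteRole", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"roleName": "MyRole"}},
    {"eventTime": "2026-02-12T09:15:02Z", "eventSource": "iam.amazonaws.com",
     "eventName": "UpdateAssumeRolePolicy",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/deployer"},
     "requestParameters": {"roleName": "MyRole"},
     "errorCode": "NoSuchEntity", "errorMessage": "The role with name MyRole cannot be found."},
    {"eventTime": "2026-02-12T08:01:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeleteRole", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"roleName": "OtherRole"}},
]

# Constructed IaC state versus live inventory: the state still knows about MyRole.
SAMPLE_STATE = [{"type": "role", "name": "MyRole"}, {"type": "policy", "name": "ReadOnly"}]
SAMPLE_LIVE = [{"type": "policy", "name": "ReadOnly"}]

if __name__ == "__main__":
    for hit in lifecycle_events_near(SAMPLE_RECORDS, "MyRole", "2026-02-12T09:15:02Z"):
        print(hit)
    print(find_drift(SAMPLE_STATE, SAMPLE_LIVE))
```

For real data, feed `lifecycle_events_near` the `Records` array of a CloudTrail log file or the `Events` returned by `lookup-events` (each event's `CloudTrailEvent` is a JSON string of the same record shape); the `actor` field is what tells a manual console deletion apart from the pipeline's own cleanup.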
How to Verify the Fix
- Re-run the same IAM API call with the corrected identifier and confirm NoSuchEntity is no longer returned.
- Validate that the dependent IAM operations (attach, update, delete) complete using the corrected identifier.
- Confirm that IAM not-found failures drop in deployment and runbook logs.
How to Prevent Recurrence
- Centralize IAM entity naming and path conventions and enforce them in CI.
- Avoid hard-coded IAM names; resolve them from deployment outputs or inventory APIs.
- Add ordering guards (explicit dependencies, or a read-after-create check) between IAM create/delete steps and the mutations that depend on them.
Pro Tip
- Record the immutable IAM unique IDs (`RoleId`, `UserId`, `GroupId`, `PolicyId`) in deployment metadata and resolve friendly names from that mapping at runtime. Names can be reused, but a deleted-and-recreated entity receives a new unique ID, and IAM rewrites principal ARNs in trust and resource policies to that unique ID when the referenced entity is deleted, so a same-name replacement does not inherit the old trust.
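The unique-ID binding described in the tip, as an added example (not code from the original page): `record_bindings` captures name-to-ID pairs from a `List*` response at deploy time, `resolve_name` looks the current friendly name up by unique ID so a renamed user is still found, and `check_bindings` classifies each recorded entity as intact, renamed, recreated under the same name, or missing before any mutation is attempted. The list outputs, names, and `AIDA...`/`AROA...` values below are constructed sample data; the function names and the `ok`/`renamed:`/`recreated`/`missing` labels are this example's own, while the `UserId`/`RoleId` and `UserName`/`RoleName` keys are the real IAM response fields.

```python
# IAM response field names per entity type (as returned by list-users, list-roles, ...).
UNIQUE_ID_KEY = {"role": "RoleId", "user": "UserId", "group": "GroupId", "policy": "PolicyId"}
NAME_KEY = {"role": "RoleName", "user": "UserName", "group": "GroupName", "policy": "PolicyName"}


def record_bindings(entity_type, live_entities):
    """Deploy-time step: friendly name -> unique ID for the entities just created,
    taken from the matching List* result. Store this with the deployment metadata."""
    return {e[NAME_KEY[entity_type]]: e[UNIQUE_ID_KEY[entity_type]] for e in live_entities}


def resolve_name(entity_type, unique_id, live_entities):
    """Runtime step: the current friendly name for a recorded unique ID, or None if the
    entity no longer exists. Survives renames, which a stored name does not."""
    for e in live_entities:
        if e[UNIQUE_ID_KEY[entity_type]] == unique_id:
            return e[NAME_KEY[entity_type]]
    return None


def check_bindings(entity_type, recorded, live_entities):
    """Classify each recorded name -> unique ID binding against live IAM:
    ok, renamed:<current name>, recreated (same name but a new ID, so trust and
    resource policies that pointed at the old ID no longer match), or missing
    (the next name-based mutation will get NoSuchEntity)."""
    by_id = {e[UNIQUE_ID_KEY[entity_type]]: e[NAME_KEY[entity_type]] for e in live_entities}
    by_name = {name: uid for uid, name in by_id.items()}
    result = {}
    for name, uid in recorded.items():
        if uid in by_id:
            result[name] = "ok" if by_id[uid] == name else f"renamed:{by_id[uid]}"
        elif name in by_name:
            result[name] = "recreated"
        else:
            result[name] = "missing"
    return result


# Constructed list-users / list-roles output at deploy time ...
USERS_AT_DEPLOY = [
    {"UserName": "svc-deploy", "UserId": "AIDAEXAMPLEUSERID0001"},
    {"UserName": "auditor", "UserId": "AIDAEXAMPLEUSERID0002"},
]
ROLES_AT_DEPLOY = [{"RoleName": "MyRole", "RoleId": "AROAEXAMPLEROLEID0001"}]

# ... and later: svc-deploy was renamed (same UserId), auditor was deleted, and MyRole
# was deleted and recreated under the same name (new RoleId).
USERS_NOW = [{"UserName": "svc-deployer", "UserId": "AIDAEXAMPLEUSERID0001"}]
ROLES_NOW = [{"RoleName": "MyRole", "RoleId": "AROAEXAMPLEROLEID0002"}]

if __name__ == "__main__":
    users = record_bindings("user", USERS_AT_DEPLOY)
    roles = record_bindings("role", ROLES_AT_DEPLOY)
    print(check_bindings("user", users, USERS_NOW))
    print(check_bindings("role", roles, ROLES_NOW))
    print(resolve_name("user", users["svc-deploy"], USERS_NOW))
```

A `recreated` result is the case worth treating as an incident rather than a retry: the pipeline would otherwise attach policies to an entity that no longer holds the trust relationships the original had.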
Provider Context
This guidance is specific to AWS services. Always validate implementation details against official provider documentation before deploying to production.