AWS
NoSuchEntity - No Such Entity
Getting a **NoSuchEntity** error means the IAM entity (user, role, policy, or group) you're referencing doesn't exist in your AWS account: it may have been deleted, its name may be misspelled, or it may belong to a different account. It is a client-side (4xx) error and is common in IAM operations. It most often appears after IAM users or roles are deleted, but also when entity names are misspelled, the entity lives in a different account, an entity ID is wrong, or an IAM policy references an entity that does not exist.
Common Causes
- Identity: The IAM entity doesn't exist. The entity was deleted from the account. The entity belongs to a different AWS account. The entity ID or name is incorrect.
- Network: Cross-account entity reference. IAM entities are global (not regional).
- Limits: Typo in the entity name. The entity never existed. The entity ID format is invalid.
Solutions
- Step 1 (Diagnose): List IAM users: `aws iam list-users --query 'Users[*].[UserName,UserId]' --output table`. List IAM roles: `aws iam list-roles --query 'Roles[*].[RoleName,RoleId]' --output table`. Compare the results with the name in your reference.
- Step 2 (Diagnose): Get the entity by name: `aws iam get-user --user-name USER_NAME`, or `aws iam get-role --role-name ROLE_NAME`. Check whether the entity exists.
- Step 3 (Diagnose): Check CloudTrail for a deletion: `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=DeleteUser --query 'Events[*].CloudTrailEvent' | jq -r '.[] | fromjson | .requestParameters.userName'` (CloudTrailEvent is a JSON string, so it needs `fromjson`; the deleted user's name is in `requestParameters`, while `userIdentity` is the caller who deleted it). Verify whether the entity was deleted.
- Step 4 (Fix): Use the correct entity name: replace the entity ID with the user name or role name in references. Update IAM policies to use the correct names. Verify that the entity exists before referencing it.
- Step 5 (Fix): Create the entity if needed: `aws iam create-user --user-name USER_NAME`, or `aws iam create-role --role-name ROLE_NAME --assume-role-policy-document file://trust-policy.json`. Or update references to use existing entities.
Code Examples
List IAM Entities to Find Correct Names
```bash
#!/bin/bash
# List all IAM users
echo "=== IAM Users ==="
aws iam list-users \
  --query 'Users[*].[UserName,UserId,CreateDate]' \
  --output table

# List all IAM roles (plain echo does not interpret "\n", so use printf)
printf '\n=== IAM Roles ===\n'
aws iam list-roles \
  --query 'Roles[*].[RoleName,RoleId,CreateDate]' \
  --output table | head -20

# List all IAM groups
printf '\n=== IAM Groups ===\n'
aws iam list-groups \
  --query 'Groups[*].[GroupName,GroupId]' \
  --output table

# List all customer-managed IAM policies (--scope Local excludes AWS-managed ones)
printf '\n=== IAM Policies ===\n'
aws iam list-policies --scope Local \
  --query 'Policies[*].[PolicyName,PolicyId]' \
  --output table | head -20
```
Check if IAM Entity Exists
```bash
#!/bin/bash
# Check if an IAM user exists; get-user fails with NoSuchEntity when it does not
USER_NAME="myuser"
echo "=== Checking IAM User: ${USER_NAME} ==="
if aws iam get-user --user-name "${USER_NAME}" \
     --query 'User.[UserName,UserId,Arn]' \
     --output table; then
  echo "✓ User exists"
else
  echo "✗ User not found (NoSuchEntity)"
  printf '\nListing available users:\n'
  aws iam list-users --query 'Users[*].UserName' --output table
fi

# Check if an IAM role exists
ROLE_NAME="MyRole"
printf '\n=== Checking IAM Role: %s ===\n' "${ROLE_NAME}"
if aws iam get-role --role-name "${ROLE_NAME}" \
     --query 'Role.[RoleName,RoleId,Arn]' \
     --output table; then
  echo "✓ Role exists"
else
  echo "✗ Role not found (NoSuchEntity)"
  printf '\nListing available roles:\n'
  aws iam list-roles --query 'Roles[*].RoleName' --output table | head -10
fi
```
Check CloudTrail for Entity Deletion
```bash
#!/bin/bash
# Check CloudTrail for IAM user deletion
USER_NAME="myuser"
echo "=== Checking CloudTrail for User Deletion ==="

# Text output gives one tab-separated line per event: EventTime, then the
# CloudTrailEvent JSON string. read -r keeps backslashes in the JSON intact.
aws cloudtrail lookup-events \
  --lookup-attributes AttributeKey=EventName,AttributeValue=DeleteUser \
  --max-results 10 \
  --query 'Events[*].[EventTime,CloudTrailEvent]' \
  --output text | while IFS=$'\t' read -r time event; do
    echo "Time: ${time}"
    # The deleted user is named in requestParameters; userIdentity is the
    # principal who performed the deletion, not the user that was removed.
    DELETED_USER=$(echo "${event}" | jq -r '.requestParameters.userName' 2>/dev/null)
    DELETED_BY=$(echo "${event}" | jq -r '.userIdentity.arn' 2>/dev/null)
    if [ "${DELETED_USER}" = "${USER_NAME}" ]; then
      echo "Found deletion event for ${USER_NAME} at ${time} by ${DELETED_BY}"
    fi
  done

# Check for role deletion
ROLE_NAME="MyRole"
printf '\n=== Checking for Role Deletion ===\n'
aws cloudtrail lookup-events \
  --lookup-attributes AttributeKey=EventName,AttributeValue=DeleteRole \
  --max-results 10 \
  --query 'Events[*].[EventTime,CloudTrailEvent]' \
  --output text | head -5
```
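The CloudTrail deletion check from Step 3 and the script above, as an added example in Python over a constructed lookup-events response (not code from the original page). It shows the two details that are easy to get wrong in a shell pipeline: `CloudTrailEvent` is a JSON string that needs a second parse, and the deleted entity's name is in `requestParameters`, while `userIdentity` is the caller who deleted it. The account ID, names and events are constructed sample data.

```python
import json

# Constructed sample of `aws cloudtrail lookup-events` output; CloudTrailEvent is a JSON string.
SAMPLE_LOOKUP_RESPONSE = {
    "Events": [
        {
            "EventName": "DeleteUser",
            "EventTime": "2024-05-01T10:15:00+00:00",
            "CloudTrailEvent": json.dumps({
                "eventName": "DeleteUser",
                "eventTime": "2024-05-01T10:15:00Z",
                "userIdentity": {"type": "IAMUser", "userName": "admin-alice",
                                 "arn": "arn:aws:iam::111122223333:user/admin-alice"},
                "requestParameters": {"userName": "myuser"},
            }),
        },
        {
            "EventName": "DeleteRole",
            "EventTime": "2024-05-02T08:00:00+00:00",
            "CloudTrailEvent": json.dumps({
                "eventName": "DeleteRole",
                "eventTime": "2024-05-02T08:00:00Z",
                "userIdentity": {"type": "AssumedRole",
                                 "arn": "arn:aws:sts::111122223333:assumed-role/Deployer/ci"},
                "requestParameters": {"roleName": "MyRole"},
            }),
        },
    ]
}

# IAM delete APIs and the requestParameters key that names the deleted entity.
DELETE_TARGET_KEY = {"DeleteUser": "userName", "DeleteRole": "roleName",
                     "DeleteGroup": "groupName", "DeletePolicy": "policyArn"}


def find_deletion(lookup_response, entity_name):
    """Return deletion records whose *target* is entity_name. The deleted entity
    is in requestParameters; userIdentity is the caller who deleted it."""
    hits = []
    for ev in lookup_response.get("Events", []):
        detail = json.loads(ev["CloudTrailEvent"])  # second parse of the JSON string
        key = DELETE_TARGET_KEY.get(detail.get("eventName"))
        if key is None:
            continue
        target = detail.get("requestParameters", {}).get(key, "")
        # DeletePolicy records a full ARN, so also compare on its trailing name.
        if entity_name in (target, target.rsplit("/", 1)[-1]):
            hits.append({"event": detail["eventName"], "target": target, "time": detail.get("eventTime"),
                         "deleted_by": detail.get("userIdentity", {}).get("arn")})
    return hits
```

Running `find_deletion(SAMPLE_LOOKUP_RESPONSE, "admin-alice")` returns nothing, because that principal performed a deletion but was not itself deleted.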
Provider Information
This error code is specific to AWS services. For more information, refer to the official AWS documentation.