How do I troubleshoot the "MFA device already exists" error when an IAM user tries to create a new MFA device?

I tried to create a new multi-factor authentication (MFA) device for an AWS Identity and Access Management (IAM) user. I received an error similar to the following: "MFA device already exists." The IAM user doesn't have any MFA devices.

Resolution

If you create a virtual MFA device but don't activate it for an IAM user, the device stays in your account as an unassigned virtual MFA device, and creating a new device with the same name then fails with this error. This error occurs only when you use the AWS Command Line Interface (AWS CLI) to create a new MFA device. First, use the AWS CLI to delete the unassigned MFA device. Then, recreate the MFA device.

Note: If you receive errors when you run AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

Complete the following steps:

  1. To list all virtual MFA devices created in your AWS account, run the list-virtual-mfa-devices AWS CLI command:

     aws iam list-virtual-mfa-devices --assignment-status Unassigned

  2. Note the MFA device serial number that aligns with the name that you're creating.

  3. To delete the MFA device, run the delete-virtual-mfa-device AWS CLI command:

     aws iam delete-virtual-mfa-device --serial-number arn:aws:iam::account-id:mfa/device-name

  4. Create a new MFA device. Follow the instructions to activate a virtual MFA device for an IAM user (console), or follow the instructions to assign MFA devices in the AWS CLI or AWS API.
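Steps 1 to 3 above can be scripted. The following is an added example, not code from AWS or from this article: it parses the JSON that `aws iam list-virtual-mfa-devices --assignment-status Unassigned` prints, finds the unassigned device whose name matches the one you want to create, and builds the delete command for review. The listing, account ID and device names are constructed placeholders.

```python
import json
from typing import Optional

# Constructed sample shaped like the output of
# `aws iam list-virtual-mfa-devices --assignment-status Unassigned`.
# The account ID and device names are placeholders, not real values.
SAMPLE_LISTING = json.dumps({
    "VirtualMFADevices": [
        {"SerialNumber": "arn:aws:iam::123456789012:mfa/alice"},
        {"SerialNumber": "arn:aws:iam::123456789012:mfa/team/bob"},
    ]
})


def find_unassigned_serial(listing_json: str, device_name: str) -> Optional[str]:
    """Return the SerialNumber (ARN) of the unassigned virtual MFA device whose
    name matches device_name, or None when no such device is listed.

    The ARN has the form arn:aws:iam::<account-id>:mfa/<path><name>, so the
    name is compared against the last path segment of the resource part.
    """
    devices = json.loads(listing_json).get("VirtualMFADevices", [])
    for device in devices:
        serial = device.get("SerialNumber", "")
        if ":mfa/" not in serial:
            continue
        resource = serial.split(":mfa/", 1)[1]
        if resource == device_name or resource.endswith("/" + device_name):
            return serial
    return None


def delete_command(serial: str) -> list:
    """Build the argv for step 3 so it can be reviewed before it is run."""
    return ["aws", "iam", "delete-virtual-mfa-device", "--serial-number", serial]


def diagnose(listing_json: str, device_name: str) -> str:
    """Map the listing to the two outcomes the troubleshooting steps describe."""
    serial = find_unassigned_serial(listing_json, device_name)
    if serial is None:
        return ("no unassigned device named %r: the name is in use by another "
                "user's MFA device, so choose a different name" % device_name)
    return "delete the stale device with: " + " ".join(delete_command(serial))


if __name__ == "__main__":
    print(diagnose(SAMPLE_LISTING, "alice"))   # stale unassigned device found
    print(diagnose(SAMPLE_LISTING, "carol"))   # name taken by another user
```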

If you don't find an unassigned device with the same name, then another user's MFA device already uses that device name. Use a different name for your MFA device.

Related information

How do I enforce MFA authentication for IAM users that use the AWS Management Console and the AWS CLI?

Using multi-factor authentication

How do I use the AWS CLI to authenticate access to AWS resources with an MFA token?