aws Instance Profile already exists error #3749

brikis98 commented Nov 4, 2015

I had the following aws_iam_instance_profile:

resource "aws_iam_instance_profile" "nat" {
  name = "${var.vpc_name}-iam-nat-profile"
  roles = ["${aws_iam_role.nat.name}"]
}

With vpc_name set to prod or dev, and a completely empty AWS account with no existing IAM roles or profiles, every time I ran terraform apply, I would get an error of this form:

Error creating IAM instance profile prod-iam-nat-profile already exists: prod-iam-nat-profile already exists (EntityAlreadyExists)

There were no IAM roles or profiles in the account; I had nothing in the terraform file other than the definition of the referenced aws_iam_role; and this error would remain even if I ran terraform destroy before running terraform apply.

The workaround was to move the var.vpc_name interpolation to the end:

resource "aws_iam_instance_profile" "nat" {
  name = "iam-nat-profile-${var.vpc_name}"
  roles = ["${aws_iam_role.nat.name}"]
}

Any idea what's going on? I know the temptation is to say "prod-iam-nat-profile must have already existed in your account", but I never created such a profile by hand and it was not there when I would check the IAM pages in the AWS console. I'm using terraform 0.6.4.

brikis98 commented Nov 4, 2015

Update: it turns out that instance profiles don't show up in the AWS console. Well, they do, but only attached to a role. If you delete the role, but not the policy, then there is no longer a way to see the policy in the console.

Therefore, instead of using the console, you can use the AWS CLI to see all the instance profiles:

aws iam list-instance-profiles

With that command, I found the old, conflicting profiles, so the terraform error message was correct.

@brikis98 brikis98 closed this as completed Nov 4, 2015
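
Added example, not part of the original thread or the Terraform project: a Python check over the JSON that `aws iam list-instance-profiles` returns, flagging instance profiles with no role attached (the ones the thread says the console does not show) and any existing profile whose name matches one Terraform is about to create. The sample listing is constructed, and the function names are hypothetical.

```python
import json
import subprocess
import sys

# Constructed sample in the shape of `aws iam list-instance-profiles` output.
SAMPLE_JSON = """
{"InstanceProfiles": [
  {"InstanceProfileName": "prod-iam-nat-profile", "Path": "/", "Roles": []},
  {"InstanceProfileName": "dev-iam-nat-profile", "Path": "/",
   "Roles": [{"RoleName": "dev-iam-nat-role"}]},
  {"InstanceProfileName": "bastion-profile", "Path": "/",
   "Roles": [{"RoleName": "bastion-role"}]}
]}
"""


def orphaned_profiles(listing):
    """Profiles with no role attached (the case the thread found hidden in the console)."""
    return sorted(p["InstanceProfileName"]
                  for p in listing.get("InstanceProfiles", [])
                  if not p.get("Roles"))


def name_conflicts(listing, planned_names):
    """Map each planned name that already exists to its attached role names."""
    existing = {p["InstanceProfileName"]: [r["RoleName"] for r in p.get("Roles", [])]
                for p in listing.get("InstanceProfiles", [])}
    return {n: existing[n] for n in planned_names if n in existing}


def load_live():
    """Query the account with the AWS CLI (needs credentials and iam:ListInstanceProfiles)."""
    out = subprocess.run(["aws", "iam", "list-instance-profiles", "--output", "json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


if __name__ == "__main__":
    # Usage: script.py [--live] planned-name ...  (without --live, the sample is used)
    args = sys.argv[1:]
    planned = [a for a in args if a != "--live"] or ["prod-iam-nat-profile"]
    listing = load_live() if "--live" in args else json.loads(SAMPLE_JSON)
    for name in orphaned_profiles(listing):
        print(f"orphaned (no role attached): {name}")
    for name, roles in name_conflicts(listing, planned).items():
        print(f"name already taken: {name} roles={roles or 'none'}")
```

Running it with `--live` before `terraform apply` surfaces leftover profiles that would trigger the `EntityAlreadyExists` error above.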
@cordoval

Thanks, this and aws iam delete-instance-profile --instance-profile-name profile_name_here saved my day!

@lloyddugmore

Yes, used that cmd and was able to remove the profile. Thanks.
'aws iam delete-instance-profile --instance-profile-name {insert-profile-name-here}'

lmj0011 commented May 3, 2018

> Well, they do, but only attached to a role. If you delete the role, but not the policy, then there is no longer a way to see the policy in the console.

Sounds like something the AWS team should fix or at least provide an improved error message.

@nicholasserra

Just burned an hour on this :( thanks for the fix!

ghost commented Mar 30, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Mar 30, 2020