Terraform: aws Instance Profile already exists error
I had the following aws_iam_instance_profile:
resource "aws_iam_instance_profile" "nat" {
name = "${var.vpc_name}-iam-nat-profile"
roles = ["${aws_iam_role.nat.name}"]
}
With vpc_name set to prod or dev, and a completely empty AWS account with no existing IAM roles or profiles, _every_ time I ran terraform apply, I would get an error of this form:
Error creating IAM instance profile prod-iam-nat-profile already exists: prod-iam-nat-profile already exists (EntityAlreadyExists)
There were no IAM roles or profiles in the account; I had nothing in the terraform file other than the definition of the referenced aws_iam_role; and this error would remain even if I ran terraform destroy before running terraform apply.
The workaround was to move the var.vpc_name interpolation to the end:
resource "aws_iam_instance_profile" "nat" {
name = "iam-nat-profile-${var.vpc_name}"
roles = ["${aws_iam_role.nat.name}"]
}
Any idea what's going on? I know the temptation is to say "prod-iam-nat-profile must have already existed in your account", but I never created such a profile by hand and it was not there when I would check the IAM pages in the AWS console. I'm using terraform 0.6.4.
brikis98
All 6 comments
Update: it turns out that instance profiles don't show up in the AWS console. Well, they do, but only attached to a role. If you delete the role, but not the policy, then there is no longer a way to see the policy in the console.
Therefore, instead of using the console, you can use the AWS CLI to see all the instance profiles:
aws iam list-instance-profiles
With that command, I found the old, conflicting profiles, so the terraform error message was correct.
brikis98
on 4 Nov 2015
thanks this and aws iam delete-instance-profile --instance-profile-name profile_name_here saved my day!
cordoval
on 16 Dec 2015
yes, used that cmd and was able to remove the profile. thanks
'aws iam delete-instance-profile --instance-profile-name {insert-profile-name-here}'
lloyddugmore
on 25 Mar 2018
Well, they do, but only attached to a role. If you delete the role, but not the policy, then there is no longer a way to see the policy in the console.
Sounds like something the AWS team should fix or at least provide an improved error message.
lmj0011
on 3 May 2018
Just burned an hour on this :( thanks for the fix!
nicholasserra
on 16 Jan 2019
I'm going to lock this issue because it has been closed for _30 days_ โณ. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
![hashibot[bot] picture](https://avatars2.githubusercontent.com/in/8332?v=4&s=40)
hashibot[bot]
on 30 Mar 2020
Related issues
Seraf
ยท
3Comments
franklinwise
ยท
3Comments
rjinski
ยท
3Comments
zeninfinity
ยท
3Comments
larstobi
ยท
3Comments
Most helpful comment
thanks this and
aws iam delete-instance-profile --instance-profile-name profile_name_heresaved my day!