awsdocs / iam-user-guide

Official documentation source for the AWS Identity and Access Management (IAM) User Guide
MIT No Attribution

Changes to DenyAllExceptListedIfNoMFA Section #221

Closed. dvito closed this 3 years ago.

dvito commented 4 years ago

A user cannot create an MFA device in the AWS console without the "iam:DeleteVirtualMFADevice" permission, as they will get an "Entity Already Exists" error. This permission should be included so users can configure their own virtual MFA device.

Issue #, if available: n/a

Description of changes: Adds delete virtual MFA device to the allowed actions when MFA is not present, to allow creation of an MFA device in the AWS console.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

bonniekeller commented 3 years ago

Hi, thanks for taking the time to submit a PR. I'm sorry that I can't accept it. We explicitly address this in the Warning on this page: "Do not add permission to delete an MFA device without MFA authentication. Users with this policy might attempt to assign themselves an MFA device and receive an error that they are not authorized to perform iam:DeleteVirtualMFADevice. If this happens, do not add that permission to the DenyAllExceptListedIfNoMFA statement. Users that are not authenticated using MFA should never be allowed to delete their MFA device. Users might see this error if they previously began assigning a virtual MFA device to their user and cancelled the process. To resolve this issue, you or another administrator must delete the user's existing MFA device using the AWS CLI or AWS API. For more information, see I am not authorized to perform: iam:DeleteVirtualMFADevice." You might have been experiencing the situation that we discuss in the preceding link.
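The maintainer's answer has two parts: the DenyAllExceptListedIfNoMFA statement must never leave iam:DeleteVirtualMFADevice reachable without MFA, and the "Entity Already Exists" error is cleared by an administrator deleting the orphaned virtual MFA device out of band. The following is an added example (not code from this PR or from the awsdocs/iam-user-guide repository) that shows both sides as a defender would check them: a policy audit that flags the change this PR proposed, and a helper that finds unassigned virtual MFA devices in output shaped like `aws iam list-virtual-mfa-devices` and composes the admin-side `aws iam delete-virtual-mfa-device` cleanup. The sample policy, the device listing, and the account id 123456789012 are constructed for this example; the action names, CLI commands, and output keys are the real IAM ones.

```python
"""Audit a policy for the anti-pattern discussed in this PR and find the
orphaned virtual MFA devices an administrator cleans up instead.

Added example; not code from awsdocs/iam-user-guide. SAMPLE_POLICY and
SAMPLE_DEVICES are constructed inputs, not real account data.
"""
import copy
import json

# Constructed: the DenyAllExceptListedIfNoMFA statement shape from the guide,
# with the action this PR proposed to add so the audit has something to flag.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyAllExceptListedIfNoMFA",
            "Effect": "Deny",
            "NotAction": [
                "iam:CreateVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:ListMFADevices",
                "iam:ListVirtualMFADevices",
                "iam:ResyncMFADevice",
                "sts:GetSessionToken",
                "iam:DeleteVirtualMFADevice",  # the change proposed in this PR
            ],
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        }
    ],
}

# Actions the guide says must never be reachable without MFA.
FORBIDDEN_WITHOUT_MFA = {"iam:DeleteVirtualMFADevice"}


def actions_allowed_without_mfa(policy):
    """Collect the NotAction entries of Deny statements that are conditioned on
    aws:MultiFactorAuthPresent being false; those are exactly the actions the
    policy leaves usable before the user has authenticated with MFA."""
    allowed = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        condition = stmt.get("Condition", {})
        mfa_false = any(
            str(block.get("aws:MultiFactorAuthPresent", "")).lower() == "false"
            for block in condition.values()
        )
        if not mfa_false:
            continue
        not_action = stmt.get("NotAction", [])
        if isinstance(not_action, str):
            not_action = [not_action]
        allowed.update(not_action)
    return allowed


def audit_policy(policy):
    """Return the forbidden actions the policy exposes without MFA (sorted)."""
    return sorted(actions_allowed_without_mfa(policy) & FORBIDDEN_WITHOUT_MFA)


def harden_policy(policy):
    """Return a copy of the policy with forbidden actions removed from the
    NotAction lists of the MFA-gating Deny statements."""
    fixed = copy.deepcopy(policy)
    for stmt in fixed.get("Statement", []):
        if stmt.get("Effect") == "Deny" and isinstance(stmt.get("NotAction"), list):
            stmt["NotAction"] = [a for a in stmt["NotAction"] if a not in FORBIDDEN_WITHOUT_MFA]
    return fixed


# Constructed: output shaped like `aws iam list-virtual-mfa-devices`. The first
# device is assigned to a user; the second was left behind by a cancelled setup
# and is what triggers "Entity Already Exists" on the next console attempt.
SAMPLE_DEVICES = {
    "VirtualMFADevices": [
        {
            "SerialNumber": "arn:aws:iam::123456789012:mfa/alice",
            "User": {"UserName": "alice", "Arn": "arn:aws:iam::123456789012:user/alice"},
            "EnableDate": "2021-01-01T00:00:00Z",
        },
        {"SerialNumber": "arn:aws:iam::123456789012:mfa/bob"},
    ]
}


def unassigned_devices(listing, user_name=None):
    """Serial numbers of virtual MFA devices with no user attached, optionally
    narrowed to the device named after one user."""
    serials = []
    for device in listing.get("VirtualMFADevices", []):
        if "User" in device:
            continue
        if user_name and not device["SerialNumber"].endswith(f":mfa/{user_name}"):
            continue
        serials.append(device["SerialNumber"])
    return serials


def cleanup_commands(serials):
    """AWS CLI commands an MFA-authenticated administrator runs to clear the
    orphaned devices, as the guide prescribes, instead of widening the policy."""
    return [f"aws iam delete-virtual-mfa-device --serial-number {s}" for s in serials]


if __name__ == "__main__":
    print("exposed without MFA:", audit_policy(SAMPLE_POLICY))
    print(json.dumps(harden_policy(SAMPLE_POLICY)["Statement"][0]["NotAction"], indent=2))
    for cmd in cleanup_commands(unassigned_devices(SAMPLE_DEVICES)):
        print(cmd)
```

Run it as a script to see the flagged action, the corrected NotAction list, and the cleanup command for the orphaned device; in practice the listing would come from `aws iam list-virtual-mfa-devices --assignment-status Unassigned` run under an administrator's MFA-authenticated session.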