How do I troubleshoot an AWSControlTowerExecution role error that occurs during AWS Control Tower account enrollment?

3 minute read

I want to troubleshoot an AWSControlTowerExecution role error that occurs when I try to enroll my AWS Control Tower account.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

When you enroll an account in AWS Control Tower, the AWSControlTowerExecution role must be present and properly configured for the account. If it isn't, then you might receive the following error message:

"AWS Control Tower is unable to assume the AWSControlTowerExecution role in the account. Add the role to your account if it's not present, and try again"

Sign in to the account that you want to enroll in AWS Control Tower. Then, check whether the AWSControlTowerExecution role is present in the AWS Identity and Access Management (IAM) console. If it's present, then check whether the role has a trust relationship with the AWS Organizations management account. Also, check whether the role has an attached administrative access policy.

If the role isn't present in the account, and the account is part of a registered organizational unit (OU), then take the following actions:

Move the account under the root level of your organization in the AWS Organizations console. If the account is under a registered OU, then terminate the provisioned product. Then, you can create the AWSControlTowerExecution role without being blocked by a service control policy.
Create the IAM role.

To create the IAM role, complete the following steps:

Navigate to the IAM service in the AWS Management Console.
Choose Roles.
Choose Create role, and then choose Custom trust policy.

Insert the following trust policy.

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::Management Account ID:root"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}

Note: Replace Management Account ID with your AWS Management Account ID.

Attach the AdministratorAccess policy.
Skip the Tags section (optional).
In the Review section, add the following details:
Role name: AWSControlTowerExecution
Description: "Allows full account access for enrollment"
Choose Create role.

If the member account has the AWSControlTowerExecution role, but the trust relationship is incorrect and the product is in a failed state, then take the following actions:

Move the account under the root level of your organization in the AWS Organizations console, or delete the provisioned product.
Edit the trust relationship of the AWSControlTowerExecution role. To do this, assume the AWS Management Account ID.

Note: If you need to create a role for multiple accounts, then re-register the OU. This action automatically creates the AWSControlTowerExecution role in all accounts within that OU.

Related information

Manually add the required IAM role to an existing AWS account and enroll it

Topics: Management & Governance
Tags: AWS Control Tower
Language: English

AWS OFFICIALUpdated 2 months ago

No comments

Relevant content

Enrollment of an Existing Account in Control Tower Fails
Accepted Answer
Ryan Dalton
asked 3 years ago
Control Tower Enrollment Error
Boonzilla
asked 3 years ago
How do I add a member account to the AWS Control tower managed Organization?
Accepted Answer
Qasim
asked 2 years ago
Error enrolling accounts with AFT and Control Tower
cmcgdc
asked 3 years ago
Control Tower enrollment keeps failing with InsufficientDeliveryPolicyException for AWS Config
Carlos Galvez
asked 8 days ago
How do I gain access as an AWS account root user to accounts created by Account Factory or Account Vending Machine in AWS Control Tower?
AWS OFFICIALUpdated a year ago
How do I resolve the "AccessDenied" or "Invalid information" error when I try to assume a cross-account IAM role?
AWS OFFICIALUpdated a month ago
How do I troubleshoot EC2 instance profile errors for IAM roles?
AWS OFFICIALUpdated a year ago
How do I troubleshoot explicit deny error messages when I request API calls with IAM roles or users?
AWS OFFICIALUpdated 9 days ago
AWS Control Tower Backup Integration: Best Practices Guide
EXPERT
Tyler_P
published 6 months ago