
How do I grant myself administrator control to member accounts in AWS Organizations?


I invited an existing AWS account to join my organization. I want to access the member account and have full administrator control over it.

Resolution

To grant yourself administrator control of the invited member account, create a role named OrganizationAccountAccessRole in the member account that trusts the management account and has the AdministratorAccess policy attached. AWS Organizations creates this role automatically in accounts that you create from the organization, but not in accounts that you invite, so for an invited account you must create it yourself.

Create an AWS Organizations administrator role in the member account

  1. Sign in to the member account as an IAM user or by assuming an IAM role, and then open the AWS Identity and Access Management (IAM) console. The user or role must have permission to create IAM roles and attach policies to them.
    Note: As a best practice, don't sign in as the root user.
  2. In the navigation pane, select Roles, and then choose Create Role.
  3. For Trusted entity type, choose AWS account, and then choose Another AWS account.
  4. Enter the 12-digit account ID of the management account of your organization. This is the account whose users and roles will assume the role, not the member account that you're signed in to.
    Note: Trusting the account this way allows any IAM user or role in the management account that has sts:AssumeRole permission for the role to use it. Because the accounts are internal to your company, don't choose Require external ID. For more information, see How to use external ID when granting access to your AWS resources.
    If you turned on and configured multi-factor authentication (MFA) for the identities in the management account, then you can choose Require MFA so that only MFA-authenticated sessions can assume the role.
  5. Choose Next. On the Add permissions page, choose the AWS managed policy that's named AdministratorAccess.
  6. Choose Next.
  7. On the Name, review, and create page, enter a role name, such as OrganizationAccountAccessRole.
    (Optional) Enter a description or add tags for your role.
  8. Review your configuration, and then choose Create role.

Your new role appears on the list of available roles.
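The same role created with the AWS CLI instead of the console, as an added example that is not code from the original article. It assumes the CLI is installed and that the current credentials belong to an IAM user or role in the member account that can create roles and attach policies; the account IDs are placeholders and the function names are my own. The trust policy that trust_policy prints is the one the console steps above produce: it names the management account as the trusted principal, and the optional mfa argument adds the aws:MultiFactorAuthPresent condition that Require MFA sets.

```shell
#!/bin/sh
# Added example, not code from the AWS article: create OrganizationAccountAccessRole
# in an invited member account with the AWS CLI instead of the console.
# Assumptions: the AWS CLI is installed, and the current credentials belong to an
# IAM user or role in the MEMBER account that can create roles and attach policies.
# All account IDs in comments and tests are placeholders.

ROLE_NAME="OrganizationAccountAccessRole"
ADMIN_POLICY_ARN="arn:aws:iam::aws:policy/AdministratorAccess"

# Print the trust policy for the role.
#   $1 = 12-digit ID of the MANAGEMENT account (the account that will assume the
#        role). Trusting <account>:root delegates to that account; each IAM user or
#        role there still needs its own sts:AssumeRole permission for this role.
#   $2 = "mfa" to add the condition that the console's "Require MFA" option sets.
trust_policy() {
    mgmt_id="$1"
    case "$mgmt_id" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "trust_policy: '$mgmt_id' is not a 12-digit account ID" >&2; return 1 ;;
    esac
    if [ "${2:-}" = "mfa" ]; then
        condition=',
      "Condition": { "Bool": { "aws:MultiFactorAuthPresent": "true" } }'
    else
        condition=""
    fi
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${mgmt_id}:root" },
      "Action": "sts:AssumeRole"${condition}
    }
  ]
}
EOF
}

# Create the role in the member account, attach AdministratorAccess, and read
# the trust policy back so you can confirm it names the management account.
create_org_access_role() {
    policy="$(trust_policy "$1" "${2:-}")" || return 1
    aws iam create-role \
        --role-name "$ROLE_NAME" \
        --assume-role-policy-document "$policy" \
        --description "Administrator access for the organization management account" \
        || return 1
    aws iam attach-role-policy \
        --role-name "$ROLE_NAME" \
        --policy-arn "$ADMIN_POLICY_ARN" \
        || return 1
    aws iam get-role --role-name "$ROLE_NAME" \
        --query 'Role.AssumeRolePolicyDocument.Statement[0].Principal.AWS' \
        --output text
}

# Usage, with member-account credentials in the current shell:
#   sh create-org-role.sh 111111111111        # trust management account 111111111111
#   sh create-org-role.sh 111111111111 mfa    # ... and also require MFA
if [ -n "${1:-}" ]; then
    create_org_access_role "$1" "${2:-}"
fi
```

The final get-role call is the check worth keeping: if the printed principal is the member account's own ID rather than the management account's, the role was created against the wrong account and nobody in the management account will be able to assume it.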

Switch to the role for the member account

To switch to the OrganizationAccountAccessRole in the member account, use the AWS Management Console or the AWS Command Line Interface (AWS CLI). In either case, start from credentials in the management account, because that's the account that the role trusts.

Use the AWS Management Console

Complete these steps:

  1. Sign in to the AWS Management Console with the management account, as an IAM user or role that has permission to call sts:AssumeRole on the new role.
  2. From the account dropdown menu in the navigation bar, choose Switch role. On the next page, choose Switch role.
  3. For Account, enter the 12-digit account ID of the member account. For Role, enter the name of the role that you created, such as OrganizationAccountAccessRole.
  4. For Display Name, enter the name that you want to appear when you use this role.
  5. Choose Switch Role.

All actions that you perform in this role use the role's granted permissions. Until you switch back to your previous IAM identity, you don't have the permissions that are associated with your previous IAM identity. To switch back to your previous IAM identity, select the account's display name in the navigation bar. Then, choose Back to USERNAME.

Use the AWS CLI

Complete these steps:

Note: If you receive errors when you run AWS CLI commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

  1. Open the terminal or command prompt on your operating system.

  2. To assume the role in the member account, run the aws sts assume-role command with credentials from the management account. Replace ROLE_ARN with the ARN of the IAM role that you created in the member account, for example arn:aws:iam::MEMBER_ACCOUNT_ID:role/OrganizationAccountAccessRole:

    aws sts assume-role --role-arn ROLE_ARN --role-session-name CrossAccountSession

    The command returns an access key ID, secret access key, and session token as temporary security credentials, along with their expiration time.

  3. Configure the AWS CLI to use these temporary credentials. Add --profile PROFILE_NAME to each command if you want to keep them in a named profile instead of your default profile:

    aws configure set aws_access_key_id TEMP_ACCESS_KEY_ID
    aws configure set aws_secret_access_key TEMP_SECRET_ACCESS_KEY
    aws configure set aws_session_token TEMP_SESSION_TOKEN

Note: As a best security practice, this step uses temporary security credentials instead of long-term access keys. However, aws configure set writes the credentials in plaintext to the AWS CLI credentials file (by default ~/.aws/credentials), so keep that file secure and remove the entries after the session expires. For more information, see Temporary security credentials in IAM.

You can now run AWS CLI commands to access resources in the member account.
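Two ways to use the role from the CLI without saving the temporary credentials to disk with aws configure set, as an added example that is not code from the original article. The profile names, account IDs and MFA device ARN are placeholders and the function names are my own; the example assumes an existing CLI profile with management-account credentials.

```shell
#!/bin/sh
# Added example, not code from the AWS article. Two ways to use
# OrganizationAccountAccessRole from the AWS CLI without `aws configure set`,
# which writes the temporary credentials in plaintext to ~/.aws/credentials.
# Account IDs, profile names and the MFA device ARN are placeholders.

ROLE_NAME="OrganizationAccountAccessRole"

# 1) Preferred: a named profile that tells the CLI to assume the role itself.
#    $1 = member account ID, $2 = name of the profile to create,
#    $3 = existing profile holding management-account credentials,
#    $4 = config file to append to (default ~/.aws/config),
#    $5 = MFA device ARN, only if the role's trust policy requires MFA.
write_assume_role_profile() {
    member_id="$1"; profile="$2"; source="$3"; cfg="${4:-$HOME/.aws/config}"; mfa="${5:-}"
    {
        printf '\n[profile %s]\n' "$profile"
        printf 'role_arn = arn:aws:iam::%s:role/%s\n' "$member_id" "$ROLE_NAME"
        printf 'source_profile = %s\n' "$source"
        printf 'role_session_name = CrossAccountSession\n'
        if [ -n "$mfa" ]; then
            printf 'mfa_serial = %s\n' "$mfa"
        fi
    } >> "$cfg"
}
# Every command run with --profile <name> then assumes the role on demand; the CLI
# caches the session under ~/.aws/cli/cache instead of the credentials file.
# Check with:  aws sts get-caller-identity --profile member-admin
# The Arn should read arn:aws:sts::<member_id>:assumed-role/OrganizationAccountAccessRole/CrossAccountSession

# 2) One-off: turn `aws sts assume-role` output into environment variables that
#    exist only in the current shell. Reads on stdin the tab-separated line that
#    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text
#    produces, and prints `export` statements for `eval`.
creds_to_env() {
    IFS="$(printf '\t')" read -r key secret token || return 1
    if [ -z "$key" ] || [ -z "$secret" ] || [ -z "$token" ]; then
        echo "creds_to_env: expected AccessKeyId, SecretAccessKey and SessionToken" >&2
        return 1
    fi
    printf 'export AWS_ACCESS_KEY_ID=%s\n' "$key"
    printf 'export AWS_SECRET_ACCESS_KEY=%s\n' "$secret"
    printf 'export AWS_SESSION_TOKEN=%s\n' "$token"
}
# Usage, with management-account credentials in the current shell:
#   eval "$(aws sts assume-role \
#       --role-arn arn:aws:iam::222222222222:role/$ROLE_NAME \
#       --role-session-name CrossAccountSession \
#       --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text \
#       | creds_to_env)"
#   aws sts get-caller-identity     # now runs as the role in the member account
#   unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN   # drop the session
```

The profile approach is the one to keep around: nothing secret is written for the member account, the session is refreshed when it expires, and adding mfa_serial makes the CLI prompt for a code, which is what a trust policy with the Require MFA condition expects. The eval approach is for a single session; unsetting the three variables afterwards is the equivalent of switching back to your original identity in the console.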

Troubleshoot issues

If you can't access a member account, then you might not have the necessary permissions. To access an account from any other account in your organization, you need both of the following:

  • A permissions policy on the IAM identity that assumes the role that allows sts:AssumeRole on the destination role's ARN.
  • A trust policy on the destination role that names the source account or the source role as a trusted principal.

These required permissions apply to any role that assumes another role in the same account or across accounts.

If you encounter an error when you try to assume a role, then see I can't assume a role.

Related information

Accessing member accounts in an organization with AWS Organizations

Managing accounts in an organization with AWS Organizations

Switch from a user to an IAM role (console)

Switch to an IAM role (AWS CLI)

AWS OFFICIAL. Updated 7 months ago.