Why am I getting errors setting up an AWS Organizations member account as a delegated administrator for AWS Config rules?
I followed the instructions to deploy AWS Config Rules and conformance packs using a delegated admin. However, I received an error similar to the following:
- An error occurred (AccessDeniedException) when calling the DeregisterDelegatedAdministrator operation: You don't have permissions to access this resource.
- An error occurred (InvalidInputException) when calling the RegisterDelegatedAdministrator operation: You specified an unrecognized service principal.
- An error occurred (ConstraintViolationException) when calling the RegisterDelegatedAdministrator operation: You have exceeded the allowed number of delegated administrators for the delegated service.
Resolution
Follow these troubleshooting steps for the specific error message received.
Important: Before you begin, be sure that you installed and configured the AWS Command Line Interface (AWS CLI).
"An error occurred (AccessDeniedException) when calling the DeregisterDelegatedAdministrator operation: You don't have permissions to access this resource."
This error means that you ran the register-delegated-administrator command from an AWS Organizations member account, similar to the following:
$ aws organizations register-delegated-administrator --service-principal config-multiaccountsetup.amazonaws.com --account-id member-account-ID
You can delegate an administrator only from the AWS Organizations primary account. Run the register-delegated-administrator command from the AWS Organizations primary account.
"An error occurred (InvalidInputException) when calling the RegisterDelegatedAdministrator operation: You specified an unrecognized service principal."
This error can occur if your AWS Organizations organization doesn't have all features enabled, or if trusted access for AWS Config isn't enabled for the organization.
1. Run the enable-aws-service-access command, similar to the following:
$ aws organizations enable-aws-service-access --service-principal=config-multiaccountsetup.amazonaws.com
2. Run the register-delegated-administrator command from the AWS Organizations primary account to delegate the member account as the administrator that deploys AWS Organizations conformance packs and AWS Config rules:
$ aws organizations register-delegated-administrator --service-principal config-multiaccountsetup.amazonaws.com --account-id member-account-ID
"An error occurred (ConstraintViolationException) when calling the RegisterDelegatedAdministrator operation: You have exceeded the allowed number of delegated administrators for the delegated service."
This error means that the limit of 3 registered delegated administrators for this service principal has been reached.
1. To determine which delegated administrators are registered, run the list-delegated-administrators command, similar to the following:
$ aws organizations list-delegated-administrators --service-principal=config-multiaccountsetup.amazonaws.com
You receive an output similar to the following:
{
    "DelegatedAdministrators": [
        {
            "Id": "987654321098",
            "Arn": "arn:aws:organizations::123456789012:account/o-anz8bj0hfs/987654321098",
            "Email": "youremailalias@example.com",
            "Name": "your-account-name",
            "Status": "ACTIVE",
            "JoinedMethod": "CREATED",
            "JoinedTimestamp": 1557432887.92,
            "DelegationEnabledDate": 1590681859.773
        }
    ]
}
2. To deregister a delegated administrator, run the deregister-delegated-administrator command:
$ aws organizations deregister-delegated-administrator --service-principal config-multiaccountsetup.amazonaws.com --account-id member-account-ID
3. Rerun the register-delegated-administrator command to delegate an account as an administrator:
$ aws organizations register-delegated-administrator --service-principal config-multiaccountsetup.amazonaws.com --account-id member-account-ID
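The following pre-flight script is an added example, not part of the AWS article: it checks the three conditions behind the errors above (calling account is the management account, all features and trusted access enabled, fewer than 3 delegated administrators) before you run register-delegated-administrator. It assumes the AWS CLI is configured and reads the JSON output of describe-organization, get-caller-identity, list-aws-service-access-for-organization and list-delegated-administrators; the account IDs used for offline testing are constructed.

```python
"""Pre-flight checks for registering a delegated administrator for AWS Config.

preflight() works on the parsed JSON of the AWS CLI commands named in its
docstring, so it can be exercised offline with constructed data; the
__main__ block fetches the real outputs through the AWS CLI.
"""
import json
import subprocess

SERVICE_PRINCIPAL = "config-multiaccountsetup.amazonaws.com"
MAX_DELEGATED_ADMINS = 3  # limit behind the ConstraintViolationException


def preflight(caller_identity, organization, service_access, delegated_admins):
    """Return the problems that would make register-delegated-administrator fail.

    caller_identity  : output of `aws sts get-caller-identity`
    organization     : output of `aws organizations describe-organization`
    service_access   : output of `aws organizations list-aws-service-access-for-organization`
    delegated_admins : output of `aws organizations list-delegated-administrators
                       --service-principal config-multiaccountsetup.amazonaws.com`
    """
    problems = []
    org = organization["Organization"]
    caller = caller_identity["Account"]
    if caller != org["MasterAccountId"]:  # AccessDeniedException case
        problems.append(f"AccessDenied: run from the management account "
                        f"{org['MasterAccountId']}, not member account {caller}")
    if org["FeatureSet"] != "ALL":  # InvalidInputException case (all features)
        problems.append("InvalidInput: organization does not have all features enabled")
    enabled = {p["ServicePrincipal"] for p in service_access.get("EnabledServicePrincipals", [])}
    if SERVICE_PRINCIPAL not in enabled:  # InvalidInputException case (trusted access)
        problems.append(f"InvalidInput: trusted access not enabled; run "
                        f"enable-aws-service-access --service-principal={SERVICE_PRINCIPAL}")
    admins = [a["Id"] for a in delegated_admins.get("DelegatedAdministrators", [])]
    if len(admins) >= MAX_DELEGATED_ADMINS:  # ConstraintViolationException case
        problems.append(f"ConstraintViolation: {len(admins)} delegated administrators "
                        f"already registered ({', '.join(admins)}); deregister one first")
    return problems


def cli(*args):
    """Run one AWS CLI command and parse its JSON output (needs a configured AWS CLI)."""
    return json.loads(subprocess.check_output(["aws", *args, "--output", "json"]))


if __name__ == "__main__":
    # Live run against the current AWS CLI credentials.
    report = preflight(
        cli("sts", "get-caller-identity"),
        cli("organizations", "describe-organization"),
        cli("organizations", "list-aws-service-access-for-organization"),
        cli("organizations", "list-delegated-administrators", "--service-principal", SERVICE_PRINCIPAL),
    )
    print("\n".join(report) or "OK: register-delegated-administrator should succeed")
```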
Related information
How do I move accounts between organizations in AWS Organizations?