Transit Gateway shared with AWS Resource Access Manager (AWS RAM) identifies all accounts as external
Customer has an AWS Landing Zone (ALZ) implementation where they are sharing a Transit Gateway (TGW) between accounts. Sharing the TGW results in an error unless "Allow external accounts"
is checked, even though the account is in the same organization.
The account they are trying to share the TGW with is under the same root Organization through the ALZ and AWS Control Tower configuration. Why are these accounts considered external? Once "Allow external accounts" is checked, the TGW can be shared, and the principal type shows "Account (External)".
AWS RAM must be integrated with AWS Organizations. Once this is done from the management account, RAM will have permission to access AWS Organizations and enable sharing with Organization IDs and OUs. It will also properly identify accounts within the Organization and no longer require you to enable external sharing if the account is within the same Org. The "Enable sharing with AWS Organizations" docs cover how to enable this from the management account.
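The check and the fix from the accepted answer, as an added example that is not part of the original question or answer. It assumes the AWS CLI is installed and configured with credentials for the Organizations management account; the OU ID, the TGW ARN and the account IDs are placeholders. The pure functions (ram_org_sharing_enabled, diagnose_associations, ou_principal_arn) take the CLI's JSON output so they can be exercised offline; the `external` field on a resource-share association is what the console renders as "Account (External)".

```python
"""Diagnose and fix RAM reporting in-organization accounts as 'External'.

Added example, not code from the original post. Assumes the AWS CLI is
configured with management-account credentials; ORG/OU IDs, the TGW ARN and
the account IDs below are placeholders.
"""
import json
import subprocess

RAM_SERVICE_PRINCIPAL = "ram.amazonaws.com"


def aws(*args):
    """Run one AWS CLI command and return its JSON output (empty dict if none)."""
    proc = subprocess.run(
        ["aws", *args, "--output", "json"],
        check=True, capture_output=True, text=True,
    )
    return json.loads(proc.stdout) if proc.stdout.strip() else {}


def ram_org_sharing_enabled(service_access):
    """True when RAM is a trusted service of the organization.

    `service_access` is the output of
    `aws organizations list-aws-service-access-for-organization`.
    """
    enabled = service_access.get("EnabledServicePrincipals", [])
    return any(s.get("ServicePrincipal") == RAM_SERVICE_PRINCIPAL for s in enabled)


def diagnose_associations(associations, org_account_ids):
    """Compare RAM's `external` flag with actual org membership.

    `associations` is the `resourceShareAssociations` list from
    `aws ram get-resource-share-associations --association-type PRINCIPAL`.
    Returns one dict per account principal; `mismatch` is True when RAM flags
    an account external although it belongs to the organization, which is the
    symptom of RAM not being integrated with AWS Organizations.
    """
    report = []
    for assoc in associations:
        entity = assoc.get("associatedEntity", "")
        if not entity.isdigit():  # OU/organization ARNs are never "external"; skip them
            continue
        in_org = entity in org_account_ids
        flagged_external = bool(assoc.get("external", False))
        report.append({
            "account": entity,
            "in_org": in_org,
            "flagged_external": flagged_external,
            "mismatch": in_org and flagged_external,
        })
    return report


def ou_principal_arn(mgmt_account_id, org_id, ou_id):
    """ARN form RAM expects when sharing with an OU (needs org integration)."""
    return f"arn:aws:organizations::{mgmt_account_id}:ou/{org_id}/{ou_id}"


def main():
    # Check 1: is RAM a trusted service in Organizations? If not, enable it.
    access = aws("organizations", "list-aws-service-access-for-organization")
    if not ram_org_sharing_enabled(access):
        print("RAM is not integrated with Organizations; enabling from the management account")
        aws("ram", "enable-sharing-with-aws-organization")

    # Check 2: which existing shares mark in-org accounts as external?
    org_ids = {a["Id"] for a in aws("organizations", "list-accounts").get("Accounts", [])}
    assocs = aws("ram", "get-resource-share-associations",
                 "--association-type", "PRINCIPAL").get("resourceShareAssociations", [])
    for row in diagnose_associations(assocs, org_ids):
        if row["mismatch"]:
            print(f"{row['account']} is in the org but RAM flags it External")

    # Fix: share the TGW with an OU, with external principals disallowed.
    mgmt = aws("sts", "get-caller-identity")["Account"]
    org_id = aws("organizations", "describe-organization")["Organization"]["Id"]
    ou_id = "ou-examplerootid111-exampleouid111"  # placeholder OU
    tgw_arn = "arn:aws:ec2:us-east-1:111111111111:transit-gateway/tgw-0123456789abcdef0"  # placeholder
    share = aws("ram", "create-resource-share",
                "--name", "tgw-share",
                "--resource-arns", tgw_arn,
                "--principals", ou_principal_arn(mgmt, org_id, ou_id),
                "--no-allow-external-principals")
    print(share["resourceShare"]["resourceShareArn"])


if __name__ == "__main__":
    main()
```

Run it from the management account; `enable-sharing-with-aws-organization` fails from a member account, which is the most common reason the integration is still off. Keeping `--no-allow-external-principals` on the share is the guardrail: once integration is on, a TGW share that still needs external principals is a sign the target account is genuinely outside the organization.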