By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Can OrganizationAccountAccessRole sees services subscribed under sub accounts?

0

Hi. My organization has a sub account which has a billed item of AWS App Runner - Provisioned - GB-hours.

However, when I assume the role of OrganizationAccountAccessRole with policy AdministratorAccess, the App Runner service list is empty.

Can OrganizationAccountAccessRole sees all services under all sub account? My purpose is to check all types of service in all sub accounts as an organization administrator.

Topics
Management & GovernanceComputeContainers
Tags
AWS OrganizationsAWS Account ManagementAWS App Runner
Language
English
WK
asked 2 months ago34 views
1 Answer
0

Yes, the OrganizationAccountAccessRole should be able to see all services under the sub accounts, including AWS App Runner, when properly configured and used. This role is designed to provide full administrative access to the member accounts within an AWS Organization.

However, if you're experiencing an issue where the App Runner service list appears empty despite assuming the OrganizationAccountAccessRole with AdministratorAccess policy, there could be a few reasons for this:

  1. Region-specific resources: Ensure you're looking in the correct AWS region where the App Runner service is deployed. Resources are region-specific, and if you're viewing a different region, the list may appear empty.

  2. Role permissions: Double-check that the OrganizationAccountAccessRole in the specific member account has the correct permissions. It should have the AdministratorAccess policy attached, granting full access to all AWS services and resources.

  3. Role trust relationship: Verify that the role's trust relationship is correctly set up to allow the management account to assume the role.

  4. Temporary permission issues: In rare cases, there might be temporary permission propagation delays or issues within AWS.

To troubleshoot this issue:

  1. Confirm you're in the correct AWS region.
  2. Verify the role permissions and trust relationship in the member account.
  3. Try accessing other services in the same account to see if the issue is specific to App Runner or affects all services.
  4. If the problem persists, you may want to contact AWS support for further assistance.

As an organization administrator, you should be able to use the OrganizationAccountAccessRole to view and manage all types of services across all sub-accounts. If you're still unable to see the App Runner service or other expected resources, it's recommended to review the role configuration and permissions to ensure everything is set up correctly.
Sources
Manage Organization Member Accounts via AWS CLI | AWS re:Post
Accessing a member account that has OrganizationAccountAccessRole with AWS Organizations - AWS Organizations

profile picture
re:Post Agent
answered 2 months ago
profile picture
EXPERT
Riku_Kobayashi
reviewed 2 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content