How to get the management account Identity Center Instance Tags from a member account in an AWS Organization

0

Hi, just to give you some context: I have an organization, and within the management account I created an Identity Center instance (management-instance); that instance has a tag called "Exclude". Then I created a member account in the org. From that member account I started to play with the AWS services; in this case I created again a brand new IC instance (member-instance) and also tagged it with "Exclude" (key/value). Now I have a goal: I want to get the users from the management IC instance while on the member account. I ran the following command in the member account CloudShell just to validate that I have access to the users from the management account: "aws identitystore list-users --identity-store-id i<<d-instance>> --region us-west-2", and as expected I could get the users from the management account in CloudShell while in the member account. Now here's the deal. I've been trying to run these commands, but now I want to know, from the member account CloudShell, whether the IC from the management account has any tag attached.
I ran: aws sso-admin list-tags-for-resource --resource-arn "arn:aws:sso:::instance/456" --region us-west-2, and this works for the instance created in the same account, but when I try to access the one created in the mgm account, I get this:

    An error occurred (AccessDeniedException) when calling the ListTagsForResource operation: User: arn:aws:iam::123:root is not authorized to perform: sso:ListTagsForResource on resource: arn:aws:sso:::instance/ssoins-456 because no resource-based policy allows the sso:ListTagsForResource action

I already tried creating a role to assume the mgm account, and also following this tutorial about "Delegate access across AWS accounts using IAM roles" => https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html

Currently we are using our implementation, which is basically based on roles, so to make the connection we use a role, and according to the permissions attached we have some services and actions available. We literally gave the role admin permissions, but we got the same error. With the AWS SDK we got almost the same error:

    AccessDeniedException: User: arn:aws:sts::123:assumed-role/roleName/Rolenamesession is not authorized to perform: sso:ListTagsForResource on resource: arn:aws:sso:::instance/ssoins-456 because no resource-based policy allows the sso:ListTagsForResource

For me it's pretty weird: I have access to the management IC instance's users from the member account, but not to the IC tags.

Note: I also tried disabling the SCP policies in the org, but got the same result.

I'd appreciate some help here, it's frustrating.

1 Answer
0

Hello,

I've tried to replicate the issue you're experiencing, but it appears there may be some mistakes in permissions or misconfigurations. Below, I've outlined the steps I followed:

Step 1: Set Up Permissions in the Management Account

1. Create an IAM policy for listing tags. Navigate to IAM in the management account and create a new policy (ListTagsPolicy) with permissions to list tags for the Identity Center instance:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "sso:ListTagsForResource",
                "Resource": "*"
            }
        ]
    }

   Save the policy.

2. Create an IAM role for cross-account access. Still in IAM, create a new role (CrossAccountAccessRole) and establish trust with the member account by adding the member account as a trusted entity:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::member-account-id:root"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }

   Attach the ListTagsPolicy created earlier to this role. Note the ARN of the created role (e.g., arn:aws:iam::management-account-id:role/CrossAccountAccessRole).

Step 2: Assume Role in Member Account

1. Configure AWS CLI or SDK. In the member account, configure your AWS CLI or SDK to use credentials that have permissions to assume roles. Ensure you have the role ARN from the management account.

2. Assume the role using the AWS CLI. Use the following command to assume the role, replacing placeholders with actual values:

    aws sts assume-role --role-arn "arn:aws:iam::management-account-id:role/CrossAccountAccessRole" --role-session-name "AccessInstanceTags"

   This command returns security credentials (Access Key ID, Secret Access Key, and Session Token).

3. Configure the session using the returned credentials:

    export AWS_ACCESS_KEY_ID="ReturnedAccessKeyId"
    export AWS_SECRET_ACCESS_KEY="ReturnedSecretAccessKey"
    export AWS_SESSION_TOKEN="ReturnedSessionToken"

Step 3: Access Tags from Member Account

List tags for the Identity Center instance. Using the assumed role's session, run the following command:

    aws sso-admin list-tags-for-resource --resource-arn "arn:aws:sso:::instance/ssoins-456" --region us-west-2

If permissions and configurations are correct, this will list the tags of the Identity Center instance.

Vyto
answered 4 months ago
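An added example, written for this page rather than taken from the question or from Vyto's answer: the same assume-then-list procedure as a boto3 script, with the check a practitioner would want before calling sso-admin at all. Both errors quoted in the question name account 123 as the caller (first the root user, then the assumed role), and an sso instance ARN has an empty account field, so the only place a role assumed in the wrong account becomes visible is sts:GetCallerIdentity on the temporary credentials; the script refuses to continue unless that account matches the account in the role ARN. The role name CrossAccountAccessRole and session name AccessInstanceTags come from the answer and the instance ARN from the question; account IDs 123 (member) and 999 (management), the credentials and the tag values in the offline stand-ins are constructed, and the real run in the `__main__` block assumes boto3 is installed and member-account credentials are configured. Passing the instance ARN as both InstanceArn and ResourceArn is an assumption about how the instance is addressed in the SDK call; the CLI command on the page passes only the resource ARN.

```python
"""Added example (not code from the question or the answer above).

Assume a role that lives in the management account, confirm the resulting
session really is in the management account, then list the Identity Center
instance's tags. A real run needs boto3; the fakes at the bottom let the same
flow run offline. Account IDs (123 = member, 999 = management), credentials
and tag values are constructed for the example.
"""
from __future__ import annotations

from typing import Any, Callable, Dict, List, Optional, Tuple

ROLE_ARN = "arn:aws:iam::999:role/CrossAccountAccessRole"   # 999 is a constructed account ID
INSTANCE_ARN = "arn:aws:sso:::instance/ssoins-456"          # from the question
REGION = "us-west-2"


def account_id_from_arn(arn: str) -> str:
    """Return the account field of arn:partition:service:region:account:resource."""
    parts = arn.split(":", 5)
    if len(parts) != 6:
        raise ValueError(f"not an ARN: {arn!r}")
    return parts[4]


def assume_role(sts: Any, role_arn: str, session_name: str = "AccessInstanceTags") -> Dict[str, str]:
    """sts:AssumeRole, returned as keyword arguments for boto3.client()."""
    c = sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name)["Credentials"]
    return {"aws_access_key_id": c["AccessKeyId"],
            "aws_secret_access_key": c["SecretAccessKey"],
            "aws_session_token": c["SessionToken"]}


def verify_caller_account(sts: Any, expected_account: str) -> str:
    """Fail before touching sso-admin if the session is not in the expected account.

    The instance ARN carries no account, so a role assumed in the member
    account (123 in the question's errors) only shows up here.
    """
    ident = sts.get_caller_identity()
    if ident["Account"] != expected_account:
        raise RuntimeError(f"session {ident['Arn']} is in account {ident['Account']}, "
                           f"not {expected_account}: the role was assumed in the wrong account")
    return ident["Arn"]


def list_instance_tags(sso_admin: Any, instance_arn: str) -> Dict[str, str]:
    """All tags on an Identity Center instance as a dict, following NextToken."""
    tags: Dict[str, str] = {}
    token: Optional[str] = None
    while True:
        # Assumption: the tagged resource is the instance itself, so the same
        # ARN is passed as InstanceArn and ResourceArn.
        kwargs: Dict[str, Any] = {"InstanceArn": instance_arn, "ResourceArn": instance_arn}
        if token:
            kwargs["NextToken"] = token
        resp = sso_admin.list_tags_for_resource(**kwargs)
        for t in resp.get("Tags", []):
            tags[t["Key"]] = t["Value"]
        token = resp.get("NextToken")
        if not token:
            return tags


def tags_via_cross_account_role(factory: Callable[..., Any], role_arn: str,
                                instance_arn: str, region: str) -> Dict[str, str]:
    """Whole procedure; factory(service_name, region_name=..., **creds) is boto3.client in production."""
    creds = assume_role(factory("sts", region_name=region), role_arn)
    verify_caller_account(factory("sts", region_name=region, **creds), account_id_from_arn(role_arn))
    return list_instance_tags(factory("sso-admin", region_name=region, **creds), instance_arn)


# ---- constructed offline stand-ins so the flow can be exercised without AWS ----

class FakeSts:
    def __init__(self, account: str) -> None:
        self.account = account                       # account the session is in

    def assume_role(self, RoleArn: str, RoleSessionName: str) -> Dict[str, Any]:
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE",
                                "SecretAccessKey": "x", "SessionToken": "tok"}}

    def get_caller_identity(self) -> Dict[str, str]:
        return {"Account": self.account,
                "Arn": f"arn:aws:sts::{self.account}:assumed-role/CrossAccountAccessRole/AccessInstanceTags"}


class FakeSsoAdmin:
    PAGES: List[Tuple[List[Dict[str, str]], Optional[str]]] = [
        ([{"Key": "Exclude", "Value": "true"}], "page2"),
        ([{"Key": "Owner", "Value": "platform"}], None),
    ]

    def list_tags_for_resource(self, InstanceArn: str, ResourceArn: str,
                               NextToken: Optional[str] = None) -> Dict[str, Any]:
        tags, nxt = self.PAGES[1 if NextToken else 0]
        return {"Tags": tags, **({"NextToken": nxt} if nxt else {})}


def fake_factory(session_account: str) -> Callable[..., Any]:
    """Calls without credentials come from member account 123; the temporary
    credentials land in session_account (999 if the role is in the management account)."""
    def factory(service: str, region_name: str, **creds: str) -> Any:
        if service == "sts":
            return FakeSts(session_account if creds else "123")
        return FakeSsoAdmin()
    return factory


if __name__ == "__main__":
    import boto3   # real run only; not needed for the offline stand-ins
    print(tags_via_cross_account_role(boto3.client, ROLE_ARN, INSTANCE_ARN, REGION))
```

With the fakes, `tags_via_cross_account_role(fake_factory("999"), ROLE_ARN, INSTANCE_ARN, REGION)` walks both pages and returns both tags, while `fake_factory("123")` (the session stays in the member account) stops with a RuntimeError naming account 123 before any sso-admin call is made, which is the point at which the question's AccessDeniedException would otherwise appear.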
