1 Answer
You only have one Organisation, a Management account and then member accounts. By default, if you create an account in the Org using the Org tools, it will create a trusted cross-account role in the member account called OrganizationAccountAccessRole. You can use this IAM role without Identity Center.
If you invite an already existing account into the Org, you can create this role.
Either way, as long as you have a role in the member account which trusts the Management account, you can just assume that role.
More details in the 2nd bullet point here: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html
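To make the answer concrete, here is an added Python example (not from the original answer and not AWS code) that builds the trust policy such a role needs, derives the role ARN the Management account assumes, and audits an existing trust policy for which accounts it trusts; the 12-digit account ids used are constructed placeholders.

```python
"""Build and audit the trust policy behind OrganizationAccountAccessRole.

Organizations creates this role for accounts it creates; for an invited
account you create it yourself with a trust policy like the one built here.
All account ids in this file are constructed placeholders.
"""
import json
import re

ROLE_NAME = "OrganizationAccountAccessRole"
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
PRINCIPAL_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):")


def trust_policy(management_account_id: str, require_mfa: bool = False) -> dict:
    """Trust policy letting principals in the Management account assume the role."""
    if not ACCOUNT_ID_RE.match(management_account_id):
        raise ValueError("management account id must be 12 digits")
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{management_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:
        # Tighter than the default role: only MFA-authenticated sessions may assume.
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def role_arn(member_account_id: str) -> str:
    """ARN to pass to `aws sts assume-role --role-arn ...` from the Management account."""
    return f"arn:aws:iam::{member_account_id}:role/{ROLE_NAME}"


def trusted_accounts(policy: dict) -> set:
    """Account ids (or '*') that an Allow sts:AssumeRole statement trusts.
    A member account's role should trust only the Management account."""
    found = set()
    for st in policy.get("Statement", []):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow" or not ({"sts:AssumeRole", "sts:*"} & set(actions)):
            continue
        principals = st.get("Principal", {}).get("AWS", [])
        for p in [principals] if isinstance(principals, str) else principals:
            m = PRINCIPAL_ARN_RE.match(p)
            found.add(m.group(1) if m else p)  # bare ids and '*' pass through as-is
    return found


if __name__ == "__main__":
    print(json.dumps(trust_policy("111111111111", require_mfa=True), indent=2))
    print(role_arn("222222222222"))
```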
Hello Gary, thank you for your response. Unfortunately, I still do not understand the functionality. I am certain that I likely phrased my original inquiry wrong. I will try to break it down further here:
I am currently logged in as the AWS root user. Under IAM, I click on Related consoles > AWS Organizations (I could have just gone to AWS Organizations, but these are my steps at the moment).
From AWS Organizations, I see a tree of Root >
My root email login is associated with Account #1, but Account #2 has a completely different email listed.
With that out of the way, there are two questions that I have:
1.) On the current root user (Account #1), I see no DB instances [0/40]. I know DBs are listed under Account #2. At this point, is it possible to toggle over to Account #2 without a separate user login?
2.) My current process is to create a secondary IAM Identity Center user using the Account #1 root login and assign that newly created user access to only Account #2 under the AWS account settings:
2a.) IAM Identity Center > Users > Add User
2b.) IAM Identity Center > Multi-account permissions > AWS accounts > select Account #2 > Assign users or groups > find the newly created user from 2a > select user > next
At this point the newly created user has access to view my DBs on account #2, but that is because I gave them access to that specific AWS account. Why can't root do this?