Hello.
Normally, Account1 is not the root account that manages AWS Organizations, so you cannot check member account information using the "list-accounts-for-parent" command.
If you configure Account1 as a delegated account in AWS Organizations, you should be able to use "list-accounts-for-parent".
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_delegated_admin.html
I found a working a solution!
Add the statement below to your AWS Organizations delegated admin policy. This must be done from your AWS org's management account unless you've already delegated org policy admin rights to another account:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOrganizationsRead",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "organizations:ListAccounts",
        "organizations:ListAccountsForParent",
        "organizations:ListChildren",
        "organizations:ListParents"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "<YOUR_ORG_ID>"
        }
      }
    }
  ]
}
Notes:
- Example above includes additional actions like organizations:ListChildren just because I thought they'd be useful. If you truly only need ListAccountsForParent, of course you can scope down.
- Refer to official docs for step-by-step on editing your organization delegated admin policy: Create a resource-based delegation policy with AWS Organizations
- It's critical that you include "aws:PrincipalOrgID": "<YOUR_ORG_ID>" to limit the actions as coming from accounts in your org only. There are other conditions you can add if you want to scope down further, for example: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html
Delegated admin policy is nothing new; I had just assumed this particular policy type wouldn't let us specify Principal: "*". I was pleasantly surprised to find out I was wrong.
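As an added example (not code posted by anyone in this thread), the following Python script builds the delegation policy from the answer above, lints it for the scoping mistake the answer warns about (a Principal of "*" with no aws:PrincipalOrgID condition, or a wildcarded action), and prints the AWS CLI commands to apply it from the management account and exercise it from the member account. The org ID, OU ID and account ID are placeholders, not real identifiers; the optional account_id argument, which narrows the Principal to one member account, is this example's own addition.

```python
"""Build and lint an AWS Organizations delegation (resource-based) policy.

Added example for this thread, not code posted by any participant.
The org ID, OU ID and account ID below are placeholders (assumptions);
substitute your own before applying the policy.
"""
import json

# Placeholder identifiers (assumed, not from the thread).
ORG_ID = "o-exampleorgid"
OU_ID = "ou-exam-ple12345"
MEMBER_ACCOUNT_ID = "111111111111"

# Read-only Organizations actions used by list-accounts-for-parent and its
# siblings. Scope down to ListAccountsForParent alone if that is all you use.
READ_ACTIONS = [
    "organizations:ListAccounts",
    "organizations:ListAccountsForParent",
    "organizations:ListChildren",
    "organizations:ListParents",
]


def build_delegation_policy(org_id, actions=READ_ACTIONS, account_id=None):
    """Return a delegation policy document as a dict.

    With account_id=None the Principal is "*" limited by aws:PrincipalOrgID,
    as in the answer above. With an account ID the Principal is narrowed to
    that account's root, which is the tighter option when only one member
    account (Account1) needs the access.
    """
    if account_id is None:
        principal = "*"
    else:
        principal = {"AWS": f"arn:aws:iam::{account_id}:root"}
    statement = {
        "Sid": "AllowOrganizationsRead",
        "Effect": "Allow",
        "Principal": principal,
        "Action": list(actions),
        "Resource": "*",
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": org_id}},
    }
    return {"Version": "2012-10-17", "Statement": [statement]}


def lint_delegation_policy(policy):
    """Return a list of findings; an empty list means the policy passes.

    Per Allow statement: the Principal element must be present (resource-based
    policies require it), a wildcard Principal must carry an aws:PrincipalOrgID
    condition, and no action may be wildcarded.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal is None:
            findings.append(f"{sid}: missing Principal element")
            continue
        wildcard_principal = principal == "*" or principal == {"AWS": "*"}
        condition_keys = {
            key.lower()
            for operator in stmt.get("Condition", {}).values()
            for key in operator
        }
        if wildcard_principal and "aws:principalorgid" not in condition_keys:
            findings.append(
                f"{sid}: Principal '*' without aws:PrincipalOrgID condition"
            )
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            if action.endswith("*"):
                findings.append(f"{sid}: wildcard action {action}")
    return findings


def main():
    policy = build_delegation_policy(ORG_ID)
    print(json.dumps(policy, indent=2))
    print("lint:", lint_delegation_policy(policy) or "ok")
    # Apply from the management account, then call from the member account.
    print("aws organizations put-resource-policy --content file://delegation-policy.json")
    print(f"aws organizations list-accounts-for-parent --parent-id {OU_ID}")


if __name__ == "__main__":
    main()
```

Save the printed JSON as delegation-policy.json and run the put-resource-policy command with management-account credentials; then, with Account1 credentials, run the list-accounts-for-parent command against the OU you want to enumerate. Account1 still needs an identity-based IAM policy allowing the same organizations:List* actions; the delegation policy only grants the organization-side permission.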
Hello,
You can use the command below from a member account of the same organizational unit for which you are trying to list all AWS accounts. Just authenticate yourself with a member account from the same organization and you should be able to do it. Use the command below:
aws organizations list-accounts
Policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "organizations:ListAccounts",
      "Resource": "*"
    }
  ]
}
Hope this helps!
Thanks, Manoj Kumar
Hi @rkmanoj, unfortunately this is exactly what I tried and, as I wrote in the original question, this did not work.
Seems like adding the account as a delegated account does the trick - see @Riku_Kobayashi's answer.

You can create a delegation policy by following the steps in the following document: https://docs.aws.amazon.com/organizations/latest/userguide/orgs-policy-delegate.html
By setting the delegation policy as follows, you can execute "list-accounts-for-parent" on Account1.