AWS SSO user with AdministratorAccess cannot access root owned resources
I have an AWS environment where all the resources (VPCs, EC2, Route53, etc.) were created and administered by the root account, and I'm trying to move away from this so administration of the environment can be delegated to others. I've set up AWS SSO with our IdP (Okta), created an AWS account for the user and linked it with an SSO user, created the permission set "AdministratorAccess" and assigned it to the AWS account. I'm able to sign in to AWS via the IdP and can see that the assigned permission set is AdministratorAccess, but I cannot access/view any of the resources that were created by the root account.
I’ve been going through all the IAM, policy and access documentation and cannot figure out how to provide access to the resources. I assumed assigning the AdministratorAccess permission set was sufficient, but I’m clearly mistaken or missing something.
Any assistance would be greatly appreciated.
What resources exactly are we talking about? S3 buckets? SNS topics? AWS doesn't really have a notion of an "owner" that has special access (except for some S3 objects, but that is a different story). The only thing I can imagine is that they wrote an S3 bucket policy to do a "deny *" for everybody but themselves. In that case, the only thing you can do is to log in as root and remove/fix the policy.
A VPC, an EC2 instance, etc. doesn't have a resource policy, so you wouldn't be able to restrict access to it that way.
Other things to consider:
- Are you SURE you are in the right account and region?
- Is this perhaps part of an account in an org that has SCPs active?
The resources I'm referring to are VPCs, EC2 instances, and Route 53 zones. When signed in as the root account, I have 4 VPCs, 10+ Route 53 zones, and 30+ EC2 instances across multiple regions. The SSO user assigned the AdministratorAccess permission set cannot see any of this.
I've confirmed that the account and regions are correct, and the Organization details are the same for the SSO user: same Organization ID, and the Management ID is that of our root account. All AWS Organization policies are disabled, and AWS Organization services are all "access disabled" other than SSO.
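As an added example (not part of the original thread), the following Python script works the answer's checklist in code rather than by clicking through the console: it confirms which account and permission-set role the SSO session actually resolves to, counts VPCs in every enabled region, and gathers the SCPs that apply to the account (directly attached plus inherited from parent OUs and the root) so any explicit Deny covering the failing actions can be spotted. The SCP documents at the top are constructed samples; the probe action list, function names and the `aws sso login` profile assumption are mine, not the answerer's. The Organizations calls only work with management-account (or delegated administrator) credentials, and if SCPs are not enabled in the organization, as the follow-up states, the policy lookup reports the error and comes back empty.

```python
"""Added diagnostic for "AdministratorAccess but sees nothing": which account did
the SSO role land in, how many VPCs exist per region, and do any Organizations
SCPs carry an explicit Deny that covers the actions that appear to fail."""
import fnmatch
import json

# Actions the asker got no results for (constructed list; edit to taste).
PROBE_ACTIONS = ["ec2:DescribeVpcs", "ec2:DescribeInstances", "route53:ListHostedZones"]

# Constructed sample SCPs so explicit_denies() can run offline: FullAWSAccess plus
# two typical locked-down-org denies (a service read deny and a region fence).
ALLOW_ALL = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_EC2 = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyEc2Reads", "Effect": "Deny", "Action": ["ec2:Describe*"], "Resource": "*"}]}
REGION_FENCE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyOutsideUsEast1", "Effect": "Deny", "Resource": "*",
     "NotAction": ["iam:*", "sts:*", "organizations:*"],
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1"]}}}]}
SAMPLE_SCPS = [ALLOW_ALL, DENY_EC2, REGION_FENCE]


def _as_list(value):
    """IAM JSON allows a bare string or a list in Statement/Action/NotAction/Resource."""
    return [] if value is None else value if isinstance(value, list) else [value]


def _matches(action, patterns):
    # IAM action matching is case-insensitive with * and ? wildcards, which fnmatch
    # also implements: lower both sides, then match case-sensitively.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def explicit_denies(policy_docs, action):
    """Deny statements whose Action/NotAction covers `action`. Resource and Condition
    are reported rather than evaluated so a human can judge their scope."""
    hits = []
    for doc in policy_docs:
        for stmt in _as_list(doc.get("Statement")):
            if stmt.get("Effect") != "Deny":
                continue
            if "Action" in stmt:
                covered = _matches(action, _as_list(stmt["Action"]))
            else:  # NotAction denies everything that is *not* listed
                covered = "NotAction" in stmt and not _matches(action, _as_list(stmt["NotAction"]))
            if covered:
                hits.append({"sid": stmt.get("Sid", "<no Sid>"),
                             "resource": _as_list(stmt.get("Resource", "*")),
                             "condition": stmt.get("Condition")})
    return hits


def caller_identity(session):
    """Account ID and ARN; the ARN names the permission-set role you actually assumed."""
    return session.client("sts").get_caller_identity()


def vpc_counts_by_region(session):
    """VPC count per enabled region. All zeros: wrong account. Counts only in
    regions other than the one selected in the console: wrong region."""
    regions = [r["RegionName"] for r in session.client("ec2").describe_regions()["Regions"]]
    return {r: len(session.client("ec2", region_name=r).describe_vpcs()["Vpcs"]) for r in regions}


def scp_documents_for_account(session, account_id):
    """Effective SCP set: policies attached to the account, its ancestor OUs and the
    root. Needs Organizations read access, i.e. management-account credentials."""
    from botocore.exceptions import ClientError
    org = session.client("organizations")
    targets, node = [account_id], account_id
    while True:  # walk up the OU tree; an account or OU has exactly one parent
        parent = org.list_parents(ChildId=node)["Parents"][0]
        targets.append(parent["Id"])
        if parent["Type"] == "ROOT":
            break
        node = parent["Id"]
    docs = []
    for target in targets:
        try:
            pages = org.get_paginator("list_policies_for_target").paginate(
                TargetId=target, Filter="SERVICE_CONTROL_POLICY")
            for page in pages:
                for summary in page["Policies"]:
                    policy = org.describe_policy(PolicyId=summary["Id"])["Policy"]
                    docs.append(json.loads(policy["Content"]))
        except ClientError as err:  # SCPs disabled in the org, or no Organizations rights
            print(f"{target}: {err.response['Error']['Code']}; no SCPs evaluated")
    return docs


if __name__ == "__main__":
    import boto3  # only needed for the live checks; honours AWS_PROFILE (e.g. an SSO profile)
    session = boto3.Session()
    me = caller_identity(session)
    print(f"Signed in to account {me['Account']} as {me['Arn']}")
    for region, count in sorted(vpc_counts_by_region(session).items()):
        print(f"  {region}: {count} VPC(s)")
    scps = scp_documents_for_account(session, me["Account"])
    for action in PROBE_ACTIONS:
        for hit in explicit_denies(scps, action):
            print(f"  {action} explicitly denied by {hit['sid']} (condition={hit['condition']})")
```

Run it once with `AWS_PROFILE` pointing at the SSO profile that assumes the AdministratorAccess permission set and once with management-account credentials; if the two account IDs differ, the permission set was assigned to a different account than the one holding the resources. The Deny check is deliberately coarse: it matches Action/NotAction and reports Resource and Condition without evaluating them, so a region-fencing deny like the sample is surfaced for review rather than silently judged.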