Delegated Administrative Policy error to add CreateOrganizationalUnit

0

I have created a Delegation Policy and assigned it to an account so that I can log in as the user in that account to perform administrative tasks just like root.

Unfortunately, I am not able to create OU when I login as the user assigned as the delegated administrator.

When I review the Policy for the Delegated Administrator, there is no permission for CreateOrganizationalUnit. Below is the Policy for the Delegated Administrator.

After I added "organizations:CreateOrganizationalUnit" to the policy below and clicked Save Policy, I get an error: Failed to edit delegation policy. API Response: This resource-based policy contains an unsupported action.

  1. How do I fix the error above?
  2. Is there a way I can create an administrator user to inherit permissions from root without having to assign individual permissions?
  3. Can I assign the managed permission set such as billing, AdministratorAccess etc to the Delegated administrative Policy?
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DelegatingNecessaryDescribeListActions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111117:root"
      },
      "Action": [
        "organizations:DescribeOrganization",
        "organizations:DescribeOrganizationalUnit",
        "organizations:DescribeAccount",
        "organizations:DescribePolicy",
        "organizations:DescribeEffectivePolicy",
        "organizations:ListRoots",
        "organizations:ListOrganizationalUnitsForParent",
        "organizations:ListParents",
        "organizations:ListChildren",
        "organizations:ListAccounts",
        "organizations:ListAccountsForParent",
        "organizations:ListPolicies",
        "organizations:ListPoliciesForTarget",
        "organizations:ListTargetsForPolicy",
        "organizations:ListTagsForResource"
      ],
      "Resource": "*"
    }
  ]
}
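The error in the question comes from the delegation policy itself, but it is also worth checking what the policy posted above actually grants before trying to extend it. The following is an added example (not from the original post and not an AWS tool): a small evaluator that loads the question's policy verbatim and asks, for a given principal ARN, whether an Organizations action is explicitly allowed. It models only Effect, Principal, Action/NotAction and IAM-style wildcards; the real AWS evaluation also considers conditions, SCPs and the caller's identity policies, so treat it as a review aid for reading a delegation policy, not as an authorization oracle.

```python
"""Read-only evaluator for an AWS Organizations delegation (resource-based) policy.

Added example for the question above; it is not part of the original post and not
an AWS library. Supports Effect / Principal / Action / NotAction with '*' and '?'
wildcards. Conditions, SCPs and identity-based policies are NOT modelled.
"""
import fnmatch
import json

# The delegation policy from the question, embedded verbatim.
DELEGATION_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DelegatingNecessaryDescribeListActions",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111111111117:root" },
      "Action": [
        "organizations:DescribeOrganization",
        "organizations:DescribeOrganizationalUnit",
        "organizations:DescribeAccount",
        "organizations:DescribePolicy",
        "organizations:DescribeEffectivePolicy",
        "organizations:ListRoots",
        "organizations:ListOrganizationalUnitsForParent",
        "organizations:ListParents",
        "organizations:ListChildren",
        "organizations:ListAccounts",
        "organizations:ListAccountsForParent",
        "organizations:ListPolicies",
        "organizations:ListPoliciesForTarget",
        "organizations:ListTargetsForPolicy",
        "organizations:ListTagsForResource"
      ],
      "Resource": "*"
    }
  ]
}""")


def _as_list(value):
    """IAM lets most fields be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, arn):
    """Principal is either the string "*" or a dict such as {"AWS": "arn..." | [...]}."""
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    return any(p == "*" or p == arn for p in _as_list(principal.get("AWS", [])))


def _action_matches(patterns, action):
    """IAM action matching is case-insensitive and supports '*' and '?'."""
    action = action.lower()
    return any(fnmatch.fnmatchcase(action, p.lower()) for p in patterns)


def evaluate(policy, principal_arn, action):
    """Return "Allow", "Deny" (an explicit Deny wins) or "ImplicitDeny"."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not _principal_matches(stmt.get("Principal", {}), principal_arn):
            continue
        if "Action" in stmt:
            hit = _action_matches(_as_list(stmt["Action"]), action)
        else:  # NotAction: the statement applies to every action NOT listed
            hit = not _action_matches(_as_list(stmt.get("NotAction", [])), action)
        if not hit:
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def granted_actions(policy, principal_arn):
    """Sorted set of literal actions the policy grants to principal_arn (no wildcard expansion)."""
    granted = set()
    for stmt in _as_list(policy["Statement"]):
        if stmt["Effect"] != "Allow" or "Action" not in stmt:
            continue
        if _principal_matches(stmt.get("Principal", {}), principal_arn):
            granted.update(_as_list(stmt["Action"]))
    return sorted(granted)


if __name__ == "__main__":
    member = "arn:aws:iam::111111111117:root"
    for act in ("organizations:ListRoots", "organizations:CreateOrganizationalUnit"):
        print(f"{act:45s} -> {evaluate(DELEGATION_POLICY, member, act)}")
    print(f"{len(granted_actions(DELEGATION_POLICY, member))} actions granted, all Describe/List")
```

Running it shows that the posted policy grants the member account only the fifteen Describe/List actions and that `organizations:CreateOrganizationalUnit` falls through to an implicit deny, which is the behaviour the question describes before the failed edit. Any other account ARN gets nothing, because the single statement names one principal.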
2 Answers
0
Accepted Answer

Be aware of the following:

- The CreateOrganizationalUnit permission needs to be explicitly added to the policy for the delegated administrator role.
- AWS Organizations does not support resource-based policies for delegated administrators. The policy must use the supported action-based format.
- As a best practice, consider creating an IAM group with the required administrator permissions, then assigning the group to the delegated user instead of individual permissions.

To create an administrator group:

- Open the IAM console and create a new group called "Administrators"
- Attach the managed policy "AdministratorAccess" to grant full administrative permissions
- Add users to the group to inherit the permissions

EXPERT
answered 3 months ago
0

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_delegated_admin.html

By registering a member account as a delegated administrator for an AWS service you enable that account to have some administrative permissions for that service, as well as permissions for Organizations read-only actions.

The best way to avoid using the root user is to create a user and assign it to the Management account, then assign the AdministratorAccess permission set to the user using Identity Center.

The purpose of a Delegated Administrator is mainly to manage all of the organization's accounts used in the service and to reduce the use of the management account.

Lottie
answered 2 months ago
