
AmazonOrganizationsClient.ListAccounts (ListAccountsRequest) C# .net core 8


I need a way to pull all accounts that my user has access to.

Looking at https://docs.aws.amazon.com/sdkfornet/v3/apidocs/items/Organizations/MOrganizationsListAccountsListAccountsRequest.html

It mentions Note: For .NET Core this operation is only available in asynchronous form. Please refer to ListAccountsAsync.

I have been unable to find documentation on this, and my current code is

using System.Threading.Tasks;
using Amazon.Organizations;
using Amazon.Organizations.Model;

public async Task<ListAccountsResponse> RetrieveAccountsAsync()
{
    // AccessKeyId and AccessKeySecret are fields defined elsewhere in the enclosing class.
    var awsCredentials = new Amazon.Runtime.BasicAWSCredentials(AccessKeyId, AccessKeySecret);

    var client = new AmazonOrganizationsClient(awsCredentials, Amazon.RegionEndpoint.USEast1);
    return await client.ListAccountsAsync(new ListAccountsRequest { });
}

The exception I am receiving is

AccessDeniedException: You don't have permissions to access this resource.

Any idea what permissions I need to list all accounts?

Thanks,

2 Answers
Accepted Answer

Hi John,

It seems like you're on the right path, and as Daniel mentioned, the resource section for organizations:ListAccounts needs to be in a separate policy.

I have made an example policy for you:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/CrossAccountMy365Attestation"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "organizations:ListAccounts"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Please try with that and let us know if it works for you.

Thanks :)

AWS
answered 9 days ago

To list all accounts that your user has access to using the AmazonOrganizationsClient.ListAccounts method in C# .NET Core 8, you need to ensure that your user has the appropriate permissions. The error you're receiving suggests that your current IAM user or role lacks the necessary permissions to perform this action.

To resolve this issue, you need to have the appropriate IAM permissions attached to your user or role. Specifically, you should have the "organizations:ListAccounts" permission. This permission is typically included in the "AWSOrganizationsReadOnlyAccess" managed policy, or you can create a custom policy that includes this specific permission.

It's important to note that the ListAccounts operation can only be called from the organization's management account or by a member account that is a delegated administrator for an AWS service. If you're not using the management account or a delegated administrator account, you won't be able to list all accounts in the organization, regardless of your IAM permissions.

If you're trying to list only the accounts that your specific IAM user has access to (rather than all accounts in the organization), you might want to consider using the AWS IAM Identity Center (formerly AWS Single Sign-On) ListAccounts API instead. This API lists all AWS accounts assigned to the user by the administrator of the account.

Your code looks correct for calling the ListAccountsAsync method. If you have the proper permissions and are using the management account or a delegated administrator account, this code should work:

public async Task<ListAccountsResponse> RetrieveAccountsAsync()
{
    var awsCredentials = new Amazon.Runtime.BasicAWSCredentials(AccessKeyId, AccessKeySecret);
    var client = new AmazonOrganizationsClient(awsCredentials, Amazon.RegionEndpoint.USEast1);
    return await client.ListAccountsAsync(new ListAccountsRequest { });
}

If you continue to face issues after ensuring you have the correct permissions, you may want to double-check your AWS credentials and make sure they are valid and have not expired.
Sources
ListAccounts - AWS Organizations
Use ListAccounts with an AWS SDK or CLI - AWS Organizations
ListAccounts - AWS IAM Identity Center

answered 12 days ago
  • These are my current permissions:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "sts:AssumeRole",
                    "organizations:ListAccounts"
                ],
                "Resource": [
                    "arn:aws:iam::*:role/CrossAccountMy365Attestation"
                ]
            }
        ]
    }

    The IAM user is in the organizational account. Am I missing something else?

  • @JohnW Did you create that policy manually? Trying to create it in the console results in two separate statements (since the "organizations:ListAccounts" action only supports the all resources wildcard):

    {
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": "organizations:ListAccounts",
        "Resource": "*"
    }

    With that policy, the API operation succeeds for me.
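An added example, not from this thread or from AWS, that checks an IAM policy document for the mistake discussed above: an Allow statement that grants organizations:ListAccounts (which only accepts Resource "*") while its Resource is scoped to a specific ARN, so the Allow never matches and the call is denied. The set of wildcard-only actions is an assumption seeded with the one action this thread covers; the two policy documents are constructed copies of the questioner's and the accepted answer's.

```python
import json

# Assumption: actions known to accept only the all-resources wildcard.
# organizations:ListAccounts is the one this thread demonstrates.
WILDCARD_ONLY_ACTIONS = {"organizations:ListAccounts"}


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_misscoped_actions(policy, wildcard_only=WILDCARD_ONLY_ACTIONS):
    """Return (Sid, action) pairs for Allow statements that grant a wildcard-only
    action without a literal "*" Resource. Such a statement never matches the
    request, so the call fails with AccessDenied although the action is listed."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "*" in _as_list(stmt.get("Resource")):
            continue
        for action in _as_list(stmt.get("Action")):
            if action in wildcard_only:
                findings.append((stmt.get("Sid", "<no Sid>"), action))
    return findings


# Constructed sample: the questioner's combined statement (denied at runtime).
COMBINED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "VisualEditor0", "Effect": "Allow",
    "Action": ["sts:AssumeRole", "organizations:ListAccounts"],
    "Resource": ["arn:aws:iam::*:role/CrossAccountMy365Attestation"]}]
}""")

# Constructed sample: the accepted answer's split statements (succeeds).
SPLIT_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow", "Action": ["sts:AssumeRole"],
     "Resource": ["arn:aws:iam::*:role/CrossAccountMy365Attestation"]},
    {"Sid": "VisualEditor1", "Effect": "Allow",
     "Action": ["organizations:ListAccounts"], "Resource": ["*"]}]
}""")
```

The check is deliberately conservative: only a literal "*" counts as the all-resources wildcard, and Deny statements are ignored because they cannot cause this particular failure.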
