Hi John,
It seems like you're on the right path, and as Daniel mentioned, the resource section for organizations:ListAccounts needs to be in a separate policy.
I have made an example policy for you:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/CrossAccountMy365Attestation"
      ]
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "organizations:ListAccounts"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
Please try with that and let us know if it works for you.
Thanks :)
To list all accounts that your user has access to using the AmazonOrganizationsClient.ListAccounts method in C# .NET Core 8, you need to ensure that your user has the appropriate permissions. The error you're receiving suggests that your current IAM user or role lacks the necessary permissions to perform this action.
To resolve this issue, you need to have the appropriate IAM permissions attached to your user or role. Specifically, you should have the "organizations:ListAccounts" permission. This permission is typically included in the "AWSOrganizationsReadOnlyAccess" managed policy, or you can create a custom policy that includes this specific permission.
It's important to note that the ListAccounts operation can only be called from the organization's management account or by a member account that is a delegated administrator for an AWS service. If you're not using the management account or a delegated administrator account, you won't be able to list all accounts in the organization, regardless of your IAM permissions.
If you're trying to list only the accounts that your specific IAM user has access to (rather than all accounts in the organization), you might want to consider using the AWS IAM Identity Center (formerly AWS Single Sign-On) ListAccounts API instead. This API lists all AWS accounts assigned to the user by the administrator of the account.
Your code looks correct for calling the ListAccountsAsync method. If you have the proper permissions and are using the management account or a delegated administrator account, this code should work:
using System.Threading.Tasks;
using Amazon.Organizations;
using Amazon.Organizations.Model;

public async Task<ListAccountsResponse> RetrieveAccountsAsync()
{
    // Static credentials of the IAM user; Organizations is a global service whose
    // API endpoint is served from us-east-1 in the standard AWS partition.
    var awsCredentials = new Amazon.Runtime.BasicAWSCredentials(AccessKeyId, AccessKeySecret);
    var client = new AmazonOrganizationsClient(awsCredentials, Amazon.RegionEndpoint.USEast1);

    // Returns the first page of accounts; a non-null NextToken in the response
    // means there are more pages to fetch.
    return await client.ListAccountsAsync(new ListAccountsRequest { });
}
If you continue to face issues after ensuring you have the correct permissions, you may want to double-check your AWS credentials and make sure they are valid and have not expired.
Sources
ListAccounts - AWS Organizations
Use ListAccounts with an AWS SDK or CLI - AWS Organizations
ListAccounts - AWS IAM Identity Center
These are my current permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole",
        "organizations:ListAccounts"
      ],
      "Resource": [
        "arn:aws:iam::*:role/CrossAccountMy365Attestation"
      ]
    }
  ]
}
The IAM user is in the organizational account. Am I missing something else?
@JohnW Did you create that policy manually? Trying to create it in the console results in two separate statements (since the "organizations:ListAccounts" action only supports the all-resources wildcard):
{
  "Sid": "VisualEditor0",
  "Effect": "Allow",
  "Action": "organizations:ListAccounts",
  "Resource": "*"
}
With that policy, the API operation succeeds for me.
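The split policy in the first answer and the last comment's point that organizations:ListAccounts only supports the all-resources wildcard can be checked offline with a small model of how IAM matches one statement. The following is an added example, not code from the thread or from AWS: it re-implements only the Action/Resource wildcard matching and the Allow / explicit Deny / implicit deny outcome (no Condition, NotAction, principals or SCPs), and the account ID 111122223333 in the sample requests is a placeholder.

```python
import json
import re

# Added example (not code from the thread): a minimal model of IAM statement
# matching, enough to show why the one-statement policy denies
# organizations:ListAccounts while the split policy allows it. It ignores
# Condition, NotAction/NotResource, principals and SCPs.

# The requester's original policy, as posted in the thread.
ORIGINAL_POLICY = json.loads("""
{ "Version": "2012-10-17",
  "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow",
    "Action": [ "sts:AssumeRole", "organizations:ListAccounts" ],
    "Resource": [ "arn:aws:iam::*:role/CrossAccountMy365Attestation" ] } ] }
""")

# The split policy from the first answer: ListAccounts gets its own statement
# with Resource "*", while AssumeRole stays scoped to the one role ARN.
SPLIT_POLICY = json.loads("""
{ "Version": "2012-10-17",
  "Statement": [
    { "Sid": "VisualEditor0", "Effect": "Allow",
      "Action": [ "sts:AssumeRole" ],
      "Resource": [ "arn:aws:iam::*:role/CrossAccountMy365Attestation" ] },
    { "Sid": "VisualEditor1", "Effect": "Allow",
      "Action": [ "organizations:ListAccounts" ],
      "Resource": [ "*" ] } ] }
""")


def iam_match(pattern: str, value: str, case_sensitive: bool = True) -> bool:
    """IAM-style wildcard match: '*' matches any run of characters, '?' exactly
    one, everything else literally. Action names are compared
    case-insensitively, resource ARNs case-sensitively."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.fullmatch(regex, value, flags) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request.
    An explicit Deny wins over any Allow; no matching statement is an implicit deny."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if not any(iam_match(a, action, case_sensitive=False) for a in actions):
            continue
        if not any(iam_match(r, resource) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


# organizations:ListAccounts has no resource-level permissions, so the request is
# evaluated against the all-resources wildcard: only a statement whose Resource
# matches "*" can allow it. sts:AssumeRole does support resource-level
# permissions, so its request carries the target role ARN (placeholder account ID).
LIST_ACCOUNTS_REQUEST = ("organizations:ListAccounts", "*")
ASSUME_ROLE_REQUEST = ("sts:AssumeRole",
                       "arn:aws:iam::111122223333:role/CrossAccountMy365Attestation")
OTHER_ROLE_REQUEST = ("sts:AssumeRole",
                      "arn:aws:iam::111122223333:role/SomeOtherRole")


def compare_policies() -> dict:
    """Evaluate the three sample requests against both policies from the thread."""
    results = {}
    for name, policy in (("original", ORIGINAL_POLICY), ("split", SPLIT_POLICY)):
        results[name] = {
            "ListAccounts": evaluate(policy, *LIST_ACCOUNTS_REQUEST),
            "AssumeRole(target role)": evaluate(policy, *ASSUME_ROLE_REQUEST),
            "AssumeRole(other role)": evaluate(policy, *OTHER_ROLE_REQUEST),
        }
    return results


if __name__ == "__main__":
    print(json.dumps(compare_policies(), indent=2))
```

Running it shows the original one-statement policy produces an implicit deny for ListAccounts, because the role ARN pattern never matches the "*" the request is evaluated against, while the split policy allows it and still scopes sts:AssumeRole to the one role in both versions. For a check against the live principal, including SCPs and conditions this model leaves out, use the IAM policy simulator (iam:SimulatePrincipalPolicy).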