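I get account or permission errors when I try to access or download AWS Organizations agreements with AWS Artifact.
Resolution
Follow the steps below to troubleshoot the error message that you received.
"Your account isn't in an organization. To create or join an organization, follow the instructions in Creating and Managing an AWS Organization"
This error occurs because the AWS account that you used to sign in to the AWS Management Console isn't part of an organization in AWS Organizations. To accept an organization agreement, you must create an organization for your account.
"You are signed in to the management account of an organization in AWS Organizations. You can manage agreements for your management account and for all member accounts in your organization. By continuing, you grant AWS permissions to create an IAM role to identify the member accounts in your organization in AWS Organizations."
This error occurs because trusted access for AWS Artifact hasn't been activated from the AWS Organizations console in the management account. You must activate trusted access for AWS Artifact from the organization's management account.
You can then download the organization agreement that is valid for all accounts in the organization:
- Open the AWS Artifact console from the management account.
- Choose Organization agreements.
- Select the organization agreement, and then choose Download agreement.
**Note:** You can't use a member account to accept an organization agreement. From a member account of the organization, you can only view or download organization agreements.
"You don't have the permissions to retrieve information about your AWS account's organization. You need permissions to describe your organization"
-or-
"You don't have the permissions to download the agreement. You need permissions to download this agreement in AWS Artifact"
This error occurs because the AWS Identity and Access Management (IAM) user doesn't have permissions to access organization agreements.
If you use an IAM user in the management account to access organization agreements, then make sure that the permissions are similar to the following policy: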
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "artifact:AcceptAgreement",
        "artifact:DownloadAgreement",
        "artifact:TerminateAgreement"
      ],
      "Resource": [
        "arn:aws:artifact::*:customer-agreement/*",
        "arn:aws:artifact:::agreement/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "iam:ListRoles",
      "Resource": "arn:aws:iam::*:role/*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/artifact.amazonaws.com/AWSServiceRoleForArtifact"
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeOrganization",
        "organizations:EnableAWSServiceAccess",
        "organizations:ListAccounts",
        "organizations:ListAWSServiceAccessForOrganization"
      ],
      "Resource": "*"
    }
  ]
}
```
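If you use an IAM user in a member account to access organization agreements, then make sure that the permissions are similar to the following policy: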
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "artifact:AcceptAgreement",
        "artifact:DownloadAgreement",
        "artifact:TerminateAgreement"
      ],
      "Resource": [
        "arn:aws:artifact::*:customer-agreement/*",
        "arn:aws:artifact:::agreement/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeOrganization"
      ],
      "Resource": "*"
    }
  ]
}
```
For details, see Identity and access management in AWS Artifact.
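To find which of these permissions an existing policy lacks before retrying in the console, the following added example (not AWS code) compares a policy document against the action lists from the two policies above. It is a simplified check that assumes only `Allow` statements and their `Action` patterns matter; it does not evaluate `Resource`, `Condition`, `NotAction`, explicit `Deny` statements, or service control policies. The names `missing_actions` and `SAMPLE` are hypothetical.

```python
import json
from fnmatch import fnmatchcase

# Action lists copied from the two policies on this page.
ARTIFACT = ["artifact:AcceptAgreement", "artifact:DownloadAgreement",
            "artifact:TerminateAgreement"]
REQUIRED = {
    "member": ARTIFACT + ["organizations:DescribeOrganization"],
    "management": ARTIFACT + [
        "iam:ListRoles", "iam:CreateServiceLinkedRole",
        "organizations:DescribeOrganization",
        "organizations:EnableAWSServiceAccess",
        "organizations:ListAccounts",
        "organizations:ListAWSServiceAccessForOrganization"],
}

def _as_list(value):
    """IAM allows a single string or a list for Action and Statement."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)

def allowed_patterns(policy):
    """Lower-cased Action patterns from every Allow statement."""
    patterns = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Allow":
            patterns += [a.lower() for a in _as_list(stmt.get("Action"))]
    return patterns

def missing_actions(policy, account_type):
    """Required actions that no Allow statement matches (IAM action
    names are case-insensitive; * and ? are wildcards)."""
    patterns = allowed_patterns(policy)
    return [a for a in REQUIRED[account_type]
            if not any(fnmatchcase(a.lower(), p) for p in patterns)]

# Constructed sample: a read-only policy someone might attach by mistake.
SAMPLE = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "artifact:Download*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["organizations:Describe*"], "Resource": "*"}
  ]
}""")

if __name__ == "__main__":
    for kind in ("member", "management"):
        print(kind, "missing:", missing_actions(SAMPLE, kind))
```

An empty list means every action from the page's policy for that account type is covered by some `Allow` statement.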
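"Your organization must be enabled for all features"
This error occurs because your organization is configured only for consolidated billing. To use organization agreements in AWS Artifact, you must activate all features for your organization in AWS Organizations. For more information, see Activating all features in your organization.
Related information
Managing agreements in AWS Artifact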