I followed the instructions to deploy AWS Config Rules and conformance packs using a delegated admin. However, I received an error similar to the following:
- An error occurred (AccessDeniedException) when calling the DeregisterDelegatedAdministrator operation: You don't have permissions to access this resource.
- An error occurred (InvalidInputException) when calling the RegisterDelegatedAdministrator operation: You specified an unrecognized service principal.
- An error occurred (ConstraintViolationException) when calling the RegisterDelegatedAdministrator operation: You have exceeded the allowed number of delegated administrators for the delegated service.
Resolution
Follow these troubleshooting steps for the specific error message received.
Important: Before you begin, be sure that you installed and configured the AWS Command Line Interface (AWS CLI).
"An error occurred (AccessDeniedException) when calling the DeregisterDelegatedAdministrator operation: You don't have permissions to access this resource."
This error means that you ran the register-delegated-administrator (or deregister-delegated-administrator) command from an AWS Organizations member account, similar to the following:
$ aws organizations register-delegated-administrator --service-principal config-multiaccountsetup.amazonaws.com --account-id member-account-ID
Only the organization's management account (formerly called the primary account) can register or deregister a delegated administrator; member accounts, including the delegated administrator itself, receive AccessDeniedException. Run the register-delegated-administrator command again using credentials for the management account.
"An error occurred (InvalidInputException) when calling the RegisterDelegatedAdministrator operation: You specified an unrecognized service principal."
This error can occur if your organization doesn't have all features enabled, or if trusted access for AWS Config (the config-multiaccountsetup.amazonaws.com service principal) isn't enabled. Consolidated-billing-only organizations must be migrated to all features before trusted access can be turned on.
1. From the management account, run the enable-aws-service-access command similar to the following:
$ aws organizations enable-aws-service-access --service-principal=config-multiaccountsetup.amazonaws.com
2. Run the register-delegated-administrator command from the management account to delegate the member account that will deploy organization conformance packs and AWS Config rules:
$ aws organizations register-delegated-administrator --service-principal config-multiaccountsetup.amazonaws.com --account-id member-account-ID
"An error occurred (ConstraintViolationException) when calling the RegisterDelegatedAdministrator operation: You have exceeded the allowed number of delegated administrators for the delegated service."
This error means that the maximum of three delegated administrators for the config-multiaccountsetup.amazonaws.com service principal has already been reached.
1. To determine which delegated administrators are registered, run the list-delegated-administrators command similar to the following:
$ aws organizations list-delegated-administrators --service-principal=config-multiaccountsetup.amazonaws.com
You receive an output similar to the following:
{
    "DelegatedAdministrators": [
        {
            "Id": "987654321098",
            "Arn": "arn:aws:organizations::123456789012:account/o-anz8bj0hfs/987654321098",
            "Email": "youremailalias@example.com",
            "Name": "your-account-name",
            "Status": "ACTIVE",
            "JoinedMethod": "CREATED",
            "JoinedTimestamp": 1557432887.92,
            "DelegationEnabledDate": 1590681859.773
        }
    ]
}
2. To deregister a delegated administrator that is no longer needed, run the deregister-delegated-administrator command from the management account:
$ aws organizations deregister-delegated-administrator --service-principal config-multiaccountsetup.amazonaws.com --account-id member-account-ID
3. Rerun the register-delegated-administrator command to delegate the intended account as an administrator:
$ aws organizations register-delegated-administrator --service-principal config-multiaccountsetup.amazonaws.com --account-id member-account-ID
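The three errors above are all detectable before the API rejects the call. The following preflight script is an added example, not part of the original article or of AWS's tooling: it checks, in order, that the caller is the management account (AccessDeniedException), that the organization has all features and trusted access for AWS Config enabled (InvalidInputException), and that the three-administrator limit has not been reached (ConstraintViolationException), and only then registers the account. The clients are passed in so the same logic runs against real boto3 clients (method names and response shapes follow the boto3 Organizations and STS APIs) or against the constructed fakes included below; the account IDs and organization ID in the fakes are sample data.

```python
"""Preflight for registering an AWS Config delegated administrator.

Added example: mirrors the CLI steps in the article using boto3-style clients.
Pass boto3.client("organizations") / boto3.client("sts") in real use, or the
constructed FakeOrganizations / FakeSts below to run offline.
"""

SERVICE_PRINCIPAL = "config-multiaccountsetup.amazonaws.com"
MAX_DELEGATED_ADMINS = 3  # per-service limit described in the article


def preflight(org, sts, target_account):
    """Check the organization, then register target_account as delegated admin.

    Returns the list of actions performed. Raises with a message that maps
    to the article's error instead of letting the Organizations API fail.
    """
    actions = []

    # AccessDeniedException: register/deregister must run from the management account.
    caller = sts.get_caller_identity()["Account"]
    organization = org.describe_organization()["Organization"]
    management = organization["MasterAccountId"]
    if caller != management:
        raise PermissionError(
            f"credentials belong to account {caller}; run this from the "
            f"management account {management}")

    # InvalidInputException: all features and trusted access must be enabled.
    if organization["FeatureSet"] != "ALL":
        raise ValueError(
            f"organization FeatureSet is {organization['FeatureSet']}; "
            "enable all features before enabling trusted access")
    enabled, kwargs = set(), {}
    while True:  # list_aws_service_access_for_organization is paginated
        page = org.list_aws_service_access_for_organization(**kwargs)
        enabled.update(p["ServicePrincipal"] for p in page["EnabledServicePrincipals"])
        if "NextToken" not in page:
            break
        kwargs = {"NextToken": page["NextToken"]}
    if SERVICE_PRINCIPAL not in enabled:
        org.enable_aws_service_access(ServicePrincipal=SERVICE_PRINCIPAL)
        actions.append(f"enable-aws-service-access {SERVICE_PRINCIPAL}")

    # ConstraintViolationException: at most MAX_DELEGATED_ADMINS per service principal.
    admins = org.list_delegated_administrators(
        ServicePrincipal=SERVICE_PRINCIPAL)["DelegatedAdministrators"]
    admin_ids = [a["Id"] for a in admins]
    if target_account in admin_ids:
        actions.append(f"{target_account} already registered")
        return actions
    if len(admin_ids) >= MAX_DELEGATED_ADMINS:
        raise RuntimeError(
            f"{len(admin_ids)} delegated administrators already registered "
            f"({', '.join(admin_ids)}); deregister one before registering {target_account}")

    org.register_delegated_administrator(
        AccountId=target_account, ServicePrincipal=SERVICE_PRINCIPAL)
    actions.append(f"register-delegated-administrator {target_account}")
    return actions


class FakeSts:
    """Constructed stand-in for boto3's STS client (sample account IDs)."""
    def __init__(self, account):
        self.account = account

    def get_caller_identity(self):
        return {"Account": self.account}


class FakeOrganizations:
    """Constructed stand-in for boto3's Organizations client (sample data only)."""
    def __init__(self, management, feature_set="ALL", enabled=(), admins=()):
        self.management, self.feature_set = management, feature_set
        self.enabled, self.admins = set(enabled), list(admins)

    def describe_organization(self):
        return {"Organization": {"Id": "o-example12345",
                                 "MasterAccountId": self.management,
                                 "FeatureSet": self.feature_set}}

    def list_aws_service_access_for_organization(self, **_):
        return {"EnabledServicePrincipals": [{"ServicePrincipal": p} for p in sorted(self.enabled)]}

    def enable_aws_service_access(self, ServicePrincipal):
        self.enabled.add(ServicePrincipal)

    def list_delegated_administrators(self, ServicePrincipal):
        return {"DelegatedAdministrators": [{"Id": a} for a in self.admins]}

    def register_delegated_administrator(self, AccountId, ServicePrincipal):
        self.admins.append(AccountId)

    def deregister_delegated_administrator(self, AccountId, ServicePrincipal):
        self.admins.remove(AccountId)


if __name__ == "__main__":
    # Management-account credentials, trusted access not yet enabled, one existing admin.
    org = FakeOrganizations("123456789012", admins=["111111111111"])
    print(preflight(org, FakeSts("123456789012"), "987654321098"))
```

Running the script with the constructed fakes enables trusted access and registers the account; swapping in real clients with member-account credentials raises PermissionError before any API call that would return AccessDeniedException. The RuntimeError on the limit lists the currently registered IDs so you can choose which one to pass to deregister-delegated-administrator.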
Related information
How do I remove a member account from an organization in AWS Organizations when I can't sign in to the member account?
How do I move accounts between organizations in AWS Organizations?