I want to resolve errors that I receive when I set up an AWS Organizations member account as a delegated administrator for AWS Config rules.
Short description
You might experience the following errors when you set up an AWS Organizations member account as a delegated administrator for AWS Config rules:
"An error occurred (AccessDeniedException) when calling the DeregisterDelegatedAdministrator operation: You don't have permissions to access this resource."
"An error occurred (InvalidInputException) when calling the RegisterDelegatedAdministrator operation: You specified an unrecognized service principal."
"An error occurred (ConstraintViolationException) when calling the RegisterDelegatedAdministrator operation: You have exceeded the allowed number of delegated administrators for the delegated service."
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.
Troubleshoot your issues based on the error message that you receive:
An error occurred (AccessDeniedException) when calling the DeregisterDelegatedAdministrator operation: You don't have permissions to access this resource
This error occurs when you run the register-delegated-administrator command from an AWS Organizations member account. To resolve this, run the register-delegated-administrator command from the AWS Organizations primary (management) account instead.
An error occurred (InvalidInputException) when calling the RegisterDelegatedAdministrator operation: You specified an unrecognized service principal
This error occurs because your AWS Organizations organization doesn't have all features enabled and trusted access turned on for the service principal that you specified. To resolve this, complete the following steps:
1. To turn on trusted access for the service, run the enable-aws-service-access command:
Note: Replace example-service-principal with the service principal of the AWS service that you want to integrate with your organization.
$ aws organizations enable-aws-service-access --service-principal example-service-principal
2. To delegate the member account to deploy AWS Organizations conformance packs and AWS Config rules, run the register-delegated-administrator command:
Note: Replace example-service-principal with the service principal of the AWS service that you want to integrate with your organization. Also, replace example-member-account-id with the member account ID.
$ aws organizations register-delegated-administrator --service-principal example-service-principal --account-id example-member-account-id
An error occurred (ConstraintViolationException) when calling the RegisterDelegatedAdministrator operation: You have exceeded the allowed number of delegated administrators for the delegated service
This error occurs when the limit of 3 registered delegated administrators for the service has already been reached. To resolve this, complete the following steps:
1. To determine which delegated administrators are registered, run the list-delegated-administrators command:
Note: Replace example-service-principal with the service principal of the AWS service that you want to integrate with your organization.
$ aws organizations list-delegated-administrators --service-principal example-service-principal
Example output:
{
    "DelegatedAdministrators": [
        {
            "Id": "987654321098",
            "Arn": "arn:aws:organizations::123456789012:account/o-anz8bj0hfs/987654321098",
            "Email": "youremailalias@example.com",
            "Name": "your-account-name",
            "Status": "ACTIVE",
            "JoinedMethod": "CREATED",
            "JoinedTimestamp": 1557432887.92,
            "DelegationEnabledDate": 1590681859.773
        }
    ]
}
2. To deregister a delegated administrator, run the deregister-delegated-administrator command:
Note: Replace example-service-principal with the service principal of the AWS service that you want to integrate with your organization. Also, replace example-member-account-id with the member account ID.
$ aws organizations deregister-delegated-administrator --service-principal example-service-principal --account-id example-member-account-id
3. To delegate an AWS account as the administrator, run the register-delegated-administrator command:
Note: Replace example-service-principal with the service principal of the AWS service that you want to integrate with your organization. Also, replace example-member-account-id with the member account ID.
$ aws organizations register-delegated-administrator --service-principal example-service-principal --account-id example-member-account-id
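Both procedures above (turning on trusted access before registering, and checking the delegated-administrator count before deregistering and re-registering) can be checked up front from the management account, so that you know which fix applies before register-delegated-administrator fails. The script below is an added example and is not part of this article or of the AWS CLI. It assumes AWS CLI v2 with credentials for the organization's management account, uses config.amazonaws.com as the service principal for AWS Config (an assumption; set SERVICE_PRINCIPAL to use a different service), and takes the limit of three delegated administrators per service from the steps above. The JSON handling is kept in small functions that read the CLI output on stdin, so it can be exercised against constructed output without AWS credentials.

```shell
#!/bin/sh
# Pre-flight checks before registering a delegated administrator for AWS Config.
# Added example, not the article's or AWS's own code. Assumes AWS CLI v2 and
# management-account credentials. SERVICE_PRINCIPAL defaults to the AWS Config
# service principal (assumption); MAX_DELEGATED_ADMINS comes from the article.
set -eu

SERVICE_PRINCIPAL="${SERVICE_PRINCIPAL:-config.amazonaws.com}"
MAX_DELEGATED_ADMINS=3

# Reads describe-organization output on stdin; succeeds when FeatureSet is ALL
# (the "all features" mode that trusted access and delegation require).
has_all_features() {
    grep -q '"FeatureSet": *"ALL"'
}

# Reads list-aws-service-access-for-organization output on stdin; succeeds
# when trusted access is already enabled for the principal passed as $1.
trusted_access_enabled() {
    grep -q "\"ServicePrincipal\": *\"$1\""
}

# Reads list-delegated-administrators output on stdin and prints the number
# of registered delegated administrators (one "Id" key per account entry).
count_delegated_admins() {
    grep -o '"Id":' | wc -l | tr -d ' '
}

# Prints one line naming the action to take and returns non-zero when
# register-delegated-administrator would fail for one of the article's reasons.
preflight() {
    if ! aws organizations describe-organization | has_all_features; then
        echo "ENABLE_ALL_FEATURES: organization is not using the ALL feature set"
        return 1
    fi
    if ! aws organizations list-aws-service-access-for-organization |
            trusted_access_enabled "$SERVICE_PRINCIPAL"; then
        echo "ENABLE_TRUSTED_ACCESS: run enable-aws-service-access --service-principal $SERVICE_PRINCIPAL"
        return 1
    fi
    n=$(aws organizations list-delegated-administrators \
            --service-principal "$SERVICE_PRINCIPAL" | count_delegated_admins)
    if [ "$n" -ge "$MAX_DELEGATED_ADMINS" ]; then
        echo "LIMIT_REACHED: $n delegated administrators registered; deregister one first"
        return 1
    fi
    echo "OK: $n of $MAX_DELEGATED_ADMINS delegated administrators registered"
}

# Uncomment to run against a real organization (MEMBER_ACCOUNT_ID is a placeholder):
# preflight && aws organizations register-delegated-administrator \
#     --service-principal "$SERVICE_PRINCIPAL" --account-id "$MEMBER_ACCOUNT_ID"
```

The three CLI calls (describe-organization, list-aws-service-access-for-organization, list-delegated-administrators) are read-only, so the script is safe to run repeatedly; it never registers or deregisters anything by itself. The grep-based parsing relies on the CLI's default pretty-printed JSON; in a production script you would normally use --query with --output text instead.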
Related information
How do I remove a member account from an organization in AWS Organizations when I can't sign in to the member account?
How do I move an account from an existing AWS Organization to another AWS Organization?