Why can't I access my member account?

3 minute read
0

I want to access my member account in an AWS Organization.

Resolution

To gain access to a member account in your Organization, first try the following:

  • Use the root user credentials by signing in with the email address and password that you created for the account.
  • If you can't log in with your initial password, use the following steps to recover it:
    1. Go to the Sign in page of the AWS Management Console. If you're already signed in to AWS, you must sign out to see the Sign in page.
    2. The Sign in page shows three text boxes: Root user, IAM user, and Root user email address. Sign in using the root user credentials.
    3. Enter the email address that is associated with your AWS account, and then choose Next.
    4. Choose Forgot your password? Then, enter the information that's required to reset the password to the new one that you provide. Make sure that your email address that's associated with the account is active and receives incoming email.

Access a member account that has a management account access role

When you create a member account, AWS Organizations automatically creates an AWS Identity and Management (IAM) role called OrganizationAccountAccessRole in the account. This role has full administrative permissions in the member account. The scope of access for this role includes all principals in the management account.

Follow these steps to assume the OrganizationAccountAccessRole:

  1. Open the AWS Management Console using IAM user credentials that grant administrator permissions in the management account. Next, grant permissions to members of the IAM group in the management account to access the role.
  2. Switch to the role for the member account.

Create the OrganizationAccountAccessRole in an invited member account

Invited member accounts that join your organization don't automatically get an administrator's role. You must do this manually. This action duplicates the role automatically set up for created accounts. As a best practice, use the same name, OrganizationAccountAccessRole, for your manually created roles for consistency and ease of use.

Post-closure

If you closed a member account more than 90 days previously, the account is permanently closed and you no longer have access to it. All content and AWS services associated with this account are deleted.

Related information

When should I use an external ID?

Using multi-factor authentication (MFA) in AWS

Closing an account

AWS OFFICIAL
AWS OFFICIALUpdated a year ago