How do I navigate between member accounts in AWS Organizations?

Short description

When you create an AWS account in your organization, AWS Organizations automatically creates the AWSServiceRoleForOrganizations service-linked role. If your organization supports all features, then the account must have this role.

AWS Organizations also automatically creates the OrganizationAccountAccessRole AWS Identity and Access Management (IAM) role. This role grants the management account access to the new member account. All member accounts must have this role for the administrator to access the accounts. However, when you invite an existing AWS account to join your organization, it doesn't automatically get an administrator role. Therefore, you must manually create a role to grant administrator access to invited members.

Note: For consistency, it's a best practice to use the same role name (OrganizationAccountAccessRole) for your manually created role.

Resolution

To grant your management account access to the newly invited member account, create the OrganizationAccountAccessRole role in the member account.

Create an AWS Organizations administrator role in the member account

1. Open the IAM console, and then in the member account sign in as an IAM user, or assume an IAM role. The user or role must have permission to create IAM roles and policies.
   Note: For this use case, it's not a best practice to sign in as the root user.
2. In the navigation pane, choose Roles, and then choose Create Role.
3. For Trusted entity type, choose AWS account, and then, choose Another AWS account.
4. Enter the 12-digit account ID of the account that you want to grant administrator access to.
   Note: Because the accounts are internal to your company, don't choose Require external ID. For more information, see How to use external ID when granting access to your AWS resources.
5. (Optional) If you turned on and configured multi-factor authentication (MFA), then you can chose Require MFA for authentication.
6. Choose Next. On the Add permissions page, choose the AWS managed policy that's named AdministratorAccess.
7. Choose Next.
8. On the Name, review, and create page, enter a role name, such as OrganizationAccountAccessRole.
9. (Optional) Enter a description or add tags for your role.
10. Review your configuration, and then choose Create role.

Your new role appears on the list of available roles.

Switch to the role for the member account

When you use this newly created role, you have administrator permissions in the new member account. To switch to the OrganizationAccountAccessRole in the member account, use the AWS Organizations console or the AWS Command Line Interface (AWS CLI).

Use the AWS Organizations console

Complete these steps:

1. Open the AWS Organizations console.
2. In the navigation pane, select your current account.
3. From the dropdown menu, choose Switch role, and then on the next page choose Switch role.
4. Enter the administrator-provided account ID number and the role name that you created.
5. For Display Name, enter the name that you want to appear when you use this role.
6. Choose Switch Role.

All actions that you perform in this role use the role's granted permissions. Until you switch back to your previous IAM identity, you don't have the permissions that are associated with your previous IAM identity. To switch back to your previous IAM identity, select the account's display name in the navigation bar. Then, choose Back to USERNAME.

Use the AWS CLI

Complete these steps:

Note: If you receive errors when you run AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

1. Open the terminal or command prompt on your operating system.

2. To assume the role in the member account, use the aws sts assume-role command. Replace ROLE-ARN with the ARN of the IAM role that you created in the member account:

   aws sts assume-role --role-arn ROLE_ARN --role-session-name CrossAccountSession

   The command gives you the access key ID, secret access key, and session token as temporary security credentials.

3. Configure the AWS CLI to use these temporary credentials:

    aws configure set aws_access_key_id TEMP_ACCESS_KEY_ID  
    aws configure set aws_secret_access_key TEMP_SECRET_ACCESS_KEY  
    aws configure set aws_session_token TEMP_SESSION_TOKEN

   Note: As a best security practice, this step uses temporary security credentials instead of long-term access keys. However, you can still see these credentials in plaintext, so make sure that you keep this information secure. For more information, see Use temporary security credentials (IAM roles) instead of long-term access keys.

You can now run AWS CLI commands to access resources in the member account

Troubleshoot issues

If you can't access a member account, then you might not have the necessary permissions. To access an account from any other account in your organization, you must have the following permissions:

• Include sts:AssumeRole in the IAM identity that you want to assume another role for.
• Establish a trust relationship from the destination role to the source account or role.

These required permissions apply to any role that assumes another role in the same account or across accounts.

If you encounter an error when you try to assume a role, then see I can't assume a role to troubleshoot your issue.

Related information

Accessing member accounts in your organization

Managing AWS accounts in your organization

Switching to a role (console)

Switching to an IAM role (AWS CLI)