How, as a root or IAM user, do I access multiple organizations under my AWS hierarchy with one single user login?

Hello,

I have a total of two AWS accounts in my root hierarchy:

Parent: Management Account (1)

  • Child: Application Account (2)

As an IAM user created on the parent account, I only have access to information connected to that account directly, not to the information on the child account. Am I supposed to toggle between the two organizations?

Currently, my only workaround for this was to create an IAM Identity Center user and assign only the child account to that user for login purposes.

Edwin
asked 2 months ago, 190 views

1 Answer

You only have one Organisation: a Management account and then member accounts. By default, if you create an account in the Org using the Org tools, it will create a trusted cross-account role in the member account called OrganizationAccountAccessRole. You can use this IAM role without IAM Identity Center.

If you invite an already existing account into the Org, you can create this role.

Either way, as long as you have a role in the member account which trusts the Management account, you can just assume that role.

More details in the 2nd bullet point here: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html

answered 2 months ago
  • Hello Gary, thank you for your response. Unfortunately, I still do not understand the functionality. I am certain that I likely phrased my original inquiry wrongly. I will try to break it down further here:

    • I am currently logged in as the AWS root user. Under IAM, I click on Related consoles > AWS Organizations (I could have just gone to AWS Organizations, but these are my steps at the moment).

    • From AWS Organizations, I see a tree of Root > Account #1 (tagged: management account), Account #2.

    My root email login is associated with Account #1, but Account #2 has a completely different email listed.

    With that out of the way, there are two questions that I have:

    1.) On the current root user (Account #1), I see no DB instances [0/40]. I know the DBs are listed under Account #2. At this point, is it possible to toggle over to Account #2 without a separate user login?

    2.) My current process is to create a secondary IAM Identity Center user using the Account #1 root login and assign that newly created user access to only Account #2 under the AWS account settings:

    2a.) IAM Identity Center > Users > Add User

    2b.) IAM Identity Center > Multi-account permissions > AWS accounts > Select Account #2 > Assign users or groups > Find the newly created user from 2a > Select user > Next

    At this point the newly created user has access to view my DBs on Account #2, but that is because I gave them access to that specific AWS account. Why can't root do this?
