Hi Jimmy_m, Thanks for your very helpful information. This worked for one of the accounts I need to enroll, so appreciate the help.
However, for the second account I need to enroll, I am still having a problem. The issue is that the account I am trying to enroll has an AWSControlTowerExecution IAM Role which trusts a different AWS account ID (it was previously enrolled in another account & organisation).
I have tried to update this role to trust the correct account ID but I keep getting told my IAM user does not have the correct permissions. The account I am using has full Admin access, and I even added full IAM access to see if this would help. It didn't. I also got the root user to log on and try the same, but even the root user did not have permissions to update the trust policy. The error message was:
USER arn:aws:iam:xx : root is not authorized to perform: iam:UpdateAssumeRolePolicy on resource: role AWSControlTowerExecution with explicit deny
Do you know how I can get around this?
Kind Regards, Roisin
Hi, There's multiple things I'd like to check on here, and hopefully we can get this working for you.
To successfully use the Service Catalog Account Factory, you will need to add the User or Role you log in as (for the Organization Management account) to the Portfolio permissions. That's likely what it's asking for in the "Add the IAM user" part of the error message. This will allow you to correctly enroll accounts. In future there should be no need to change/delete the Account Factory Portfolio or Product itself; just Terminate the Provisioned Product if you run into issues with an account enrollment.
The repair you did may have removed this configuration and placed the Service Catalog Portfolio and Product back to the default configuration.
Now for the account enrollment there's a few things to confirm for existing AWS Accounts:
- The account must be part of the Organization already
- The account has the AWSControlTowerExecution IAM Role, and it trusts the Organization management account ID
- Does the account already have AWS Config set up? This can cause enrollment problems. You can solve this one of two ways: delete the config recorder and delivery channels (as Control Tower will configure new ones), or use this process to enroll existing AWS Config resources. These prerequisites are covered HERE.
Once those prereqs are covered you should be able to enroll an account. Either directly by putting the account details into the Account Factory, or by registering/re-registering the OU that contains the account.
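The two prerequisites most often missed above (the AWSControlTowerExecution trust policy naming the management account, and no pre-existing AWS Config recorder) can be checked from the decoded JSON of `aws iam get-role` and `aws configservice describe-configuration-recorders`. The script below is an added example, not code from the thread or from AWS; the account IDs and sample documents are constructed placeholders.

```python
# Constructed sample shaped like the "Role" object from
# `aws iam get-role --role-name AWSControlTowerExecution`; account IDs are placeholders.
SAMPLE_ROLE = {
    "RoleName": "AWSControlTowerExecution",
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": "arn:aws:iam::222222222222:root"}},  # the OLD management account
    ]},
}
# Constructed sample shaped like `aws configservice describe-configuration-recorders`.
SAMPLE_RECORDERS = [{"name": "default", "roleARN": "arn:aws:iam::333333333333:role/config-role"}]

def _account_ids(principal):
    """Extract 12-digit account IDs (or '*') from a trust-policy Principal."""
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    ids = set()
    for p in [principal] if isinstance(principal, str) else principal:
        if p == "*" or (p.isdigit() and len(p) == 12):
            ids.add(p)
        elif p.startswith("arn:aws:iam::"):
            ids.add(p.split(":")[4])  # arn:aws:iam::ACCOUNT:root -> ACCOUNT
    return ids

def trusted_accounts(trust_policy):
    """Account IDs allowed to sts:AssumeRole by the role's trust policy."""
    trusted = set()
    for stmt in trust_policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") == "Allow" and "sts:AssumeRole" in actions:
            trusted |= _account_ids(stmt.get("Principal", {}))
    return trusted

def enrollment_problems(role, recorders, mgmt_account):
    """Return the prerequisite failures found; an empty list means both checks passed."""
    problems = []
    trusted = trusted_accounts(role.get("AssumeRolePolicyDocument", {}))
    if mgmt_account not in trusted and "*" not in trusted:
        problems.append(f"{role.get('RoleName')} trusts {sorted(trusted) or 'no account'}, "
                        f"not the management account {mgmt_account}")
    if recorders:  # Control Tower wants to create its own recorder and delivery channel
        names = ", ".join(r["name"] for r in recorders)
        problems.append(f"AWS Config recorder already exists ({names}); delete it "
                        "or enroll the existing Config resources first")
    return problems
```

Feed `enrollment_problems()` the real `Role` object and `ConfigurationRecorders` list from the two CLI calls, run in the account being enrolled, and it lists what still blocks enrollment.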
Hi Roisin, two things: looks like you are using Root, and you cannot use the root user with Control Tower. The second clue is "with an explicit deny"; this means that the IAM action is being blocked at the Service Control Policy (SCP) level. Speak to your platform team / admins. Hope this helps.