
List organization accounts for parent organization unit from member account

0

Hi,

I have set up an organization with multiple organizational units. I have multiple member accounts in OU1 and I would like to list all accounts in OU1 from within a member account that is itself a member of OU1.

I tried following CLI command:

aws organizations list-accounts-for-parent --parent-id ou-OU1

Of course ou-OU1 is made up; I am using an existing ID here.

I tried this inline policy with my user:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "organizations:ListAccountsForParent",
            "Resource": "*"
        }
    ]
}

I have an IAM user created in Account1, which is under OU1.

Is this even possible? If so how can I achieve this?

2 Answers
1
Accepted Answer

Hello.

Normally, Account1 is not the root account that manages AWS Organizations, so you cannot check member account information using the "list-accounts-for-parent" command.
If you configure Account1 as a delegated account in AWS Organizations, you should be able to use "list-accounts-for-parent".
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_delegated_admin.html

EXPERT
answered 10 months ago
  • You can create a delegation policy by following the steps in the following document: https://docs.aws.amazon.com/organizations/latest/userguide/orgs-policy-delegate.html

    By setting the delegation policy as follows, you can execute "list-accounts-for-parent" on Account1.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Statement",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::Account1 ID:root"
          },
          "Action": "organizations:ListAccountsForParent",
          "Resource": "*"
        }
      ]
    }
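The following is an added example, not code from the original answer or from AWS. It shows the two halves of the accepted answer in Python: building the delegation policy that the management account attaches with PutResourcePolicy (validating the member account ID and refusing anything that is not a read-only Organizations action), and then calling ListAccountsForParent from the member account while following NextToken pages, which the CLI does for you but a boto3 caller must do by hand. The account ID, OU ID, profile names and the fake client's two pages are constructed placeholders; the read-only-prefix check and the fixed Sid are assumptions of this example, not something the page states.

```python
"""Delegate organizations:ListAccountsForParent to a member account, then list an OU."""
import json
import re
import sys

# Constructed placeholders: replace with your own member account and OU IDs.
MEMBER_ACCOUNT_ID = "111122223333"
PARENT_ID = "ou-abcd-12345678"

_ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
# Root and OU ID formats as documented by AWS Organizations.
_PARENT_ID_RE = re.compile(r"^(r-[0-9a-z]{4,32}|ou-[0-9a-z]{4,32}-[a-z0-9]{8,32})$")
# Assumption of this example: only read-only Organizations actions get delegated here.
_READ_ONLY_PREFIXES = ("organizations:List", "organizations:Describe")


def build_delegation_policy(member_account_id, actions, resource="*"):
    """Return the delegation (resource-based) policy the management account attaches
    with PutResourcePolicy, granting ACTIONS to the member account's root principal.
    Validation fails closed so a typo cannot become a grant to the wrong account
    or to a mutating action."""
    if not _ACCOUNT_ID_RE.match(member_account_id):
        raise ValueError(f"not a 12-digit account ID: {member_account_id!r}")
    actions = list(actions)
    if not actions:
        raise ValueError("at least one action is required")
    for action in actions:
        if not action.startswith(_READ_ONLY_PREFIXES):
            raise ValueError(f"refusing to delegate non-read-only action {action!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DelegateListAccountsForParent",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{member_account_id}:root"},
            "Action": actions[0] if len(actions) == 1 else actions,
            "Resource": resource,
        }],
    }


def list_accounts_for_parent(client, parent_id):
    """Collect every account under PARENT_ID, following NextToken until exhausted.
    CLIENT is anything with a boto3-style list_accounts_for_parent() method."""
    if not _PARENT_ID_RE.match(parent_id):
        raise ValueError(f"malformed root/OU ID: {parent_id!r}")
    accounts, token = [], None
    while True:
        kwargs = {"ParentId": parent_id}
        if token:
            kwargs["NextToken"] = token
        page = client.list_accounts_for_parent(**kwargs)
        accounts.extend(
            {"Id": a["Id"], "Name": a.get("Name"), "Status": a.get("Status")}
            for a in page.get("Accounts", [])
        )
        token = page.get("NextToken")
        if not token:
            return accounts


class FakeOrganizationsClient:
    """Constructed stand-in for boto3's Organizations client; it returns two pages
    so the pagination path runs offline."""
    PAGES = [
        {"Accounts": [{"Id": "111122223333", "Name": "Account1", "Status": "ACTIVE"}],
         "NextToken": "page2"},
        {"Accounts": [{"Id": "444455556666", "Name": "Account2", "Status": "SUSPENDED"}]},
    ]

    def list_accounts_for_parent(self, ParentId, NextToken=None, **_):
        return self.PAGES[1] if NextToken == "page2" else self.PAGES[0]


def main(argv):
    policy = build_delegation_policy(MEMBER_ACCOUNT_ID, ["organizations:ListAccountsForParent"])
    print(json.dumps(policy, indent=2))
    if "--live" in argv:
        # Real run: management-account credentials attach the policy, member-account
        # credentials do the listing. Profile names "management"/"account1" are assumptions.
        import boto3
        mgmt = boto3.Session(profile_name="management").client("organizations")
        mgmt.put_resource_policy(Content=json.dumps(policy))
        client = boto3.Session(profile_name="account1").client("organizations")
    else:
        client = FakeOrganizationsClient()
    for acct in list_accounts_for_parent(client, PARENT_ID):
        print(acct["Id"], acct["Name"], acct["Status"])


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it without arguments to see the policy document and the offline walk over the fake pages; `--live` performs the real PutResourcePolicy and ListAccountsForParent calls. Note that the delegation policy grants to Account1's root principal, so the IAM user inside Account1 still needs its own identity-based Allow for organizations:ListAccountsForParent, exactly the inline policy shown in the question: both policies must allow the call.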
    
0

Hello,

You can use the command below from a member account of the same organizational unit for which you are trying to list all AWS accounts. Just authenticate yourself with a member account from the same organization and you should be able to do it. Use the command below:

#aws organizations list-accounts

Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "organizations:ListAccounts",
            "Resource": "*"
        }
    ]
}

Hope this helps !!

Thanks, Manoj Kumar

AWS
answered 10 months ago
  • Hi @rkmanoj, unfortunately this is exactly what I tried, and as I wrote in the original question, it did not work.

    It seems that adding the account as a delegated account does the trick; see @Riku_Kobayashi's answer.
