Register a delegated administrator member account - Amazon CloudFormation
To register a delegated administrator (console)To deregister a delegated administrator (console)To register a delegated administrator (Amazon CLI)To deregister a delegated administrator (Amazon CLI)
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Register a delegated administrator member account

In addition to your organization's management account, member accounts with delegated administrator permissions can create and manage stack sets with service-managed permissions for the organization. Stack sets with service-managed permissions are created in the management account, including stack sets created by delegated administrators. To be registered as a delegated administrator for your organization, your member account must be in the organization. For more information about joining an organization, see Inviting an Amazon Web Services account to join your organization.

Your organization can have up to five registered delegated administrators at one time. Delegated administrators can choose to deploy to all accounts in your organization or specific OUs. Trusted access with Amazon Organizations must be activated before delegated administrators can deploy to accounts managed by Organizations. For more information, see Activate trusted access for stack sets with Amazon Organizations.

Important

Please be aware of the following:

  • Delegated administrators have full permissions to deploy to accounts in your organization. The management account can't limit delegated administrator permissions to deploy to specific OUs or to perform specific stack set operations.

  • Make sure your delegated administrators have organizations:ListDelegatedAdministrators permissions to avoid any potential errors.

You can register delegated administrators for your organization in the following Regions: US East (Ohio), US East (N. Virginia), US West (N. California), US West (Oregon), Asia Pacific (Mumbai), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), Canada (Central), Europe (Frankfurt), Europe (Ireland), Europe (London), Europe (Paris), Europe (Stockholm), Israel (Tel Aviv), South America (São Paulo), Amazon GovCloud (US-East), and Amazon GovCloud (US-West).

You can register and deregister delegated administrators using the Amazon CloudFormation console, Amazon CLI, or Amazon SDKs.

To register a delegated administrator (console)

  1. Sign in to Amazon as an administrator of the management account and open the Amazon CloudFormation console at https://console.amazonaws.cn/cloudformation/.

  2. From the navigation pane, choose StackSets.

  3. Under Delegated administrators, choose Register delegated administrator.

  4. In the Register delegated administrator dialog box, choose Register delegated administrator.

    The success message indicates that the member account has successfully been registered as a delegated administrator.

To deregister a delegated administrator (console)

  1. Sign in to Amazon as an administrator of the management account and open the Amazon CloudFormation console at https://console.amazonaws.cn/.

  2. From the navigation pane, choose StackSets.

  3. Under Delegated administrators, select the account that you want to deregister, and then choose Deregister.

    The success message indicates that the member account has successfully been deregistered as a delegated administrator.

    You can register this account again at any time.

To register a delegated administrator (Amazon CLI)

  1. Open the Amazon CLI.

  2. Run the register-delegated-administrator command.

    $ aws organizations register-delegated-administrator \
  --service-principal=member.org.stacksets.cloudformation.amazonaws.com \
  --account-id="memberAccountId"

  3. Run the list-delegated-administrators command to verify that the specified member account is successfully registered as a delegated administrator.

    $ aws organizations list-delegated-administrators \
  --service-principal=member.org.stacksets.cloudformation.amazonaws.com

To deregister a delegated administrator (Amazon CLI)

  1. Open the Amazon CLI.

  2. Run the deregister-delegated-administrator command.

    $ aws organizations deregister-delegated-administrator \
  --service-principal=member.org.stacksets.cloudformation.amazonaws.com \
  --account-id="memberAccountId"

  3. Run the list-delegated-administrators command to verify that the specified member account is successfully deregistered as a delegated administrator.

    $ aws organizations list-delegated-administrators \
  --service-principal=member.org.stacksets.cloudformation.amazonaws.com

    You can register this account again at any time.