Enabling a delegated admin account for Amazon Account Management
A delegated admin account can call the Amazon Account Management API operations for other member accounts
in the organization. To designate a member account in your organization as a delegated admin
account, use the following procedure.
To perform these tasks, you must meet the following requirements:
After you specify a delegated admin account for your organization, users and roles in that
account can call the Amazon CLI and Amazon SDK operations in the account namespace
that can work in the Organizations mode by supporting an optional AccountId parameter.
- Amazon Web Services Management Console
This task isn't supported in the Amazon Account Management management console. You
can perform this task only by using the Amazon CLI or an API operation from one of the Amazon SDKs.
- Amazon CLI & SDKs
To register a delegated admin account for the Account Management service
You can use the following commands to enable a delegated admin for the Account Management service.
You must specify the following service principal:
account.amazonaws.com
- Amazon CLI: register-delegated-administrator
The following example registers a member account of the organization
as a delegated admin for the Account Management service.
$ aws organizations register-delegated-administrator \
    --account-id 123456789012 \
    --service-principal account.amazonaws.com
This command produces no output if it's successful.
After you run this command, you can use credentials from account
123456789012 to call Account Management Amazon CLI and SDK API operations that
use the --account-id parameter to reference member accounts in an organization.
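Because register-delegated-administrator prints nothing on success, a follow-up check is useful: this added example (not part of the AWS documentation) compares the accounts registered for account.amazonaws.com against the list you expect and reports both unexpected and missing registrations. The function names, the EXPECTED_ADMINS variable and the script name are assumptions made for the example; list-delegated-administrators is the existing Organizations CLI operation.

```bash
#!/bin/sh
# Added example: audit delegated admins for the Account Management service.
SERVICE_PRINCIPAL="account.amazonaws.com"   # service principal named on the page

# Print the account IDs currently registered as delegated admin for the
# service (whitespace-separated). Requires Organizations read access.
list_delegated_admins() {
  aws organizations list-delegated-administrators \
    --service-principal "$SERVICE_PRINCIPAL" \
    --query 'DelegatedAdministrators[].Id' --output text
}

# ids_not_in "<reference ids>" "<candidate ids>"
# Print each candidate ID that is absent from the reference list, one per
# line. Returns 1 if any were printed, 0 otherwise.
ids_not_in() {
  _ref=" $(echo $1) "        # normalise tabs/newlines to single spaces
  _rc=0
  for _id in $2; do
    case "$_ref" in
      *" $_id "*) ;;          # present in the reference list
      *) echo "$_id"; _rc=1 ;;
    esac
  done
  return $_rc
}

# Live check, run only when EXPECTED_ADMINS (hypothetical variable) is set:
#   EXPECTED_ADMINS="123456789012" sh audit-delegated-admins.sh
if [ -n "${EXPECTED_ADMINS:-}" ]; then
  actual=$(list_delegated_admins) || exit 2
  status=0
  if ! extra=$(ids_not_in "$EXPECTED_ADMINS" "$actual"); then
    echo "Unexpected delegated admin(s) for $SERVICE_PRINCIPAL: $extra" >&2
    status=1
  fi
  if ! missing=$(ids_not_in "$actual" "$EXPECTED_ADMINS"); then
    echo "Expected but not registered: $missing" >&2
    status=1
  fi
  [ "$status" -eq 0 ] && echo "Delegated admins match the expected list"
  exit "$status"
fi
```

The script exits 0 when the registered set equals the expected set, 1 on any difference, and 2 if the CLI call itself fails.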