Accessing member accounts in an organization with Amazon Organizations - Amazon Organizations
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Accessing member accounts in an organization with Amazon Organizations

When you create an account in your organization, Amazon Organizations automatically creates an IAM role that is by default named OrganizationAccountAccessRole. You can specify a different name when you create it, however we recommend that you name it consistently across all of your accounts. Amazon Organizations doesn't create any other users or roles.

To access the accounts in your organization, you must use one of the following methods:

Minimum permissions

To access an Amazon Web Services account from any other account in your organization, you must have the following permission:

  • sts:AssumeRole – The Resource element must be set to either an asterisk (*) or the account ID number of the account with the user who needs to access the new member account

Using trusted access for IAM Identity Center

Use Amazon IAM Identity Center and enable trusted access for IAM Identity Center with Amazon Organizations. This allows users to sign in to the Amazon access portal with their corporate credentials and access resources in their assigned management account or member accounts.

For more information, see Multi-account permissions in the Amazon IAM Identity Center User Guide. For information about setting up trusted access for IAM Identity Center, see Amazon IAM Identity Center and Amazon Organizations.

Using the IAM role OrganizationAccountAccessRole

If you create an account by using the tools provided as part of Amazon Organizations, you can access the account by using the preconfigured role named OrganizationAccountAccessRole that exists in all new accounts that you create this way. For more information, see Accessing a member account that has OrganizationAccountAccessRole with Amazon Organizations.

If you invite an existing account to join your organization and the account accepts the invitation, you can then choose to create an IAM role that allows the management account to access the invited member account. This role is intended to be identical to the role automatically added to an account that is created with Amazon Organizations.

To create this role, see Creating OrganizationAccountAccessRole for an invited account with Amazon Organizations.

After you create the role, you can access it using the steps in Accessing a member account that has OrganizationAccountAccessRole with Amazon Organizations.

Topics