Can't see shared resources in the destination account - Amazon Resource Access Manager
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Can't see shared resources in the destination account

Scenario

Users can't see the resources that they believe are shared with them from other Amazon Web Services accounts.

Possible causes and solutions

Sharing with Amazon Organizations was turned on by using Organizations instead of Amazon RAM

If sharing with Amazon Organizations was turned on by using Organizations instead of Amazon RAM, then sharing within the organization fails. To check if this is the cause of the problem, navigate to the Settings page in the Amazon RAM console and verify that the Enable sharing with Amazon Organizations checkbox is selected.

  • If the checkbox is selected, then this is not the cause.

  • If the checkbox is not selected, then this might be the cause. Don't select the checkbox yet. Perform the following steps to correct the situation.

Important

When you disable trusted access to Amazon Organizations, principals within your organization are removed from all resource shares and lose access to those shared resources.

  1. Sign in to the management account of your organization using an IAM role or user with administrative permissions.

  2. Navigate to the Services page in the Amazon Organizations console.

  3. Choose RAM.

  4. Choose Disable trusted access.

  5. Navigate to the Settings page in the Amazon RAM console.

  6. Select the box Enable sharing with Amazon Organizations, and then choose Save settings.

You might need to update the share and specify the accounts or organizational units within the organization to share with.

The resource share doesn't specify this account as a principal

In the Amazon Web Services account that created the resource share, view the resource share in the Amazon RAM console. Verify that the account that can't access the resources is listed as a Principal. If it isn't, then update the share to add the account as a principal.

The role or user in the account doesn't have required minimum permissions

When you share a resource in account A to another account B, roles and users in account B don't automatically get access to the resources in the share. The administrator of account B must first grant permission to the IAM roles and users in account B who need to access the resource. As an example, the following policy shows how you might grant read-only access to roles and users in account B for a resource from account A. The policy specifies the resource by its Amazon Resource Name (ARN).

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ram:Get*",
                "ram:List*"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws-cn:<service>:<Region-code>:<Account-A-ID>:<resource-id>"
        }
    ]
}

The resource is in a different Amazon Web Services Region than the current console setting

Amazon RAM is a Regional service. Resources exist in a specific Amazon Web Services Region, and to see them, the Amazon Web Services Management Console must be configured to view the resources in that Region.

The Amazon Web Services Region that the console is currently accessing is displayed in the upper-right corner of the console. To change it, choose the current Region name and from the dropdown menu, choose the Region whose resources you want to see.
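The checks for three of the causes above (account missing from the share's principals, missing IAM permissions, wrong Region) can be run offline, shown here as an added example that is not part of the AWS documentation. The function names, result codes, account IDs and ARN are constructed; the principal records use the `id` field as returned by `aws ram list-principals`, and the policy check is simplified to Allow statements with Action and Resource.

```python
import fnmatch

def _as_list(value):
    return value if isinstance(value, list) else [value]

def policy_allows(policy, action, resource_arn):
    """Simplified identity-policy check (assumption): only Allow statements
    with Action/Resource are read; Deny, Not* and Condition are ignored."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        # IAM action names are case-insensitive; '*' and '?' are wildcards.
        act = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                  for a in _as_list(stmt.get("Action", [])))
        res = any(fnmatch.fnmatchcase(resource_arn, r)
                  for r in _as_list(stmt.get("Resource", [])))
        if act and res:
            return True
    return False

def diagnose(resource_arn, share_principals, account_id, policy, action, console_region):
    """Return the causes from this page that apply to account B (constructed codes)."""
    findings = []
    ids = [p["id"] for p in share_principals]
    if account_id not in ids:
        # Organization/OU principals cannot be resolved offline; flag for manual check.
        if any(":organization/" in i or ":ou/" in i for i in ids):
            findings.append("check-org-membership")
        else:
            findings.append("not-a-principal")
    if not policy_allows(policy, action, resource_arn):
        findings.append("missing-permissions")
    # ARN layout: arn:partition:service:region:account-id:resource
    if resource_arn.split(":", 5)[3] != console_region:
        findings.append("wrong-region")
    return findings

# Constructed sample data (account IDs and ARN are placeholders).
ARN = "arn:aws-cn:ec2:cn-north-1:111111111111:subnet/subnet-0example"
POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["ram:Get*", "ram:List*"], "Resource": ARN}]}
PRINCIPALS = [{"id": "222222222222"}]

if __name__ == "__main__":
    print(diagnose(ARN, PRINCIPALS, "222222222222", POLICY, "ram:ListResources", "cn-north-1"))
    print(diagnose(ARN, [{"id": "333333333333"}], "222222222222", POLICY,
                   "ec2:DescribeSubnets", "cn-northwest-1"))
```

An empty list means none of the three causes applies; `check-org-membership` means the share targets an organization or OU and the account's membership has to be confirmed separately.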