Can't see shared resources in the destination account
Scenario
Users can't see the resources that they believe are shared with them from other Amazon Web Services accounts.
Possible causes and solutions
Sharing with Amazon Organizations was turned on by using Organizations instead of Amazon RAM
If sharing with Amazon Organizations was turned on by using Organizations instead of Amazon RAM, then sharing within the organization fails. To check if this is the cause of the problem, navigate to the Settings page in the Amazon RAM console and check whether the Enable sharing with Amazon Organizations checkbox is selected.
- If the checkbox is selected, then this is not the cause.
- If the checkbox is not selected, then this might be the cause. Don't select the checkbox yet. Perform the following steps to correct the situation.
Important
When you disable trusted access to Amazon Organizations, principals within your organization are removed from all resource shares and lose access to those shared resources.
- Sign in to the management account of your organization using an IAM role or user with administrative permissions.
- Navigate to the Services page in the Amazon Organizations console.
- Choose RAM.
- Choose Disable trusted access.
- Navigate to the Settings page in the Amazon RAM console.
- Select the box Enable sharing with Amazon Organizations, and then choose Save settings.
You might need to update the share and specify the accounts or organizational units within the organization to share with.
The resource share doesn't specify this account as a principal
In the Amazon Web Services account that created the resource share, view the resource share in the Amazon RAM console.
The role or user in the account doesn't have required minimum permissions
When you share a resource in account A to another account B, roles and users in account B don't automatically get access to the resources in the share. The administrator of account B must first grant permission to the IAM roles and users in account B who need to access the resource. As an example, the following policy shows how you might grant read-only access to roles and users in account B for a resource from account A. The policy specifies the resource by its Amazon Resource Name (ARN).
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ram:Get*",
                "ram:List*"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws-cn:<service>:<Region-code>:<Account-A-ID>:<resource-id>"
        }
    ]
}
The resource is in a different Amazon Web Services Region than the current console setting
Amazon RAM is a Regional service. Resources exist in a specific Amazon Web Services Region, and to see them, the Amazon Web Services Management Console must be configured to view the resources in that Region.
The Amazon Web Services Region that the console is currently accessing is displayed in the upper-right corner of the console. To change it, choose the current Region name and from the dropdown menu, choose the Region whose resources you want to see.
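The following added example (not part of the original documentation) checks two of the causes above offline: whether the destination account is a principal of the share, and whether the console Region matches the share's Region. It assumes input shaped like the output of `aws ram list-principals --resource-owner SELF`; the account IDs, ARNs, and the `org_arns` parameter are constructed or hypothetical.

```python
# Added example: offline check of two causes from this page.
# Input shape follows `aws ram list-principals --resource-owner SELF` output;
# all account IDs, ARNs and share IDs below are constructed sample values.

def share_region(share_arn):
    """Region is the 4th field of arn:<partition>:ram:<region>:<account>:resource-share/<id>."""
    parts = share_arn.split(":", 5)
    if len(parts) != 6 or parts[2] != "ram":
        raise ValueError(f"not a RAM resource share ARN: {share_arn!r}")
    return parts[3]

def diagnose(share_arn, principals, account_id, console_region, org_arns=()):
    """Return a list of reasons why account_id may not see the share.

    principals: the "principals" list from list-principals for this share.
    org_arns:   ARNs of the organization and OUs that contain account_id
                (hypothetical parameter; the caller looks these up).
    """
    findings = []
    ids = {p["id"] for p in principals if p["resourceShareArn"] == share_arn}
    # The account must be listed directly, or through its organization or OU.
    if account_id not in ids and not ids.intersection(org_arns):
        findings.append("account is not a principal of the resource share")
    # Amazon RAM is Regional: the share is only visible in its own Region.
    region = share_region(share_arn)
    if region != console_region:
        findings.append(f"share is in {region}, console is set to {console_region}")
    return findings

SHARE = "arn:aws-cn:ram:cn-north-1:111111111111:resource-share/EXAMPLE-SHARE-ID"
ORG = "arn:aws-cn:organizations::111111111111:organization/o-exampleorgid"
PRINCIPALS = [
    {"id": "222222222222", "resourceShareArn": SHARE, "external": False},
    {"id": ORG, "resourceShareArn": SHARE, "external": False},
]

if __name__ == "__main__":
    # Account B is listed but the console points at the wrong Region.
    print(diagnose(SHARE, PRINCIPALS, "222222222222", "cn-northwest-1"))
    # Account C is neither listed nor inside the shared organization.
    print(diagnose(SHARE, PRINCIPALS, "333333333333", "cn-north-1"))
    # Account D is covered through the organization principal.
    print(diagnose(SHARE, PRINCIPALS, "444444444444", "cn-north-1", [ORG]))
```

An empty result means neither of these two causes applies; the IAM permissions of the role or user in the destination account still need to be checked separately.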