Error: "UnknownResourceException"
Scenario
You get one of the following errors:
-
"
CannotCreateResourceShare: UnknownResourceException: OrganizationalUnit ou-"xxxxcould not be found -
"
CannotUpdateResourceShare: UnknownResourceException: OrganizationalUnit ou-".xxxxcould not be found
Cause
These errors can occur if you enable integration between Amazon RAM and Amazon Organizations by
using either the Organizations console or
the Organizations EnableAWSServiceAccess API instead of by using the Amazon RAM console. When you
enable integration by using the Organizations console or API, the service doesn’t create the
AWSServiceRoleForResourceAccessManager role in your account. That
role is needed to access information about your organization. Because the role
wasn't created, Amazon RAM can’t access details about the accounts or organizational
units (OUs) in your organization.
Solution
To resolve the issue, turn off integration between Amazon RAM and Amazon Organizations. Then turn it on again by calling the Amazon RAM EnableSharingWithAwsOrganization API operation, or by using the Amazon Web Services Management Console to perform the following steps.
-
Sign in to your the management account of your organization using an IAM role or user with administrative permissions.
-
Navigate to the Services page in the Amazon Organizations console
. -
Choose RAM.
-
Choose Disable trusted access.
-
Navigate to the Settings page in the Amazon RAM console
. -
Select the box Enable sharing with Amazon Organizations, and then choose Save settings.
Important
When you disable trusted access to Amazon Organizations, principals within your organization are removed from all resource shares and lose access to those shared resources.
You should now be able to use Amazon RAM to share your resources with accounts and OUs in the organization.