AWS Organizations
User Guide

Accessing and Administering the Member Accounts in Your Organization

When you create an account in your organization, AWS Organizations automatically creates a root user and an IAM role for the account. However, AWS Organizations doesn't create any IAM users, groups, or other roles. To access the accounts in your organization, you must use one of the methods described in the following sections.

Minimum permissions

To access an AWS account from any other account in your organization, you must have the following permission:

  • sts:AssumeRole - The Resource element must be set to either * or the account ID number of the account with the user who needs to access the new member account.

Accessing a Member Account as the Root User

When you create a new account, Organizations initially assigns a long, complex, random password to the root user. You cannot retrieve this initial password. To access the account as the root user for the first time, you must go through the account password recovery process.


To request a new password for the member account's root user (Console)

  1. Go to the sign-in page of the AWS console at https://console.aws.amazon.com/. If you are already signed-in to AWS, you first have to sign out to see the sign-in page.

  2. If the Sign in page shows three text boxes for Account ID or alias, IAM user name, and Password, then choose Sign-in using root account credentials.

  3. Type the email address associated with your AWS account, and then choose Next.

  4. Choose Forgot your password?, and then enter the information required to reset the password to a new one that you provide. To do this, you must be able to access incoming mail sent to the email address that is associated with the account.

Creating the OrganizationAccountAccessRole in an Invited Member Account

By default, if you create a member account as part of your organization, AWS automatically creates a role in the account that grants admin permissions to delegated IAM users in the master account. By default, that role is named OrganizationAccountAccessRole. For more information, see Accessing a Member Account That Has a Master Account Access Role.

However, member accounts that you invite to join your organization do not automatically get an admin role created. You have to do this manually, as shown in the following procedure. This essentially duplicates the role automatically set up for created accounts. We recommend that you use the same name, OrganizationAccountAccessRole, for your manually created roles for consistency and ease of remembering.

To create an AWS Organizations admin role in a member account (Console)

  1. Sign in to the Identity and Access Management (IAM) console at https://console.aws.amazon.com/iam/. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the member account that has permissions to create IAM roles and policies.

  2. In the IAM console, navigate to Roles, and then choose Create Role.

  3. Choose Another AWS account.

  4. Type the 12-digit account ID number of the master account that you want to grant admin access to.

  5. For this role, because the accounts are internal to your company, you should not choose Require external ID. For more information about the External ID option, see When Should I Use the External ID? in the IAM User Guide.

  6. You can optionally choose to require authentication using a multi-factor authentication (MFA) device, if you have MFA enabled and configured. For more information about MFA, see Using Multi-Factor Authentication (MFA) in AWS in the IAM User Guide.

  7. On the Attach permissions policies page, choose the AWS managed policy named AdministratorAccess, and then choose Next: Review.

  8. On the Review page, specify a role name and an optional description. We recommend that you use OrganizationAccountAccessRole, which is the default name assigned to the role in new accounts. Choose Create role to commit your changes.

  9. Your new role appears on the list of available roles. Choose the new role's name to view the details, paying special note to the link URL that is provided. Give this URL to users in the member account who need to access the role. Also make note of the Role ARN because you need this in step 11.

  10. Sign in to the Identity and Access Management (IAM) console at https://console.aws.amazon.com/iam/. This time, sign in as a user in the master account who has permissions to create policies and assign the policies to users or groups.

  11. Navigate to Policies, and then choose Create Policy.

    Note

    This example shows how to create a policy and attach it to a group. If you already created this policy for other accounts, you can skip to

  12. For Service, choose STS.

  13. For Actions, start typing AssumeRole in the Filter box, and then check the box next to it when it appears.

  14. Choose Resources, ensure Specific is selected, and then choose Add ARN.

  15. Type your AWS account ID number and type the name of the role you previously created in steps 1 - 9.

  16. If you are granting permission to assume the role in multiple member accounts, repeat steps 14 and 15 for each account.

  17. Choose Review policy.

  18. Type a name for the new policy, and then choose Create policy to save your changes.

  19. Choose Groups in the navigation pane, and then choose the name of the group (not the check box) that you want to use to delegate administration of the member account.

  20. Choose Attach Policy, select the policy that you created in steps 11 - 18, and then choose Attach Policy.

The users who are members of the selected group now can use the URLs that you captured in step 9 to access each member account's role. They can access these member accounts the same way as they would if accessing an account that you create in the organization. For more information about using the role to administer a member account, see Accessing a Member Account That Has a Master Account Access Role.
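The procedure above produces two policy documents: the trust policy on the role in the member account (steps 3 to 6) and the permission policy on the group in the master account (steps 11 to 20). The following added example, which is not AWS documentation code, builds both as JSON so they can be reviewed or applied with the CLI or an SDK instead of clicked through, and includes a small review helper that lists which role ARNs a permission policy allows sts:AssumeRole on. The account IDs are constructed placeholders; the policy shapes (root principal of the master account, the aws:MultiFactorAuthPresent condition for the MFA option) are what the console generates for the choices described above.

```python
"""Added example (not AWS documentation code): build the policy documents the
console procedure above produces.

  * trust policy for OrganizationAccountAccessRole in the invited member account
    (trust the master account, no external ID, optional MFA requirement)
  * permission policy for the master-account group (sts:AssumeRole on the role
    ARN in each member account, i.e. steps 14 to 16 repeated per account)

All account IDs below are constructed placeholders.
"""
import json
import re

ROLE_NAME = "OrganizationAccountAccessRole"  # default name assigned in created accounts
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=,.@-]+)$")


def role_arn(account_id: str, role_name: str = ROLE_NAME) -> str:
    """arn:aws:iam::accountIdNumber:role/rolename, with the account ID validated."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError(f"account ID must be 12 digits, got {account_id!r}")
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def trust_policy(master_account_id: str, require_mfa: bool = False) -> dict:
    """Trust policy for the admin role in the member account (steps 3 to 6).

    The principal is the master account's root ARN, which is what "Another AWS
    account" generates; the master account then decides, via the permission
    policy below, which of its users or groups may actually assume the role.
    No sts:ExternalId condition is added, matching step 5.
    """
    if not ACCOUNT_ID_RE.match(master_account_id):
        raise ValueError(f"account ID must be 12 digits, got {master_account_id!r}")
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{master_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:  # step 6: only callers who signed in with MFA may assume the role
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def assume_role_policy(member_account_ids, role_name: str = ROLE_NAME) -> dict:
    """Permission policy for the master-account group: one role ARN per member account."""
    resources = [role_arn(acct, role_name) for acct in member_account_ids]
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": resources}],
    }


def assumable_role_arns(policy: dict):
    """Review helper: the role ARNs a policy allows sts:AssumeRole on, plus a flag
    that is True when any statement grants it on "*" (not scoped to named roles)."""
    arns, wildcard = set(), False
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        for res in resources:
            if res == "*":
                wildcard = True
            elif ROLE_ARN_RE.match(res):
                arns.add(res)
    return arns, wildcard


if __name__ == "__main__":
    # Constructed IDs: 111111111111 is the master account, the others are members.
    print(json.dumps(trust_policy("111111111111", require_mfa=True), indent=2))
    print(json.dumps(assume_role_policy(["222222222222", "333333333333"]), indent=2))
```

The trust policy is what you would pass as the assume-role policy document when creating the role in the member account, and the permission policy is what the group in the master account gets; running the review helper over an existing policy shows at a glance whether the grant is limited to the member-account roles you intended.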

Accessing a Member Account That Has a Master Account Access Role

When you create a member account using the AWS Organizations console, AWS Organizations automatically creates an IAM role in the account. This role has full administrative permissions in the member account. The role is also configured to grant that access to the organization's master account. You can create an identical role for an invited member account by following the steps in Creating the OrganizationAccountAccessRole in an Invited Member Account. To use this role to access the member account, you must sign in as a user from the master account that has permissions to assume the role. To configure these permissions, perform the following procedure. We recommend that you grant permissions to groups instead of users for ease of maintenance.

To grant permissions to members of an IAM group in the master account to access the role (Console)

  1. Sign in to the IAM console at https://console.aws.amazon.com/iam/ as a user with administrator permissions in the master account. This is required to delegate permissions to the IAM group whose users will access the role in the member account.

  2. In the navigation pane, choose Groups, and then choose the name of the group whose members you want to be able to assume the role in the member account. You can create a new group, if required.

  3. Choose the Permissions tab, and then expand the Inline Policies section.

  4. If no inline policies exist, choose click here to create one. Otherwise, choose Create Group Policy.

  5. Next to Policy Generator, choose Select.

  6. On the Edit Permissions page, set the following options:

    • For Effect, choose Allow.

    • For AWS Service, choose AWS Security Token Service.

    • For Actions, choose AssumeRole.

    • For Amazon Resource Name (ARN), type the ARN of the role that was created in the account. You can see the ARN in the IAM console on the role's Summary page. To construct this ARN, use the following template:

      arn:aws:iam::accountIdNumber:role/rolename

      Substitute the account ID number of the member account and the role name that was configured when you created the account. If you did not specify a role name, then the name defaults to OrganizationAccountAccessRole. The ARN should look like the following:

      arn:aws:iam::123456789012:role/OrganizationAccountAccessRole

  7. Choose Add statement, and then choose Next step.

  8. On the Review Policy page, ensure that the ARN for the role is correct. Type a name for the new policy, and then choose Apply Policy.

    IAM users that are members of the group now have permissions to switch to the new role in the AWS Management Console. When using the role, the user has administrator permissions in the new member account.

  9. Provide the information to the user who will switch to the role in the console. The user needs the account number and the role name to enter manually in the AWS Management Console, or you can send the user a link that is constructed as shown in the following example. It is shown on multiple lines here for readability, but you should type it and provide it all as one line:

    https://signin.aws.amazon.com/switchrole
        ?account=accountIdNumber
        &roleName=roleName
        &displayName=textToDisplay

    The textToDisplay is a string that is displayed on the navigation bar in place of the user name.
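The ARN template in step 6 and the switch-role link in step 9 are both assembled from the member account ID and the role name. The following added example, not AWS documentation code, builds the link with proper URL encoding (so a display name containing spaces or an ampersand still yields one valid URL), derives it directly from the role ARN shown on the role's Summary page, and parses a link back so the account and role it points at can be checked before it is forwarded to a user. Account IDs and display names are constructed placeholders.

```python
"""Added example (not AWS documentation code): build and check the switch-role
link from step 9. Account IDs and display names are constructed placeholders.
"""
import re
from urllib.parse import parse_qs, urlencode, urlsplit

SWITCH_ROLE_ENDPOINT = "https://signin.aws.amazon.com/switchrole"
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=,.@-]+)$")


def switch_role_url(account_id: str, role_name: str, display_name: str) -> str:
    """https://signin.aws.amazon.com/switchrole?account=...&roleName=...&displayName=...

    urlencode percent-encodes (or '+'-encodes) characters such as spaces and '&'
    in displayName, so the whole link stays a single valid URL.
    """
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError(f"account ID must be 12 digits, got {account_id!r}")
    query = urlencode({"account": account_id, "roleName": role_name, "displayName": display_name})
    return f"{SWITCH_ROLE_ENDPOINT}?{query}"


def switch_role_url_from_arn(role_arn: str, display_name: str) -> str:
    """Same link, derived from the role ARN (arn:aws:iam::accountIdNumber:role/rolename)."""
    m = ROLE_ARN_RE.match(role_arn)
    if not m:
        raise ValueError(f"not an IAM role ARN: {role_arn!r}")
    return switch_role_url(m.group(1), m.group(2), display_name)


def parse_switch_role_url(url: str) -> dict:
    """Return {'account', 'roleName', 'displayName'} from a link.

    Raises ValueError if the link does not point at the AWS sign-in switch-role
    endpoint over HTTPS or lacks one of the three parameters, so a link received
    from elsewhere can be checked before anyone clicks it.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.netloc != "signin.aws.amazon.com" or parts.path != "/switchrole":
        raise ValueError(f"not an AWS switch-role link: {url!r}")
    params = parse_qs(parts.query, strict_parsing=True)
    missing = [k for k in ("account", "roleName", "displayName") if k not in params]
    if missing:
        raise ValueError(f"switch-role link is missing {missing}")
    result = {k: params[k][0] for k in ("account", "roleName", "displayName")}
    if not ACCOUNT_ID_RE.match(result["account"]):
        raise ValueError(f"account parameter is not a 12-digit ID: {result['account']!r}")
    return result


if __name__ == "__main__":
    link = switch_role_url_from_arn(
        "arn:aws:iam::123456789012:role/OrganizationAccountAccessRole", "Member 1 admin"
    )
    print(link)
    print(parse_switch_role_url(link))
```

Because the display name is shown on the navigation bar in place of the user name, choose one that identifies the member account unambiguously; the parser lets an administrator confirm that the account and roleName in a link match the ARN recorded when the role was created.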

For more information about granting permissions to switch roles, see Granting a User Permissions to Switch Roles in the IAM User Guide.

To manually switch to the role for the member account (Console)

If you provide your users with a link formatted as shown in the preceding procedure, then they simply have to click the link. They do not have to follow this procedure.

  1. Sign in to the AWS Management Console as the master account user who was granted permissions in the preceding procedure. For example, you can use the IAM console at https://console.aws.amazon.com/iam/.

  2. In the upper-right corner, choose the link that contains your current sign-in name, and then choose Switch role.

  3. Type the account ID number and role name provided by your administrator.

  4. For Display Name, type the text that you want to show on the navigation bar in the upper-right corner in place of your user name while you are using the role. You can optionally select a color.

  5. Choose Switch Role. Now, all actions that you perform are done with the permissions granted to the role that you switched to. You no longer have the permissions associated with your original IAM user until you switch back.

  6. When you are done performing actions that require the permissions of the role, you can switch back to your normal IAM user by choosing the role name in the upper-right corner (whatever you specified as the Display Name), and then choosing Back to UserName.

For more information about using a role that you have been granted permissions to assume, see Switching to a Role (AWS Management Console) in the IAM User Guide.

For an end-to-end tutorial about using roles for cross-account access, see Tutorial: Delegate Access Across AWS Accounts Using IAM Roles in the IAM User Guide.