Shawlz

Reputation: 658

Forgot AWS Organization Member Account IAM role name

After setting up AWS Organizations, I created a member account with a custom IAM role name. I've now forgotten the role name used and I'm unable to assume role as root into that account. I need to create IAM users in the member account but without the ability to assume role using the custom OrganizationAccountAccessRole it seems I'm unable to.

I've tried getting access by

  1. Using the member account root user but it doesn't have permissions to IAM
  2. Signing in to the member account using an AWS SSO user with the IAMFullAccess and AdministratorAccess policies attached to the permission set, but the user cannot access IAM.
  3. Attempting to describe member account using the master account admin user but the role isn't there

At this point, I'm thinking the only way out is to recreate the member account. Please tell me there is a better way.


UPDATE: Found that 1 & 2 didn't work because of a restrictive Service Control Policy (SCP) on the account which didn't include IAM access permissions.

Upvotes: 3

Views: 1312

Answers (1)

Marcin

Reputation: 238309

Based on the comments.

The solution was to inspect CloudTrail logs to find the API call used to create the role.

Upvotes: 4
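The API call to look for is `organizations:CreateAccount`, logged in the management account's CloudTrail: its `requestParameters` carry the `accountName` and, when one was given, the `roleName`; if `roleName` is absent, Organizations created the default `OrganizationAccountAccessRole`. The following is an added example (not code from the question or the answer) that parses those events offline, both from the JSON returned by `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=CreateAccount` (last 90 days only) and from a trail log object as delivered to S3 for anything older. The sample events, account names and role names are constructed for the demonstration; the fallback to the default role name and the skipping of failed calls (those with an `errorCode`) are the details a practitioner would want handled.

```python
"""Recover the cross-account role name of an AWS Organizations member account
from CloudTrail records, offline, using only the events the management
account logged when CreateAccount was called."""
import gzip
import json
from typing import Dict, Iterable, Iterator

# Name Organizations uses when CreateAccount is called without roleName.
DEFAULT_ROLE_NAME = "OrganizationAccountAccessRole"


def events_from_lookup(response: dict) -> Iterator[dict]:
    """Yield decoded records from an `aws cloudtrail lookup-events` response.
    Each Events[] entry carries the full record as a JSON string in CloudTrailEvent."""
    for entry in response.get("Events", []):
        yield json.loads(entry["CloudTrailEvent"])


def events_from_trail_file(data: bytes) -> Iterator[dict]:
    """Yield records from a trail log object as delivered to S3: a gzip-compressed
    JSON document with a top-level 'Records' list (plain JSON is accepted too)."""
    raw = gzip.decompress(data) if data[:2] == b"\x1f\x8b" else data
    for record in json.loads(raw).get("Records", []):
        yield record


def member_role_names(events: Iterable[dict]) -> Dict[str, str]:
    """Map accountName -> cross-account role name for every successful
    organizations:CreateAccount call. Falls back to the documented default when
    the caller omitted roleName; calls that failed (errorCode present) created
    no account and are skipped."""
    found: Dict[str, str] = {}
    for ev in events:
        if ev.get("eventSource") != "organizations.amazonaws.com":
            continue
        if ev.get("eventName") != "CreateAccount" or "errorCode" in ev:
            continue
        params = ev.get("requestParameters") or {}
        name = params.get("accountName")
        if name:
            found[name] = params.get("roleName") or DEFAULT_ROLE_NAME
    return found


def assume_role_arn(account_id: str, role_name: str) -> str:
    """ARN to pass to sts:AssumeRole from the management account."""
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def _record(**fields: object) -> dict:
    return {"eventVersion": "1.08", "eventSource": "organizations.amazonaws.com",
            "eventName": "CreateAccount", **fields}


# Constructed sample in the shape lookup-events returns (not real log data).
SAMPLE_LOOKUP_RESPONSE = {"Events": [
    {"EventName": "CreateAccount", "CloudTrailEvent": json.dumps(_record(
        requestParameters={"accountName": "security-tooling",
                           "roleName": "OrgAdminBreakGlass",
                           "iamUserAccessToBilling": "ALLOW"}))},
    {"EventName": "CreateAccount", "CloudTrailEvent": json.dumps(_record(
        requestParameters={"accountName": "sandbox"}))},          # default role
    {"EventName": "CreateAccount", "CloudTrailEvent": json.dumps(_record(
        errorCode="ConstraintViolationException",                 # failed call
        requestParameters={"accountName": "rejected", "roleName": "Nope"}))},
    {"EventName": "CreateRole", "CloudTrailEvent": json.dumps({   # unrelated IAM call
        "eventSource": "iam.amazonaws.com", "eventName": "CreateRole",
        "requestParameters": {"roleName": "Unrelated"}})},
]}

# Constructed sample of a gzip-compressed trail log object from S3.
SAMPLE_TRAIL_FILE = gzip.compress(json.dumps({"Records": [
    _record(requestParameters={"accountName": "logging", "roleName": "LogArchiveAdmin"}),
]}).encode())

if __name__ == "__main__":
    for account, role in member_role_names(events_from_lookup(SAMPLE_LOOKUP_RESPONSE)).items():
        print(f"{account}: {role}")
    for account, role in member_role_names(events_from_trail_file(SAMPLE_TRAIL_FILE)).items():
        print(f"{account}: {role}")
```

Organizations is a global service whose CloudTrail events are recorded in us-east-1, so run the `lookup-events` query with `--region us-east-1` from the management account. The `CreateAccount` record names the account but not its ID (the ID is only reported later by `DescribeCreateAccountStatus`), which is why the map is keyed by account name; pair it with the account ID from `aws organizations list-accounts` when building the ARN for `sts:AssumeRole`.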
