1
votes

After setting up AWS Organizations, I created a member account with a custom IAM role name. I've now forgotten the role name used and I'm unable to assume role as root into that account. I need to create IAM users in the member account but without the ability to assume role using the custom OrganizationAccountAccessRole it seems I'm unable to.

I've tried getting access by

  1. Using the member account root user but it doesn't have permissions to IAM
  2. Signing in to the member account using an AWS SSO user with the IAMFullAccess and AdministratorAccess policies attached to the policy set, but the user cannot access IAM.
  3. Attempting to describe member account using the master account admin user but the role isn't there

At this point, I'm thinking the only way out is to recreate the member account. Please tell me there is a better way.


UPDATE: Found that 1 & 2 didn't work because of a restrictive Service Control Policy (SCP) on the account which didn't include IAM access permissions.

1
If you created the Org., can you use its master account to investigate this? - Marcin
Hi @Marcin, I tried this, i.e. #3, but the role isn't returned when you view the account in the console or describe it in the CLI. - Shawlz
What about CloudTrail? Wouldn't it have any API calls logged which would be related to setting the role, and the role name? - Marcin
@Marcin: Brilliant idea and it worked! I checked CloudTrail, filtered by EventName:CreateAccount and I was able to see the role specified in the requestParameters. Thanks a lot. - Shawlz
Glad to hear. I will make an answer for future reference. - Marcin

1 Answer

2
votes

Based on the comments.

The solution was to inspect CloudTrail logs to find the API call used to create the role.
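The CloudTrail lookup from the comments, done programmatically, as an added example that is not from the original post or answer: the parser reads CreateAccount records and reports the roleName passed for each account (falling back to the default OrganizationAccountAccessRole when none was given), while the boto3 lookup is only needed for a live query and assumes management-account credentials. The account and role names in the sample are constructed.

```python
import json
from datetime import datetime, timedelta, timezone


def extract_create_account_roles(events):
    """Map account name -> roleName from CreateAccount records.

    `events` is the "Events" list of a CloudTrail lookup_events() response;
    each entry's "CloudTrailEvent" is a JSON string with the full record."""
    roles = {}
    for event in events:
        record = json.loads(event["CloudTrailEvent"])
        if record.get("eventName") != "CreateAccount":
            continue
        params = record.get("requestParameters") or {}
        # Organizations falls back to OrganizationAccountAccessRole when the
        # caller omits roleName, so a missing key means the default was used.
        role = params.get("roleName", "OrganizationAccountAccessRole")
        roles[params.get("accountName")] = role
    return roles


def lookup_create_account_events(days=90):
    """Pull CreateAccount events from CloudTrail event history (needs network,
    management-account credentials; history only covers the last 90 days)."""
    import boto3  # imported here so the parser above runs without boto3
    client = boto3.client("cloudtrail")
    events = []
    for page in client.get_paginator("lookup_events").paginate(
        LookupAttributes=[{"AttributeKey": "EventName",
                           "AttributeValue": "CreateAccount"}],
        StartTime=datetime.now(timezone.utc) - timedelta(days=days),
    ):
        events.extend(page["Events"])
    return events


# Constructed sample in the shape lookup_events() returns, for offline runs.
SAMPLE_EVENTS = [{
    "EventName": "CreateAccount",
    "CloudTrailEvent": json.dumps({
        "eventName": "CreateAccount",
        "requestParameters": {"accountName": "sandbox-dev",
                              "roleName": "ExampleCustomAccessRole"},
    }),
}]

if __name__ == "__main__":
    print(extract_create_account_roles(SAMPLE_EVENTS))
```

Once the role name is recovered, it is worth checking that the SCP on the member account still allows sts:AssumeRole into it, since the UPDATE above shows a restrictive SCP was the cause of options 1 and 2 failing.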