How can I troubleshoot errors related to the AWS Organizations agreement for AWS Artifact?


I got an account or permission error when I tried to access or download an AWS Organizations agreement with AWS Artifact.

Resolution

Follow these steps to troubleshoot the error message that you received.

"Your account isn't in an organization. To create or join an organization, follow the instructions in Creating and Managing an AWS Organization"

This error occurs because you're logged in to the AWS Management Console with an AWS account that isn't part of AWS Organizations. To accept an organization agreement, you must create an organization for your account. 

"You are signed in to the management account of an organization in AWS Organizations. You can manage agreements for your management account and for all member accounts in your organization. By continuing, you grant AWS permissions to create an IAM role to identify the member accounts in your organization in AWS Organizations."

This error occurs because trusted access for AWS Artifact isn't activated in the AWS Organizations console of the management account. You must activate trusted access for AWS Artifact from the management account of the organization.

You can then download the organization agreements that are valid for all accounts in the organization:

  1. Open the AWS Artifact console from the management account.
  2. Choose Organization Agreements.
  3. Select the organization agreement, and then choose Download agreement.

Note: You can't use a member account to accept organization agreements. You can only view or download organization agreements from the member accounts of an organization.

"You don't have the permissions to retrieve information about your AWS account's organization. You need permissions to describe your organization"

-or-

"You don't have the permissions to download the agreement. You need permissions to download this agreement in AWS Artifact"

This error occurs because the AWS Identity and Access Management (IAM) user doesn't have permission to access organization agreements.

If you used an IAM user from the management account to access organization agreements, then be sure that the permissions are similar to the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "artifact:AcceptAgreement",
                "artifact:DownloadAgreement",
                "artifact:TerminateAgreement"
            ],
            "Resource": [
                "arn:aws:artifact::*:customer-agreement/*",
                "arn:aws:artifact:::agreement/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "iam:ListRoles",
            "Resource": "arn:aws:iam::*:role/*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/artifact.amazonaws.com/AWSServiceRoleForArtifact"
        },
        {
            "Effect": "Allow",
            "Action": [
                "organizations:DescribeOrganization",
                "organizations:EnableAWSServiceAccess",
                "organizations:ListAccounts",
                "organizations:ListAWSServiceAccessForOrganization"
            ],
            "Resource": "*"
        }
    ]
}

If you used an IAM user from a member account to access organization agreements, then be sure that the permissions are similar to the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "artifact:AcceptAgreement",
                "artifact:DownloadAgreement",
                "artifact:TerminateAgreement"
            ],
            "Resource": [
                "arn:aws:artifact::*:customer-agreement/*",
                "arn:aws:artifact:::agreement/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "organizations:DescribeOrganization"
            ],
            "Resource": "*"
        }
    ]
}

For more information, see Identity and access management in AWS Artifact.
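
To find which permission is behind one of the two permission errors above, you can compare the IAM user's policy document against the actions listed in the example policies. The following script is an added example, not AWS code: the function names and the sample policy are constructed for illustration, and it reads only Effect and Action, so Resource scoping, conditions, explicit Deny statements, and service control policies are not evaluated.

```python
import json
from fnmatch import fnmatchcase

# Actions taken from the two example policies on this page.
MEMBER = {
    "artifact:AcceptAgreement",
    "artifact:DownloadAgreement",
    "artifact:TerminateAgreement",
    "organizations:DescribeOrganization",
}
MANAGEMENT = MEMBER | {
    "iam:ListRoles",
    "iam:CreateServiceLinkedRole",
    "organizations:EnableAWSServiceAccess",
    "organizations:ListAccounts",
    "organizations:ListAWSServiceAccessForOrganization",
}

def as_list(value):
    """IAM lets Statement and Action be a single item or a list."""
    return value if isinstance(value, list) else [value]

def missing_actions(policy_json, account_type):
    """Return required actions that no Allow statement in the policy names.

    Simplification: only Effect and Action are read. Resource, Condition,
    NotAction, explicit Deny, SCPs and permission boundaries are ignored.
    """
    required = MANAGEMENT if account_type == "management" else MEMBER
    patterns = []
    for stmt in as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") == "Allow":
            # Action names are case-insensitive and may contain * or ?.
            patterns += [a.lower() for a in as_list(stmt.get("Action", []))]
    return sorted(
        act for act in required
        if not any(fnmatchcase(act.lower(), pat) for pat in patterns)
    )

# Constructed sample: a policy that forgot organizations:DescribeOrganization.
SAMPLE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "artifact:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["organizations:ListAccounts"], "Resource": "*"}
  ]
}"""

if __name__ == "__main__":
    for kind in ("member", "management"):
        print(kind, "account is missing:", missing_actions(SAMPLE, kind))
```

An empty list means every action from the page's example policy is named by an Allow statement; anything returned is a candidate cause of the permission error.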

"Your organization must be enabled for all features"

This error occurs because your organization is configured only for consolidated billing. To use organization agreements in AWS Artifact, you must activate your organization for all features with AWS Organizations. For more information, see Activating all features in your organization.

Related information

Managing agreements in AWS Artifact

AWS OFFICIAL
Updated 3 months ago