Accessing member accounts in an organization with AWS Organizations - AWS Organizations
This documentation is a draft for private preview for regions in the AWS European Sovereign Cloud. Documentation content will continue to evolve. Published: December 30, 2025.

Accessing member accounts in an organization with AWS Organizations

When you create an account in your organization, AWS Organizations automatically creates an IAM role that is by default named OrganizationAccountAccessRole. You can specify a different name when you create it, however we recommend that you name it consistently across all of your accounts. AWS Organizations doesn't create any other users or roles.

To access the accounts in your organization, you must use one of the following methods:

Minimum permissions

To access an AWS account from any other account in your organization, you must have the following permission:

  • sts:AssumeRole – The Resource element must be set to either an asterisk (*) or the account ID number of the account with the user who needs to access the new member account

Using trusted access for IAM Identity Center

Use AWS IAM Identity Center and enable trusted access for IAM Identity Center with AWS Organizations. This allows users to sign in to the AWS access portal with their corporate credentials and access resources in their assigned management account or member accounts.

For more information, see Multi-account permissions in the AWS IAM Identity Center User Guide. For information about setting up trusted access for IAM Identity Center, see AWS IAM Identity Center and AWS Organizations.

Using the IAM role OrganizationAccountAccessRole

If you create an account by using the tools provided as part of AWS Organizations, you can access the account by using the preconfigured role named OrganizationAccountAccessRole that exists in all new accounts that you create this way. For more information, see Accessing a member account that has OrganizationAccountAccessRole with AWS Organizations.

If you invite an existing account to join your organization and the account accepts the invitation, you can then choose to create an IAM role that allows the management account to access the invited member account. This role is intended to be identical to the role automatically added to an account that is created with AWS Organizations.

To create this role, see Creating OrganizationAccountAccessRole for an invited account with AWS Organizations.

After you create the role, you can access it using the steps in Accessing a member account that has OrganizationAccountAccessRole with AWS Organizations.

Topics