Why Did The AWS Sub-account Connection Script Fail to Connect Some Accounts?
Written by Aran Khanna
Updated over a week ago

If the Bash script generated to help you connect your AWS sub-accounts to Reserved.ai, using the role from your Master billing account, fails with an error similar to the one below:

An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::000000000000:user/your-master-user is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::111111111111:role/OrganizationAccountAccessRole

the most likely cause is that the AWS sub-account was invited to the AWS Organization rather than created directly from the Master billing account, or that the sub-account removed the pre-generated OrganizationAccountAccessRole. In either case, the role that would give the Master billing account permission to access the sub-account is not present in that sub-account.

To fix this, skip the script and connect each of these sub-accounts manually: log in to that account directly and go through the same IAM Role installation walkthrough you completed to connect the Master billing account.
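To find out ahead of time which sub-accounts will need the manual walkthrough, the check below attempts the same `sts:AssumeRole` call for each account ID and lists the ones that fail. This is an added example, not part of the generated connection script; the function names, the file name and the session name `preflight-check` are assumptions, and it expects the AWS CLI to be configured with the Master billing account credentials.

```bash
#!/usr/bin/env bash
# Added example (not Archera's script). Run with the Master billing account
# credentials that the connection script uses.
# Usage (hypothetical file name):
#   ./preflight.sh $(aws organizations list-accounts --query 'Accounts[].Id' --output text)

ROLE_NAME="OrganizationAccountAccessRole"  # role named in the error above

# True only for a 12-digit AWS account ID.
is_account_id() {
  case "$1" in
    *[!0-9]*) return 1 ;;
  esac
  [ "${#1}" -eq 12 ]
}

# Returns 0 if the current credentials can assume ROLE_NAME in the account.
# Any failure (AccessDenied, missing role, bad credentials) returns non-zero,
# because the connection script would fail for that account as well.
# Only the assumed-role ARN is requested; temporary keys are never printed.
can_assume() {
  aws sts assume-role \
    --role-arn "arn:aws:iam::$1:role/${ROLE_NAME}" \
    --role-session-name "preflight-check" \
    --duration-seconds 900 \
    --query 'AssumedRoleUser.Arn' --output text >/dev/null 2>&1
}

# Prints, one per line, the account IDs that must be connected manually.
accounts_needing_manual_setup() {
  for id in "$@"; do
    if ! is_account_id "$id"; then
      echo "skipping invalid account id: $id" >&2
      continue
    fi
    if ! can_assume "$id"; then
      printf '%s\n' "$id"
    fi
  done
}

# Run the check only when account IDs are passed on the command line.
if [ "$#" -gt 0 ]; then
  accounts_needing_manual_setup "$@"
fi
```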
