Manage AWS Accounts Using AWS Organizations

Link to chapter - https://serverless-stack.com/chapters/manage-aws-accounts-using-aws-organizations.html

Might be worth noting: you need to create an IAM user for this switch role to work; it will not work on the root account. I did not know this until googling.

1 Like

Thanks for pointing this out. Do you mind editing the chapter and submitting a PR to help other folks?

If not, let me know which part of the chapter should mention this and I’ll add it there.

I followed the instructions to add a new account to my AWS Organization, but I have no option to “Switch Role” in my menu. I also cannot login to this user as I do not know the password, and when I click “Forgot password” it says I must request a password reset through the root user. I tried to remove the account, but it says that I cannot remove it because the account has not completed the sign-up steps. What do I do to access and/or delete this user? I think you may have a step missing from your instructions. Thanks for your help!

Hmm were you logged in as the root user when you were creating a new account? For the signup part, you might be using the wrong URL to login.

Yes, I was logging in as the root user. I had to create an IAM user with console access and then login as that user instead. Then the option to switch roles became available.

1 Like

I can confirm Susan’s experience above. The “Switch Role” option is not available for the root user.
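The point the posters above make (role switching only works from an IAM principal, never from the account root user) can be checked from the CLI before attempting the switch. The script below is an added example, not code from the Serverless Stack chapter or from any of the posters. It assumes the AWS CLI is installed and configured with an IAM user's credentials, that the member account still has the default `OrganizationAccountAccessRole` that AWS Organizations creates with each new account, and the 12-digit account IDs used here are placeholders.

```shell
#!/bin/sh
# Added example: assume the Organizations cross-account role in a member
# account from an IAM user, refusing early when the caller is the root user
# (root cannot call sts:AssumeRole, which is why "Switch Role" never appears
# for it). Assumes the AWS CLI is configured with IAM user credentials.
set -eu

# Return 0 when the ARN belongs to an account root user, 1 otherwise.
# Root ARNs have the fixed form arn:aws:iam::<account-id>:root.
is_root_principal() {
    case "$1" in
        arn:aws:iam::*:root) return 0 ;;
        *) return 1 ;;
    esac
}

# Build the ARN of the role to assume in a member account. The role name
# defaults to the one Organizations creates when it creates the account.
member_role_arn() {
    account_id="$1"
    role_name="${2:-OrganizationAccountAccessRole}"
    case "$account_id" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "invalid account id: $account_id" >&2; return 1 ;;
    esac
    printf 'arn:aws:iam::%s:role/%s\n' "$account_id" "$role_name"
}

# Assume the member-account role and print export lines for the temporary
# credentials. Usage: eval "$(assume_member_role 123456789012)"
# (123456789012 is a placeholder member account id).
assume_member_role() {
    account_id="$1"
    caller_arn="$(aws sts get-caller-identity --query Arn --output text)"
    if is_root_principal "$caller_arn"; then
        echo "refusing: $caller_arn is the root user; sign in as an IAM user instead" >&2
        return 1
    fi
    role_arn="$(member_role_arn "$account_id")"
    # The session name shows up in CloudTrail in the member account, so make
    # it identifiable. Credentials are temporary (one hour by default).
    creds="$(aws sts assume-role \
        --role-arn "$role_arn" \
        --role-session-name "org-admin-$(date +%s)" \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
        --output text)"
    # Output is one tab-separated line: key, secret, token.
    set -- $creds
    printf 'export AWS_ACCESS_KEY_ID=%s\n' "$1"
    printf 'export AWS_SECRET_ACCESS_KEY=%s\n' "$2"
    printf 'export AWS_SESSION_TOKEN=%s\n' "$3"
}
```

Running `eval "$(assume_member_role <member-account-id>)"` in a shell puts the member-account credentials in the environment for that session only; the root-user check is the same condition the console applies when it hides “Switch Role”, just made visible before the call fails.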

Since June 2019, AWS has offered AWS Control Tower. Combined with SSO, this is an alternative to the Organizations setup described here. I have now experienced using both Organizations and Control Tower and it’s worth noting that Control Tower is a vastly superior option. It’s also easier to use and manage, though the initial learning curve is marginally higher.

The only real challenge I found with Control Tower is how they use the term “account” in a relatively overloaded fashion. That is exacerbated by the requirement that each such account have a unique email address during setup, which creates a new “root” user for the account. (We realized that we could deal with this by using + in email addresses so they are effectively all the same account, differentiated by whatever is after the + sign.)

This would be a great section of this guide to update to the Control Tower option. It is also worth noting that AWS recommends Control Tower as their “best practice” over Organizations now. Even if you just added a note to the effect of “Consider using AWS Control Tower as an alternative” with a link to that, perhaps it would save some folks from some headaches.

Yeah we’ll look into this and the SSO setup!