How can I troubleshoot errors related to AWS Artifact organization agreement access or download?

Last updated: 2021-04-27

I get an account or permission error when trying to access or download an AWS Organizations agreement with AWS Artifact.

Resolution

Follow these troubleshooting steps:

"Your account isn’t in an organization. To create or join an organization, follow the instructions in Creating and Managing an AWS Organization"

This error means that you're signed in to the AWS Management Console with an AWS account that isn't part of an organization in AWS Organizations. Your AWS account must be part of an organization to accept an organization agreement. You can create or join an organization by following the instructions in Creating and managing an organization.

"You are signed in to the management account of an organization in AWS Organizations. You can manage agreements for your management account and for all member accounts in your organization. By continuing, you grant AWS permissions to create an IAM role to identify the member accounts in your organization in AWS Organizations."

This error means that trusted access for the AWS Artifact service isn't enabled in the AWS Organizations console of the management account. Trusted access for Artifact must be enabled from the management account of the organization. After that, the organization agreements that are valid for all accounts in the organization can be downloaded from the Organization Agreements section of the Artifact console in the management account.

Note: You can't accept organization agreements with member accounts. Member accounts of an organization can only view or download organization agreements.

"You don't have the permissions to retrieve information about your AWS account’s organization. You need permissions to describe your organization"

-or-

"You don't have the permissions to download the agreement. You need permissions to download this agreement in AWS Artifact"

This error means that the AWS Identity and Access Management (IAM) user doesn't have permission to access organization agreements.

If you're accessing organization agreements with an IAM user from the management account, be sure that the permissions are similar to the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "artifact:AcceptAgreement",
                "artifact:DownloadAgreement",
                "artifact:TerminateAgreement"
            ],
            "Resource": [
                "arn:aws:artifact::*:customer-agreement/*",
                "arn:aws:artifact:::agreement/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "iam:ListRoles",
            "Resource": "arn:aws:iam::*:role/*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreateRole",
            "Resource": "arn:aws:iam::*:role/service-role/AWSArtifactAccountSync"
        },
        {
            "Effect": "Allow",
            "Action": "iam:AttachRolePolicy",
            "Resource": "arn:aws:iam::*:role/service-role/AWSArtifactAccountSync",
            "Condition": {
                "ArnEquals": {
                    "iam:PolicyARN": "arn:aws:iam::aws:policy/service-role/AWSArtifactAccountSync"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "organizations:DescribeOrganization",
                "organizations:EnableAWSServiceAccess",
                "organizations:ListAccounts",
                "organizations:ListAWSServiceAccessForOrganization"
            ],
            "Resource": "*"
        }
    ]
}

If you're accessing organization agreements with an IAM user from a member account, be sure that the permissions are similar to the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "artifact:AcceptAgreement",
                "artifact:DownloadAgreement"
            ],
            "Resource": [
                "arn:aws:artifact:::agreement/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreateRole",
            "Resource": "arn:aws:iam::*:role/service-role/AWSArtifactAccountSync"
        },
        {
            "Effect": "Allow",
            "Action": "iam:AttachRolePolicy",
            "Resource": "arn:aws:iam::*:role/service-role/AWSArtifactAccountSync",
            "Condition": {
                "ArnEquals": {
                    "iam:PolicyARN": "arn:aws:iam::aws:policy/service-role/AWSArtifactAccountSync"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "iam:ListRoles",
            "Resource": "arn:aws:iam::*:role/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "organizations:DescribeOrganization",
                "organizations:ListAWSServiceAccessForOrganization"
            ],
            "Resource": "*"
        }
    ]
}

For more information, see Controlling access.
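
As an added example (not part of the AWS article), the following Python script reports which of the actions from the two policies above a given identity policy does not allow. It compares only the Action patterns of Allow statements; Resource, Condition, explicit Deny and service control policies are not evaluated. The names REQUIRED, allowed_patterns, missing_actions and SAMPLE_POLICY are constructed for illustration.

```python
import fnmatch
import json

# Actions copied from the management-account and member-account policies on this page.
COMMON = {
    "artifact:AcceptAgreement", "artifact:DownloadAgreement",
    "iam:ListRoles", "iam:CreateRole", "iam:AttachRolePolicy",
    "organizations:DescribeOrganization",
    "organizations:ListAWSServiceAccessForOrganization",
}
REQUIRED = {
    "member": COMMON,
    "management": COMMON | {
        "artifact:TerminateAgreement",
        "organizations:EnableAWSServiceAccess",
        "organizations:ListAccounts",
    },
}

def allowed_patterns(policy):
    """Return the Action patterns of every Allow statement (Action may be str or list)."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a single statement object is valid IAM JSON
        statements = [statements]
    patterns = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue                      # Deny and NotAction are out of scope here
        action = stmt["Action"]
        patterns += [action] if isinstance(action, str) else list(action)
    return patterns

def missing_actions(policy, account_type):
    """List required actions that no Allow pattern covers (IAM actions are case-insensitive)."""
    patterns = [p.lower() for p in allowed_patterns(policy)]
    return sorted(
        action for action in REQUIRED[account_type]
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)
    )

# Constructed sample: an identity policy that looks broad but omits several actions.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "artifact:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["organizations:Describe*", "iam:ListRoles"], "Resource": "*"}
  ]
}""")

if __name__ == "__main__":
    for kind in ("management", "member"):
        print(kind, "missing:", missing_actions(SAMPLE_POLICY, kind))
```

An empty list means every action named on this page is covered by some Allow pattern; the effective result still depends on the Resource and Condition elements and on any Deny that applies.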

"Your organization must be enabled for all features"

Your organization is configured only for consolidated billing. To use organization agreements in AWS Artifact, your organization must be enabled for all features with AWS Organizations. For more information, see Enabling all features in your organization.

