How can I troubleshoot AWS Artifact organization agreement access or download errors?

Last updated: 2020-08-26

I get an account or permission error trying to access or download an AWS Organizations agreement with AWS Artifact.

Resolution

Follow the troubleshooting steps for the error message that you receive.

"Your account isn’t in an organization. To create or join an organization, follow the instructions in Creating and Managing an AWS Organization"

This error means that you are signed in to the AWS Management Console with an AWS account that is not part of an organization in AWS Organizations. Your AWS account must be part of an organization to accept an organization agreement. You can create or join an organization by following the instructions in Creating and managing an organization.

"Your organization isn’t using AWS Artifact to accept agreements for its member accounts. To get started, contact your master account administrator"

This error means that the master account of your organization in AWS Organizations has not accepted the organization agreement on behalf of all member accounts. The master account must accept an organization agreement from the AWS Artifact console on behalf of all member accounts. Follow the instructions for Accepting an agreement for your organization.

Note: You can't accept organization agreements with member accounts. Member accounts of an organization can only view or download organization agreements.

"You don’t have the permissions to retrieve information about your AWS account’s organization. You need permissions to describe your organization"

-or-

"You don’t have the permissions to download the agreement. You need permissions to download this agreement in AWS Artifact"

Either of these errors means that the AWS Identity and Access Management (IAM) user does not have permission to access organization agreements.

If you are accessing organization agreements with an IAM user from the master account, be sure that the permissions are similar to the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "artifact:AcceptAgreement",
                "artifact:DownloadAgreement",
                "artifact:TerminateAgreement"
            ],
            "Resource": [
                "arn:aws:artifact::*:customer-agreement/*",
                "arn:aws:artifact:::agreement/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "iam:ListRoles",
            "Resource": "arn:aws:iam::*:role/*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreateRole",
            "Resource": "arn:aws:iam::*:role/service-role/AWSArtifactAccountSync"
        },
        {
            "Effect": "Allow",
            "Action": "iam:AttachRolePolicy",
            "Resource": "arn:aws:iam::*:role/service-role/AWSArtifactAccountSync",
            "Condition": {
                "ArnEquals": {
                    "iam:PolicyARN": "arn:aws:iam::aws:policy/service-role/AWSArtifactAccountSync"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "organizations:DescribeOrganization",
                "organizations:EnableAWSServiceAccess",
                "organizations:ListAccounts",
                "organizations:ListAWSServiceAccessForOrganization"
            ],
            "Resource": "*"
        }
    ]
}

If you are accessing organization agreements with an IAM user from a member account, be sure that the permissions are similar to the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "artifact:AcceptAgreement",
                "artifact:DownloadAgreement"
            ],
            "Resource": [
                "arn:aws:artifact:::agreement/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreateRole",
            "Resource": "arn:aws:iam::*:role/service-role/AWSArtifactAccountSync"
        },
        {
            "Effect": "Allow",
            "Action": "iam:AttachRolePolicy",
            "Resource": "arn:aws:iam::*:role/service-role/AWSArtifactAccountSync",
            "Condition": {
                "ArnEquals": {
                    "iam:PolicyARN": "arn:aws:iam::aws:policy/service-role/AWSArtifactAccountSync"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "iam:ListRoles",
            "Resource": "arn:aws:iam::*:role/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "organizations:DescribeOrganization",
                "organizations:ListAWSServiceAccessForOrganization"
            ],
            "Resource": "*"
        }
    ]
}

For more information, see Controlling access.
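To find out which permissions an IAM user's policy lacks, you can compare it with the two example policies above. The following is an added example, not AWS code: the function names and the sample policy are hypothetical, and the check looks only at Action patterns in Allow and Deny statements.

```python
import json
from fnmatch import fnmatchcase

# Required actions, copied from the two example policies on this page.
_COMMON = {
    "artifact:AcceptAgreement", "artifact:DownloadAgreement",
    "iam:ListRoles", "iam:CreateRole", "iam:AttachRolePolicy",
    "organizations:DescribeOrganization",
    "organizations:ListAWSServiceAccessForOrganization",
}
REQUIRED = {
    "member": _COMMON,
    "master": _COMMON | {
        "artifact:TerminateAgreement",
        "organizations:EnableAWSServiceAccess",
        "organizations:ListAccounts",
    },
}

def _as_list(value):
    """IAM accepts one item or a list for Statement and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _patterns(policy, effect):
    """Lower-cased Action patterns from statements with the given Effect."""
    return [a.lower()
            for stmt in _as_list(policy.get("Statement"))
            if stmt.get("Effect") == effect
            for a in _as_list(stmt.get("Action"))]

def missing_actions(policy_json, account_type):
    """Return required actions that no Allow covers or that a Deny matches.

    Simplification: Resource, Condition, NotAction and SCPs are not
    evaluated, so any matching Deny is conservatively reported.
    """
    policy = json.loads(policy_json)
    allowed, denied = _patterns(policy, "Allow"), _patterns(policy, "Deny")
    def hit(action, patterns):
        return any(fnmatchcase(action.lower(), p) for p in patterns)
    return sorted(a for a in REQUIRED[account_type]
                  if not hit(a, allowed) or hit(a, denied))

# Constructed sample: a member-account policy that is too narrow.
SAMPLE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["artifact:Download*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "organizations:DescribeOrganization",
     "Resource": "*"}]})
```

An empty list means the policy covers every action in the matching example policy. Any action returned is one to add to the policy or, where a Deny statement matches it, to review.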

"Your organization must be enabled for all features"

This error means that your organization is configured only for consolidated billing. To use organization agreements in AWS Artifact, your organization must be enabled for all features with AWS Organizations. For more information, see Enabling all features in your organization.

