How do I remove a member account from an organization in AWS Organizations when I can't sign in to the member account?
Last updated: 2020-06-26
I want to remove a member account from an organization and turn that account into a standalone account. However, I can't sign in to the member account. What should I do?
To gain access to a member account in an organization, first try the following:
- Contact the administrator of the member account and ask them to grant you access.
- If you have access to the email address associated with the account, but have forgotten the password, reset the password.
If the preceding strategies don't work, use AWS Identity and Access Management (IAM) to assume an administrator's role for the account:
- If the member account was created using the AWS Organizations Console, an IAM role called "OrganizationAccountAccessRole" was automatically created to grant administrative permissions to the master account.
- If the account was invited to the organization, the IAM role "OrganizationAccountAccessRole" was not automatically created. To create the AWS Organizations admin role for an invited member account, see Creating the OrganizationAccountAccessRole in an invited member account.
Add permissions to assume an administrator's IAM role for the member account. For more information, see Accessing a member account that has a master account access role. Then, switch to the IAM role in the console. After you assume the "OrganizationAccountAccessRole" for the member account, do the following:
- Open the IAM console, choose Users from the navigation pane, and then choose Add user.
- Enter a user name, and then select AWS Management Console access.
- Select Custom password, and then enter a password.
- Clear Require password reset.
- Choose Next: Permissions.
- Choose Attach existing policies directly, choose AdministratorAccess from the list of policies, and then choose Next: Tags.
- (Optional) On the Add tags page, enter values for Key and Value.
- Choose Next: Review.
- Review the details of your new IAM user, and then choose Create user.
After you complete these steps, verify the necessary details and then remove the member account from the organization.
Note: If you want to close a member account instead, follow the instructions at Closing an AWS account. You must be able to sign in as the root user to close an account.