Accessing the member account

Once you've created your member account, it's time to put it to work!

An IAM role will be present in the new account, with a default name of OrganizationAccountAccessRole. This is so you can assume the role (from your master account) and administer the member account. While this name is as good as any, it can be configured by passing the --role-name argument when creating the account.

In order to assume the role, you need to know its Amazon Resource Name (ARN). Working out the ARN is a multi-step process:

1. List your member accounts by running the following command in your master account:

        aws organizations list-accounts

1. Find the account you created (by its name) and note the ID value in the record. Using that ID, generate the role's ARN by following this pattern:

        arn:aws:iam::<your-member-account-
        id>:role/OrganizationAccountAccessRole

1. If you have changed the created role's name, update the last part of the ARN accordingly.

See the recipes in Chapter 8, Security and Identity for information on how to best manage multiple accounts.