Activate trusted access for stack sets with AWS Organizations

This topic provides instructions on how to activate trusted access with AWS Organizations, which is required by StackSets to deploy across accounts and AWS Regions using service-managed permissions. To use self-managed permissions, see Grant self-managed permissions instead.

Before you create a stack set with service-managed permissions, you must first complete the following tasks:

Enable all features in AWS Organizations. With only consolidated billing features enabled, you can't create a stack set with service-managed permissions.
Activate trusted access with AWS Organizations. After trusted access is activated, StackSets creates the necessary IAM roles in the organization's management account and target (member) accounts when you create stack sets with service-managed permissions.

With trusted access activated, the management account and delegated administrator accounts can create and manage service-managed stack sets for their organization.

To activate trusted access, you must be an administrator user in the management account. An administrator user is a user with full permissions to your AWS account. For more information, Create an administrator user in the AWS Account Management Reference Guide. For recommendations for protecting the security of the management account, see Best practices for the management account in the AWS Organizations User Guide.

To activate trusted access

Sign in to AWS as an administrator of the management account and open the CloudFormation console at https://console.aws.amazon.com/cloudformation.
From the navigation pane, choose StackSets. If trusted access is deactivated, a banner displays that prompts you to activate trusted access.
Choose Activate trusted access.

Trusted access is successfully activated when the following banner displays.

Note
Activate Organizations Access is the same as Enable Organizations Access, and Deactivate Organizations Access is the same as Disable Organizations Access. These terms have been updated based on marketing guidelines.

To deactivate trusted access

See AWS CloudFormation StackSets and AWS Organizations in the AWS Organizations User Guide.

Before you can deactivate trusted access with AWS Organizations, you must deregister all delegated administrators. For more information, see Register a delegated administrator.

Note

For information about using API operations instead of the console to activate or deactivate trusted access, see:

Service-linked roles

The management account uses the AWSServiceRoleForCloudFormationStackSetsOrgAdmin service-linked role. You can modify or delete this role only if trusted access with AWS Organizations is deactivated.

Each target account uses a AWSServiceRoleForCloudFormationStackSetsOrgMember service-linked role. You can modify or delete this role only under two conditions: if trusted access with AWS Organizations is deactivated, or if the account is removed from the target organization or organizational unit (OU).

For more information, see AWS CloudFormation StackSets and AWS Organizations in the AWS Organizations User Guide.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Grant self-managed permissions