Tags: amazon-web-services, amazon-iam, aws-cli, aws-organizations

when calling the EnableAWSServiceAccess operation: You specified an unrecognized service principal


C:\>aws organizations enable-aws-service-access --service-principal cloudformation.amazonaws.com

An error occurred (InvalidInputException) when calling the EnableAWSServiceAccess operation: You specified an unrecognized service principal.

C:\>aws organizations enable-aws-service-access --service-principal "cloudformation.amazonaws.com"

An error occurred (InvalidInputException) when calling the EnableAWSServiceAccess operation: You specified an unrecognized service principal.

C:\>aws organizations enable-aws-service-access --service-principal 'cloudformation.amazonaws.com'

An error occurred (InvalidInputException) when calling the EnableAWSServiceAccess operation: You provided a value that does not match the required pattern.

Any idea what is wrong?

According to the docs here

--service-principal (string) The service principal name of the AWS service for which you want to enable integration with your organization. This is typically in the form of a URL, such as service-abbreviation.amazonaws.com .

I tried with

"s3.amazonaws.com"
"ec2.amazonaws.com"
"elasticbeanstalk.amazonaws.com"
"autoscaling.amazonaws.com"

as the service principal, but all gave the same error.

It works in the console though. AWS Console -> CloudFormation -> StackSets -> Enable trusted access.


Solution

  • EnableAWSServiceAccess is for:

    When you enable integration, you allow the specified service to create a service-linked role in all the accounts in your organization. This allows the service to perform operations on your behalf in your organization and its accounts.

    The reason it fails, I think, is that CloudFormation does support service-linked roles. You can verify that in this table: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html

    Also, it works in the console because you are enabling it for StackSets, not CloudFormation itself. CloudFormation does not support trusted access with your organization, as listed in the docs. Only AWS CloudFormation StackSets supports it.

    What's more, it only works through the console:

    You can enable trusted access using either the AWS CloudFormation console or the AWS Organizations console.

    You can't do this using the CLI or SDK.
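The question shows two different InvalidInputException messages (an "unrecognized service principal" for the bare and double-quoted values, and "does not match the required pattern" for the single-quoted one), and the answer explains that trusted access is a per-service integration. The following Python, an added example that is not from the question, the answer, or the AWS CLI, separates the two failure modes locally and shows how to read back which principals already have trusted access. It assumes the ServicePrincipal constraints from the Organizations API reference (1 to 128 characters matching `[\w+=,.@-]`) and the `EnabledServicePrincipals` shape of `aws organizations list-aws-service-access-for-organization` output; the sample output and its principal names are constructed.

```python
import json
import re

# Length and character constraints that the Organizations API reference
# documents for the ServicePrincipal parameter (assumed from the API
# reference; the page above does not quote it).
SERVICE_PRINCIPAL_RE = re.compile(r"^[\w+=,.@-]{1,128}$")


def validate_service_principal(value: str) -> tuple[bool, str]:
    """Check a service-principal string locally before sending it to the API.

    Returns (ok, reason). A value that fails here would be rejected with
    "You provided a value that does not match the required pattern"; a value
    that passes may still be rejected as "unrecognized" when the service has
    no Organizations integration, which is the case the answer describes.
    """
    if not value:
        return False, "empty value"
    if value[0] in "'\"" and value[-1] == value[0]:
        # cmd.exe does not treat single quotes as quoting characters, so
        # 'x.amazonaws.com' reaches the API with the quote characters included.
        return False, "literal quote characters were passed to the API"
    if not SERVICE_PRINCIPAL_RE.match(value):
        return False, "contains characters outside [\\w+=,.@-] or exceeds 128 characters"
    if not value.endswith(".amazonaws.com"):
        return False, "does not follow the documented service-abbreviation.amazonaws.com form"
    return True, "well-formed; the API still has to recognise the service"


def enabled_principals(list_output: str) -> set[str]:
    """Parse the JSON output of
    `aws organizations list-aws-service-access-for-organization`
    and return the set of service principals with trusted access enabled."""
    data = json.loads(list_output)
    return {e["ServicePrincipal"] for e in data.get("EnabledServicePrincipals", [])}


def trusted_access_enabled(principal: str, list_output: str) -> bool:
    """True when `principal` already has trusted access in the organization."""
    return principal in enabled_principals(list_output)


# Constructed sample of the CLI's JSON output; the principals and dates are
# made up for this example and do not describe any real organization.
SAMPLE_LIST_OUTPUT = json.dumps({
    "EnabledServicePrincipals": [
        {"ServicePrincipal": "example-one.amazonaws.com",
         "DateEnabled": "2020-01-15T10:00:00+00:00"},
        {"ServicePrincipal": "example-two.amazonaws.com",
         "DateEnabled": "2020-02-01T12:30:00+00:00"},
    ]
})


if __name__ == "__main__":
    # The bare value and the single-quoted value as they reach the API from cmd.exe
    for candidate in ("cloudformation.amazonaws.com", "'cloudformation.amazonaws.com'"):
        print(candidate, "->", validate_service_principal(candidate))
    for p in ("example-one.amazonaws.com", "cloudformation.amazonaws.com"):
        print(p, "enabled:", trusted_access_enabled(p, SAMPLE_LIST_OUTPUT))
```

Running the validator on the three spellings from the question reproduces the split the CLI reported: the bare and double-quoted forms are well-formed and fail only at the "recognized service" step, while the single-quoted form fails the pattern check because cmd.exe passed the quotes through. Feeding real `list-aws-service-access-for-organization` output to `enabled_principals` is a quick way to audit which services currently hold organization-wide trusted access before enabling another one.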