You will get this error when you try to perform an action in Control Tower (creating, enrolling or updating an account) with the wrong principal, such as:
- Root user (this will always fail)
- A role/user that has not been added to the ‘Access’ tab of the ‘AWS Control Tower Account Factory Portfolio’ in Service Catalog. It may also be missing the servicecatalog:ListLaunchPaths permission.
Also, when:
- The SSO user of the account has not been added to the ‘AWSAccountFactory’ or ‘AWSServiceCatalogAdmins’ Groups in IAM Identity Center
Trying to create an account while logged in as the root user will give you this red bar preventing you from doing so.
Go to CloudTrail [1] --> Event history --> Lookup attributes --> Event name --> type 'ListLaunchPaths'.
Check the most recent API record, open it and check the principal that performed the action.
If you were logged in as root, you will need to log out and log in as a user or role that has the necessary permissions to use Control Tower.
If you were logged in as a user/role and still got the same error, go to Service Catalog --> Portfolios --> AWS Control Tower Account Factory Portfolio --> Access.
Check if your user/role is listed here. If it's not then you will need to add it. Click on Grant Access and follow the steps.
In my case, I am logged in as adminuser; this user has to appear in this list.
If you were logged in as an SSO user, you will need to check if the SSO user of your management account is part of group AWSAccountFactory or AWSServiceCatalogAdmins in IAM Identity Center. It must be part of one of them at minimum. See below.
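The three checks above (who made the failing ListLaunchPaths call, whether that principal is on the portfolio's Access list, and whether an SSO user is in one of the two Identity Center groups) can be scripted against the JSON the console shows. The following is an added example, not part of the original page or of any AWS tooling: it takes CloudTrail event-history records of the kind you would get from `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=ListLaunchPaths`, picks the most recent one, classifies the principal (root, IAM user, IAM role, or an IAM Identity Center session, recognised by the `AWSReservedSSO_` role-name prefix), and then checks it against the output shape of `aws servicecatalog list-principals-for-portfolio`. The account id, role names, user names and timestamps in the sample records are constructed; `adminuser` is the user name from the page.

```python
"""Diagnose a Control Tower 'Access Denied' on ListLaunchPaths from CloudTrail JSON."""

# Constructed CloudTrail event-history records (fake account 123456789012).
# They follow the real userIdentity layout but are not from any real account.
CLOUDTRAIL_EVENTS = [
    {
        "eventTime": "2024-05-01T10:00:00Z",
        "eventName": "ListLaunchPaths",
        "eventSource": "servicecatalog.amazonaws.com",
        "errorCode": "AccessDenied",
        "userIdentity": {"type": "Root",
                         "arn": "arn:aws:iam::123456789012:root"},
    },
    {
        "eventTime": "2024-05-01T10:05:00Z",
        "eventName": "ListLaunchPaths",
        "eventSource": "servicecatalog.amazonaws.com",
        "errorCode": "AccessDenied",
        "userIdentity": {"type": "IAMUser", "userName": "adminuser",
                         "arn": "arn:aws:iam::123456789012:user/adminuser"},
    },
    {
        "eventTime": "2024-05-01T10:10:00Z",
        "eventName": "ListLaunchPaths",
        "eventSource": "servicecatalog.amazonaws.com",
        "errorCode": "AccessDenied",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": ("arn:aws:sts::123456789012:assumed-role/"
                    "AWSReservedSSO_AWSAdministratorAccess_0123456789abcdef/alice@example.com"),
            "sessionContext": {"sessionIssuer": {
                "type": "Role",
                "userName": "AWSReservedSSO_AWSAdministratorAccess_0123456789abcdef",
                "arn": ("arn:aws:iam::123456789012:role/aws-reserved/sso.amazonaws.com/"
                        "AWSReservedSSO_AWSAdministratorAccess_0123456789abcdef")}},
        },
    },
]

# Constructed output in the shape of `list-principals-for-portfolio` (role name is made up).
PORTFOLIO_PRINCIPALS = {"Principals": [
    {"PrincipalARN": "arn:aws:iam::123456789012:role/ControlTowerOperators",
     "PrincipalType": "IAM"},
]}

# Identity Center groups named on the page; membership in one of them is the minimum.
REQUIRED_GROUPS = ("AWSAccountFactory", "AWSServiceCatalogAdmins")


def latest_failed_call(events, event_name):
    """Most recent record for event_name that carries an errorCode (the one to open)."""
    failed = [e for e in events
              if e.get("eventName") == event_name and e.get("errorCode")]
    return max(failed, key=lambda e: e["eventTime"]) if failed else None


def classify_principal(event):
    """Return (kind, arn) for the principal that performed the call."""
    ident = event["userIdentity"]
    kind = ident.get("type")
    if kind == "Root":
        return "root", ident["arn"]
    if kind == "IAMUser":
        return "iam-user", ident["arn"]
    if kind == "AssumedRole":
        issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
        # Identity Center permission-set roles are named AWSReservedSSO_<set>_<id>
        if issuer.get("userName", "").startswith("AWSReservedSSO_"):
            return "sso-user", ident["arn"]
        # plain IAM role: the portfolio grant is on the role ARN, not the session ARN
        return "iam-role", issuer.get("arn", ident["arn"])
    return "other", ident.get("arn", "")


def has_portfolio_access(principals_json, arn):
    """True if arn is listed on the portfolio's Access tab."""
    return any(p.get("PrincipalARN") == arn
               for p in principals_json.get("Principals", []))


def in_required_group(group_names):
    """True if the SSO user belongs to at least one of the two required groups."""
    return any(g in REQUIRED_GROUPS for g in group_names)


def diagnose(event, principals_json, sso_group_names=()):
    """Map the failing record to the remediation step described on the page."""
    kind, arn = classify_principal(event)
    if kind == "root":
        return "LOGIN_AS_NON_ROOT"
    if kind in ("iam-user", "iam-role"):
        if not has_portfolio_access(principals_json, arn):
            return "GRANT_PORTFOLIO_ACCESS"
        return "CHECK_LISTLAUNCHPATHS_PERMISSION"
    if kind == "sso-user":
        if not in_required_group(sso_group_names):
            return "ADD_TO_IDENTITY_CENTER_GROUP"
        return "IN_REQUIRED_GROUP"
    return "UNKNOWN_PRINCIPAL_TYPE"


if __name__ == "__main__":
    latest = latest_failed_call(CLOUDTRAIL_EVENTS, "ListLaunchPaths")
    print(classify_principal(latest), diagnose(latest, PORTFOLIO_PRINCIPALS, ["Developers"]))
```

For a real investigation, feed the `Events` array (after parsing each record's `CloudTrailEvent` JSON string) into `latest_failed_call`, the portfolio listing into `has_portfolio_access`, and the user's Identity Center group names into `diagnose`; the group names are assumed to be resolved separately from the Identity Center console or the `identitystore` API.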