Request to display AWS account names instead of IDs in CloudQuery

Hello there,

I am using CloudQuery with an AWS master account and syncing 10-20 other accounts flawlessly.

Sometimes, instead of the account ID, I would like to see the actual display name of the account. Is it possible to cross-reference the value somewhere?

Hi :wave:

I think if you sync the aws_organizations_accounts table you should be able to cross-reference the account ID with the name column for a friendly account name. AWS Organizations Accounts Table
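One way to do the cross-reference in the PostgreSQL destination, as an added example that is not from the original thread or from CloudQuery's own docs. It assumes CloudQuery's usual column names: `aws_organizations_accounts` exposes `id` and `name`, and other `aws_*` tables (here `aws_ec2_instances`) carry `account_id`, `region`, `instance_id` and `instance_type`.

```sql
-- Added example (not from the original thread): map account IDs to the
-- friendly names stored in aws_organizations_accounts.
-- Assumed columns: aws_organizations_accounts(id, name) and
-- aws_ec2_instances(account_id, region, instance_id, instance_type).
-- A LEFT JOIN plus COALESCE keeps every row even when the org table is
-- empty (e.g. ListAccounts was denied), so nothing disappears silently.
SELECT
    i.account_id,
    COALESCE(o.name, i.account_id) AS account_name,
    i.region,
    i.instance_id,
    i.instance_type
FROM aws_ec2_instances AS i
LEFT JOIN aws_organizations_accounts AS o
    ON o.id = i.account_id
ORDER BY account_name, i.region, i.instance_id;

-- Sanity check: account IDs present in the data but missing from the
-- org table. A non-empty result usually means the org sync did not run
-- with a role in the management (or delegated administrator) account.
SELECT DISTINCT i.account_id
FROM aws_ec2_instances AS i
LEFT JOIN aws_organizations_accounts AS o
    ON o.id = i.account_id
WHERE o.id IS NULL
ORDER BY i.account_id;
```

The same join pattern works for any other `aws_*` table; only the left-hand table and its selected columns change.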

Oh nice! I missed this one. :slightly_smiling_face:

Thank youuuuuuuuuuuuuu!

Sorry to ping you back @herman. I just tried syncing; the tables are created, but there is no data. Is the data specific to a region?

Are there any errors in your logs? Can you share a redacted copy of your config file?

I found an error:

2023-12-12T14:21:38Z ERR table resolver finished with error error="operation error Organizations: ListAccounts, https response error StatusCode: 400, RequestID: 262c64b5-3ac1-499f-a653-ec8011a81360, AccessDeniedException: You don't have permissions to access this resource." client=414741042729:us-east-1 module=aws-src table=aws_organizations_accounts

I added all my orgs using cloudquery cloudformation stackset.

Can you share a link to the StackSet you used? Do you get an error for every single account or only that one?

Sorry, all accounts.

Ok! So I think the issue that you are running into is that Stack Sets do not deploy into the account that they are deployed from. This means that there is no admin/management account that has the ability to call Organizations: ListAccounts, so that is why that table is empty.

Open issue for this is here: https://github.com/cloudquery/iam-for-aws-orgs/issues/4

In the meantime, I think you can manually create the IAM role in the management account and it will be able to sync all of the desired data. Another option is to add another section to your config to explicitly sync the management account like this:

kind: source
spec:
  name: aws-org
  tables: [ "*" ]
  destinations: ["postgresql"]
  spec:
    org:
      # your existing org settings (unchanged) go here
---
kind: source
spec:
  name: aws-management-account
  tables: [ "*" ]
  destinations: ["postgresql"]
  spec:
    accounts:
      # configure your credentials for this account here
      - id: aws-management-account

My cloudquery-ro role already exists in my main account.

Is it here that I should add the permission? I added the policy ReadOnlyAccess like the other orgs. Will it be enough?

In order for a role to call organizations:ListAccounts, it must have a policy attached to it that gives it permissions (like the policy you screenshotted), but it also must:

be called only from the organization's management account or by a member account that is a delegated administrator for an Amazon Web Services service.

I am a bit confused. I am an admin using the member “cloudquery-ro” when syncing, but using my account to use it. Is it me that needs delegated administrator rights or “cloudquery-ro”?

In the admin/delegated account, is there a role named cloudquery-ro?