I am not sure this is by design.
I've found that the below command is fine to get list_accounts()
from an AWS Organizations Root account or its client account.
import boto3
# Uses the default credential chain; the same call works from both accounts
orgClient = boto3.client('organizations')
print(orgClient.list_accounts())
My understanding is that list_accounts
should only work from the organization management account.
Why do I still get the same result from the client account as well?
As per the Boto3 docs for list_accounts:
This operation can be called only from the organization's management account or by a member account that is a delegated administrator for an Amazon Web Services service.
Are you calling the operation from a delegated administrator account?
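To tell which of the two cases in the quoted doc sentence applies to the credentials in use, here is an added example (not code from the question or from the Boto3 docs) that compares the caller's account id with the management account id and then with the delegated-administrator list; the function names are my own, and a plain member account is recognised by the AccessDenied it gets on ListDelegatedAdministrators itself.

```python
from typing import Iterable, Optional


def classify_caller(caller_account_id: str,
                    management_account_id: str,
                    delegated_admin_ids: Optional[Iterable[str]]) -> str:
    """Return 'management', 'delegated-admin' or 'member' for the caller.

    delegated_admin_ids is None when ListDelegatedAdministrators was denied,
    which is what a plain member account sees.
    """
    if caller_account_id == management_account_id:
        return "management"
    if delegated_admin_ids is not None and caller_account_id in set(delegated_admin_ids):
        return "delegated-admin"
    return "member"


def classify_current_credentials() -> str:
    """Live variant: resolve the three inputs with STS and Organizations."""
    import boto3  # imported here so classify_caller() is usable without boto3
    from botocore.exceptions import ClientError

    sts = boto3.client("sts")
    org = boto3.client("organizations")
    caller = sts.get_caller_identity()["Account"]
    # DescribeOrganization is callable from any account in the organization
    mgmt = org.describe_organization()["Organization"]["MasterAccountId"]
    admins = []
    kwargs = {}
    try:
        while True:
            page = org.list_delegated_administrators(**kwargs)
            admins.extend(a["Id"] for a in page["DelegatedAdministrators"])
            if "NextToken" not in page:
                break
            kwargs["NextToken"] = page["NextToken"]
    except ClientError as exc:
        # Only management and delegated-admin accounts may list delegated admins,
        # so a denial here already identifies a plain member account
        if exc.response["Error"]["Code"] != "AccessDeniedException":
            raise
        admins = None
    return classify_caller(caller, mgmt, admins)
```

If the result is "delegated-admin", list_accounts succeeding from the member account is the documented behaviour rather than a bug.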