# Why Did the AWS Sub-Account Connection Script Fail?

If the Bash script generated to help you connect your AWS sub-accounts to Archera using the role fails with an error message such as:

```
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::000000000...
```

The most likely issue is that the AWS sub-account was **Invited** to the AWS Organization and not created within the organization.

When an account is invited (as opposed to created), AWS does not automatically provide the [pre-generated OrganizationAccountAccessRole](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html) that would allow the Master billing account to have permissions to assume a role in that account.

## How to Fix This

To fix this you will need to skip the Script and manually go through the process of connecting each sub-account by creating a custom IAM role in each sub-account that the Master account can assume.

Please reach out to our support team if you need additional help with this process.

## Related Resources

* [Can I test Archera in an AWS Sub-Account?](https://docs.archera.ai/help-center/aws-onboarding/test-in-subaccount)
* [Does Archera support multiple AWS accounts in a consolidated billing family?](https://docs.archera.ai/help-center/aws-faq/consolidated-billing-multiple-accounts)