Help Center/ Organizations/ API Reference/ API Overview

Updated on 2024-10-21 GMT+08:00

View PDF

API Overview

Organization Management

**Table 1** Organization management APIs
API	Description
Creating an organization	Creates an organization. The account calling this API automatically becomes the management account of the new organization. This API must be called using the credentials from the account that is to become the new organization's management account.
Getting organization information	Gets the information about the organization holding the account. All accounts in an organization can call this API.
Deleting an organization	Deletes an organization. This API must be called using the management account. The organization must be empty of accounts, organizational units (OUs), and policies.
Leaving the current organization	Leaves the current organization. This API can be called only from a member account in the organization. You can leave an organization as a member account only if the account is configured with the information required for operating as a standalone account. The account to leave must not be a delegated administrator account for any service enabled for your organization.
Listing roots of an organization	Lists the roots of an organization. This API can be called only from the organization's management account or from a delegated administrator account.

OU Management

**Table 2** OU management APIs
API	Description
Creating an OU	Creates an OU in a root or a parent OU. An OU is a container of accounts. You can group accounts into an OU and apply policies to the OU based on your business requirements. This API can be called only from the organization's management account.
Listing OUs	Lists all OUs in an organization. If a parent OU is specified, this API will return a list of all the OUs contained in the specified parent OU. This API can be called only from the organization's management account or from a delegated administrator account.
Getting OU information	Gets OU information. This API can be called only from the organization's management account or from a delegated administrator account.
Renaming an OU	Renames the specified OU. After an OU is renamed, the following configurations remain unchanged: OU ID, its child OUs and accounts, and policies attached to the OU. This API can be called only from the organization's management account.
Deleting an OU	Deletes an OU from the root or another OU. Before deleting an OU, you must remove all member accounts from the OU or move them to another OU, and also remove the child OUs from the OU. This API can be called only from the organization's management account.

Account Management

**Table 3** Account management APIs
API	Description
Creating an account	Creates an account. The generated account automatically becomes a member account of the organization holding the account that calls this API. This API can be called only from the organization's management account. The Organizations service creates the required service-linked agency and account-accessed agency in the new account.
Listing accounts in an organization	Lists all the accounts in an organization. This API can be called only from the organization's management account or from a delegated administrator account. If a parent OU is specified, this API will return a list of all the accounts contained in the specified parent OU.
Closing an account	Closes an account that was created in the organization.
Getting account information	Gets the information about the specified account. This API can be called only from the organization's management account or from a delegated administrator account.
Removing the specified account	Removes the specified account from an organization. The removed account becomes a standalone account that is not a member account of any organization. This API can be called only from the organization's management account. You can remove an account from an organization only if the account is configured with the information required to operation as a standalone account. The account you want to remove must not be a delegated administrator account for any service enabled for your organization.
Moving an account	Moves an account from its current source location (root or OU) to the specified destination location (root or OU).
Inviting an account to join an organization	Sends an invitation to another account. The invited account will join your organization as a member account. This API can be called only from the organization's management account.
Querying CreateAccount requests in the specified state	Queries the CreateAccount requests in the specified state for an organization. This API can be called only from the organization's management account or from a delegated administrator account.
Getting the account creation status	Gets the status of the asynchronous request to create an account. This API can be called only from the organization's management account or from a delegated administrator account.

Invitation Management

**Table 4** Invitation management APIs
API	Description
Getting invitation information	Gets the information about existing invitations in an organization. All accounts in an organization can call this API.
Accepting an invitation	Accepts an invitation to join an organization. After you accept an invitation, the invitation information continues to appear in the results of relevant APIs for 30 days.
Declining an invitation	Declines an invitation to join an organization. This sets the invitation state to Declined and deactivates the invitation. This API can be called only from the account that received the invitation. The invitation initiator cannot re-activate a declined invitation but can send a new invitation.
Canceling an invitation	Cancels an invitation. This sets the invitation state to Canceled. This API can be called only from the account that sent the invitation. After you cancel an invitation, the invitation information continues to appear in the results of relevant APIs for 30 days.
Listing received invitations	Lists all the invitations associated with the specified account. All accounts can call this API.
Listing sent invitations	Lists all the invitations sent by an organization. This API can be called only from the organization's management account or from a delegated administrator account.

Management of Trusted Services

**Table 5** APIs for managing trusted services
API	Description
Enabling a trusted service	Enables the integration of a service (specified by service_principal) with Organizations. When you enable a trusted service, you allow the trusted service to create a service-linked agency in all accounts in your organization. This allows the trusted service to perform operations on your behalf in your organization and its accounts. This API can be called only from the organization's management account.
Disabling a trusted service	Disables the integration of a service (specified by service_principal) with Organizations. When you disable integration, the service no longer can create a service-linked agency in new accounts in your organization. This means the service can no longer perform operations on your behalf on any accounts that newly joined your organization. The service can still perform operations in the already joined accounts until the service completes its clean-up from Organizations. This API can be called only from the organization's management account.
Listing trusted services	Returns a list of trusted services that are integrated with Organizations. This API can be called only from the organization's management account or from a delegated administrator account.

Management of Delegated Administrators

**Table 6** APIs for managing delegated administrators
API	Description
Registering a delegated administrator	Registers the specified member account as a delegated administrator to manage the Organizations functions of a specified service. This API grants the delegated administrator the read-only access to Organizations service data. IAM users in the delegated administrator account still need IAM permissions to access and manage the specified service. This API can be called only from the organization's management account.
Deregistering a delegated administrator	Deregisters the existing delegated administrator for the specified service. This API can be called only from the organization's management account.
Listing services managed by a delegated administrator account	Lists the services for which the specified account is a delegated administrator. This API can be called only from the organization's management account or from a delegated administrator account.
Listing delegated administrator accounts	Lists the accounts that are designated as delegated administrators in an organization. This API can be called only from the organization's management account or from a delegated administrator account.

Policy Management

**Table 7** Policy management APIs
API	Description
Creating a policy	Creates a policy of the specified type. This API can be called only from the organization's management account.
Listing policies	Lists all policies in an organization. If a resource ID (such as an OU ID or account ID) is specified, this API will return a list of policies attached to the resource. This API can be called only from the organization's management account or from a delegated administrator account.
Getting policy information	Gets the information about the specified policy. This API can be called only from the organization's management account or from a delegated administrator account.
Updating a policy	Updates the name, description, or content of a policy. If no parameter is specified, the policy remains unchanged. The policy type cannot be changed. This API can be called only from the organization's management account.
Deleting a policy	Deletes the specified policy from an organization. Before calling this API, you must detach the policy from all OUs, roots, and accounts. This API can be called only from the organization's management account.
Enabling a policy type for a root	Enables a policy type for the root of an organization. After you enable a policy type for the root, you can attach the policies of this type to the root, or any OUs or accounts under the root. This is an asynchronous request. You can use ListRoots to view the status of the policy types for the specified root. This API can be called only from the organization's management account.
Disabling a policy type in a root	Disables a policy type in a root. A policy of a specific type can be attached to entities in a root only if that policy type is enabled in the root. After calling this API, you can no longer attach any policies of the specified type to the root or any OU or account in the root. This is an asynchronous request. You can use ListRoots to view the status of the policy types for the specified root. This API can be called only from the organization's management account.
Attaching a policy to a principal	Attaches a policy to a root, OU, or individual account. This API can be called only from the organization's management account.
Detaching a policy from a principal	Detaches a policy from a root, OU, or account. This API can be called only from the organization's management account.
Listing entities for the specified policy	Lists all the entities (roots, OUs, and accounts) that the specified policy is attached to. This API can be called only from the organization's management account or from a delegated administrator account.

Tag Management

**Table 8** Tag management APIs
API	Description
Listing tags for the specified resource	Lists the tags that are attached to the specified resource. You can attach tags to the following resources in Organizations: accounts, OUs, roots, and policies. This API can be called only from the organization's management account or from a delegated administrator account.
Adding tags to the specified resource	Adds one or more tags to the specified resource. You can attach tags to the following resources in Organizations: accounts, OUs, roots, and policies. This API can be called only from the organization's management account.
Removing tags from the specified resource	Removes any tags with the specified key from the specified resource. You can detach tags from the following resources in Organizations: accounts, OUs, roots, and policies. This API can be called only from the organization's management account.
Listing tags for the specified resource	Lists the tags that are attached to the specified resource. You can attach tags to any of the following organization resources: accounts, OUs, roots, and policies. This API can be called only from the organization's management account or from a delegated administrator account.
Adding tags to the specified resource	Adds one or more tags to the specified resource. You can attach tags to any of the following organization resources: accounts, OUs, roots, and policies. This API can be called only from the organization's management account.
Removing tags from the specified resource	Removes any tags with the specified key from the specified resource. You can attach tags to any of the following organization resources: accounts, OUs, roots, and policies. This API can be called only from the organization's management account.
Listing instances by resource type and tag	Lists instances by resource type and tag.
Querying the number of instances by resource type and tag	Queries the number of instances by resource type and tag.
Querying resource tags	Queries the tags attached to resources of the specified type.

Other APIs

**Table 9** Other Organizations APIs
API	Description
Querying the effective policy	Queries the effective policy of a specific type for the specified account. This API cannot be used to query the information about service control policies. This API can be called only from the organization's management account or from a delegated administrator account.
Listing entities in an organization	Lists all the roots, OUs, and accounts in an organization. This API can be called only from the organization's management account or from a delegated administrator account. You can filter entities you want to view by specifying the parent OU ID and child OU ID.
Listing cloud services integrable with Organizations	Lists all cloud services that can be integrated with Organizations. After a service on this list is enabled with trusted access, that service becomes a trusted service for Organizations.
Listing resource types that support tag policy enforcement	Lists the resource types that support enforcement with tag policies.
Listing organization quotas	Lists the quotas of an organization. This API can be called only from the organization's management account or from a delegated administrator account.

Previous topic: Before You Start

Next topic: Calling APIs

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.

The system is busy. Please try again later.

Which of the following issues have you encountered?

Content is inconsistent with the product UI

Unclear descriptions

Lack of examples or code

Incorrect steps

Can't find what I need

Lack of best practices

Feedback (optional)

0/500

Select at least one type of issue, and enter your comments or suggestions.

Enter a maximum of 500 characters.

Submit Cancel

For any further questions, feel free to contact us through the chatbot.