
Multiple accounts installation


This page shows you how to deploy the AWS integration to sync resources from multiple AWS accounts into your Port catalog. The integration runs in one account (your integration account) and assumes IAM roles in each member account to discover and sync their resources.

Why use multi-account mode? If your organization spans many AWS accounts, managing each account separately would require maintaining a manual list and reconfiguring the integration every time an account is added or removed. Multi-account mode eliminates that overhead: accounts are discovered automatically via AWS Organizations on every resync, so your catalog stays accurate as your organization evolves.

Account discovery

Account discovery is driven by AWS Organizations. The integration assumes a role in your management account to call the Organizations API, then assumes PortOceanReadRole in each discovered account to read and sync resources into your Port catalog. The account list is refreshed on every resync cycle: new accounts are picked up automatically, and removed accounts stop being synced.

How accounts are discovered depends on whether you provide a Target OU ID during installation:

Sync all accounts (default)

Leave the Target OU ID field empty to sync every active member account in your organization.

When to use: You want full organization-wide visibility with no account filtering.

How it works:

  1. The integration assumes a role in your management account.
  2. It calls the AWS Organizations ListAccounts API to enumerate all active accounts in your organization.
  3. It assumes PortOceanReadRole in each account and syncs resources into your Port catalog.

Sync accounts in a specific OU

Set a Target OU ID (ou-xxxx-xxxxxxxx) during installation to scope discovery to a specific branch of your organization hierarchy. The integration will discover accounts in that OU and any nested sub-OUs.

When to use: You want to limit syncing to a subset of accounts, for example only the accounts in your production OU, or those belonging to a single business unit.

How it works:

  1. The integration assumes a role in your management account.
  2. It calls ListAccountsForParent with your OU ID and recursively walks all nested sub-OUs to build the account list.
  3. It assumes PortOceanReadRole in each discovered account and syncs resources into your Port catalog.

Find your OU ID in the AWS Organizations console under Organizational structure (format: ou-xxxx-xxxxxxxx).
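Both discovery modes above, as an added example in Python that is not Port's own code: it either lists the whole organization or walks one OU subtree with ListAccountsForParent and ListOrganizationalUnitsForParent, keeps only ACTIVE accounts, and builds the PortOceanReadRole ARN that is assumed in each account. It assumes an Organizations client with boto3-style method names (a real client would be created after assuming the management-account role); FakeOrganizations, the OU IDs and the account IDs are constructed test data, and the STS AssumeRole step itself is not performed.

```python
from typing import Iterator, Optional

READ_ROLE = "PortOceanReadRole"

def _paginate(method, key, **kwargs) -> Iterator[dict]:
    """Follow NextToken until exhausted, yielding each item under `key`."""
    token = None
    while True:
        resp = method(**kwargs, **({"NextToken": token} if token else {}))
        yield from resp.get(key, [])
        token = resp.get("NextToken")
        if not token:
            return

def _walk_ou(org, parent_id: str) -> Iterator[dict]:
    """Accounts directly under parent_id, then recursively every nested sub-OU."""
    yield from _paginate(org.list_accounts_for_parent, "Accounts", ParentId=parent_id)
    for ou in _paginate(org.list_organizational_units_for_parent,
                        "OrganizationalUnits", ParentId=parent_id):
        yield from _walk_ou(org, ou["Id"])

def discover_accounts(org, target_ou_id: Optional[str] = None) -> list[str]:
    """Active member account IDs: the whole org, or one OU subtree when an OU ID is given."""
    accounts = (_paginate(org.list_accounts, "Accounts") if target_ou_id is None
                else _walk_ou(org, target_ou_id))
    # Only ACTIVE accounts are synced; SUSPENDED / PENDING_CLOSURE members are skipped.
    return sorted({a["Id"] for a in accounts if a["Status"] == "ACTIVE"})

def read_role_arn(account_id: str) -> str:
    """Role the integration assumes in each discovered account to read its resources."""
    return f"arn:aws:iam::{account_id}:role/{READ_ROLE}"

class FakeOrganizations:
    """Constructed in-memory stand-in for a boto3 Organizations client (test data only)."""
    def __init__(self, child_ous: dict, accounts: dict):
        self.child_ous, self.accounts = child_ous, accounts   # both keyed by parent id
    def list_accounts(self, **_):
        return {"Accounts": [a for lst in self.accounts.values() for a in lst]}
    def list_accounts_for_parent(self, ParentId, **_):
        return {"Accounts": self.accounts.get(ParentId, [])}
    def list_organizational_units_for_parent(self, ParentId, **_):
        return {"OrganizationalUnits": [{"Id": i} for i in self.child_ous.get(ParentId, [])]}

# Constructed sample organization: root -> ou-ab12-11111111 -> ou-ab12-22222222 (placeholder IDs).
SAMPLE_ORG = FakeOrganizations(
    child_ous={"r-root": ["ou-ab12-11111111"], "ou-ab12-11111111": ["ou-ab12-22222222"]},
    accounts={"r-root": [{"Id": "111111111111", "Status": "ACTIVE"}],
              "ou-ab12-11111111": [{"Id": "222222222222", "Status": "ACTIVE"}],
              "ou-ab12-22222222": [{"Id": "333333333333", "Status": "SUSPENDED"},
                                   {"Id": "444444444444", "Status": "ACTIVE"}]})
```

Scoping to ou-ab12-11111111 yields the account in that OU plus the active one in its nested sub-OU, while the suspended account is dropped in both modes.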

Selecting a Port API URL by account region

The port_region, port.baseUrl, portBaseUrl, port_base_url and OCEAN__PORT__BASE_URL parameters select which Port API instance to use:

Troubleshooting
