sunakan / sunagimo-aws

AWS Organizations, this time for real
MIT License

Can't point the tfstate backend at an S3 bucket in a different account #1

Open · sunakan opened this issue 4 years ago

sunakan commented 4 years ago

What I want to do

I want to store the tfstate in an S3 bucket that already exists in a different account.

When

When I run terraform init from Cloud9 on the AWS Organizations master account, using the AdminRole (Ec2InstanceMetadata).

Why

I want to create an IaC-only account in AWS Organizations and consolidate the tfstate there.

How

.aws/config? .aws/credentials?

[iac]
role_arn=arn:aws:iam::xxxxxx:role/abc
credential_source=Ec2InstanceMetadata

backend.tf

terraform {
  backend "s3" {
    bucket = "sunagimo-landing-zone-master"
    region = "ap-northeast-1"
    key    = "organizations.tfstate"
    shared_credentials_file = "~/.aws/credentials"
    encrypt = true
    profile = "iac"
  }
}

Error output

Error: Error loading state:
    AccessDenied: Access Denied
        status code: 403, request id: xxxxxxxxx, host id: xxxxxxx

Terraform failed to load the default state from the "s3" backend.
State migration cannot occur unless the state can be loaded. Backend
modification and state migration has been aborted. The state in both the
source and the destination remain unmodified. Please resolve the
above error and try again.

$ aws --profile iac sts get-caller-identity

works.
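An added example, not part of sunakan's issue or the sunagimo-aws repository: one way to express the same cross-account state setup entirely in HCL, so that both sides of the trust relationship are visible. It assumes the bucket lives in the IaC account (placeholder id 111111111111), that `arn:aws:iam::111111111111:role/abc` is the role in that account which the master-account (placeholder id 222222222222) Cloud9 instance role `AdminRole` is allowed to assume, the AWS provider 4.x or later, and the S3 backend's `role_arn` argument (Terraform 0.12 through 1.5; from 1.6 the same setting moves into an `assume_role { role_arn = ... }` block). Note that `sts get-caller-identity` succeeding only proves the role can be assumed; a 403 on `terraform init` means the assumed role is missing `s3:ListBucket` on the bucket or `s3:GetObject`/`s3:PutObject` on the state key, so the role policy below is the part to check.

```hcl
# Added example (not from the issue): cross-account tfstate bucket.
# Placeholder account ids: 111111111111 = IaC account, 222222222222 = Organizations master.

# ---- backend.tf (run from the Cloud9 instance in the master account) ----
terraform {
  backend "s3" {
    bucket  = "sunagimo-landing-zone-master"
    region  = "ap-northeast-1"
    key     = "organizations.tfstate"
    encrypt = true
    # Assume the IaC-account role directly instead of relying on a
    # credentials-file profile; the instance-metadata credentials are
    # used to call sts:AssumeRole (Terraform <= 1.5 syntax).
    role_arn     = "arn:aws:iam::111111111111:role/abc"
    session_name = "terraform-organizations"
  }
}

# ---- iac-account.tf (applied once, in the IaC account, before the backend is used) ----
provider "aws" {
  region = "ap-northeast-1"
}

resource "aws_s3_bucket" "tfstate" {
  bucket = "sunagimo-landing-zone-master"
}

# Block every form of public access on the state bucket.
resource "aws_s3_bucket_public_access_block" "tfstate" {
  bucket                  = aws_s3_bucket.tfstate.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Keep old state versions so a bad apply can be rolled back.
resource "aws_s3_bucket_versioning" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  versioning_configuration {
    status = "Enabled"
  }
}

# Role that the master-account Cloud9 instance role is allowed to assume.
resource "aws_iam_role" "abc" {
  name = "abc"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { AWS = "arn:aws:iam::222222222222:role/AdminRole" }
    }]
  })
}

# Least-privilege state access: list the bucket, read/write only the state key.
resource "aws_iam_role_policy" "tfstate_access" {
  name = "tfstate-access"
  role = aws_iam_role.abc.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = "s3:ListBucket"
        Resource = aws_s3_bucket.tfstate.arn
      },
      {
        Effect   = "Allow"
        Action   = ["s3:GetObject", "s3:PutObject"]
        Resource = "${aws_s3_bucket.tfstate.arn}/organizations.tfstate"
      }
    ]
  })
}
```

Because the bucket and role live in the IaC account, the second file is applied from that account first (with local state or an existing backend); the Cloud9-side `terraform init` then needs nothing beyond `sts:AssumeRole` on its own instance role. A quick check that separates the S3 permission question from role assumption is `aws --profile iac s3 ls s3://sunagimo-landing-zone-master/`: if that also fails with AccessDenied while `sts get-caller-identity` succeeds, the role policy or bucket policy is the problem, not the credential chain.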

sunakan commented 4 years ago

I issued an ACCOUNT_ID and ran it from outside, and it just worked... Is this Cloud9-specific?