AWS – Creating a member account

How to install and create applications with Docker Compose

Once your organization is up and running, the most common use you will have for it is automating the account creation process. Accounts that are created inside an organization are referred to as member accounts.

All charges that are incurred by a member account will be billed to the master account.

Getting ready

Obviously, you will need an organization to perform this recipe. See the other recipes in this chapter to get started. In this recipe, we will use the CLI instead of the web console. It’s good practice to flex your command-line skills now and then since the CLI is such a powerful tool for scripting and automation.

How to do it…

Perform the following steps to create a member account in your organization:

  1. Run the CLI tool command to create a new account with the appropriate values:
aws organizations create-account \
          --email <member-account-owners@email.com> \
          --account-name <member-account-name> \ 
          --query 'CreateAccountStatus.Id'
  1. This command will return a create-account-status request ID value that you can use to check the status:
aws organizations describe-create-account-status \ 
         --create-account-request-id <your-create-account-status-id>

How it works…

The command to create a member account in your organization is extremely simple.

The email address that’s used cannot be associated with any other AWS accounts.

The account creation process takes some time, so it is done asynchronously. This means that you won’t receive an immediate status for your create-account command. Instead, the command in this recipe will return a request ID.

This ID is then passed to another account to check the status of its creation. When the status is CREATED, you can start using the new account.

There’s more…

While this functionality is definitely useful, the AWS Organizations service is relatively new. This means there are a few features you should be aware of. In this section, we will cover the following:

  • Accessing the member account
  • Service Control Policies
  • Root credentials
  • Deleting accounts

Accessing the member account

Once you’ve created your member account, it’s time to put it to work!

An IAM role will be present in the new account; its default name is OrganizationAccountAccessRole. This is so you can assume the role (from your master account) and administer the member account. While this name is as good as any, it can be configured by passing the --role-name argument when creating the account.

To assume the role, you need to know its Amazon Resource Name (ARN). Working out the ARN is a multi-step process:

  1. List your member accounts by running the following command in your master account:
        aws organizations list-accounts
  1. Find the account you created (by its name) and note the ID value in the record. Using that ID, generate the role’s ARN by following this pattern:
        arn:aws:iam::<your-member-account-
        id>:role/OrganizationAccountAccessRole
  1. If you have changed the created role’s name, update the last part of the ARN accordingly.

See the recipes in  Chapter 8, AWS Account Security and Identityfor information on how to best manage multiple accounts.

Service Control Policies

Service Control Policies (SCPs) are another major feature of AWS Organizations. You can apply them at multiple levels/resources, including accounts (both member accounts and invited accounts). Check the other recipes in this chapter for more details.

Root credentials

Some activities still require the root credentials of the account. An example activity would be closing (or deleting) an account (see the next section, Deleting accounts, for more details).

To do this, you will need to perform the password recovery process for the email that was associated with the account when the create-account request was sent.

Deleting accounts

At the time of writing, there is no way to delete an account that’s been created in your organization via the API. You can still go into the member account and close it using the root credentials, but these don’t exist by default. You will need to use the account credential recovery process to log in and close the account.

While you can technically delete your organization via the API, you cannot do this if you have created any member accounts in your organization (since you can’t delete them, your organization will never be empty). 

See also

  • The Setting up a master account with AWS Organizations recipe in this chapter
  • The Adding a Service Control Policy (SCP) recipe in this chapter
  • The Cross-account user roles recipe in  Chapter 8, AWS Account Security and Identity

Comments are closed.