Initial steps

Creating the app-prod account

Make sure to replace ${ACCOUNT_EMAIL} with a valid email address that you control. Every AWS account needs its own unique address; reusing one that already belongs to an account makes the request fail with the reason EMAIL_ALREADY_EXISTS.

AWS_PROFILE=myorg-master aws organizations create-account --email ${ACCOUNT_EMAIL} --account-name "app-prod"

Account creation is asynchronous, so the response only acknowledges the request; the state starts as IN_PROGRESS and you can poll describe-create-account-status with the returned Id until it becomes SUCCEEDED (or FAILED with a FailureReason). The response should look like this:

{
    "CreateAccountStatus": {
        "Id": "car-ldsfjdflsjldfsjlsdffjlfds",
        "AccountName": "app-prod",
        "State": "IN_PROGRESS",
        "RequestedTimestamp": 1562429570.66
    }
}

Moving the account to the Custom organizational unit

Get the root id of your organization and keep it in ${ROOT_ID}:

AWS_PROFILE=myorg-master aws organizations list-roots --query 'Roots[].Id' --output text

Get the id of the organizational unit “Custom” and keep it in ${OU_CUSTOM_ID}:

AWS_PROFILE=myorg-master aws organizations list-organizational-units-for-parent --parent-id ${ROOT_ID} --query 'OrganizationalUnits[?Name==`Custom`].Id' --output text

Get the id of the new AWS account and keep it in ${ACCOUNT_ID} (the account only appears here once the creation request has succeeded):

AWS_PROFILE=myorg-master aws organizations list-accounts --query 'Accounts[?Name==`app-prod`].Id' --output text

Move the new account to the organizational unit “Custom”. A new account is always placed directly under the root, so the root id is the source parent; any service control policies attached to “Custom” apply to the account as soon as the move completes:

AWS_PROFILE=myorg-master aws organizations move-account --account-id ${ACCOUNT_ID} --source-parent-id ${ROOT_ID} --destination-parent-id ${OU_CUSTOM_ID}

Setting up account access for the CLI

The role OrganizationAccountAccessRole is created automatically in the new account with the AdministratorAccess policy attached. Its trust policy trusts only the master (management) account, so it can be assumed by principals there that are allowed to call sts:AssumeRole on it; in this setup that is the users in the Administrators group. Because the role is a full administrator in the new account, the profile below also requires MFA for assuming it.

Enhance the file ~/.aws/config as follows:

[profile myorg-app-prod]
role_arn = arn:aws:iam::${APP_PROD_AWS_ACCOUNT_ID}:role/OrganizationAccountAccessRole
mfa_serial = ${MFA_SERIAL}
source_profile = myorg-master

Replace ${APP_PROD_AWS_ACCOUNT_ID} with the account id of the new app-prod account and ${MFA_SERIAL} with the MFA serial (the ARN of the MFA device) of your user in the master account.

Get the account id as follows:

AWS_PROFILE=myorg-master aws organizations list-accounts --query 'Accounts[?Name==`app-prod`].Id' --output text

Testing CLI access

Type in the following command to check that CLI access is working. Because the profile sets mfa_serial, the CLI prompts for an MFA code on the first call and then caches the temporary role credentials for subsequent calls:

AWS_PROFILE=myorg-app-prod aws sts get-caller-identity

The response should look as follows. Check that Account is the id of the app-prod account and that the Arn names the assumed role OrganizationAccountAccessRole rather than your IAM user in the master account:

{
    "UserId": "AROAS6SDLJKFLJDJFDKLFDL:botocore-session-1562431482",
    "Account": "20123434555",
    "Arn": "arn:aws:sts::20123434555:assumed-role/OrganizationAccountAccessRole/botocore-session-1562431482"
}
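The steps above as one script, added here as an example and not code from the original page: it creates the account, waits for the asynchronous request to finish instead of assuming the account already exists, looks up the root and OU ids, moves the account, appends the profile stanza and runs the get-caller-identity check. The profile name myorg-master, the OU name Custom, the account name app-prod and the script name are assumptions and can be overridden through the environment; the account id check rejects values that are not twelve digits before they are written into a role ARN.

```shell
#!/bin/sh
# Added example (not from the original page): end-to-end bootstrap of a new
# member account. Assumed defaults: profile myorg-master, OU "Custom",
# account name app-prod; override via the environment.
set -eu

MASTER_PROFILE="${MASTER_PROFILE:-myorg-master}"
ACCOUNT_NAME="${ACCOUNT_NAME:-app-prod}"
OU_NAME="${OU_NAME:-Custom}"

# AWS account ids are exactly 12 digits. An empty JMESPath result or the
# string "None" must never end up inside a role ARN, so check before use.
valid_account_id() {
  printf '%s' "$1" | grep -Eq '^[0-9]{12}$'
}

# Build the ~/.aws/config stanza: role_arn in the NEW account, credentials
# from the master profile, MFA required on every AssumeRole call.
render_profile() {
  profile="$1"; account_id="$2"; mfa_serial="$3"; source="$4"
  valid_account_id "$account_id" || { echo "invalid account id: $account_id" >&2; return 1; }
  printf '[profile %s]\nrole_arn = arn:aws:iam::%s:role/OrganizationAccountAccessRole\nmfa_serial = %s\nsource_profile = %s\n' \
    "$profile" "$account_id" "$mfa_serial" "$source"
}

# create-account is asynchronous: poll describe-create-account-status until the
# request leaves IN_PROGRESS. Prints the new account id on SUCCEEDED.
wait_for_account() {
  request_id="$1"
  while :; do
    status=$(AWS_PROFILE="$MASTER_PROFILE" aws organizations describe-create-account-status \
      --create-account-request-id "$request_id" \
      --query 'CreateAccountStatus.[State,AccountId,FailureReason]' --output text)
    set -- $status                      # $1=State $2=AccountId $3=FailureReason
    case "$1" in
      SUCCEEDED) echo "$2"; return 0 ;;
      FAILED)    echo "account creation failed: $3" >&2; return 1 ;;
      *)         sleep 10 ;;
    esac
  done
}

main() {
  email="$1"; mfa_serial="$2"
  request_id=$(AWS_PROFILE="$MASTER_PROFILE" aws organizations create-account \
    --email "$email" --account-name "$ACCOUNT_NAME" \
    --query 'CreateAccountStatus.Id' --output text)
  account_id=$(wait_for_account "$request_id")

  root_id=$(AWS_PROFILE="$MASTER_PROFILE" aws organizations list-roots \
    --query 'Roots[0].Id' --output text)
  ou_id=$(AWS_PROFILE="$MASTER_PROFILE" aws organizations list-organizational-units-for-parent \
    --parent-id "$root_id" --query "OrganizationalUnits[?Name=='$OU_NAME'].Id" --output text)
  case "$ou_id" in ""|None) echo "OU $OU_NAME not found under $root_id" >&2; return 1 ;; esac

  # A new account always starts under the root; SCPs on the OU apply after the move.
  AWS_PROFILE="$MASTER_PROFILE" aws organizations move-account --account-id "$account_id" \
    --source-parent-id "$root_id" --destination-parent-id "$ou_id"

  render_profile "myorg-$ACCOUNT_NAME" "$account_id" "$mfa_serial" "$MASTER_PROFILE" >> "$HOME/.aws/config"
  # Verify: Account must be the new id and Arn must name the assumed role.
  AWS_PROFILE="myorg-$ACCOUNT_NAME" aws sts get-caller-identity
}

# Usage (hypothetical file name): ./bootstrap-account.sh <account email> <MFA serial ARN>
if [ $# -eq 2 ]; then
  main "$@"
fi
```

The status query returns State, AccountId and FailureReason as one tab-separated line, which is why a single describe call per poll is enough; on failure the FailureReason (for example EMAIL_ALREADY_EXISTS) is printed instead of continuing to the lookup steps with an account that does not exist.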