Initial steps

Creating the shared services account

Make sure to replace ${ACCOUNT_EMAIL} with a correct mail address which you have access to.

AWS_PROFILE=myorg-master aws organizations create-account --email ${ACCOUNT_EMAIL} --account-name "Shared services"

The response should look like this (the State is IN_PROGRESS because account creation is asynchronous; it is finished once the state reported by describe-create-account-status is SUCCEEDED):

{
    "CreateAccountStatus": {
        "Id": "car-ldsfjdflsjldfsjlsdffjlfds",
        "AccountName": "Shared services",
        "State": "IN_PROGRESS",
        "RequestedTimestamp": 1562429570.66
    }
}

Moving the account to the Core organizational unit

Get the root id of your organization:

AWS_PROFILE=myorg-master aws organizations list-roots --query 'Roots[].Id' --output text

Get the id of the organizational unit “Core”:

AWS_PROFILE=myorg-master aws organizations list-organizational-units-for-parent --parent-id ${ROOT_ID} --query 'OrganizationalUnits[?Name==`Core`].Id' --output text

Get the id of the new AWS account (it only shows up in the list once the creation request above has completed):

AWS_PROFILE=myorg-master aws organizations list-accounts --query 'Accounts[?Name==`Shared services`].Id' --output text

Move the new account to the organizational unit “Core” (${ACCOUNT_ID}, ${ROOT_ID} and ${OU_CORE_ID} are the ids returned by the three commands above):

AWS_PROFILE=myorg-master aws organizations move-account --account-id ${ACCOUNT_ID} --source-parent-id ${ROOT_ID} --destination-parent-id ${OU_CORE_ID}
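The whole sequence (create the account, wait for the asynchronous request to finish, look up root and OU ids, move the account) as one script. This is an added example, not part of the original page; it assumes the management-account profile is called myorg-master and that the AWS CLI is on the PATH, and it routes every call through the AWS_CMD variable so the CLI can be swapped for a stub during a dry run.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): create the "Shared services"
# account, wait until AWS reports the request as SUCCEEDED, then move it from
# the organization root into the "Core" OU.
set -eu

ORG_PROFILE="${ORG_PROFILE:-myorg-master}"   # management account profile (assumption)
AWS_CMD="${AWS_CMD:-aws}"                    # set to a stub function for dry runs
POLL_SECONDS="${POLL_SECONDS:-5}"

# Run an "aws organizations" subcommand with the management-account profile.
org_cli() {
  "$AWS_CMD" --profile "$ORG_PROFILE" organizations "$@"
}

# Create the account and print the create-account request id (car-...).
request_account() {
  org_cli create-account --email "$1" --account-name "$2" \
    --query 'CreateAccountStatus.Id' --output text
}

# create-account is asynchronous: poll describe-create-account-status until
# the state leaves IN_PROGRESS. Prints the new account id on SUCCEEDED,
# prints the failure reason to stderr and returns 1 on FAILED.
wait_for_account() {
  request_id=$1
  while :; do
    state=$(org_cli describe-create-account-status \
      --create-account-request-id "$request_id" \
      --query 'CreateAccountStatus.State' --output text)
    case $state in
      SUCCEEDED)
        org_cli describe-create-account-status \
          --create-account-request-id "$request_id" \
          --query 'CreateAccountStatus.AccountId' --output text
        return 0 ;;
      FAILED)
        reason=$(org_cli describe-create-account-status \
          --create-account-request-id "$request_id" \
          --query 'CreateAccountStatus.FailureReason' --output text)
        echo "account creation failed: $reason" >&2
        return 1 ;;
      *)
        sleep "$POLL_SECONDS" ;;
    esac
  done
}

# Print "<root id> <ou id>" for an OU that sits directly under the root.
ou_id_by_name() {
  root_id=$(org_cli list-roots --query 'Roots[0].Id' --output text)
  ou_id=$(org_cli list-organizational-units-for-parent --parent-id "$root_id" \
    --query "OrganizationalUnits[?Name=='$1'].Id" --output text)
  [ -n "$ou_id" ] && [ "$ou_id" != "None" ] || { echo "OU '$1' not found" >&2; return 1; }
  echo "$root_id $ou_id"
}

# Move an account out of the root into the named OU.
move_account() {
  account_id=$1
  ids=$(ou_id_by_name "$2")
  org_cli move-account --account-id "$account_id" \
    --source-parent-id "${ids% *}" --destination-parent-id "${ids#* }"
}

# End to end: returns the id of the new account on stdout.
setup_shared_services_account() {
  request_id=$(request_account "$1" "Shared services")
  account_id=$(wait_for_account "$request_id")
  move_account "$account_id" Core
  echo "$account_id"
}

# Only run end to end when invoked as: ./setup.sh setup you@example.com
if [ "${1:-}" = "setup" ]; then
  setup_shared_services_account "$2"
fi
```

The functions are kept separate from the top-level call so the script can be sourced and exercised with a stub in place of the real CLI before being run against the organization.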

Setting up account access for the CLI

The role OrganizationAccountAccessRole is automatically created in the new account.
It allows access for all the users in the Administrators group of the master account.

Extend the file ~/.aws/config as follows:

[profile myorg-shared-services]
role_arn = arn:aws:iam::${SHARED_SERVICES_AWS_ACCOUNT_ID}:role/OrganizationAccountAccessRole
mfa_serial = ${MFA_SERIAL}
source_profile = myorg-master

Replace ${SHARED_SERVICES_AWS_ACCOUNT_ID} with the account id of the shared services account and ${MFA_SERIAL} with the MFA serial of your user.

Get the account id as follows:

AWS_PROFILE=myorg-master aws organizations list-accounts --query 'Accounts[?Name==`Shared services`].Id' --output text

Testing CLI access

Type in the following command to check if CLI access is working:

AWS_PROFILE=myorg-shared-services aws sts get-caller-identity

The response should look as follows:

{
    "UserId": "AROAS6SDLJKFLJDJFDKLFDL:botocore-session-1562431482",
    "Account": "20123434555",
    "Arn": "arn:aws:sts::20123434555:assumed-role/OrganizationAccountAccessRole/botocore-session-1562431482"
}
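Rather than eyeballing the JSON, the check can assert that the profile resolves to the expected account through OrganizationAccountAccessRole, which catches a profile that silently falls back to the master-account user. This is an added example, not part of the original page; it assumes the profile name myorg-shared-services from the config above and reads the CLI from the AWS_CMD variable so it can be stubbed.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): verify that a CLI profile lands
# in the intended account via the intended role.
set -eu

AWS_CMD="${AWS_CMD:-aws}"   # set to a stub function for dry runs (assumption)

# Print "<account> <role>" for the caller identity of a profile, e.g.
# "20123434555 OrganizationAccountAccessRole". An IAM user yields "-" as role.
caller_identity() {
  arn=$("$AWS_CMD" sts get-caller-identity --profile "$1" --query Arn --output text)
  case $arn in
    arn:aws:sts::*:assumed-role/*/*)
      account=${arn#arn:aws:sts::}; account=${account%%:*}
      role=${arn#*:assumed-role/};  role=${role%%/*}
      echo "$account $role" ;;
    arn:aws:iam::*:user/*)
      account=${arn#arn:aws:iam::}; account=${account%%:*}
      echo "$account -" ;;
    *)
      echo "unrecognised ARN: $arn" >&2
      return 1 ;;
  esac
}

# Fail unless the profile resolves to the expected account and role.
check_access() {
  profile=$1; expected_account=$2; expected_role=$3
  identity=$(caller_identity "$profile") || return 1
  [ "$identity" = "$expected_account $expected_role" ] || {
    echo "$profile resolved to '$identity', expected '$expected_account $expected_role'" >&2
    return 1
  }
  echo "$profile OK: $identity"
}

# Usage: ./check.sh check <shared services account id>
if [ "${1:-}" = "check" ]; then
  check_access myorg-shared-services "$2" OrganizationAccountAccessRole
fi
```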