Make sure to replace ${ACCOUNT_EMAIL} with a valid e-mail address that you have access to.
AWS_PROFILE=myorg-master aws organizations create-account --email ${ACCOUNT_EMAIL} --account-name "Transit"
The response should look like this:
{
    "CreateAccountStatus": {
        "Id": "car-ldsfjdflsjldfsjlsdffjlfds",
        "AccountName": "Log archive",
        "State": "IN_PROGRESS",
        "RequestedTimestamp": 1562429570.66
    }
}
Get the root id of your organization:
AWS_PROFILE=myorg-master aws organizations list-roots --query 'Roots[].Id' --output text
Get the id of the organizational unit “Core”:
AWS_PROFILE=myorg-master aws organizations list-organizational-units-for-parent --parent-id ${ROOT_ID} --query 'OrganizationalUnits[?Name==`Core`].Id' --output text
Get the id of the new AWS account:
AWS_PROFILE=myorg-master aws organizations list-accounts --query 'Accounts[?Name==`Transit`].Id' --output text
Move the new account from the root into the organizational unit “Core” (${OU_CUSTOM_ID} is the OU id returned by the previous query):
AWS_PROFILE=myorg-master aws organizations move-account --account-id ${ACCOUNT_ID} --source-parent-id ${ROOT_ID} --destination-parent-id ${OU_CUSTOM_ID}
The role OrganizationAccountAccessRole is created automatically in the new account. It can be assumed from the master account, which gives all users in the Administrators group access to the new account.
Extend the file ~/.aws/config as follows:
[profile myorg-transit]
role_arn = arn:aws:iam::${TRANSIT_AWS_ACCOUNT_ID}:role/OrganizationAccountAccessRole
mfa_serial = ${MFA_SERIAL}
source_profile = myorg-master
Replace ${TRANSIT_AWS_ACCOUNT_ID} with the account id of the Transit account and ${MFA_SERIAL} with the MFA serial of your user. Get the account id as follows:
AWS_PROFILE=myorg-master aws organizations list-accounts --query 'Accounts[?Name==`Transit`].Id' --output text
Run the following command to check that CLI access works:
AWS_PROFILE=myorg-transit aws sts get-caller-identity
The response should look as follows:
{
    "UserId": "AROAS6SDLJKFLJDJFDKLFDL:botocore-session-1562431482",
    "Account": "20123434555",
    "Arn": "arn:aws:sts::20123434555:assumed-role/OrganizationAccountAccessRole/botocore-session-1562431482"
}
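The steps above (create the account, look up the root and the “Core” OU, move the account, add the profile, check the caller identity) can be scripted. The script below is an added example and is not part of the original page; it assumes the profile names myorg-master and myorg-transit, the account name Transit, the OU name Core and an MFA_SERIAL environment variable, all taken from the text, and it adds two things the text only implies: create-account is asynchronous, so the script polls describe-create-account-status for the new account id instead of scanning list-accounts, and every id is validated before it is interpolated into a role ARN or a move-account call.

```shell
#!/bin/sh
# Added example (not from the original page): scripts the "Transit" account
# bootstrap. Profile/account/OU names, poll interval and MFA_SERIAL are
# assumptions; override them through the environment.
set -eu

MASTER_PROFILE="${MASTER_PROFILE:-myorg-master}"
TARGET_PROFILE="${TARGET_PROFILE:-myorg-transit}"
ACCOUNT_NAME="${ACCOUNT_NAME:-Transit}"
OU_NAME="${OU_NAME:-Core}"
POLL_SECONDS="${POLL_SECONDS:-10}"

# One wrapper for all Organizations calls, so the master profile is always used.
org() { AWS_PROFILE="$MASTER_PROFILE" aws organizations "$@"; }

# An AWS account id is exactly 12 digits; reject anything else.
is_account_id() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "${#1}" -eq 12 ]
}

# Organizations ids carry a type prefix: r- (root), ou- (OU), car- (request).
is_org_id() { case "$1" in "$2"-[0-9a-z]*) return 0 ;; *) return 1 ;; esac; }

# Step 1: start the create-account request; prints the request id (car-...).
create_account() {
  org create-account --email "$1" --account-name "$ACCOUNT_NAME" \
    --query 'CreateAccountStatus.Id' --output text
}

# Step 2: the request is asynchronous, so poll until it leaves IN_PROGRESS.
# Prints the new account id on SUCCEEDED, the failure reason on FAILED.
wait_for_account() {
  while :; do
    status=$(org describe-create-account-status --create-account-request-id "$1" \
      --query 'CreateAccountStatus.[State,AccountId,FailureReason]' --output text)
    state=$(printf '%s\n' "$status" | cut -f1)
    case "$state" in
      SUCCEEDED)
        account_id=$(printf '%s\n' "$status" | cut -f2)
        is_account_id "$account_id" || { echo "bad account id '$account_id'" >&2; return 1; }
        printf '%s\n' "$account_id"; return 0 ;;
      FAILED)
        echo "create-account failed: $(printf '%s\n' "$status" | cut -f3)" >&2; return 1 ;;
      IN_PROGRESS) sleep "$POLL_SECONDS" ;;
      *) echo "unexpected state '$state'" >&2; return 1 ;;
    esac
  done
}

# Steps 3 and 4: the root id and the id of the OU named $OU_NAME below it.
root_id() { org list-roots --query 'Roots[0].Id' --output text; }
ou_id() {
  org list-organizational-units-for-parent --parent-id "$1" \
    --query "OrganizationalUnits[?Name=='$OU_NAME'].Id" --output text
}

# Step 5: move the account from the root into the OU.
move_account() {
  org move-account --account-id "$1" --source-parent-id "$2" --destination-parent-id "$3"
}

# The ~/.aws/config stanza from the text; mfa_serial keeps MFA mandatory.
profile_stanza() {
  printf '[profile %s]\nrole_arn = arn:aws:iam::%s:role/OrganizationAccountAccessRole\nmfa_serial = %s\nsource_profile = %s\n' \
    "$1" "$2" "$3" "$MASTER_PROFILE"
}

# After the stanza is in ~/.aws/config: confirm the assumed role really lands
# in the account that was just created, not in some other member account.
verify_access() {
  actual=$(AWS_PROFILE="$1" aws sts get-caller-identity --query Account --output text)
  [ "$actual" = "$2" ]
}

main() {
  email=${1:?usage: $0 ACCOUNT_EMAIL}
  request_id=$(create_account "$email")
  is_org_id "$request_id" car || { echo "bad request id '$request_id'" >&2; return 1; }
  account_id=$(wait_for_account "$request_id")
  root=$(root_id)
  ou=$(ou_id "$root")
  is_org_id "$ou" ou || { echo "OU '$OU_NAME' not found under $root" >&2; return 1; }
  move_account "$account_id" "$root" "$ou"
  echo "Add this to ~/.aws/config, then run: verify_access $TARGET_PROFILE $account_id"
  profile_stanza "$TARGET_PROFILE" "$account_id" "${MFA_SERIAL:?set MFA_SERIAL to your MFA device ARN}"
}

# Without arguments the file only defines the functions (handy for sourcing).
[ "$#" -eq 0 ] || main "$@"
```

Run it as `MFA_SERIAL=arn:aws:iam::<master-account-id>:mfa/<user> ./bootstrap-transit.sh ${ACCOUNT_EMAIL}` from a shell that can use the myorg-master profile; it prints the stanza to paste into ~/.aws/config, and `verify_access myorg-transit <account id>` afterwards fails if the role assumption ends up in any account other than the new one.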
Enable trusted access for AWS RAM (Resource Access Manager) in the AWS Organization:
AWS_PROFILE=myorg-master aws organizations enable-aws-service-access --service-principal ram.amazonaws.com
Enable sharing within your AWS Organization:
AWS_PROFILE=myorg-master aws ram enable-sharing-with-aws-organization --region eu-central-1