This page describes how to set up a new AWS account using org-formation. Org-formation lets us fully automate the creation and management of AWS accounts.
- Install Node.js
- Install org-formation (the npx commands below fetch it on first use if it is not installed globally)
Org-formation's approach to account creation and management centers around AWS Organizations, where there is one master/management account and multiple member accounts. The management account requires manual bootstrapping; member accounts do not, because org-formation bootstraps them.
The management account only needs to be bootstrapped once, and it can then manage many member accounts.
- Create a Google group or email for the new AWS management account (i.e. [email protected])
- Manually create a new AWS account and set up payment for it.
- Make it the management account of an AWS organization (create an organization in it with all features enabled, which is required for service control policies).
- Go to the AWS CloudFormation console and create a stack from the org-ci-service-access.yaml template to bootstrap the account with a service user and role. Name the stack bootstrap-ci-service-access.
- Get the service user's access key ID and secret access key, and the service role's ARN, from the CloudFormation stack outputs. Stack outputs can be read by any principal allowed to describe the stack, so treat these values as secrets: put them in your CI system's secret store, never commit them, and rotate the access key if it is ever exposed.
- Configure AWS CLI profiles: one holding the CiServiceUser access keys, and a second that assumes the CiServiceRole from it (role_arn and source_profile in ~/.aws/config), so that day-to-day work runs under the role rather than directly on the user's static keys.
- Log out of the root account. Before doing so, make sure MFA is enabled on the root user; root should not be used again for routine work.
- Make a new folder for the management account and cd into it.
- Set up an org-formation project (i.e. run "npx org-formation init --profile management-profile --region us-east-1 --verbose").
- You should now have the org-formation files; put them under source control and set up CI/CD to deploy them to the AWS account.
- To deploy, run the perform-tasks command (i.e. "npx org-formation perform-tasks --profile management-role --verbose --print-stack organization-tasks.yaml").
- Read the org-formation configuration and account management docs to learn how they work.
- As a next step it is recommended to set up SSO to give users access to the management account, rather than creating IAM users with passwords. Setting up a SAML provider on AWS can be done with org-formation's Community::IAM::SamlProvider resource.
The power of org-formation is in its ability to automate the creation and management of many member accounts. Org-formation handles all the bootstrapping required for member accounts.
- Create a Google group or email for the new AWS member account (i.e. [email protected]). Every account needs its own root email; AWS will not accept one that is already used by another account.
- Add a section like the following to the organizations.yaml file:
MemberOneAccount:
  Type: OC::ORG::Account
  Properties:
    AccountName: org-sagebase-member-one
    RootEmail: [email protected]
    Alias: org-sagebase-member-one
    Tags:
      <<: !Include ./_default_org_tags.yaml
      CostCenter: NIA AMP-AD CC / 101500
      AccountOwner: [email protected]
      budget-alarm-threshold: 1000
      budget-alarm-threshold-email-recipient: [email protected]
- Run "npx org-formation perform-tasks --profile management-role --verbose --print-stack organization-tasks.yaml"
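Mistakes in organizations.yaml (a reused root email, a missing budget tag, a non-numeric threshold) only surface once perform-tasks is already talking to the Organizations API, so it is worth a pre-flight check in CI. The following is an added example, not org-formation's or this page's own tooling. It uses a deliberately small stdlib-only parser for the indentation-based subset of YAML the account entries above use (nested mappings with scalar values; sequences, flow style and multi-line scalars are not handled, and "<<: !Include ..." is kept as a plain string rather than expanded). Treating the tags shown above as mandatory for every member account is an assumption about local convention, not an org-formation rule; the sample document and its addresses are constructed for the example.

```python
"""Pre-flight lint for OC::ORG::Account entries in organizations.yaml (added example)."""
import re

ACCOUNT_TYPE = "OC::ORG::Account"
REQUIRED_PROPS = ("AccountName", "RootEmail", "Alias")
# Assumption: these tags are required by local convention (they are the ones the page's example sets).
REQUIRED_TAGS = ("CostCenter", "AccountOwner",
                 "budget-alarm-threshold", "budget-alarm-threshold-email-recipient")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_block_yaml(text):
    """Parse nested `key: value` mappings by indentation into dicts.

    Only the subset organizations.yaml account entries use is supported:
    block mappings, scalar values, comments.  `<<: !Include path` lines are
    stored under the "<<" key as the raw string.
    """
    root = {}
    stack = [(-1, root)]  # (indent, mapping currently being filled)
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")  # first ':' only, so OC::ORG::Account survives
        value = value.strip()
        while indent <= stack[-1][0]:  # dedent: close deeper mappings
            stack.pop()
        parent = stack[-1][1]
        if value:
            parent[key] = value
        else:
            child = {}
            parent[key] = child
            stack.append((indent, child))
    return root


def lint_accounts(doc):
    """Return a list of problems found across all OC::ORG::Account entries."""
    problems, seen_emails = [], {}
    for name, entry in doc.items():
        if not isinstance(entry, dict) or entry.get("Type") != ACCOUNT_TYPE:
            continue
        props = entry.get("Properties")
        if not isinstance(props, dict):
            problems.append(f"{name}: Properties must be a mapping")
            continue
        for p in REQUIRED_PROPS:
            if p not in props:
                problems.append(f"{name}: missing Properties.{p}")
        email = props.get("RootEmail")
        if email:
            if not EMAIL_RE.match(email):
                problems.append(f"{name}: RootEmail {email!r} is not an email address")
            if email in seen_emails:  # AWS requires a distinct root email per account
                problems.append(f"{name}: RootEmail already used by {seen_emails[email]}")
            seen_emails.setdefault(email, name)
        tags = props.get("Tags")
        if not isinstance(tags, dict):
            tags = {}
        for t in REQUIRED_TAGS:
            if t not in tags:
                problems.append(f"{name}: missing tag {t}")
        threshold = tags.get("budget-alarm-threshold")
        if threshold is not None and not (threshold.isdigit() and int(threshold) > 0):
            problems.append(f"{name}: budget-alarm-threshold must be a positive integer, got {threshold!r}")
    return problems


def lint_text(text):
    return lint_accounts(parse_block_yaml(text))


# Constructed sample: the second account reuses a root email, drops a tag and has a bad threshold.
SAMPLE = """\
MemberOneAccount:
  Type: OC::ORG::Account
  Properties:
    AccountName: org-sagebase-member-one
    RootEmail: aws-member-one@example.org
    Alias: org-sagebase-member-one
    Tags:
      <<: !Include ./_default_org_tags.yaml
      CostCenter: NIA AMP-AD CC / 101500
      AccountOwner: owner@example.org
      budget-alarm-threshold: 1000
      budget-alarm-threshold-email-recipient: owner@example.org
MemberTwoAccount:
  Type: OC::ORG::Account
  Properties:
    AccountName: org-sagebase-member-two
    RootEmail: aws-member-one@example.org
    Alias: org-sagebase-member-two
    Tags:
      CostCenter: NIA AMP-AD CC / 101500
      AccountOwner: owner@example.org
      budget-alarm-threshold: lots
"""

if __name__ == "__main__":
    for problem in lint_text(SAMPLE):
        print(problem)
```

Run it against the real organizations.yaml in a CI job that precedes perform-tasks, and fail the job on a non-empty list; the include line is left unexpanded, so tags that come only from _default_org_tags.yaml must be listed there rather than in REQUIRED_TAGS.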
Org-formation creates the new member account through the management account's Organizations API. As part of account creation, AWS creates a cross-account IAM role in the member account named OrganizationAccountAccessRole; it trusts the management account and grants full administrator access. (AWSServiceRoleForOrganizations also exists, but it is a service-linked role that only the Organizations service can assume; it cannot be used to log in.)
Once the account is created, OrganizationAccountAccessRole can be used to access the member account. Org-formation will also deploy all cloud resources defined in its templates to the member account.
Access to member accounts works by assuming cross-account roles. If you have access to the management account with permission to call sts:AssumeRole on the member account's OrganizationAccountAccessRole, you can get into the member account. Because that role carries full administrator rights in the member account, keep the set of management-account principals allowed to assume it small, and prefer SSO with narrower roles for people who do not need admin.
To access the member account:
- Log in to the management account
- Go to AWS console → Switch Role
- Enter the member account ID and the role name (OrganizationAccountAccessRole)
Note: You can also access a member account from the AWS CLI by assuming OrganizationAccountAccessRole, either with "aws sts assume-role" or with a CLI profile whose role_arn points at that role and whose source_profile is your management-account profile.
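The two CLI pieces of this page, the management-account profiles built from the bootstrap stack outputs (CiServiceUser keys plus a profile that assumes CiServiceRole) and the member-account access via OrganizationAccountAccessRole, are the same role-chaining pattern, so one added example covers both. This is not org-formation's or this page's own tooling. The profile names (management-user, management-role, member-one), the account IDs and both JSON samples are constructed for the example, and the stack output keys in the sample are assumed, since the page does not list the real ones; the CLI config keys (aws_access_key_id, aws_secret_access_key, role_arn, source_profile, region) and the shape of describe-stacks and assume-role output are the standard ones.

```python
"""Build AWS CLI profiles for org-formation access and consume an STS AssumeRole response (added example)."""
import configparser
import io
import json

ORG_ACCESS_ROLE = "OrganizationAccountAccessRole"  # role AWS creates in each member account


def stack_outputs(describe_stacks_json):
    """Map OutputKey -> OutputValue from `aws cloudformation describe-stacks --stack-name ...` output."""
    stacks = json.loads(describe_stacks_json)["Stacks"]
    return {o["OutputKey"]: o["OutputValue"] for o in stacks[0].get("Outputs", [])}


def role_arn(account_id, role_name=ORG_ACCESS_ROLE):
    if not (account_id.isdigit() and len(account_id) == 12):
        raise ValueError(f"not a 12-digit AWS account id: {account_id!r}")
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def _ini(parser):
    buf = io.StringIO()
    parser.write(buf)
    return buf.getvalue()


def cli_profiles(access_key_id, secret_access_key, ci_role_arn, region, member_accounts):
    """Return (credentials_ini, config_ini) text for ~/.aws/credentials and ~/.aws/config.

    Only the CI service user's static keys go into the credentials file; every
    other profile chains a role from it, so those keys are the one secret to
    protect and rotate.  Member-account profiles assume OrganizationAccountAccessRole
    *from* the management role, which is how the console "Switch Role" step works too.
    """
    creds = configparser.ConfigParser()
    creds["management-user"] = {
        "aws_access_key_id": access_key_id,
        "aws_secret_access_key": secret_access_key,
    }
    cfg = configparser.ConfigParser()
    cfg["profile management-role"] = {
        "role_arn": ci_role_arn,
        "source_profile": "management-user",
        "region": region,
    }
    for name, account_id in member_accounts.items():
        cfg[f"profile {name}"] = {
            "role_arn": role_arn(account_id),
            "source_profile": "management-role",
            "region": region,
        }
    return _ini(creds), _ini(cfg)


def env_from_assume_role(assume_role_json):
    """Environment variables for `aws sts assume-role` output (for CI steps that cannot use profiles)."""
    c = json.loads(assume_role_json)["Credentials"]
    return {
        "AWS_ACCESS_KEY_ID": c["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": c["SecretAccessKey"],
        "AWS_SESSION_TOKEN": c["SessionToken"],  # temporary credentials are rejected without it
    }


# Constructed sample of describe-stacks output; output keys are assumed, key values are AWS's documented example keys.
SAMPLE_DESCRIBE_STACKS = json.dumps({"Stacks": [{"StackName": "bootstrap-ci-service-access", "Outputs": [
    {"OutputKey": "CiServiceUserAccessKeyId", "OutputValue": "AKIAIOSFODNN7EXAMPLE"},
    {"OutputKey": "CiServiceUserSecretAccessKey", "OutputValue": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"OutputKey": "CiServiceRoleArn", "OutputValue": "arn:aws:iam::111111111111:role/CiServiceRole"},
]}]})

# Constructed sample of `aws sts assume-role` output for a member account.
SAMPLE_ASSUME_ROLE = json.dumps({
    "Credentials": {"AccessKeyId": "ASIAEXAMPLETEMPKEY", "SecretAccessKey": "temp-secret",
                    "SessionToken": "temp-session-token", "Expiration": "2021-01-01T00:00:00Z"},
    "AssumedRoleUser": {"AssumedRoleId": "AROAEXAMPLE:ci",
                        "Arn": "arn:aws:sts::222222222222:assumed-role/OrganizationAccountAccessRole/ci"},
})


def build_demo():
    """Wire the samples through: stack outputs -> profiles, plus env vars from an assume-role call."""
    out = stack_outputs(SAMPLE_DESCRIBE_STACKS)
    creds, cfg = cli_profiles(out["CiServiceUserAccessKeyId"], out["CiServiceUserSecretAccessKey"],
                              out["CiServiceRoleArn"], "us-east-1", {"member-one": "222222222222"})
    return creds, cfg, env_from_assume_role(SAMPLE_ASSUME_ROLE)


if __name__ == "__main__":
    creds, cfg, env = build_demo()
    print(creds)
    print(cfg)
    print(env)
```

With the generated config in place, "aws sts get-caller-identity --profile member-one" should report an assumed-role ARN under OrganizationAccountAccessRole in the member account, which is a quick check that the chain (static user key → CiServiceRole → member role) works before handing it to CI.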