A programmatic way to create an account in AWS Control Tower.

Saket Deshpande, published in Globant, Dec 17, 2021 (5 min read)

Introduction

AWS Control Tower manages and orchestrates multiple AWS accounts across organizational units, all under a single management account (the root of the organization). For many companies a multi-account structure helps meet the distinct needs of each application team or business group: you enforce security and billing configuration centrally while still giving each team a degree of autonomy over its own account.

Background

Creating accounts for multiple teams with all the security guardrails and configuration in place is tedious and error-prone when done by hand. Automation addresses both problems. There are several ways to automate account provisioning:

  • AWS CLI
  • AWS API
  • Account Factory for Terraform
  • Account vending through Amazon Lex ChatBot

The scope of this article is to cover account creation using AWS CLI and API.

Prerequisites

  • An AWS Control Tower landing zone is already set up.
  • The AWS Control Tower Account Factory template is configured with the required CIDR and subnet settings.
  • The Account Factory product in AWS Service Catalog exists and is active.
  • Credentials for an IAM principal in the management account that has been granted access to the Account Factory portfolio in Service Catalog. Prefer temporary credentials from an assumed role over a long-lived access key and secret key for an admin user; if you must use an access key pair, keep it out of source control and rotate it.

1- AWS CLI

Steps to follow

The AWS CLI must be installed before creating an account from the command line. Refer to https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html for installation. The steps below were run on Linux.

  • Set the credentials of the management-account principal as environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and, for temporary credentials, AWS_SESSION_TOKEN) together with AWS_DEFAULT_REGION; the commands that follow read the region from AWS_DEFAULT_REGION.
  • Retrieve the management (master) account ID and define the admin role ARN.

MasterAcct=$(aws sts get-caller-identity --query 'Account' --output text)

AdminArn="arn:aws:iam::${MasterAcct}:role/service-role/AWSControlTowerStackSetRole"

Get the management account ID and the role ARN. Running get-caller-identity first is also a cheap check that the credentials you exported belong to the management account; AdminArn itself is not consumed by the commands that follow.

Retrieve the product ID of the Account Factory product in the region set in AWS_DEFAULT_REGION:

  • prod_id=$(aws servicecatalog search-products --filters FullTextSearch='AWS Control Tower Account Factory' --region $AWS_DEFAULT_REGION --query "ProductViewSummaries[*].ProductId" --output text)

Get the Service Catalog product ID. FullTextSearch is a text match, so check that prod_id holds exactly one ID (echo $prod_id); if more than one product matches, the variable contains several IDs on one line and the later commands fail.

Retrieve the provisioning artifact (the Account Factory template version) for the product. The [-1] index selects the last entry in the list, i.e. the most recently created version:

  • pa_id=$(aws servicecatalog describe-product --id $prod_id --region $AWS_DEFAULT_REGION --query "ProvisioningArtifacts[-1].Id" --output text)

Get the factory template ID.

Create a param.json file with the provisioning parameters. The file is a JSON array of objects, each with a Key and a Value field, one per parameter, in this order: SSOUserEmail, SSOUserFirstName, SSOUserLastName, ManagedOrganizationalUnit (written as "OU_Name (OU_ID)"), AccountName and AccountEmail. AccountEmail must not already be in use by another AWS account.

Derive the provisioned-product (catalog) name and the e-mail address from param.json. The catalog name only needs to be unique within Service Catalog; it can be the same as the account name. Here we add the prefix "CatalogFor" to the account name. The jq indices are positional, so they only work when the keys are in the order given above (.[4] is AccountName and .[0] is SSOUserEmail).

  • export CatalogName='CatalogFor'$(jq -r .[4].Value param.json)
  • export EmailId=$(jq -r .[0].Value param.json)

Set up a unique ID for the account provisioning.

Run provision-product to create the account:

  • aws servicecatalog provision-product --product-id $prod_id --provisioning-artifact-id $pa_id --provisioned-product-name $CatalogName --provisioning-parameters file://param.json

Create the account. The command returns immediately with a RecordDetail for the request; the account itself takes some time to provision, so its status has to be checked afterwards (see Account Status below). EmailId is not used by this command; the e-mail addresses are read from param.json.
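The CLI steps above, put together as one script with the checks the individual commands skip. This is an added example, not code from the original article: it assumes AWS CLI v2 is installed, that the shell already holds credentials for the Control Tower management account (environment variables or a profile) and AWS_DEFAULT_REGION, and that the Account Factory product and portfolio access are in place. The function and variable names (valid_email, json_safe, exactly_one_id, build_params, provision_account) are this example's own. It validates the parameter values before writing param.json, refuses to continue if the product search returns anything other than exactly one product, and polls the provisioned product until it leaves UNDER_CHANGE instead of relying on a manual console check.

```shell
#!/bin/sh
# Added example (not from the original article): Account Factory provisioning
# end-to-end with input validation, a single-product check and status polling.
# Assumes AWS CLI v2, credentials for the management account already in the
# environment or a profile, and AWS_DEFAULT_REGION set.
set -eu

# Plain e-mail shape only. Besides catching typos, this keeps '"' and '\' out of
# the JSON built below, so a value can never break out of its string.
valid_email() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$'
}

# Other free-text values (names, "OU_Name (ou-id)") must not carry
# JSON-significant characters either; printf does not escape for us.
json_safe() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9 ._()+-]+$'
}

# search-products with FullTextSearch is a text match and can return several
# products; with --output text they arrive as one tab-separated line and the
# later commands would receive garbage. Succeed only for exactly one product ID.
exactly_one_id() {
  set -- $1
  [ "$#" -eq 1 ] || return 1
  case "$1" in prod-*) return 0 ;; esac
  return 1
}

# Emit param.json. Key order is the order the article relies on with jq
# (.[0] is SSOUserEmail, .[4] is AccountName); values are validated by the caller.
build_params() {
  printf '[\n'
  printf '  {"Key": "SSOUserEmail", "Value": "%s"},\n' "$1"
  printf '  {"Key": "SSOUserFirstName", "Value": "%s"},\n' "$2"
  printf '  {"Key": "SSOUserLastName", "Value": "%s"},\n' "$3"
  printf '  {"Key": "ManagedOrganizationalUnit", "Value": "%s"},\n' "$4"
  printf '  {"Key": "AccountName", "Value": "%s"},\n' "$5"
  printf '  {"Key": "AccountEmail", "Value": "%s"}\n' "$6"
  printf ']\n'
}

# Full run: look up product and artifact, write param.json, provision, then
# wait for the provisioned product to settle. Arguments:
#   SSO_EMAIL FIRST LAST "OU_Name (ou-id)" ACCOUNT_NAME ACCOUNT_EMAIL
provision_account() {
  sso_email=$1; first=$2; last=$3; ou=$4; acct_name=$5; acct_email=$6
  region=${AWS_DEFAULT_REGION:?AWS_DEFAULT_REGION must be set}

  valid_email "$sso_email" && valid_email "$acct_email" || { echo "bad e-mail address" >&2; return 1; }
  for v in "$first" "$last" "$ou" "$acct_name"; do
    json_safe "$v" || { echo "unsafe value: $v" >&2; return 1; }
  done

  ids=$(aws servicecatalog search-products --region "$region" \
        --filters FullTextSearch='AWS Control Tower Account Factory' \
        --query 'ProductViewSummaries[*].ProductId' --output text)
  exactly_one_id "$ids" || { echo "expected one Account Factory product, got: '$ids'" >&2; return 1; }
  prod_id=$ids

  # [-1] picks the last (newest) provisioning artifact, i.e. the current template version.
  pa_id=$(aws servicecatalog describe-product --region "$region" --id "$prod_id" \
        --query 'ProvisioningArtifacts[-1].Id' --output text)

  build_params "$sso_email" "$first" "$last" "$ou" "$acct_name" "$acct_email" > param.json
  catalog_name="CatalogFor$acct_name"

  aws servicecatalog provision-product --region "$region" \
      --product-id "$prod_id" --provisioning-artifact-id "$pa_id" \
      --provisioned-product-name "$catalog_name" \
      --provisioning-parameters file://param.json \
      --query 'RecordDetail.RecordId' --output text

  # Account Factory runs take a while; poll until the status settles. Anything
  # other than AVAILABLE at the end is a failure worth surfacing to the caller.
  while :; do
    status=$(aws servicecatalog describe-provisioned-product --region "$region" \
             --name "$catalog_name" --query 'ProvisionedProductDetail.Status' --output text)
    echo "$catalog_name: $status"
    case "$status" in
      UNDER_CHANGE|PLAN_IN_PROGRESS) sleep 30 ;;
      AVAILABLE) return 0 ;;
      *) return 1 ;;
    esac
  done
}

# Only provision when explicitly asked, so the helpers can be sourced or tested alone.
if [ "${1:-}" = "run" ]; then
  shift
  [ "$#" -eq 6 ] || { echo "usage: $0 run SSO_EMAIL FIRST LAST 'OU_Name (ou-id)' ACCOUNT_NAME ACCOUNT_EMAIL" >&2; exit 2; }
  provision_account "$@"
fi
```

Invoke it as ./provision.sh run with the six parameter values; without the run argument the script only defines the functions. The validation is deliberately strict (a fixed character set rather than JSON escaping) because the values end up both in a CloudFormation stack set and in an IAM Identity Center user, so a narrow allow-list is the safer default.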

2- AWS SDK API

This is another way to create an account in AWS Control Tower: call the Service Catalog ProvisionProduct API directly from the SDK. The sample below uses the AWS SDK for Java 2.x (version 2.17.99). Use DefaultCredentialsProvider, which resolves credentials from the environment, a profile or an assumed role, rather than a StaticCredentialsProvider with an access key pair written into the source.

For more details, refer to the AWS ProvisionProduct API documentation listed in the references.

import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.servicecatalog.ServiceCatalogClient;
import software.amazon.awssdk.services.servicecatalog.model.ProvisionProductRequest;
import software.amazon.awssdk.services.servicecatalog.model.ProvisionProductResponse;
import software.amazon.awssdk.services.servicecatalog.model.ProvisioningParameter;

public void awsCreateAccount() {
    Region region = Region.US_WEST_2;

    // Credentials come from the default chain (env vars, profile, instance/assumed role);
    // no access key pair is embedded in the code.
    ServiceCatalogClient serviceCatalogClient = ServiceCatalogClient.builder()
            .region(region)
            .credentialsProvider(DefaultCredentialsProvider.create())
            .build();

    // Same product, artifact and parameters as the CLI section; the parameter keys
    // and their order match param.json.
    ProvisionProductRequest provisionProductRequest = ProvisionProductRequest.builder()
            .productId("prod-2au6asfsdfsfds")
            .provisioningArtifactId("pa-dsfdsfdfsfs")
            .provisionedProductName("CatalogFortest-Custom-Account")
            .provisioningParameters(
                    ProvisioningParameter.builder().key("SSOUserEmail").value("test@example.com").build(),
                    ProvisioningParameter.builder().key("SSOUserFirstName").value("test").build(),
                    ProvisioningParameter.builder().key("SSOUserLastName").value("test").build(),
                    ProvisioningParameter.builder().key("ManagedOrganizationalUnit").value("OU_Name (OU_ID)").build(),
                    ProvisioningParameter.builder().key("AccountName").value("test-Custom-Account").build(),
                    ProvisioningParameter.builder().key("AccountEmail").value("test@example.com").build())
            .build();

    ProvisionProductResponse provisionProductResponse = serviceCatalogClient.provisionProduct(provisionProductRequest);

    // The call returns a provisioning record, not a finished account; poll the
    // provisioned product's status (DescribeProvisionedProduct) until it is AVAILABLE.
    System.out.println(provisionProductResponse.recordDetail().recordId());
    serviceCatalogClient.close();
}

Account Status

Check the status of the account creation in the AWS Control Tower console (signed in as the Control Tower admin) or with aws servicecatalog describe-provisioned-product; the provisioned product shows UNDER_CHANGE while the account is being built and AVAILABLE once it is ready. Any other final status (TAINTED or ERROR) means the run failed and needs to be investigated.

An e-mail is sent to the account e-mail address supplied when the account was created.

Steps to access AWS Control Tower Account

Go to the AWS Management Console and click Sign in.

Select the Root user option, enter the root user e-mail address (the AccountEmail given at provisioning time) and click Next; complete the captcha in the security check window and submit.

On the password window, click Forgot password, complete the captcha again and send the e-mail. A password-reset link is delivered to the root e-mail address.

Set the new password and log in. Because this is the root user of the new account, enable MFA on it immediately and reserve it for tasks that require root; day-to-day access should go through the SSO user that Account Factory created from the SSOUserEmail parameter.

Summary

The account will be created with all the mandatory guardrails and SCPs (Service control policies). There is no additional charge to use AWS Control Tower. However, when you set up AWS Control Tower, you will begin to incur costs for AWS services configured to set up your landing zone and mandatory guardrails. While some AWS services like AWS Organizations and AWS Single Sign-On (SSO) come at no additional charge, you will pay for services such as AWS Service Catalog, AWS CloudTrail, AWS Config, Amazon CloudWatch, Amazon Simple Notification Service (SNS), Amazon Simple Storage Service (S3), and Amazon Virtual Private Cloud (VPC), based on your usage of these services. You only pay for what you use, as you use it.

References

https://docs.aws.amazon.com/servicecatalog/latest/dg/API_ProvisionProduct.html

https://docs.aws.amazon.com/controltower/latest/userguide/automated-provisioning-walkthrough.html

https://docs.aws.amazon.com/controltower/latest/userguide/account-factory.html

Visit us at https://www.globant.com/studio/cloud-ops
