Account enrollment failed.


Hi, I am trying to enrol an existing account into my Control Tower landing zone. The account was originally a member of a different AWS Organization; it was removed from that organization and joined to the same organization as the CT management account. I had already added the AWSControlTowerExecution role to the account and successfully joined it to the new AWS Organization. When I tried to enrol the account in CT, the enrolment failed. I then discovered that I had the wrong account number in the trust relationship for the role. I corrected this, removed the account from the organization, removed the stack from Service Catalog and tried again. The account has joined the AWS Organization successfully and is in the Root OU, as before; however, when I go to CT to enrol the account, the state is "Enrolment failed". I had expected it to say "Not enrolled", as I have not yet tried to enrol the account this time. It is almost as if the enrolment hasn't cleared from the first failed attempt.

Any suggestions would be appreciated,

Thanks in advance, D

Asked 2 years ago, 1676 views
2 answers

Accepted answer

Hi There

From https://docs.aws.amazon.com/controltower/latest/userguide/troubleshooting.html#enrollment-failed

In this case, you must take two recovery steps before you can proceed with enrolling your existing account. First, you must terminate the Account Factory provisioned product through the AWS Service Catalog console. Next, you must use the AWS Organizations console to manually move the account out of the OU and back to the root. After that is done, create the AWSControlTowerExecution role in the account, and then fill in the Enroll account form again.

Since you already have the account in the root, try to create a new temporary OU outside of Control Tower through Organizations, move the failed account into that OU, then register the OU with CT to perform the enrollment. That will start the enrollment process again.

https://docs.aws.amazon.com/controltower/latest/userguide/importing-existing.html

AWS Expert
Matt-B
Answered 2 years ago
  • Hi Matt, thanks for your reply. How do I then get the account into the OU where I want it to live? Can I move it to another OU which is already registered in CT?

    Thanks, D


Hi Matt, I was able to create a new OU and move the failed account to this OU in AWS Organizations. In CT I then registered the OU, and the account enrolled successfully. I then moved it to the correct OU in AWS Organizations and updated the account via CT. It was enrolled successfully in the correct OU.

Thanks for your help. Declan

Answered 2 years ago
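The root cause in the question was a wrong account number in the trust relationship of the AWSControlTowerExecution role, and the accepted answer's recovery steps end with recreating that role before enrolling again. The following is an added example, not code from the original thread or from AWS: it builds the trust policy the role needs (trusting only the Control Tower management account's root, on `sts:AssumeRole`) and checks an existing trust policy offline for the mistakes that break enrollment, including the exact one described above. The account IDs and the sample policies are constructed placeholders.

```python
import json
import re

ROLE_NAME = "AWSControlTowerExecution"
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
ROOT_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):root$")


def principal_account_ids(principal):
    """Return the 12-digit account IDs named by a trust-policy Principal.

    Accepts the forms IAM allows for an account principal: a bare account
    ID, an account root ARN, or a list of either, optionally wrapped in
    {"AWS": ...}. Service principals, wildcards and role ARNs yield no ID
    and are reported by the caller instead of being silently accepted."""
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    if isinstance(principal, str):
        principal = [principal]
    ids = []
    for p in principal:
        m = ROOT_ARN_RE.match(p)
        if m:
            ids.append(m.group(1))
        elif ACCOUNT_ID_RE.match(p):
            ids.append(p)
    return ids


def check_execution_role_trust(policy_json, management_account_id):
    """Validate an AWSControlTowerExecution trust policy document offline.

    Returns a list of findings; an empty list means the role trusts the
    Control Tower management account and nothing else."""
    findings = []
    doc = json.loads(policy_json)
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    allow_assume = []
    for s in statements:
        actions = s.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if s.get("Effect") == "Allow" and "sts:AssumeRole" in actions:
            allow_assume.append(s)
    if not allow_assume:
        findings.append("no Allow statement for sts:AssumeRole")
        return findings
    trusted = set()
    for s in allow_assume:
        principal = s.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("wildcard principal: any AWS account could assume the role")
            continue
        ids = principal_account_ids(principal)
        if not ids:
            findings.append(f"unrecognised principal {principal!r}")
        trusted.update(ids)
    if management_account_id not in trusted:
        findings.append(
            f"management account {management_account_id} is not trusted "
            f"(trusted: {sorted(trusted) or 'none'})")
    # The role grants AdministratorAccess in the member account, so any
    # extra trusted account is a finding, not just the missing one.
    for other in sorted(trusted - {management_account_id}):
        findings.append(f"unexpected trusted account {other}")
    return findings


def execution_role_trust_policy(management_account_id):
    """Build the trust policy document the Enroll account step expects."""
    if not ACCOUNT_ID_RE.match(management_account_id):
        raise ValueError("management account ID must be 12 digits")
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{management_account_id}:root"},
            "Action": "sts:AssumeRole",
        }],
    }, indent=2)


# Constructed sample: placeholder IDs for the new management account and for
# the management account of the organization the member account came from.
MANAGEMENT_ACCOUNT = "111111111111"
OLD_ORG_ACCOUNT = "222222222222"

# The mistake from the question: the trust relationship still names the
# old organization's management account instead of the new one.
WRONG_TRUST_POLICY = execution_role_trust_policy(OLD_ORG_ACCOUNT)

if __name__ == "__main__":
    print(f"{ROLE_NAME} trust policy to create:")
    print(execution_role_trust_policy(MANAGEMENT_ACCOUNT))
    for finding in check_execution_role_trust(WRONG_TRUST_POLICY, MANAGEMENT_ACCOUNT):
        print("finding:", finding)
```

To check the live role before retrying the Enroll account step, run `aws iam get-role --role-name AWSControlTowerExecution --query Role.AssumeRolePolicyDocument --output json` with credentials for the member account and pass the printed document to `check_execution_role_trust` together with the management account ID from the Control Tower console; the CLI returns the document already URL-decoded, so it can be fed straight to `json.loads`.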
