How can organization accounts be accessed programmatically?
I want to create accounts in an organization programmatically and once created, I would like to programmatically manage resources within the account. How can this be done without having to use the AWS Console to switch accounts or reset the password? Can I use the AWS API SDK with an access key from the organization account to target the sub account?
Figured out that I can use the AWS Security Token Service to assume the role of the account in the organization and perform the actions I require.
Yes, you can accomplish these tasks using the AWS SDK.
You could take a look at this AWS Bootstrap Kit example repository on GitHub. This repository contains examples of using the AWS Bootstrap Kit to set up your development and deployment environment on AWS. You can get an impression of how such centralized account and resource management could be accomplished.
Using AWS CDK, this example shows you how to create and manage a complete AWS Organization (including multiple accounts). You can also explore how to manage the resources in those accounts using the IaC approach - by deploying CDK constructs into various accounts of the organization. This is one possible approach.
You can also call the AWS API directly to achieve the same results, but the best practice is to use an IaC approach, for example with AWS CloudFormation or AWS CDK.
Essentially, the target accounts you want to manage must allow the central (root) account to do so. You do this by configuring the corresponding IAM roles in the target accounts and assuming them when managing the resources. The Bootstrap Kit example mentioned above shows you how to achieve that using AWS CDK.
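The following is an added example of the SDK-only flow described in this answer; it is not code from the thread or from the Bootstrap Kit. It assumes (these assumptions are not stated on the page) that the caller holds credentials from the organization's management account with permission for organizations:CreateAccount and sts:AssumeRole, and that the member account's cross-account role is the one Organizations creates by default, OrganizationAccountAccessRole, whose trust policy allows the management account to assume it. The Organizations and STS clients are passed in so the flow can be exercised against the constructed in-memory stand-ins at the bottom without any network access; `live_clients()` shows the boto3 wiring for a real run.

```python
"""Create a member account with AWS Organizations, then manage it through an
STS AssumeRole session. Added example; assumptions are noted in comments."""
import time

# Role that Organizations creates in every new member account by default.
DEFAULT_ROLE = "OrganizationAccountAccessRole"


def member_role_arn(account_id: str, role_name: str = DEFAULT_ROLE) -> str:
    """Build the ARN of the cross-account role inside a member account."""
    if not (len(account_id) == 12 and account_id.isdigit()):
        raise ValueError(f"not a 12-digit AWS account id: {account_id!r}")
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def create_member_account(org, email: str, name: str, role_name: str = DEFAULT_ROLE,
                          poll_seconds: float = 5, max_polls: int = 60) -> str:
    """CreateAccount is asynchronous: submit the request, then poll
    DescribeCreateAccountStatus until it reports SUCCEEDED or FAILED.
    Returns the new account id."""
    status = org.create_account(Email=email, AccountName=name, RoleName=role_name,
                                IamUserAccessToBilling="DENY")["CreateAccountStatus"]
    for _ in range(max_polls):
        if status["State"] == "SUCCEEDED":
            return status["AccountId"]
        if status["State"] == "FAILED":
            raise RuntimeError(f"account creation failed: {status.get('FailureReason')}")
        time.sleep(poll_seconds)
        status = org.describe_create_account_status(
            CreateAccountRequestId=status["Id"])["CreateAccountStatus"]
    raise TimeoutError("account creation still in progress after polling")


def assume_member_role(sts, account_id: str, session_name: str,
                       role_name: str = DEFAULT_ROLE, duration: int = 3600) -> dict:
    """Exchange management-account credentials for short-lived credentials in the
    member account. The result is in boto3.Session keyword form, so
    boto3.Session(**creds).client("s3") targets the member account."""
    creds = sts.assume_role(RoleArn=member_role_arn(account_id, role_name),
                            RoleSessionName=session_name,
                            DurationSeconds=duration)["Credentials"]
    return {"aws_access_key_id": creds["AccessKeyId"],
            "aws_secret_access_key": creds["SecretAccessKey"],
            "aws_session_token": creds["SessionToken"]}


# --- constructed stand-ins for the Organizations and STS clients (no network) ---
class FakeOrganizations:
    def __init__(self, new_account_id="123456789012", polls_until_ready=2):
        self.new_account_id, self.remaining = new_account_id, polls_until_ready
        self.requests = []

    def create_account(self, **kw):
        self.requests.append(kw)
        return {"CreateAccountStatus": {"Id": "car-0001", "State": "IN_PROGRESS"}}

    def describe_create_account_status(self, CreateAccountRequestId):
        self.remaining -= 1
        state = "SUCCEEDED" if self.remaining <= 0 else "IN_PROGRESS"
        body = {"Id": CreateAccountRequestId, "State": state}
        if state == "SUCCEEDED":
            body["AccountId"] = self.new_account_id
        return {"CreateAccountStatus": body}


class FakeSTS:
    def __init__(self):
        self.requests = []

    def assume_role(self, **kw):
        self.requests.append(kw)
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE",
                                "SecretAccessKey": "secret", "SessionToken": "token"}}


def run_demo(org=None, sts=None) -> dict:
    """Whole flow end to end against the stand-ins; returns the values checked."""
    org, sts = org or FakeOrganizations(), sts or FakeSTS()
    account_id = create_member_account(org, "workload+1@example.com", "customer-1",
                                       poll_seconds=0)
    creds = assume_member_role(sts, account_id, "provisioner")
    return {"account_id": account_id, "role_arn": sts.requests[-1]["RoleArn"],
            "session_token": creds["aws_session_token"]}


def live_clients():
    """Real wiring; needs boto3 and management-account credentials (assumption)."""
    import boto3
    return boto3.client("organizations"), boto3.client("sts")


if __name__ == "__main__":
    print(run_demo())
```

Two caveats worth keeping in mind: OrganizationAccountAccessRole carries administrator access in the member account, so the principal allowed to call sts:AssumeRole on it from the management account should be tightly scoped, and the role session itself is already enough to manage resources in the new account, so there is no need to create a long-lived IAM user or access key there unless something outside the organization genuinely needs one.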
Are there any examples of how to do this using the SDK? These accounts will be created on demand for customer workloads so I'd rather manage the process myself using the SDK.
After creating an account within an organization I'd like to create an IAM user with programmatic access without having to switch roles or reset the password. Would prefer to do everything through the SDK.