Creating resources in a new sub-account of my organization is now giving SubscriptionRequiredException and OptInRequired errors. How do I get around this? Is this a bug in AWS?

I am programmatically creating accounts in my overall AWS organization, then attempting to create resources (SNS topics, SQS queues, Lambdas, etc.) for those accounts via Terraform, using an IAM user's credentials that I also programmatically create for those accounts ahead of time.

The account and IAM creation works fine (I can see the account in the console), but when I attempt to run terraform apply I get either "SubscriptionRequiredException" or "OptInRequired The AWS Access Key Id needs a subscription for the service" errors.

I used to be able to do this just fine so it seems like either AWS changed something or they accidentally broke something in the last couple of years. I still have accounts I created 2-3 years ago using the exact same code that I can run terraform apply in just fine.

Here is another person complaining of the same issue (note: see the comment the OP made): https://www.reddit.com/r/aws/comments/v5iifl/losing_my_mind_while_trying_to_set_up/

I have checked that:

  • I have consolidated billing enabled for my org
  • One of my accounts is the management account
  • My monthly bill does go to the management account's credit card for all expenses in the org

Does anyone know why I am getting these errors even though my org appears to be set up correctly? Can I opt-in/subscribe to services programmatically from my programmatically-created accounts somehow?

fdllc
asked 9 months ago, 285 views
1 Answer

This has happened several times to me also with TF. It usually resolves itself while services are "Activated". Try again in a few minutes/hours/tomorrow.

answered 9 months ago
  • Hey Gary, thanks for the response. Unfortunately in my case it took two days, after which I reached out to support and had them resolve it. If you follow the link to the other person's Reddit post, they cite similar multi-day times that always involve support also. I used to be able to have an entire customer account created and provisioned within 25 minutes... now because of this error and the manual steps I have to take, it takes days :(

  • I feel your pain. It never used to be like this. We have similar issues when creating multi accounts, and configuring services across accounts should take MINS with IaC.

    Thanks for the update
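
An added example, not code from the question or the answer: a gate that holds `terraform apply` until read-only probe calls in the new account stop returning the two errors quoted in the question, and gives up at a deadline so the pipeline can escalate to support rather than wait indefinitely. The function names, the probe set and the timing values are assumptions.

```python
import time

# The two error codes quoted in the question; both are treated as "not activated yet".
PENDING_CODES = {"SubscriptionRequiredException", "OptInRequired"}

def error_code(exc):
    """Return the AWS error code carried by a botocore-style exception, else None."""
    response = getattr(exc, "response", None) or {}
    return response.get("Error", {}).get("Code")

def wait_until_active(probes, deadline_s=1800, first_delay_s=15, max_delay_s=300,
                      sleep=time.sleep, clock=time.monotonic):
    """Retry read-only probes (name -> zero-argument callable) until none raises a
    pending-activation error. Returns (ready, still_pending). Any other error
    (bad credentials, missing IAM permissions) is re-raised: waiting will not fix it.
    """
    start, delay, pending = clock(), first_delay_s, dict(probes)
    while True:
        for name in list(pending):
            try:
                pending[name]()
            except Exception as exc:
                if error_code(exc) not in PENDING_CODES:
                    raise
            else:
                del pending[name]  # this service answered normally
        if not pending:
            return True, []
        if clock() - start + delay > deadline_s:
            return False, sorted(pending)  # stop here and escalate
        sleep(delay)
        delay = min(delay * 2, max_delay_s)

def boto3_probes(session):
    """Assumed probe set: one list call per service the Terraform plan creates."""
    return {
        "sns": lambda: session.client("sns").list_topics(),
        "sqs": lambda: session.client("sqs").list_queues(),
        "lambda": lambda: session.client("lambda").list_functions(),
    }

if __name__ == "__main__":
    import subprocess, sys
    import boto3  # uses the new account's IAM user credentials from the environment
    ready, stuck = wait_until_active(boto3_probes(boto3.Session()))
    if not ready:
        sys.exit(f"still not activated after deadline: {stuck}")
    subprocess.run(["terraform", "apply", "-auto-approve"], check=True)
```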
