By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

New Account create with Account Factory keep failed to enrolled in ou

0

I have control tower environment and have few ou, accounts made during landing zone initialization process.

After landing zone creation is done, I made new ou on organization of management account and try to create some accounts with account factory also located in management account.

FYI, i login to management account via SSO user with AWSAdministratorAccess policy

The issue is whenever i tried to create account after account is being made it keep failed to enrolled in ou i specified during create process and management console saying two possible cause of failure.

  • your IAM principal lacks the necessary permissions to provision an account. To enroll an existing account, the AWSControlTowerExecution role must be present in the account you're enrolling.
  • AWS Security Token Service(AWS STS) is disabled in your AWS account in your home region.

The funnything is im not trying to enroll existing account to ou, its all brand new account. so i think its bit of nonsense AWS said that.

Is anyone encountered situations like this before or now? and if anyone know the cause and workaround it will be really pleasure to get some enlightment from your experiences.

Topics
Management & Governance
Tags
AWS Control TowerAWS OrganizationsAWS Account Management
Language
English
V
asked 8 months ago304 views
2 Answers
0

Hi Sorry, your question is not 100% clear. Are you trying to provision account via Service Catalog Account factory? If yes, in that case, you should sign in using portal and use AWSServiceCatalogEndUserAccess to go to management console. https://docs.aws.amazon.com/controltower/latest/userguide/provision-as-end-user.html

If this is not the case, can you share some steps and screen shot of how you are provisioning accounts?

AWS
rePost-User-5454640
answered 8 months ago
  • V
    8 months ago

    What im trying to do is provisioning account from Account Factory menu inside Control Tower Service dashboard. So with AWSServiceCatalogEndUserAccess level access i cant access Control Tower dashboard and other menu.

0

Thanks for the reply User#5454640I!

I tried provision the account from Account Factory menu inside control tower dashboard and use AWSAdministratorAccess to access the portal.

I think AWSAdministratorAccess include access level AWSServiceCatalogEndUserAccess have but ill try to provision with AWSServiceCatalogEndUserAccess level like you suggestions anyway.

Thanks for the tip.

V
answered 8 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content