ControlTower AFT Account Factory - How to Provision new accounts without SSO parameters?

0

Working on a project where we are using Control Tower and opted for Self-managed during setup, as the use case is to use the SSO of the existing AWS Organization.

Requirements

  • Use the existing SSO roles for staff access instead of those supplied with Control Tower
  • Existing IAM Identity Center/ SSO configuration needs to be retained, so people keep their access
  • New SSO users should not be created.

It seems the value of control_tower_parameters in Account Factory for Terraform (AFT) in the account request Terraform file has SSO as a mandatory parameter. How can you opt out of specifying SSO parameters during the account request so that the existing SSO is used?

  • AccountEmail
  • AccountName
  • ManagedOrganizationalUnit
  • SSOUserEmail
  • SSOUserFirstName
  • SSOUserLastName

module "sandbox_account_01" {
  source = "./modules/aft-account-request"

  control_tower_parameters = {
    AccountEmail = "john.doe@amazon.com"
    AccountName  = "sandbox-account-01"
    # Syntax for top-level OU
    ManagedOrganizationalUnit = "Sandbox"
    # Syntax for nested OU
    # ManagedOrganizationalUnit = "Sandbox (ou-xfe5-a8hb8ml8)"
    # SSO parameters: all three are mandatory in the module
    SSOUserEmail     = "john.doe@amazon.com"
    SSOUserFirstName = "John"
    SSOUserLastName  = "Doe"
  }
}

1 Answer
3

For the SSOUserEmail, this can either be a new email, or an existing email associated with an existing IAM user. While Control Tower's Account Factory currently requires an 'SSOUserEmail' parameter, you can work around it by using an existing SSO user's email address.

Here's a breakdown of the situation:

  • Control Tower expects an SSO user email (SSOUserEmail) during account creation.
  • You want to leverage your existing SSO configuration and avoid creating new SSO users.

Solution:

  1. Use Existing SSO User Email: When specifying the SSOUserEmail parameter in Account Factory Terraform (AFT), provide the email address of an existing user within your SSO system. This email doesn't have to be associated with an IAM user in Control Tower.

Important Caveats:

  • Control Tower will attempt to create a new SSO user if the provided email doesn't exist in your SSO system. To prevent this, ensure the email belongs to a valid user in your existing SSO.
  • Using an invalid email will likely cause enrollment failure during the account creation process.

Updating SSO Account Email:

If you need to update the SSO email address associated with the account later:

  • Modify the Provisioned Product within Service Catalog to reflect the desired SSOUserEmail change.[1]

Control Tower doesn't currently offer a way to entirely skip the SSO user creation step during account enrollment. In summary, you can leverage existing SSO users by providing their email addresses during account provisioning in Control Tower AFT. However, ensure the emails belong to valid users in your SSO system to avoid enrollment failures.

References:

  1. Updating provisioned products- https://docs.aws.amazon.com/servicecatalog/latest/userguide/enduser-update.html
  2. Tips on Managing Account Factory Accounts- https://docs.aws.amazon.com/controltower/latest/userguide/account-factory.html#closing-and-repurposing
AWS
merinkj
answered 14 days ago
  • Thanks @merinkj What happens when you specify the email address of an existing user within SSO during enrollment? Does it give Admin permissions during account enrollment to this SSO User? Does the SSO email address need to be unique for each account or can we share the same SSO email address for all accounts?

  • Q) What happens when you specify the email address of an existing user within SSO during enrollment? Does it give Admin permissions during account enrollment to this SSO user? A) When you use an existing user's email address for SSO enrollment in a new account, Control Tower will recognise that an SSO user with that email DOES exist, and it will grant Admin permissions to that user in the newly created account. Q) Does the SSO email address need to be unique for each account, or can we share the same SSO email address for all accounts? A) You could use the same SSO email address for multiple accounts when placing an aft-account-request.
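
The answer and comments above hinge on one precondition: the SSOUserEmail you put in the account request must already be an IAM Identity Center user, otherwise Control Tower creates a new one. The following is an added example (not code from the question, the answer, or AFT itself) of a pre-flight check that validates an account request against that rule before it is committed to the aft-account-request repository, then renders the module block. The identity-store lookup is injected as a callable so the check runs offline; the boto3-backed `identity_center_lookup` is what you would pass in for real use. The `identity_store_id` value, the sample user set and the sample request are all assumptions constructed for the example.

```python
"""Pre-flight check for an AFT account request that reuses an existing
IAM Identity Center (SSO) user, so Control Tower grants that user access
to the new account instead of creating a new SSO user.

Added example, not code from the original post or from AFT.
"""
from typing import Callable, List, Mapping

# Mandatory keys of control_tower_parameters in the aft-account-request
# module, as listed in the question.
REQUIRED_KEYS = (
    "AccountEmail",
    "AccountName",
    "ManagedOrganizationalUnit",
    "SSOUserEmail",
    "SSOUserFirstName",
    "SSOUserLastName",
)


def validate_request(params: Mapping[str, str],
                     user_exists: Callable[[str], bool]) -> List[str]:
    """Return a list of problems; an empty list means the request is safe
    to commit. `user_exists` answers whether an Identity Center user with
    that UserName already exists."""
    problems = []
    for key in REQUIRED_KEYS:
        if not params.get(key, "").strip():
            problems.append(f"missing mandatory parameter {key}")
    email = params.get("SSOUserEmail", "")
    if email and not user_exists(email):
        # This is the failure mode the answer warns about: Control Tower
        # would create a brand-new SSO user for an unknown address.
        problems.append(
            f"SSOUserEmail {email!r} is not an existing Identity Center "
            "user; Control Tower would create a new one")
    return problems


def render_hcl(module_name: str, params: Mapping[str, str]) -> str:
    """Render the module block for the aft-account-request repository."""
    width = max(len(k) for k in params)
    body = "\n".join(f'    {k.ljust(width)} = "{v}"'
                     for k, v in params.items())
    return (f'module "{module_name}" {{\n'
            '  source = "./modules/aft-account-request"\n\n'
            '  control_tower_parameters = {\n'
            f'{body}\n'
            '  }\n'
            '}\n')


def identity_center_lookup(identity_store_id: str) -> Callable[[str], bool]:
    """Real lookup via boto3 (assumption: the caller has
    identitystore:ListUsers in the account that owns the store; get
    identity_store_id from `aws sso-admin list-instances`). ListUsers
    filters on UserName only, so this assumes UserName is the email,
    which is the common setup; adjust if your IdP maps it differently."""
    import boto3  # imported here so the offline check needs no AWS SDK
    client = boto3.client("identitystore")

    def exists(email: str) -> bool:
        resp = client.list_users(
            IdentityStoreId=identity_store_id,
            Filters=[{"AttributePath": "UserName",
                      "AttributeValue": email}],
        )
        return bool(resp.get("Users"))
    return exists


# Constructed sample data (not from the original post).
EXISTING_USERS = {"john.doe@amazon.com", "platform-admins@example.com"}
SAMPLE_REQUEST = {
    "AccountEmail": "john.doe@amazon.com",
    "AccountName": "sandbox-account-01",
    "ManagedOrganizationalUnit": "Sandbox",
    "SSOUserEmail": "john.doe@amazon.com",
    "SSOUserFirstName": "John",
    "SSOUserLastName": "Doe",
}


def offline_check(params: Mapping[str, str]) -> List[str]:
    """Run validate_request against the constructed user set."""
    return validate_request(params, lambda e: e in EXISTING_USERS)


if __name__ == "__main__":
    for problem in offline_check(SAMPLE_REQUEST):
        print("PROBLEM:", problem)
    print(render_hcl("sandbox_account_01", SAMPLE_REQUEST))
```

For an existing user the check returns no problems and the rendered block matches the one in the question; swap SSOUserEmail for an address that is not in Identity Center and the check reports it before the request ever reaches the AFT pipeline. Reusing one shared email (for example a platform-team user) across many requests, as the comment says is allowed, passes the same check as long as that user exists.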
