Can SCPs interfere with the account creation process via AWS Organizations API?

0

In addition to the native FullAWSAccess SCP, I have 2 SCPs at the root of my organization

Sometimes, but not always, after creating an account through AWS Organizations, when I try to access APIs to create S3 buckets or DynamoDB tables, I get the following errors:

  • S3: "NotSignedUp: Your account is not signed up for the S3 service. You must sign up before you can use S3."
  • DynamoDB: "The AWS Access Key Id needs a subscription for the service"

In some cases, this error disappeared after a few minutes. In some cases, the error persists even hours after the account creation.

Question: what are the minimal permissions root users should keep so that account creation / set up via AWS Organizations results in fully functional accounts?

2 Answers
1

Hello,

I understand that you are encountering difficulties creating new resources in the account. It appears that you are encountering the "NotSignedUp" and "The AWS Access Key Id needs a subscription for the service" errors and require assistance. Please feel free to correct me in case I have misunderstood your concern.

Whenever an account is created in an Organization, some services sometimes take up to 24 hours to get fully activated. If you would like to verify the status of the account, you can check the following two events in CloudTrail from the management account of your Organization.

  i. CreateAccount (this event will tell you if the status is still “In_PROGRESS” or not)
  ii. CreateAccountResult (this event will let you know if any error has occurred while creating an account. If you are seeing that the account is created in the Organization console, the status here should be “SUCCEEDED”.)

With that being said, I would suggest that you wait 24 hours for the creation process to complete if possible. Also, it is possible to expedite the process to activate sooner. You can log in to the newly created account and then visit the following link (or in an incognito window of a browser, visit the following link): https://portal.aws.amazon.com/billing/signup?type=resubscribe#/resubscribed

If the issue persists after the 24-hour wait and resubscribing using the provided link, I recommend reaching out to the Billing & Accounts team. Due to the confidentiality of non-public account details, we are unable to discuss them publicly on the re:Post forum. Please contact the Billing & Accounts team, and we will be more than happy to assist you.

Wish you an AWeSome day ahead and stay safe! 🙂

AWS
answered 3 months ago
0

The trail shows CreateAccount => IN_PROGRESS. StackSets fail with error "AccountGate check failed"

I tried disabling the SCPs and creating a new account. The trail shows CreateAccount => IN_PROGRESS. If I perform aws organizations describe-create-account-status, I get:

"CreateAccountStatus": {
        "Id": "car-xxxxxxxxxxxxxxxxxxx",
        "AccountName": "xxxxxxxx",
        "State": "SUCCEEDED",
        "RequestedTimestamp": "2024-01-23T14:43:23.162000+01:00",
        "CompletedTimestamp": "2024-01-23T14:43:26.291000+01:00",
        "AccountId": "123456789012"
    }

StackSets are not failing (until now) but remain PENDING.

Not sure this one will go through either.

answered 3 months ago
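
The thread shows `State: SUCCEEDED` from describe-create-account-status while S3 and DynamoDB still reject calls. The sketch below is an added example, not code from either poster or from AWS: it gates provisioning on per-service probes and treats only the two error texts quoted in the question as "not activated yet", so an unrelated failure such as an SCP denial is surfaced instead of retried. The function names and the `probes` mapping are hypothetical; each probe is assumed to be a cheap read-only call made with credentials for the new account.

```python
import time

# Error text quoted in the question; both indicate that the service
# subscription for the new account is not active yet.
NOT_ACTIVATED_MARKERS = (
    "NotSignedUp",
    "needs a subscription for the service",
)


def is_not_activated(error_text):
    """True when an API error matches the activation errors from the thread."""
    return any(marker in error_text for marker in NOT_ACTIVATED_MARKERS)


def wait_until_usable(create_status, probes, attempts=5, delay=60, sleep=time.sleep):
    """Gate provisioning on real service availability, not on State alone.

    create_status: the CreateAccountStatus dict from describe-create-account-status.
    probes: hypothetical mapping of service name -> zero-argument callable that
            makes one read-only call in the new account and raises on error.
    Returns (ready, pending), where pending maps service -> last error text.
    """
    state = create_status.get("State")
    if state != "SUCCEEDED":
        return False, {"organizations": "State=" + str(state)}
    pending = {}
    for attempt in range(attempts):
        pending = {}
        for service, probe in probes.items():
            try:
                probe()
            except Exception as exc:  # with boto3 this is ClientError; its text carries the code
                if not is_not_activated(str(exc)):
                    raise  # unrelated failure (e.g. AccessDenied from an SCP): surface it
                pending[service] = str(exc)
        if not pending:
            return True, {}
        if attempt < attempts - 1:
            sleep(delay)
    return False, pending
```

Run it before launching StackSets or other automation against a new account, and log `pending` when it returns not ready so the affected service and error text are on record for a support case.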
