Create buckets in different accounts in organization

0

I have an organization and 2 accounts in it:

  • Main-Account (management account)
  • Member-Account

My software will have N Users and I need for each user (from my software) to have a Member-Account (on AWS) that will belong in my Organization (managed by Main-Account).

The Member-Accounts will be created through API using 'organizations' service and ACCESS_KEY for the Root user on Main-Account, or IAM User in Main-Account.

My idea is when a user is created on my software, to create Member-Account (on AWS) and create a bucket for this account. All of this needs to be created through API.

I don't know how to implement this. I tried:

  • IAM Users, but whenever I create an IAM User using my root user (Main-Account) the IAM User belongs to Main-Account. So this will not work.
  • Identity Center Users, but I cannot create an ACCESS_KEY for this kind of user, so I cannot use this user through the API.
  • I tried to use the root user of the Member-Account, but I need to set up a password for this user -> log in to the Console -> create an ACCESS_KEY and then use the ACCESS_KEY for the API, but until I create the ACCESS_KEY, I must use the Console.

Is there any way of achieving this?

2 Answers
1

Some options/ideas

  1. Use OrganizationAccountAccessRole or create a role in each member account and assume that role from the management account to create the S3 bucket.

  2. Use a CloudFormation stack that automatically creates an S3 bucket in member accounts when they join the org.

  3. Use IaC (CloudFormation/Terraform) to create the new member account and the S3 bucket at the same time.

EXPERT
answered 5 months ago
AWS EXPERT
reviewed 5 months ago
  • If I want to create a role in each member account, I will need to log in to the specific account through the console and create the role for it. I don't want to do that; I want to create all member accounts through the API, and create buckets in the member accounts through the API, and never use the console (only the first time, when I am setting everything up for the Main-Account).

1

Best practice is to not use the root account or create root access keys unless absolutely necessary. You can use roles within both accounts to accomplish what you want to do.

AWS EXPERT
kentrad
answered 5 months ago
AWS EXPERT
reviewed 5 months ago
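Both answers point at the same console-free path: create the member account from the management account, then assume the role that Organizations provisions in the new account (OrganizationAccountAccessRole by default) and create the bucket with the short-lived credentials that AssumeRole returns, so no access keys ever exist in the member account. The example below is added here to illustrate that flow; it is not code from either answerer or from AWS. It uses the boto3 method names CreateAccount, DescribeCreateAccountStatus, AssumeRole, CreateBucket and PutPublicAccessBlock, but the orchestration takes the clients as parameters so the constructed fake clients at the bottom let it run offline; the account id, e-mail and bucket name are made up. Note that the caller must be an IAM principal (user or role) in the management account, since STS refuses AssumeRole calls made with root user credentials, which is one more reason to follow the second answer's advice and not create root access keys.

```python
"""Provision an Organizations member account plus a private S3 bucket in it,
using only API calls from the management account (added example, not from the
original answers)."""
import time

# Default role that Organizations creates in every account it provisions.
ACCESS_ROLE = "OrganizationAccountAccessRole"


def create_member_account(org, email, name, poll_seconds=5, max_polls=60, sleep=time.sleep):
    """CreateAccount is asynchronous: submit the request, then poll until it
    SUCCEEDED (returns the new account id) or FAILED (raises)."""
    resp = org.create_account(Email=email, AccountName=name,
                              RoleName=ACCESS_ROLE, IamUserAccessToBilling="DENY")
    request_id = resp["CreateAccountStatus"]["Id"]
    for _ in range(max_polls):
        status = org.describe_create_account_status(
            CreateAccountRequestId=request_id)["CreateAccountStatus"]
        if status["State"] == "SUCCEEDED":
            return status["AccountId"]
        if status["State"] == "FAILED":
            raise RuntimeError("account creation failed: %s" % status.get("FailureReason"))
        sleep(poll_seconds)
    raise TimeoutError("account creation still IN_PROGRESS after polling")


def assume_member_role(sts, account_id, session_name="bucket-bootstrap"):
    """Return temporary credentials for the access role in the member account.
    The 15-minute duration is the STS minimum; the bootstrap needs no more."""
    role_arn = "arn:aws:iam::%s:role/%s" % (account_id, ACCESS_ROLE)
    resp = sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name, DurationSeconds=900)
    return resp["Credentials"]


def create_private_bucket(s3, bucket_name, region):
    """Create the bucket and block all public access on it.
    us-east-1 rejects an explicit LocationConstraint, every other region needs one."""
    kwargs = {"Bucket": bucket_name}
    if region != "us-east-1":
        kwargs["CreateBucketConfiguration"] = {"LocationConstraint": region}
    s3.create_bucket(**kwargs)
    s3.put_public_access_block(
        Bucket=bucket_name,
        PublicAccessBlockConfiguration={"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                        "BlockPublicPolicy": True, "RestrictPublicBuckets": True})
    return bucket_name


def provision_user(org, sts, s3_factory, email, name, bucket_name, region, sleep=time.sleep):
    """End-to-end flow for one software user: account -> role credentials -> bucket."""
    account_id = create_member_account(org, email, name, sleep=sleep)
    creds = assume_member_role(sts, account_id)
    s3 = s3_factory(creds, region)          # S3 client scoped to the member account
    create_private_bucket(s3, bucket_name, region)
    return account_id, bucket_name


def boto3_s3_factory(creds, region):
    """Real factory: build an S3 client from the AssumeRole credentials (needs boto3)."""
    import boto3
    return boto3.client("s3", region_name=region,
                        aws_access_key_id=creds["AccessKeyId"],
                        aws_secret_access_key=creds["SecretAccessKey"],
                        aws_session_token=creds["SessionToken"])


# ---- constructed fakes so the flow can be exercised without AWS access ----
class FakeOrganizations:
    def __init__(self):
        self.polls = 0

    def create_account(self, **kw):
        assert kw["RoleName"] == ACCESS_ROLE
        return {"CreateAccountStatus": {"Id": "car-fake0001", "State": "IN_PROGRESS"}}

    def describe_create_account_status(self, CreateAccountRequestId):
        self.polls += 1  # first poll still IN_PROGRESS, second SUCCEEDED
        state = "SUCCEEDED" if self.polls >= 2 else "IN_PROGRESS"
        return {"CreateAccountStatus": {"Id": CreateAccountRequestId, "State": state,
                                        "AccountId": "111122223333"}}  # constructed id


class FakeSts:
    def assume_role(self, RoleArn, RoleSessionName, DurationSeconds):
        self.role_arn = RoleArn
        return {"Credentials": {"AccessKeyId": "ASIAFAKE", "SecretAccessKey": "fake",
                                "SessionToken": "fake"}}


class FakeS3:
    def __init__(self):
        self.calls = []

    def create_bucket(self, **kw):
        self.calls.append(("create_bucket", kw))

    def put_public_access_block(self, **kw):
        self.calls.append(("put_public_access_block", kw))


def demo():
    """Run the flow against the fakes; returns (account_id, bucket, role_arn, s3 calls)."""
    org, sts, s3 = FakeOrganizations(), FakeSts(), FakeS3()
    account_id, bucket = provision_user(org, sts, lambda creds, region: s3,
                                        "user-1@example.com", "user-1",
                                        "user-1-bucket-constructed", "eu-west-1",
                                        sleep=lambda seconds: None)
    return account_id, bucket, sts.role_arn, s3.calls


if __name__ == "__main__":
    print(demo())
```

With real clients the call becomes `provision_user(boto3.client("organizations"), boto3.client("sts"), boto3_s3_factory, ...)`, run under an IAM role in the management account that holds `organizations:CreateAccount`, `organizations:DescribeCreateAccountStatus` and `sts:AssumeRole` on the member role ARN. Keeping the S3 client built from the assumed-role credentials, rather than the management account's own, is what guarantees the bucket lands in the member account.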
