I have just stood up Control Tower in my management account, and I'm trying to enroll an existing account, but I'm getting an error: "AWS control tower cannot enroll the account. There's an error in the provisioned product in AWS Service Catalog: No launch paths found for resources:" I have looked around the community for answers like this: https://repost.aws/questions/QUdbDZOOwsQYGsE_DJIJR7hQ/control-tower-enrollment-error and have gone through the troubleshooting guide. I also have the AWSControlTowerExecution role set up. Any thoughts on what my issue could be?

This could be an issue with access to Service Catalog: https://docs.aws.amazon.com/servicecatalog/latest/adminguide/catalogs_portfolios_users.html. You need to grant the proper group/user/roles access to the AWS Control Tower Account Factory Portfolio.

Also, if you're logged in as root, try doing this as an SSO user.

Hi there,

Adding to Roguen's answer, please check https://docs.aws.amazon.com/controltower/latest/userguide/troubleshooting.html#no-launch-paths-found and ensure you are complying with the 3 bullet points:

  • You may be logged in as root. AWS Control Tower does not support creating accounts when you're logged in as root.

  • Your IAM Identity Center user has not been added to the appropriate permission group. You may need to add your IAM Identity Center user to one of these permission groups: AWSAccountFactory (for end-user access) or AWSServiceCatalogAdmins (for admin access).

  • If you are authenticated as an IAM user, you must add it to the AWS Service Catalog portfolio so that it has the correct permissions.
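
The three causes listed above can be checked mechanically by comparing the caller's ARN with the principals attached to the Account Factory portfolio. The following is an added example, not code from the thread or from AWS; the function names and sample ARNs are constructed, and it assumes IAM Identity Center sessions appear as roles named `AWSReservedSSO_...`.

```python
import re

# Portfolio display name as quoted in the answers above.
PORTFOLIO_NAME = "AWS Control Tower Account Factory Portfolio"

def principal_key(arn):
    """Reduce an IAM or STS ARN to (account, kind, name) so a session matches its role."""
    m = re.fullmatch(r"arn:aws[\w-]*:(?:iam|sts)::(\d{12}):(.+)", arn)
    if not m:
        raise ValueError(f"not an IAM/STS ARN: {arn}")
    account, resource = m.groups()
    if resource == "root":
        return account, "root", "root"
    kind, _, rest = resource.partition("/")
    if kind == "assumed-role":                      # assumed-role/<role>/<session>
        return account, "role", rest.split("/")[0]
    return account, kind, rest.split("/")[-1]       # role|user/<optional path>/<name>

def diagnose(caller_arn, portfolio_principal_arns):
    """Map the caller onto the three 'No launch paths found' causes listed above."""
    key = principal_key(caller_arn)
    if key[1] == "root":
        return "root"                # bullet 1: signed in as root
    if key in {principal_key(a) for a in portfolio_principal_arns}:
        return "ok"                  # caller's role/user is a portfolio principal
    if key[2].startswith("AWSReservedSSO_"):
        return "sso-not-granted"     # bullet 2: add user to AWSAccountFactory / AWSServiceCatalogAdmins
    return "iam-not-granted"         # bullet 3: add the IAM principal to the portfolio

def fetch_live():
    """Collect both inputs from AWS (needs boto3 and management-account credentials).
    Reads only the first page of each list call; wildcard (IAM_PATTERN) entries are skipped."""
    import boto3
    sc = boto3.client("servicecatalog")
    caller = boto3.client("sts").get_caller_identity()["Arn"]
    pid = next(p["Id"] for p in sc.list_portfolios()["PortfolioDetails"]
               if p["DisplayName"] == PORTFOLIO_NAME)
    principals = sc.list_principals_for_portfolio(PortfolioId=pid)["Principals"]
    return caller, [p["PrincipalARN"] for p in principals if p["PrincipalType"] == "IAM"]

# Constructed sample values (not from the thread).
SAMPLE_PRINCIPALS = [
    "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/"
    "AWSReservedSSO_AWSServiceCatalogAdminFullAccess_0123456789abcdef",
]
SAMPLE_CALLER = ("arn:aws:sts::111122223333:assumed-role/"
                 "AWSReservedSSO_AWSAdministratorAccess_fedcba9876543210/alice@example.com")

if __name__ == "__main__":
    print(diagnose(SAMPLE_CALLER, SAMPLE_PRINCIPALS))   # sso-not-granted
```

With credentials available, `diagnose(*fetch_live())` runs the same check against the real account.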

