Walkthrough: Automate Account Provisioning in AWS Control Tower by Service Catalog APIs
AWS Control Tower is integrated with several other AWS services, such as AWS Service Catalog. You can use the APIs to create and provision your member accounts in AWS Control Tower.
The video shows you how to provision accounts in an automated, batch fashion, by calling the
AWS Service Catalog APIs. For provisioning, you'll call the ProvisionProduct
API from the AWS command line interface (CLI), and
you'll specify a JSON file that contains the parameters for each account you'd like to set up.
The video illustrates installing and using the AWS Cloud9 development environment to
perform this work. The CLI commands would be the same if you use AWS Cloudshell instead of
AWS Cloud9.
Note
You also can adapt this approach for automating account updates, by calling the UpdateProvisionedProduct
API of AWS Service Catalog for each account. You can
write a script to update the accounts, one by one.
As a completely different automation method, if you are familiar with Terraform, you can provision accounts with AWS Control Tower Account Factory for Terraform (AFT).
Sample automation administration role
Here is a sample template you can use to help configure your automation administration role in the management account. You would configure this role in your management account so it can perform the automation with Administrator access in the target accounts.
AWSTemplateFormatVersion: 2010-09-09 Description: Configure the SampleAutoAdminRole Resources: AdministrationRole: Type: AWS::IAM::Role Properties: RoleName: SampleAutoAdminRole AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: cloudformation.amazonaws.com Action: - sts:AssumeRole Path: / Policies: - PolicyName: AssumeSampleAutoAdminRole PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - sts:AssumeRole Resource: - "arn:aws:iam::*:role/SampleAutomationExecutionRole"
Sample automation execution role
Here is a sample template you can use to help you set up your automation execution role. You would configure this role in the target accounts.
AWSTemplateFormatVersion: "2010-09-09" Description: "Create automation execution role for creating Sample Additional Role." Parameters: AdminAccountId: Type: "String" Description: "Account ID for the administrator account (typically management, security or shared services)." AdminRoleName: Type: "String" Description: "Role name for automation administrator access." Default: "SampleAutomationAdministrationRole" ExecutionRoleName: Type: "String" Description: "Role name for automation execution." Default: "SampleAutomationExecutionRole" SessionDurationInSecs: Type: "Number" Description: "Maximum session duration in seconds." Default: 14400 Resources: # This needs to run after AdminRoleName exists. ExecutionRole: Type: "AWS::IAM::Role" Properties: RoleName: !Ref ExecutionRoleName MaxSessionDuration: !Ref SessionDurationInSecs AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: AWS: - !Sub "arn:aws:iam::${AdminAccountId}:role/${AdminRoleName}" Action: - "sts:AssumeRole" Path: "/" ManagedPolicyArns: - "arn:aws:iam::aws:policy/AdministratorAccess"
After configuring these roles, you call the AWS Service Catalog APIs to perform the automated tasks. The CLI commands are given in the video.
Sample provisioning input for Service Catalog API
Here is a sample of the input you can give to the Service Catalog
ProvisionProduct
API if you're using the API to provision AWS Control Tower
accounts:
{ pathId: "lpv2-7n2o3nudljh4e", productId: "prod-y422ydgjge2rs", provisionedProductName: "Example product 1", provisioningArtifactId: "pa-2mmz36cfpj2p4", provisioningParameters: [ { key: "AccountEmail", value: "abc@amazon.com" }, { key: "AccountName", value: "ABC" }, { key: "ManagedOrganizationalUnit", value: "Custom (ou-xfe5-a8hb8ml8)" }, { key: "SSOUserEmail", value: "abc@amazon.com" }, { key: "SSOUserFirstName", value: "John" }, { key: "SSOUserLastName", value: "Smith" } ], provisionToken: "c3c795a1-9824-4fb2-a4c2-4b1841be4068" }
For more information, see the API reference for Service Catalog.
Note
Notice that the format of the input string for the value of
ManagedOrganizationalUnit
has changed from OU_NAME
to
OU_NAME (OU_ID)
. The video that follows does not mention this change.
Video Walkthrough
This video (6:58) describes how to automate account deployments in AWS Control Tower. For better viewing, select the icon at the lower right corner of the video to enlarge it to full screen. Captioning is available.