Using Organizations with the AWS CLI - AWS Command Line Interface

This is a machine-translated version. If there is any discrepancy between this translation and the English original, the English original prevails.

Using Organizations with the AWS CLI

The following code examples show you how to perform actions and implement common scenarios by using the AWS Command Line Interface with Organizations.

Actions are code excerpts from larger programs and must be run in context. While actions show you how to call individual service functions, you can see actions in context in their related scenarios.

Each example includes a link to the complete source code, where you can find instructions on how to set up and run the code in context.

Topics

Actions

The following code example shows how to use accept-handshake.

AWS CLI

To accept a handshake from another account

Bill, the owner of an organization, has previously invited Juan's account to join his organization. The following example shows Juan's account accepting the handshake and thus agreeing to the invitation.

aws organizations accept-handshake --handshake-id h-examplehandshakeid111

The output shows the following:

{
    "Handshake": {
        "Action": "INVITE",
        "Arn": "arn:aws:organizations::111111111111:handshake/o-exampleorgid/invite/h-examplehandshakeid111",
        "RequestedTimestamp": 1481656459.257,
        "ExpirationTimestamp": 1482952459.257,
        "Id": "h-examplehandshakeid111",
        "Parties": [
            { "Id": "o-exampleorgid", "Type": "ORGANIZATION" },
            { "Id": "juan@example.com", "Type": "EMAIL" }
        ],
        "Resources": [
            {
                "Resources": [
                    { "Type": "MASTER_EMAIL", "Value": "bill@amazon.com" },
                    { "Type": "MASTER_NAME", "Value": "Org Master Account" },
                    { "Type": "ORGANIZATION_FEATURE_SET", "Value": "ALL" }
                ],
                "Type": "ORGANIZATION",
                "Value": "o-exampleorgid"
            },
            { "Type": "EMAIL", "Value": "juan@example.com" }
        ],
        "State": "ACCEPTED"
    }
}

The following code example shows how to use attach-policy.

AWS CLI

To attach a policy to a root, OU, or account

Example 1

The following example shows how to attach a service control policy (SCP) to an OU:

aws organizations attach-policy --policy-id p-examplepolicyid111 --target-id ou-examplerootid111-exampleouid111

Example 2

The following example shows how to attach a service control policy directly to an account:

aws organizations attach-policy --policy-id p-examplepolicyid111 --target-id 333333333333

The following code example shows how to use cancel-handshake.

AWS CLI

To cancel a handshake sent from another account

Bill previously sent an invitation to Susan's account to join his organization. He changes his mind and decides to cancel the invitation before Susan accepts it. The following example shows Bill's cancellation:

aws organizations cancel-handshake --handshake-id h-examplehandshakeid111

The output includes a handshake object that shows that the state is now CANCELED:

{
    "Handshake": {
        "Id": "h-examplehandshakeid111",
        "State": "CANCELED",
        "Action": "INVITE",
        "Arn": "arn:aws:organizations::111111111111:handshake/o-exampleorgid/invite/h-examplehandshakeid111",
        "Parties": [
            { "Id": "o-exampleorgid", "Type": "ORGANIZATION" },
            { "Id": "susan@example.com", "Type": "EMAIL" }
        ],
        "Resources": [
            {
                "Type": "ORGANIZATION",
                "Value": "o-exampleorgid",
                "Resources": [
                    { "Type": "MASTER_EMAIL", "Value": "bill@example.com" },
                    { "Type": "MASTER_NAME", "Value": "Master Account" },
                    { "Type": "ORGANIZATION_FEATURE_SET", "Value": "CONSOLIDATED_BILLING" }
                ]
            },
            { "Type": "EMAIL", "Value": "anika@example.com" },
            { "Type": "NOTES", "Value": "This is a request for Susan's account to join Bob's organization." }
        ],
        "RequestedTimestamp": 1.47008383521E9,
        "ExpirationTimestamp": 1.47137983521E9
    }
}

The following code example shows how to use create-account.

AWS CLI

To create a member account that is automatically part of the organization

The following example shows how to create a member account in an organization. The member account is configured with the name Production Account and the email address susan@example.com. Because the roleName parameter is not specified, Organizations automatically creates the IAM role in the new account with the default name OrganizationAccountAccessRole. Also, because the IamUserAccessToBilling parameter is not specified, the setting that allows IAM users or roles with sufficient permissions to access the account's billing data is left at its default value, ALLOW. Organizations automatically sends Susan a "Welcome to AWS" email:

aws organizations create-account --email susan@example.com --account-name "Production Account"

The output includes a request object that shows that the status is now IN_PROGRESS:

{
    "CreateAccountStatus": {
        "State": "IN_PROGRESS",
        "Id": "car-examplecreateaccountrequestid111"
    }
}

Later, you can query the current status of the request by providing the Id response value as the create-account-request-id parameter value to the describe-create-account-status command.

For more information, see Creating an AWS account in your organization in the AWS Organizations User Guide.

The following code example shows how to use create-organization.

AWS CLI

Example 1: To create a new organization

Bill wants to create an organization using credentials from account 111111111111. The following example shows that the account becomes the master account in the new organization. Because he does not specify a feature set, the new organization defaults to all features enabled and service control policies enabled on the root.

aws organizations create-organization

The output includes an organization object with details about the new organization:

{
    "Organization": {
        "AvailablePolicyTypes": [
            { "Status": "ENABLED", "Type": "SERVICE_CONTROL_POLICY" }
        ],
        "MasterAccountId": "111111111111",
        "MasterAccountArn": "arn:aws:organizations::111111111111:account/o-exampleorgid/111111111111",
        "MasterAccountEmail": "bill@example.com",
        "FeatureSet": "ALL",
        "Id": "o-exampleorgid",
        "Arn": "arn:aws:organizations::111111111111:organization/o-exampleorgid"
    }
}

Example 2: To create a new organization with only consolidated billing features enabled

The following example creates an organization that supports only the consolidated billing features:

aws organizations create-organization --feature-set CONSOLIDATED_BILLING

The output includes an organization object with details about the new organization:

{
    "Organization": {
        "Arn": "arn:aws:organizations::111111111111:organization/o-exampleorgid",
        "AvailablePolicyTypes": [],
        "Id": "o-exampleorgid",
        "MasterAccountArn": "arn:aws:organizations::111111111111:account/o-exampleorgid/111111111111",
        "MasterAccountEmail": "bill@example.com",
        "MasterAccountId": "111111111111",
        "FeatureSet": "CONSOLIDATED_BILLING"
    }
}

For more information, see Creating an organization in the AWS Organizations User Guide.

The following code example shows how to use create-organizational-unit.

AWS CLI

To create an OU in a root or parent OU

The following example shows how to create an OU that is named AccountingOU:

aws organizations create-organizational-unit --parent-id r-examplerootid111 --name AccountingOU

The output includes an organizationalUnit object with details about the new OU:

{
    "OrganizationalUnit": {
        "Id": "ou-examplerootid111-exampleouid111",
        "Arn": "arn:aws:organizations::111111111111:ou/o-exampleorgid/ou-examplerootid111-exampleouid111",
        "Name": "AccountingOU"
    }
}

The following code example shows how to use create-policy.

AWS CLI

Example 1: To create a policy with a text source file for the JSON policy

The following example shows you how to create a service control policy (SCP) named AllowAllS3Actions. The policy content is taken from a file named policy.json on the local computer.

aws organizations create-policy --content file://policy.json --name AllowAllS3Actions --type SERVICE_CONTROL_POLICY --description "Allows delegation of all S3 actions"

The output includes a policy object with details about the new policy:

{
    "Policy": {
        "Content": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":[\"s3:*\"],\"Resource\":[\"*\"]}]}",
        "PolicySummary": {
            "Arn": "arn:aws:organizations::o-exampleorgid:policy/service_control_policy/p-examplepolicyid111",
            "Description": "Allows delegation of all S3 actions",
            "Name": "AllowAllS3Actions",
            "Type": "SERVICE_CONTROL_POLICY"
        }
    }
}

Example 2: To create a policy with a JSON policy as a parameter

The following example shows you how to create the same SCP, this time by embedding the policy contents as a JSON string in the parameter. The string must be escaped with backslashes before the double quotes to ensure that they are treated as literals in the parameter, which itself is surrounded by double quotes:

aws organizations create-policy --content "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":[\"s3:*\"],\"Resource\":[\"*\"]}]}" --name AllowAllS3Actions --type SERVICE_CONTROL_POLICY --description "Allows delegation of all S3 actions"

For more information about creating and using policies in your organization, see Managing organization policies in the AWS Organizations User Guide.

The following code example shows how to use decline-handshake.

AWS CLI

To decline a handshake sent from another account

The following example shows Susan, the owner of account 222222222222, declining an invitation to join Bill's organization. The DeclineHandshake operation returns a handshake object showing that the state is now DECLINED:

aws organizations decline-handshake --handshake-id h-examplehandshakeid111

The output includes a handshake object that shows the new state of DECLINED:

{
    "Handshake": {
        "Id": "h-examplehandshakeid111",
        "State": "DECLINED",
        "Resources": [
            {
                "Type": "ORGANIZATION",
                "Value": "o-exampleorgid",
                "Resources": [
                    { "Type": "MASTER_EMAIL", "Value": "bill@example.com" },
                    { "Type": "MASTER_NAME", "Value": "Master Account" }
                ]
            },
            { "Type": "EMAIL", "Value": "susan@example.com" },
            { "Type": "NOTES", "Value": "This is an invitation to Susan's account to join the Bill's organization." }
        ],
        "Parties": [
            { "Type": "EMAIL", "Id": "susan@example.com" },
            { "Type": "ORGANIZATION", "Id": "o-exampleorgid" }
        ],
        "Action": "INVITE",
        "RequestedTimestamp": 1470684478.687,
        "ExpirationTimestamp": 1471980478.687,
        "Arn": "arn:aws:organizations::111111111111:handshake/o-exampleorgid/invite/h-examplehandshakeid111"
    }
}

The following code example shows how to use delete-organization.

AWS CLI

To delete an organization

The following example shows how to delete an organization. To perform this operation, you must be an admin of the master account in the organization. The example assumes that you previously removed all member accounts, OUs, and policies from the organization:

aws organizations delete-organization

The following code example shows how to use delete-organizational-unit.

AWS CLI

To delete an OU

The following example shows how to delete an OU. The example assumes that you previously removed all accounts and other OUs from the OU:

aws organizations delete-organizational-unit --organizational-unit-id ou-examplerootid111-exampleouid111

The following code example shows how to use delete-policy.

AWS CLI

To delete a policy

The following example shows how to delete a policy from an organization. The example assumes that you previously detached the policy from all entities:

aws organizations delete-policy --policy-id p-examplepolicyid111

The following code example shows how to use describe-account.

AWS CLI

To get the details about an account

The following example shows you how to request details about an account:

aws organizations describe-account --account-id 555555555555

The output shows an account object with the details about the account:

{
    "Account": {
        "Id": "555555555555",
        "Arn": "arn:aws:organizations::111111111111:account/o-exampleorgid/555555555555",
        "Name": "Beta account",
        "Email": "anika@example.com",
        "JoinedMethod": "INVITED",
        "JoinedTimeStamp": 1481756563.134,
        "Status": "ACTIVE"
    }
}

The following code example shows how to use describe-create-account-status.

AWS CLI

To get the latest status for a request to create an account

The following example shows how to request the latest status for a previous request to create an account in an organization. The value given as --create-account-request-id comes from the Id in the response to the original call to create-account. The State field shows that Organizations successfully completed the creation of the account.

Command:

aws organizations describe-create-account-status --create-account-request-id car-examplecreateaccountrequestid111

Output:

{
    "CreateAccountStatus": {
        "State": "SUCCEEDED",
        "AccountId": "555555555555",
        "AccountName": "Beta account",
        "RequestedTimestamp": 1470684478.687,
        "CompletedTimestamp": 1470684532.472,
        "Id": "car-examplecreateaccountrequestid111"
    }
}

The following code example shows how to use describe-handshake.

AWS CLI

To get information about a handshake

The following example shows you how to request details about a handshake. The handshake ID comes either from the original call to InviteAccountToOrganization, or from a call to ListHandshakesForAccount or ListHandshakesForOrganization:

aws organizations describe-handshake --handshake-id h-examplehandshakeid111

The output includes a handshake object that contains all the details about the requested handshake:

{
    "Handshake": {
        "Id": "h-examplehandshakeid111",
        "State": "OPEN",
        "Resources": [
            {
                "Type": "ORGANIZATION",
                "Value": "o-exampleorgid",
                "Resources": [
                    { "Type": "MASTER_EMAIL", "Value": "bill@example.com" },
                    { "Type": "MASTER_NAME", "Value": "Master Account" }
                ]
            },
            { "Type": "EMAIL", "Value": "anika@example.com" }
        ],
        "Parties": [
            { "Type": "ORGANIZATION", "Id": "o-exampleorgid" },
            { "Type": "EMAIL", "Id": "anika@example.com" }
        ],
        "Action": "INVITE",
        "RequestedTimestamp": 1470158698.046,
        "ExpirationTimestamp": 1471454698.046,
        "Arn": "arn:aws:organizations::111111111111:handshake/o-exampleorgid/invite/h-examplehandshakeid111"
    }
}

The following code example shows how to use describe-organization.

AWS CLI

To get information about the current organization

The following example shows you how to request details about an organization:

aws organizations describe-organization

The output includes an organization object that has the details about the organization:

{
    "Organization": {
        "MasterAccountArn": "arn:aws:organizations::111111111111:account/o-exampleorgid/111111111111",
        "MasterAccountEmail": "bill@example.com",
        "MasterAccountId": "111111111111",
        "Id": "o-exampleorgid",
        "FeatureSet": "ALL",
        "Arn": "arn:aws:organizations::111111111111:organization/o-exampleorgid",
        "AvailablePolicyTypes": [
            { "Status": "ENABLED", "Type": "SERVICE_CONTROL_POLICY" }
        ]
    }
}

The following code example shows how to use describe-organizational-unit.

AWS CLI

To get information about an OU

The following describe-organizational-unit example requests details about an OU.

aws organizations describe-organizational-unit \
    --organizational-unit-id ou-examplerootid111-exampleouid111

Output:

{
    "OrganizationalUnit": {
        "Name": "Accounting Group",
        "Arn": "arn:aws:organizations::123456789012:ou/o-exampleorgid/ou-examplerootid111-exampleouid111",
        "Id": "ou-examplerootid111-exampleouid111"
    }
}

The following code example shows how to use describe-policy.

AWS CLI

To get information about a policy

The following example shows how to request information about a policy:

aws organizations describe-policy --policy-id p-examplepolicyid111

The output includes a policy object that contains details about the policy:

{
    "Policy": {
        "Content": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Action\": \"*\",\n \"Resource\": \"*\"\n }\n ]\n}",
        "PolicySummary": {
            "Arn": "arn:aws:organizations::111111111111:policy/o-exampleorgid/service_control_policy/p-examplepolicyid111",
            "Type": "SERVICE_CONTROL_POLICY",
            "Id": "p-examplepolicyid111",
            "AwsManaged": false,
            "Name": "AllowAllS3Actions",
            "Description": "Enables admins to delegate S3 permissions"
        }
    }
}

The following code example shows how to use detach-policy.

AWS CLI

To detach a policy from a root, OU, or account

The following example shows how to detach a policy from an OU:

aws organizations detach-policy --target-id ou-examplerootid111-exampleouid111 --policy-id p-examplepolicyid111

The following code example shows how to use disable-policy-type.

AWS CLI

To disable a policy type in a root

The following example shows how to disable the service control policy (SCP) policy type in a root:

aws organizations disable-policy-type --root-id r-examplerootid111 --policy-type SERVICE_CONTROL_POLICY

The output shows that the PolicyTypes response element no longer includes SERVICE_CONTROL_POLICY:

{
    "Root": {
        "PolicyTypes": [],
        "Name": "Root",
        "Id": "r-examplerootid111",
        "Arn": "arn:aws:organizations::111111111111:root/o-exampleorgid/r-examplerootid111"
    }
}

The following code example shows how to use enable-all-features.

AWS CLI

To enable all features in an organization

This example shows the administrator asking all the invited accounts in the organization to approve enabling all features in the organization. AWS Organizations sends an email to the address that is registered with every invited member account, asking the owner to approve the change to all features by accepting the handshake that is sent. After all invited member accounts accept the handshake, the organization administrator can finalize the change to all features, and those with appropriate permissions can create policies and apply them to roots, OUs, and accounts:

aws organizations enable-all-features

The output is a handshake object that is sent to all invited member accounts for approval:

{
    "Handshake": {
        "Action": "ENABLE_ALL_FEATURES",
        "Arn": "arn:aws:organizations::111111111111:handshake/o-exampleorgid/enable_all_features/h-examplehandshakeid111",
        "ExpirationTimestamp": 1.483127868609E9,
        "Id": "h-examplehandshakeid111",
        "Parties": [
            { "Id": "o-exampleorgid", "Type": "ORGANIZATION" }
        ],
        "RequestedTimestamp": 1.481831868609E9,
        "Resources": [
            { "Type": "ORGANIZATION", "Value": "o-exampleorgid" }
        ],
        "State": "REQUESTED"
    }
}

The following code example shows how to use enable-policy-type.

AWS CLI

To enable the use of a policy type in a root

The following example shows how to enable the service control policy (SCP) policy type in a root:

aws organizations enable-policy-type --root-id r-examplerootid111 --policy-type SERVICE_CONTROL_POLICY

The output shows a root object with a PolicyTypes response element showing that SCPs are now enabled:

{
    "Root": {
        "PolicyTypes": [
            { "Status": "ENABLED", "Type": "SERVICE_CONTROL_POLICY" }
        ],
        "Id": "r-examplerootid111",
        "Name": "Root",
        "Arn": "arn:aws:organizations::111111111111:root/o-exampleorgid/r-examplerootid111"
    }
}

The following code example shows how to use invite-account-to-organization.

AWS CLI

To invite an account to join an organization

The following example shows the master account owned by bill@example.com inviting the account owned by juan@example.com to join an organization:

aws organizations invite-account-to-organization --target '{"Type": "EMAIL", "Id": "juan@example.com"}' --notes "This is a request for Juan's account to join Bill's organization."

The output includes a handshake structure that shows what is sent to the invited account:

{
    "Handshake": {
        "Action": "INVITE",
        "Arn": "arn:aws:organizations::111111111111:handshake/o-exampleorgid/invite/h-examplehandshakeid111",
        "ExpirationTimestamp": 1482952459.257,
        "Id": "h-examplehandshakeid111",
        "Parties": [
            { "Id": "o-exampleorgid", "Type": "ORGANIZATION" },
            { "Id": "juan@example.com", "Type": "EMAIL" }
        ],
        "RequestedTimestamp": 1481656459.257,
        "Resources": [
            {
                "Resources": [
                    { "Type": "MASTER_EMAIL", "Value": "bill@amazon.com" },
                    { "Type": "MASTER_NAME", "Value": "Org Master Account" },
                    { "Type": "ORGANIZATION_FEATURE_SET", "Value": "FULL" }
                ],
                "Type": "ORGANIZATION",
                "Value": "o-exampleorgid"
            },
            { "Type": "EMAIL", "Value": "juan@example.com" }
        ],
        "State": "OPEN"
    }
}

The following code example shows how to use leave-organization.

AWS CLI

To leave an organization as a member account

The following example shows the administrator of a member account requesting to leave the organization it is currently a member of:

aws organizations leave-organization

The following code example shows how to use list-accounts-for-parent.

AWS CLI

To retrieve a list of all of the accounts in a specified parent root or OU

The following example shows how to request a list of the accounts in an OU:

aws organizations list-accounts-for-parent --parent-id ou-examplerootid111-exampleouid111

The output includes a list of account summary objects.

{
    "Accounts": [
        {
            "Arn": "arn:aws:organizations::111111111111:account/o-exampleorgid/333333333333",
            "JoinedMethod": "INVITED",
            "JoinedTimestamp": 1481835795.536,
            "Id": "333333333333",
            "Name": "Development Account",
            "Email": "juan@example.com",
            "Status": "ACTIVE"
        },
        {
            "Arn": "arn:aws:organizations::111111111111:account/o-exampleorgid/444444444444",
            "JoinedMethod": "INVITED",
            "JoinedTimestamp": 1481835812.143,
            "Id": "444444444444",
            "Name": "Test Account",
            "Email": "anika@example.com",
            "Status": "ACTIVE"
        }
    ]
}

The following code example shows how to use list-accounts.

AWS CLI

To retrieve a list of all of the accounts in an organization

The following example shows how to request a list of the accounts in an organization:

aws organizations list-accounts

The output includes a list of account summary objects.

{
    "Accounts": [
        {
            "Arn": "arn:aws:organizations::111111111111:account/o-exampleorgid/111111111111",
            "JoinedMethod": "INVITED",
            "JoinedTimestamp": 1481830215.45,
            "Id": "111111111111",
            "Name": "Master Account",
            "Email": "bill@example.com",
            "Status": "ACTIVE"
        },
        {
            "Arn": "arn:aws:organizations::111111111111:account/o-exampleorgid/222222222222",
            "JoinedMethod": "INVITED",
            "JoinedTimestamp": 1481835741.044,
            "Id": "222222222222",
            "Name": "Production Account",
            "Email": "alice@example.com",
            "Status": "ACTIVE"
        },
        {
            "Arn": "arn:aws:organizations::111111111111:account/o-exampleorgid/333333333333",
            "JoinedMethod": "INVITED",
            "JoinedTimestamp": 1481835795.536,
            "Id": "333333333333",
            "Name": "Development Account",
            "Email": "juan@example.com",
            "Status": "ACTIVE"
        },
        {
            "Arn": "arn:aws:organizations::111111111111:account/o-exampleorgid/444444444444",
            "JoinedMethod": "INVITED",
            "JoinedTimestamp": 1481835812.143,
            "Id": "444444444444",
            "Name": "Test Account",
            "Email": "anika@example.com",
            "Status": "ACTIVE"
        }
    ]
}

The following code example shows how to use list-children.

AWS CLI

To retrieve the child accounts and OUs of a parent OU or root

The following example shows how to list the child OUs of the specified parent OU:

aws organizations list-children --child-type ORGANIZATIONAL_UNIT --parent-id ou-examplerootid111-exampleouid111

The output shows the two child OUs that the parent contains:

{
    "Children": [
        { "Id": "ou-examplerootid111-exampleouid111", "Type": "ORGANIZATIONAL_UNIT" },
        { "Id": "ou-examplerootid111-exampleouid222", "Type": "ORGANIZATIONAL_UNIT" }
    ]
}

The following code example shows how to use list-create-account-status.

AWS CLI

Example 1: To retrieve a list of the account creation requests made in the current organization

The following example shows how to request a list of account creation requests for an organization that have completed successfully:

aws organizations list-create-account-status --states SUCCEEDED

The output includes an array of objects with information about each request.

{
    "CreateAccountStatuses": [
        {
            "AccountId": "444444444444",
            "AccountName": "Developer Test Account",
            "CompletedTimeStamp": 1481835812.143,
            "Id": "car-examplecreateaccountrequestid111",
            "RequestedTimeStamp": 1481829432.531,
            "State": "SUCCEEDED"
        }
    ]
}

Example 2: To retrieve a list of the in-progress account creation requests in the current organization

The following example gets a list of in-progress account creation requests for an organization:

aws organizations list-create-account-status --states IN_PROGRESS

The output includes an array of objects with information about each request.

{
    "CreateAccountStatuses": [
        {
            "State": "IN_PROGRESS",
            "Id": "car-examplecreateaccountrequestid111",
            "RequestedTimeStamp": 1481829432.531,
            "AccountName": "Production Account"
        }
    ]
}

The following code example shows how to use list-handshakes-for-account.

AWS CLI

To retrieve a list of the handshakes sent to an account

The following example shows how to get a list of all handshakes that are associated with the account of the credentials used to call the operation:

aws organizations list-handshakes-for-account

The output includes a list of handshake structures with information about each handshake, including its current state:

{
    "Handshakes": [
        {
            "Action": "INVITE",
            "Arn": "arn:aws:organizations::111111111111:handshake/o-exampleorgid/invite/h-examplehandshakeid111",
            "ExpirationTimestamp": 1482952459.257,
            "Id": "h-examplehandshakeid111",
            "Parties": [
                { "Id": "o-exampleorgid", "Type": "ORGANIZATION" },
                { "Id": "juan@example.com", "Type": "EMAIL" }
            ],
            "RequestedTimestamp": 1481656459.257,
            "Resources": [
                {
                    "Resources": [
                        { "Type": "MASTER_EMAIL", "Value": "bill@amazon.com" },
                        { "Type": "MASTER_NAME", "Value": "Org Master Account" },
                        { "Type": "ORGANIZATION_FEATURE_SET", "Value": "FULL" }
                    ],
                    "Type": "ORGANIZATION",
                    "Value": "o-exampleorgid"
                },
                { "Type": "EMAIL", "Value": "juan@example.com" }
            ],
            "State": "OPEN"
        }
    ]
}

The following code example shows how to use list-handshakes-for-organization.

AWS CLI

To retrieve a list of the handshakes associated with an organization

The following example shows how to get a list of handshakes that are associated with the current organization:

aws organizations list-handshakes-for-organization

The output shows two handshakes. The first is an invitation to Juan's account and shows a state of OPEN. The second is an invitation to Anika's account and shows a state of ACCEPTED:

{
    "Handshakes": [
        {
            "Action": "INVITE",
            "Arn": "arn:aws:organizations::111111111111:handshake/o-exampleorgid/invite/h-examplehandshakeid111",
            "ExpirationTimestamp": 1482952459.257,
            "Id": "h-examplehandshakeid111",
            "Parties": [
                { "Id": "o-exampleorgid", "Type": "ORGANIZATION" },
                { "Id": "juan@example.com", "Type": "EMAIL" }
            ],
            "RequestedTimestamp": 1481656459.257,
            "Resources": [
                {
                    "Resources": [
                        { "Type": "MASTER_EMAIL", "Value": "bill@amazon.com" },
                        { "Type": "MASTER_NAME", "Value": "Org Master Account" },
                        { "Type": "ORGANIZATION_FEATURE_SET", "Value": "FULL" }
                    ],
                    "Type": "ORGANIZATION",
                    "Value": "o-exampleorgid"
                },
                { "Type": "EMAIL", "Value": "juan@example.com" },
                { "Type": "NOTES", "Value": "This is an invitation to Juan's account to join Bill's organization." }
            ],
            "State": "OPEN"
        },
        {
            "Action": "INVITE",
            "State": "ACCEPTED",
            "Arn": "arn:aws:organizations::111111111111:handshake/o-exampleorgid/invite/h-examplehandshakeid111",
            "ExpirationTimestamp": 1.471797437427E9,
            "Id": "h-examplehandshakeid222",
            "Parties": [
                { "Id": "o-exampleorgid", "Type": "ORGANIZATION" },
                { "Id": "anika@example.com", "Type": "EMAIL" }
            ],
            "RequestedTimestamp": 1.469205437427E9,
            "Resources": [
                {
                    "Resources": [
                        { "Type": "MASTER_EMAIL", "Value": "bill@example.com" },
                        { "Type": "MASTER_NAME", "Value": "Master Account" }
                    ],
                    "Type": "ORGANIZATION",
                    "Value": "o-exampleorgid"
                },
                { "Type": "EMAIL", "Value": "anika@example.com" },
                { "Type": "NOTES", "Value": "This is an invitation to Anika's account to join Bill's organization." }
            ]
        }
    ]
}

The following code example shows how to use list-organizational-units-for-parent.

AWS CLI

To retrieve a list of the OUs in a parent OU or root

The following example shows you how to get a list of OUs in a specified root:

aws organizations list-organizational-units-for-parent --parent-id r-examplerootid111

The output shows that the specified root contains two OUs and shows details of each:

{
    "OrganizationalUnits": [
        {
            "Name": "AccountingDepartment",
            "Arn": "arn:aws:organizations::o-exampleorgid:ou/r-examplerootid111/ou-examplerootid111-exampleouid111"
        },
        {
            "Name": "ProductionDepartment",
            "Arn": "arn:aws:organizations::o-exampleorgid:ou/r-examplerootid111/ou-examplerootid111-exampleouid222"
        }
    ]
}

The following code example shows how to use list-parents.

AWS CLI

To list the root or parent OUs of a child OU or account

The following example shows how to list the root or parent OU that contains account 444444444444:

aws organizations list-parents --child-id 444444444444

The output shows that the specified account is in the OU with the specified ID:

{
    "Parents": [
        { "Id": "ou-examplerootid111-exampleouid111", "Type": "ORGANIZATIONAL_UNIT" }
    ]
}

The following code example shows how to use list-policies-for-target.

AWS CLI

To retrieve a list of the SCPs attached directly to an account

The following example shows how to get a list of all service control policies (SCPs), as specified by the Filter parameter, that are directly attached to an account:

aws organizations list-policies-for-target --filter SERVICE_CONTROL_POLICY --target-id 444444444444

The output includes a list of policy structures with summary information about the policies. The list does not include policies that apply to the account only because of inheritance from its location in the OU hierarchy:

{
    "Policies": [
        {
            "Type": "SERVICE_CONTROL_POLICY",
            "Name": "AllowAllEC2Actions",
            "AwsManaged": false,
            "Id": "p-examplepolicyid222",
            "Arn": "arn:aws:organizations::o-exampleorgid:policy/service_control_policy/p-examplepolicyid222",
            "Description": "Enables account admins to delegate permissions for any EC2 actions to users and roles in their accounts."
        }
    ]
}
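Because list-policies-for-target reports only direct attachments, reviewing which SCPs actually constrain an account means walking list-parents up to the root and querying each level. The following script is an added example, not part of the AWS CLI reference; it assumes read permissions on Organizations and reads the CLI command from $AWS so that a stub can replace the real CLI for offline testing.

```shell
#!/bin/sh
# Added example (not from the AWS CLI reference): list every SCP attached at
# each level between an account and its root. An SCP attached to any ancestor
# OU or to the root constrains the account just as a direct attachment does.
# AWS is overridable so a stub can replace the real CLI for offline testing.
AWS="${AWS:-aws}"

# Print "<target-id> <policy-id> <policy-name>" for each SCP directly attached
# to one root, OU, or account.
scps_for_target() {
    "$AWS" organizations list-policies-for-target \
        --target-id "$1" --filter SERVICE_CONTROL_POLICY \
        --query 'Policies[].[Id,Name]' --output text < /dev/null |
    while read -r pid pname; do
        [ -n "$pid" ] && printf '%s %s %s\n' "$1" "$pid" "$pname"
    done
}

# Print the chain of IDs from a child (account or OU) up to the root, one per
# line, using list-parents at each step. Root IDs start with "r-".
parent_chain() {
    child="$1"
    while :; do
        printf '%s\n' "$child"
        case "$child" in r-*) return 0 ;; esac
        parent=$("$AWS" organizations list-parents --child-id "$child" \
                 --query 'Parents[0].Id' --output text) || return 1
        [ -n "$parent" ] && [ "$parent" != "None" ] || return 1
        child="$parent"
    done
}

# Every SCP that applies to the account: direct attachments first, then those
# inherited from each ancestor OU, and finally the root. The permissions that
# remain available to the account are the intersection of all of them.
effective_scps() {
    parent_chain "$1" | while read -r target; do
        scps_for_target "$target"
    done
}

# Usage with real credentials:
#   effective_scps 444444444444
```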

The following code example shows how to use list-policies.

AWS CLI

To retrieve a list of all policies in an organization of a specified type

The following example shows you how to get a list of SCPs, as specified by the filter parameter:

aws organizations list-policies --filter SERVICE_CONTROL_POLICY

The output includes a list of policies with summary information:

{
    "Policies": [
        {
            "Type": "SERVICE_CONTROL_POLICY",
            "Name": "AllowAllS3Actions",
            "AwsManaged": false,
            "Id": "p-examplepolicyid111",
            "Arn": "arn:aws:organizations::111111111111:policy/service_control_policy/p-examplepolicyid111",
            "Description": "Enables account admins to delegate permissions for any S3 actions to users and roles in their accounts."
        },
        {
            "Type": "SERVICE_CONTROL_POLICY",
            "Name": "AllowAllEC2Actions",
            "AwsManaged": false,
            "Id": "p-examplepolicyid222",
            "Arn": "arn:aws:organizations::111111111111:policy/service_control_policy/p-examplepolicyid222",
            "Description": "Enables account admins to delegate permissions for any EC2 actions to users and roles in their accounts."
        },
        {
            "AwsManaged": true,
            "Description": "Allows access to every operation",
            "Type": "SERVICE_CONTROL_POLICY",
            "Id": "p-FullAWSAccess",
            "Arn": "arn:aws:organizations::aws:policy/service_control_policy/p-FullAWSAccess",
            "Name": "FullAWSAccess"
        }
    ]
}

The following code example shows how to use list-roots.

AWS CLI

To retrieve a list of the roots in an organization

This example shows how to get a list of the roots for an organization:

aws organizations list-roots

The output includes a list of root structures with summary information:

{
    "Roots": [
        {
            "Name": "Root",
            "Arn": "arn:aws:organizations::111111111111:root/o-exampleorgid/r-examplerootid111",
            "Id": "r-examplerootid111",
            "PolicyTypes": [
                { "Status": "ENABLED", "Type": "SERVICE_CONTROL_POLICY" }
            ]
        }
    ]
}

The following code example shows how to use list-targets-for-policy.

AWS CLI

To retrieve a list of the roots, OUs, and accounts that a policy is attached to

The following example shows how to get a list of the roots, OUs, and accounts that the specified policy is attached to:

aws organizations list-targets-for-policy --policy-id p-FullAWSAccess

The output includes a list of attachment objects with summary information about the roots, OUs, and accounts the policy is attached to:

{
    "Targets": [
        {
            "Arn": "arn:aws:organizations::111111111111:root/o-exampleorgid/r-examplerootid111",
            "Name": "Root",
            "TargetId": "r-examplerootid111",
            "Type": "ROOT"
        },
        {
            "Arn": "arn:aws:organizations::111111111111:account/o-exampleorgid/333333333333",
            "Name": "Developer Test Account",
            "TargetId": "333333333333",
            "Type": "ACCOUNT"
        },
        {
            "Arn": "arn:aws:organizations::111111111111:ou/o-exampleorgid/ou-examplerootid111-exampleouid111",
            "Name": "Accounting",
            "TargetId": "ou-examplerootid111-exampleouid111",
            "Type": "ORGANIZATIONAL_UNIT"
        }
    ]
}

The following code example shows how to use move-account.

AWS CLI

To move an account between roots or OUs

The following example shows you how to move the master account in the organization from the root to an OU:

aws organizations move-account --account-id 333333333333 --source-parent-id r-examplerootid111 --destination-parent-id ou-examplerootid111-exampleouid111

The following code example shows how to use remove-account-from-organization.

AWS CLI

To remove an account from an organization as the master account

The following example shows you how to remove an account from an organization:

aws organizations remove-account-from-organization --account-id 333333333333

The following code example shows how to use update-organizational-unit.

AWS CLI

To rename an OU

This example shows you how to rename an OU. In this example, the OU is renamed to "AccountingOU":

aws organizations update-organizational-unit --organizational-unit-id ou-examplerootid111-exampleouid111 --name AccountingOU

The output shows the new name:

{
    "OrganizationalUnit": {
        "Id": "ou-examplerootid111-exampleouid111",
        "Name": "AccountingOU",
        "Arn": "arn:aws:organizations::111111111111:ou/o-exampleorgid/ou-examplerootid111-exampleouid111"
    }
}

The following code example shows how to use update-policy.

AWS CLI

Example 1: To rename a policy

The following update-policy example renames a policy and gives it a new description.

aws organizations update-policy \
    --policy-id p-examplepolicyid111 \
    --name Renamed-Policy \
    --description "This description replaces the original."

The output shows the new name and description.

{
    "Policy": {
        "Content": "{\n \"Version\":\"2012-10-17\",\n \"Statement\":{\n \"Effect\":\"Allow\",\n \"Action\":\"ec2:*\",\n \"Resource\":\"*\"\n }\n}\n",
        "PolicySummary": {
            "Id": "p-examplepolicyid111",
            "AwsManaged": false,
            "Arn": "arn:aws:organizations::111111111111:policy/o-exampleorgid/service_control_policy/p-examplepolicyid111",
            "Description": "This description replaces the original.",
            "Name": "Renamed-Policy",
            "Type": "SERVICE_CONTROL_POLICY"
        }
    }
}

Example 2: To replace a policy's JSON text content

The following example shows you how to replace the JSON text of the SCP from the previous example with a new JSON policy text string that allows S3 instead of EC2:

aws organizations update-policy \
    --policy-id p-examplepolicyid111 \
    --content "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"*\"}}"

The output shows the new content:

{
    "Policy": {
        "Content": "{ \"Version\": \"2012-10-17\", \"Statement\": { \"Effect\": \"Allow\", \"Action\": \"s3:*\", \"Resource\": \"*\" } }",
        "PolicySummary": {
            "Arn": "arn:aws:organizations::111111111111:policy/o-exampleorgid/service_control_policy/p-examplepolicyid111",
            "AwsManaged": false,
            "Description": "This description replaces the original.",
            "Id": "p-examplepolicyid111",
            "Name": "Renamed-Policy",
            "Type": "SERVICE_CONTROL_POLICY"
        }
    }
}