A growing practice is to keep each environment in its own AWS account. Instead of running DEV, UAT, and PROD inside one account, customers prefer to separate them into different accounts.
AWS Organizations is the service that makes this manageable. The organization is the central manager of all your accounts. Its main advantage is billing: you can easily see the cost of each environment. Another advantage is centralized access control over the accounts, which improves security; for example, developers get access only to the development account, never to production.
Through AWS Organizations we can quickly create AWS accounts and manage them. The account in which Organizations is enabled is the master account, and an account created through Organizations is a child account. From here on we use the master/child terminology.
In this article we create accounts through Organizations using the CLI, then switch roles into a child account to spin up infrastructure there.
On the local machine, configure the AWS CLI for the master account by providing its access key and secret key:

    $ aws configure
    AWS Access Key ID [None]: <access-key>
    AWS Secret Access Key [None]: <secret-access-key>
    Default region name [None]: us-east-1
    Default output format [None]: json
To create a child account, run the following command. It creates a new account under the organization; an email address and an account name must be provided for the new account:

    aws organizations create-account --email <email-id> --account-name <account-name>

Example:

    aws organizations create-account --email <email-id> --account-name "abc-Dev"

Your new account is created and is visible in AWS Organizations. Whenever a new account is created this way, a cross-account role named ‘OrganizationAccountAccessRole’ is automatically created in the child account. This role is used to switch from the master account into the child account.
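The create-account call is asynchronous: the CLI returns a request id immediately and the account appears later, so a script should poll describe-create-account-status before using the new account id. The following shell functions are an added example, not code from the original article; they assume the AWS CLI is configured for the master account and that the caller is allowed organizations:CreateAccount and organizations:DescribeCreateAccountStatus. POLL_SECONDS and the constructed account id in the comments are assumptions.

```shell
# Added example: create a child account from the master account and wait
# for the asynchronous request to finish.

POLL_SECONDS=${POLL_SECONDS:-10}   # interval between status checks (assumption)

# Start the account creation and print the request id (car-...).
start_create_account() {
    email="$1"; name="$2"
    aws organizations create-account \
        --email "$email" --account-name "$name" \
        --query 'CreateAccountStatus.Id' --output text
}

# Fetch one status line for a request:
#   "<State>\t<AccountId>\t<FailureReason>"
# The CLI prints "None" for a field that is not present yet.
create_account_status() {
    aws organizations describe-create-account-status \
        --create-account-request-id "$1" \
        --query 'CreateAccountStatus.[State,AccountId,FailureReason]' \
        --output text
}

# Interpret a status line. Prints the account id on success and returns
# 0 = SUCCEEDED, 1 = FAILED, 2 = still IN_PROGRESS. Kept separate from
# the AWS call so it can be exercised on constructed input.
classify_status() {
    state=$(printf '%s' "$1" | cut -f1)
    account=$(printf '%s' "$1" | cut -f2)
    reason=$(printf '%s' "$1" | cut -f3)
    case "$state" in
        SUCCEEDED) printf '%s\n' "$account"; return 0 ;;
        FAILED)    printf 'account creation failed: %s\n' "$reason" >&2; return 1 ;;
        *)         return 2 ;;
    esac
}

# Poll until the request leaves IN_PROGRESS. Prints the new account id
# (for example 111122223333, a constructed value) or fails.
wait_for_account() {
    request_id="$1"; tries=${2:-30}
    while [ "$tries" -gt 0 ]; do
        line=$(create_account_status "$request_id")
        rc=0
        account=$(classify_status "$line") || rc=$?
        case "$rc" in
            0) printf '%s\n' "$account"; return 0 ;;
            1) return 1 ;;
        esac
        tries=$((tries - 1))
        sleep "$POLL_SECONDS"
    done
    echo "timed out waiting for request $request_id" >&2
    return 1
}
```

Typical use is `request_id=$(start_create_account "<email-id>" "abc-Dev")` followed by `child_id=$(wait_for_account "$request_id")`; the account id it prints is what the assume-role steps below need.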
Assume cross-account role
After the accounts are created, the ‘OrganizationAccountAccessRole’ is used to switch into a child account. Note that this role carries full administrator permissions inside the child account, so only the identities that genuinely need to operate there should be allowed to assume it.
Attach the following inline policy to the IAM role of the instance in the master account from which you wish to assume the child account's role. Generally we have a bastion server in the master account for this.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Stmt1568722637206",
                "Action": [
                    "sts:AssumeRole"
                ],
                "Effect": "Allow",
                "Resource": "arn:aws:iam::<child-account-id>:role/OrganizationAccountAccessRole"
            }
        ]
    }
The following command generates temporary credentials for switching to the child account. Run it from the server in the master account:

    aws sts assume-role --role-arn arn:aws:iam::<Account-id>:role/OrganizationAccountAccessRole --role-session-name <session-name>

Example:

    aws sts assume-role --role-arn arn:aws:iam::<Account-id>:role/OrganizationAccountAccessRole --role-session-name Dev
Provide Credentials
Export the temporary credentials returned by the above command to switch the shell into the child account:

    export AWS_ACCESS_KEY_ID=<AWS Access Key>
    export AWS_SECRET_ACCESS_KEY=<AWS Secret Key>
    export AWS_SESSION_TOKEN=<Session Token>

Once this is done, you are in the child account. You can now use AWS CloudFormation commands to create the infrastructure there.
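Copying the three values by hand from the assume-role JSON is error-prone, and nothing in the steps above confirms that the switch actually happened. The following shell functions are an added example, not code from the original article: they ask STS for the credentials, export all three variables or none, and then check with get-caller-identity that the CLI now acts in the expected account. The session name, the one-hour duration and the constructed account id 111122223333 are assumptions.

```shell
# Added example: assume OrganizationAccountAccessRole in a child account,
# export the temporary credentials into the current shell and verify it.
# Source this file (". ./switch.sh", file name assumed) so the exports
# land in the interactive shell, then: switch_to_child 111122223333 Dev

# Ask STS for temporary credentials and print them as one tab-separated
# line: "<AccessKeyId>\t<SecretAccessKey>\t<SessionToken>\t<Expiration>".
fetch_child_credentials() {
    account_id="$1"; session_name="$2"
    aws sts assume-role \
        --role-arn "arn:aws:iam::${account_id}:role/OrganizationAccountAccessRole" \
        --role-session-name "$session_name" \
        --duration-seconds 3600 \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' \
        --output text
}

# Export one credential line into the environment. Kept separate from the
# STS call so it can be checked on constructed input.
export_credentials() {
    line="$1"
    AWS_ACCESS_KEY_ID=$(printf '%s' "$line" | cut -f1)
    AWS_SECRET_ACCESS_KEY=$(printf '%s' "$line" | cut -f2)
    AWS_SESSION_TOKEN=$(printf '%s' "$line" | cut -f3)
    AWS_CREDENTIALS_EXPIRE=$(printf '%s' "$line" | cut -f4)
    # Refuse a partial set: exporting only some of the three variables
    # leaves the shell with a broken mix of master and child credentials.
    [ -n "$AWS_ACCESS_KEY_ID" ] && [ -n "$AWS_SECRET_ACCESS_KEY" ] \
        && [ -n "$AWS_SESSION_TOKEN" ] || return 1
    export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_CREDENTIALS_EXPIRE
}

# Drop the temporary credentials and fall back to the master account.
clear_credentials() {
    unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_CREDENTIALS_EXPIRE
}

# Switch the current shell to the child account and confirm the account id.
switch_to_child() {
    account_id="$1"; session_name="${2:-cross-account}"
    line=$(fetch_child_credentials "$account_id" "$session_name") || return 1
    export_credentials "$line" || return 1
    # get-caller-identity is the check that the switch really happened:
    # it must report the child account, not the master account.
    actual=$(aws sts get-caller-identity --query Account --output text)
    if [ "$actual" != "$account_id" ]; then
        echo "expected account $account_id but the CLI reports $actual" >&2
        clear_credentials
        return 1
    fi
    echo "now acting in account $account_id until $AWS_CREDENTIALS_EXPIRE"
}
```

The credentials expire at the time recorded in AWS_CREDENTIALS_EXPIRE (one hour with the duration above); run `clear_credentials` when finished so later commands in the same shell do not silently keep acting in the child account.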