Forked from https://github.com/aws-samples/account-factory
I found a tutorial and some code to create an Account Vending Machine for your Organization. Unfortunately it was outdated. I did some changes and wrote an updated how-to.
- Enable AWS Organizations
- Enable Service Catalog under AWS Organizations
- Create a Group for your Service Catalog End Users. Let's call it ServiceCatalogEndUsers
- Attach the following AWS Managed policies to ServiceCatalogEndUsers:
  - AWSServiceCatalogEndUserFullAccess
  - AWSLambdaFullAccess
  - IAMFullAccess
  - AmazonS3FullAccess
  - AWSCloudFormationReadOnlyAccess
- Create a user to run Service Catalog - it CANNOT BE THE ROOT ACCOUNT. I'll call it ServiceCatalogUser
- Add ServiceCatalogUser to ServiceCatalogEndUsers Group
- Attach the AWS Managed Policy AWSServiceCatalogAdminFullAccess to your own user
- Create an S3 bucket in the same region where you want to run Service Catalog
- Check out the code from GitHub
- Edit accountbuilder.yml in the code you checked out:
  - Set the Default of sourcebucket to the name of the bucket you created
- Upload the AVM files to the S3 bucket
- Save the URL of the accountbuilder.yml file on S3. You will need it later.
- Go to Service Catalog.
- Go to Portfolios, and Create Portfolio. You can use any name you want. Let's go with My Portfolio. Provide a description and put your name under the owner. Press Create.
- Now it will show up under the list of Portfolios. Click it.
- Click the Tab "Groups, Roles and Users", and click the orange "Add groups, roles, users" button on the right
- Select the ServiceCatalogEndUsers group we created above and Administrators under Groups, and click Add Access
- Now, on the left, click the Products link under Administration
- Click the orange button "Upload new Product"
- Fill in the blanks, and under Version Details choose "CloudFormation". Use the URL of the accountbuilder.yml template you saved earlier. Name it "Account Factory". All other fields do not require a specific value or can be left blank.
- Press "Review", ensure the data is correct and Save
- The Account Factory Product will show up on your list.
- Now click the radio button on the left of the Product Name
- Click "Actions" and select "Add Product to Portfolio". By doing that, you're ensuring the users/roles will have the correct access to the Account Factory. It won't work if you skip this step. This is the last step you perform as an administrator. The Account Factory has been successfully created and users with the correct permissions will be able to use it to create accounts.
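The administrator steps above as AWS CLI calls, added here as an example and not part of the original account-factory code. It assumes the CLI is configured for the administrator user holding AWSServiceCatalogAdminFullAccess, that accountbuilder.yml already has its sourcebucket Default set to the bucket name, and uses placeholder values for the bucket, region and owner:

```bash
#!/usr/bin/env bash
# Added example: the how-to's admin-side steps via the AWS CLI.
set -euo pipefail

REGION="${REGION:-us-east-1}"                 # region you run Service Catalog in (assumed)
BUCKET="${BUCKET:-my-avm-templates-example}"  # placeholder bucket name, must be globally unique
GROUP="ServiceCatalogEndUsers"
END_USER="ServiceCatalogUser"
OWNER="${OWNER:-your-name}"                   # shown as portfolio provider / product owner

# S3 URL of an object, in the form Service Catalog accepts for LoadTemplateFromURL.
template_url() { # $1 = bucket, $2 = region, $3 = key
  printf 'https://%s.s3.%s.amazonaws.com/%s\n' "$1" "$2" "$3"
}

# AWS-managed policy name -> ARN (the account field is the literal "aws").
policy_arn() { printf 'arn:aws:iam::aws:policy/%s\n' "$1"; }

deploy_account_factory() {
  account_id=$(aws sts get-caller-identity --query Account --output text)

  # Group, the five managed policies from the how-to, and the non-root end user.
  aws iam create-group --group-name "$GROUP"
  for p in AWSServiceCatalogEndUserFullAccess AWSLambdaFullAccess IAMFullAccess \
           AmazonS3FullAccess AWSCloudFormationReadOnlyAccess; do
    aws iam attach-group-policy --group-name "$GROUP" --policy-arn "$(policy_arn "$p")"
  done
  aws iam create-user --user-name "$END_USER"
  aws iam add-user-to-group --group-name "$GROUP" --user-name "$END_USER"

  # Bucket in the same region as Service Catalog; upload the AVM files from the checkout.
  aws s3 mb "s3://$BUCKET" --region "$REGION"
  aws s3 sync ./ "s3://$BUCKET" --exclude ".git/*" --region "$REGION"
  url=$(template_url "$BUCKET" "$REGION" accountbuilder.yml)

  # Portfolio, product from the template URL, then the two associations that give
  # the group access; without the product association the product is unusable.
  portfolio_id=$(aws servicecatalog create-portfolio --region "$REGION" \
      --display-name "My Portfolio" --provider-name "$OWNER" \
      --query 'PortfolioDetail.Id' --output text)
  product_id=$(aws servicecatalog create-product --region "$REGION" \
      --name "Account Factory" --owner "$OWNER" --product-type CLOUD_FORMATION_TEMPLATE \
      --provisioning-artifact-parameters \
        "Name=v1,Info={LoadTemplateFromURL=$url},Type=CLOUD_FORMATION_TEMPLATE" \
      --query 'ProductViewDetail.ProductViewSummary.ProductId' --output text)
  aws servicecatalog associate-product-with-portfolio --region "$REGION" \
      --product-id "$product_id" --portfolio-id "$portfolio_id"
  aws servicecatalog associate-principal-with-portfolio --region "$REGION" \
      --portfolio-id "$portfolio_id" --principal-type IAM \
      --principal-arn "arn:aws:iam::${account_id}:group/${GROUP}"
}
```

Run `deploy_account_factory` once from the checked-out repository directory; the create-group and create-user calls fail if those names already exist, so the function is not idempotent.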
Now, open an incognito / private window in your browser. The following steps are the ones an end user performs to create an account:
- Log in to the AWS Console using the user ServiceCatalogUser
- Go to Service Catalog, and click Products List on the left
- You will see the Account Factory Product you just created. Click on it.
- On the following screen, you will be able to launch the Account Factory. Click "Launch Product"
- Pick a name for the new provisioned product. An account is a provisioned product, so it's a good idea to use the account name as the Provisioned Product name. Let's call it MyNewAccount. Click Next.
- Fill in the form on the next screen.
- Review the information entered, and Launch.
- Click "Provisioned Products" to review the list of accounts created, including this one. Click MyNewAccount on this screen.
- This screen shows the status of the account creation process, as well as a link to the CloudFormation stack used to generate it. You can click it to check whether the creation is progressing.
- When the account is created, the status will say "Succeeded" and the same screen shows information such as the username, login URL and account ID.
- The owner of the e-mail address provided will receive an e-mail from AWS informing them that the account is ready. You will have to give them the login URL and the password (which you provided on the form above) so they can log in to the newly created account. And that's it! Wow, that was easy.