Last active
May 17, 2019 07:09
-
-
Save visualdensity/2f3e25f1b392157a3c5970162b20d850 to your computer and use it in GitHub Desktop.
Very crude script to create sub-accounts via AWS Organizations. Creates account and then new group in master account to allow access
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| awsProfile={aws-cli-profile} | |
| masterAccountUser={iam-user-in-master-account} | |
| # absolute root | |
| root_id={org-root-id} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| source ./config.sh | |
| billingAccess=ALLOW | |
| while getopts "a:e:" opt; do | |
| case $opt in | |
| a) | |
| accountName=$OPTARG | |
| echo "Account name: $accountName" | |
| ;; | |
| e) | |
| email=$OPTARG | |
| echo "Email: $email" | |
| ;; | |
| \?) | |
| echo "Invalid option: -$OPTARG" >&2 | |
| usage | |
| exit 1 | |
| ;; | |
| esac | |
| done | |
| if [ "$accountName" == "" ]; | |
| then | |
| echo "You must specify an account name! What name to use?" >&2 | |
| read accountName | |
| fi | |
| if [ "$email" == "" ]; | |
| then | |
| echo "You need to include email! Which email to use?" >&2 | |
| read email | |
| fi | |
| echo | |
| ######################## | |
| # Step 1: Request new account creation | |
| ######################## | |
| echo "Requesting new account with the following..." | |
| echo "aws organizations create-account --email $email --account-name $accountName --iam-user-access-to-billing $billingAccess --profile $awsProfile" | |
| response=$(aws organizations create-account --email "$email" --account-name "$accountName" --iam-user-access-to-billing "$billingAccess" --profile "$awsProfile") | |
| #response=$(cat ./create_account_response.json) | |
| requestId=$(echo "$response" | jq -r '.CreateAccountStatus.Id') | |
| echo "Done...." | |
| echo $response | |
| echo | |
| ######################### | |
| ## Step 2: Check that the create account status is succeeded | |
| ######################### | |
| echo "Checking request status with the following..." | |
| echo "aws organizations describe-create-account-status --create-account-request-id $requestId --profile $awsProfile" | |
| succeeded=0 | |
| while [ $succeeded -ne 1 ] | |
| do | |
| statusResponse=$(aws organizations describe-create-account-status --create-account-request-id "$requestId" --profile "$awsProfile") | |
| state=$(echo "$statusResponse" | jq -r '.CreateAccountStatus.State') | |
| if [ $state == "SUCCEEDED" ]; then | |
| accountId=$(echo "$statusResponse" | jq -r '.CreateAccountStatus.AccountId') | |
| echo "Account created! Account ID: $accountId" | |
| succeeded=1 | |
| else | |
| echo "Nope... state is $state." | |
| echo "Sleeping for a few seconds..." | |
| sleep 3 | |
| fi | |
| done | |
| ######################## | |
| # Step 3: Generate IAM policy | |
| ######################## | |
| sid=$(date +%s) | |
| policyFileName="group_perm-$accountId.json" | |
| read -r -d '' policyDoc << EOD | |
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Sid": "Stmt$sid", | |
| "Effect": "Allow", | |
| "Action": [ | |
| "sts:AssumeRole" | |
| ], | |
| "Resource": [ | |
| "arn:aws:iam::$accountId:role/OrganizationAccountAccessRole" | |
| ] | |
| } | |
| ] | |
| } | |
| EOD | |
| echo $policyDoc > ./"$policyFileName" | |
| ######################## | |
| # Step 4: Create IAM Group in Master to access new account | |
| ######################## | |
| echo "Creating IAM Group for new account..." | |
| groupName="SubAccountAccess-$accountName" | |
| iamGroupResponse=$(aws iam create-group --group-name $groupName --profile "$awsProfile") | |
| echo "Done" | |
| ######################### | |
| ## Step 5: Create IAM Group in Master to access new account | |
| ######################### | |
| echo "Attach policy to new $groupName group..." | |
| policyName="SubAccountAccessPolicy-$accountName" | |
| aws iam put-group-policy --group-name $groupName --policy-document file://./"$policyFileName" --policy-name $policyName --profile "$awsProfile" | |
| echo "Done" | |
| ######################## | |
| # Step 6: Add remotely user to new group | |
| ######################## | |
| echo "Adding 'remotely' user to $groupName group..." | |
| policyName="SubAccountAccessPolicy-$accountName" | |
| aws iam add-user-to-group --group-name $groupName --user-name $masterAccountUser --profile "$awsProfile" | |
| echo "Done!" | |
| echo | |
| echo | |
| echo "Your new account details:" | |
| echo " Account Name: $accountName" | |
| echo " Account ID: $accountId" | |
| echo " Master Account Group: $groupName (add user to this group to switch roles)" | |
| echo | |
| echo "Next, add the following to your ~/.aws/credentials:" | |
| cat << EOM | |
| [$accountName] | |
| role_arn = arn:aws:iam::$accountId:role/OrganizationAccountAccessRole | |
| source_profile = $awsProfile | |
| EOM | |
| echo | |
| echo "Then you can give it a quik check:" | |
| echo " aws iam list-users --profile $accountName" | |
| echo | |
| echo "Good luck!" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment