Create a new Account in AWS
Arda Systems uses a multi-account structure in AWS to manage cloud resources. Each Infrastructure is associated with its own AWS account.
Collect the information
- Google Workspace:
  - Access to the Admin Console of the Google Workspace account, or equivalent permissions to create Groups in the Google Workspace.
  - Email Address: The email address that will be used to create the AWS account.
- AWS:
  - Root User Name and Password: Creating accounts is done through the AWS Root User. The Root User credentials can be accessed through 1Password in the Arda-Systems OAM vault.
  - Account Name: The name of the account must be the same as the name of the Infrastructure that will be associated with it.
  - Organizational Unit in Arda's AWS Organizations structure:
    - Development if it is a Development Infrastructure
    - Platform/Production if it is for a regular Production Infrastructure
    - Platform if it is for an OAM Infrastructure
  - Email Address: The email address that will be used to create the account. The same one as for the Google Workspace.
Getting the Email Address
The email address to be used must be: systems-<infrastructure>@arda.cards with the infrastructure name in lowercase. For example, if the infrastructure name is NonProd023, the email address will be systems-nonprod023@arda.cards.
Important
AWS only accepts email addresses that are less than 64 characters long. If the infrastructure name is longer than 64 characters, you will need to create a shorter name for the email address.
The email address is created in the Google Workspace account through its Admin Console:
- Navigate to the Directory -> Groups section.
- Click on the Create Group link and fill in the details:
  - Group Name: Systems <Infrastructure> (e.g., Systems NonProd023)
  - Group Email: systems-<infrastructure>@arda.cards (e.g., systems-nonprod023@arda.cards)
  - Group Description: Systems <Infrastructure> (e.g., Systems NonProd023)
  - Group Owners: Determined by the DevOps team. Copy from the systems@arda.cards group.
  - In the permissions section, disable the Allow external members permission.
Log in to AWS as a Root User
Go to the AWS Root Login page and Select the Root User option. Enter the credentials or have 1Password fill them in for you.
Once logged in, you will be redirected to the AWS Management Console. From there navigate to the AWS Organizations service. You can find it by searching for Organizations in the search bar.
Note
On occasion, the login process may show an error message. Simply refresh the page or click on the Sign In button and proceed.
Select the Organizational Unit (OU) and Create the Account
In the AWS Organizations console, you will see a list of your organizational units (OUs). Select the OU that corresponds to the type of Infrastructure for which you are creating the new account (see above).
At the top right corner of the page, click on the orange Add an AWS account button. In the page that opens:
- Select the Create an AWS account option
- AWS account name: Enter the name of the Infrastructure (e.g., NonProd023)
- Email address: Enter the email address you created in the Google Workspace (e.g., systems-nonprod023@arda.cards)
- IAM role name: Leave the default value OrganizationAccountAccessRole
- Tags: TBD.
Press the orange Create AWS account button at the bottom right of the page to create the account.
Set up access to the new account
Navigate to the IAM Identity Center service in the AWS Management Console. You can find it by searching for IAM Identity Center in the search bar. Make sure that you have the United States (Ohio) (us-east-2) region selected in the top right corner of the page.
Go to the AWS Accounts section in the left menu and select the Account you just created. Click on the Assign users or groups orange button in the top right corner of the page. In the page that opens, select the groups that will need access to that account. Do Not assign individual users. Click on the Next button in the bottom right corner of the page.
In the next page select the DevelopmentAdmin permission set. Click on the Next button in the bottom right corner of the page.
Review the information and click on the Submit button in the bottom right corner of the page.
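The AWS-side steps of this runbook (create the account, move it to the right OU, assign the group in IAM Identity Center) can also be driven through the API. The script below is an added example using boto3, not Arda's own tooling; the OU ids, root id, Identity Center instance ARN, permission set ARN and group id are placeholders the caller must supply, and the email and OU helpers run offline.

```python
"""Added example: the runbook's Organizations and Identity Center steps via boto3.
The AWS calls need real credentials; the helpers run offline."""
import time

MAX_EMAIL_LEN = 64  # limit stated in the runbook (address must be shorter than this)

# Infrastructure type -> OU name, as listed in the runbook
OU_FOR_TYPE = {
    "development": "Development",
    "production": "Platform/Production",
    "oam": "Platform",
}


def systems_email(infrastructure: str) -> str:
    """Derive systems-<infrastructure>@arda.cards (lowercase) and enforce the length limit."""
    email = f"systems-{infrastructure.lower()}@arda.cards"
    if len(email) >= MAX_EMAIL_LEN:
        raise ValueError(f"{email!r} is not shorter than {MAX_EMAIL_LEN} characters; use a shorter name")
    return email


def target_ou(infra_type: str) -> str:
    """Map the infrastructure type to the OU named in the runbook."""
    return OU_FOR_TYPE[infra_type.lower()]


def create_account(infrastructure, infra_type, ou_ids, root_id,
                   identity_center_arn, permission_set_arn, group_id):
    """Create the account, move it to its OU and assign the group (placeholder ids)."""
    import boto3  # imported lazily so the offline helpers above stay importable
    orgs = boto3.client("organizations")
    resp = orgs.create_account(Email=systems_email(infrastructure), AccountName=infrastructure,
                               RoleName="OrganizationAccountAccessRole")
    req_id = resp["CreateAccountStatus"]["Id"]
    while True:  # creation is asynchronous; poll until it leaves IN_PROGRESS
        status = orgs.describe_create_account_status(CreateAccountRequestId=req_id)["CreateAccountStatus"]
        if status["State"] != "IN_PROGRESS":
            break
        time.sleep(5)
    if status["State"] != "SUCCEEDED":
        raise RuntimeError(status.get("FailureReason"))
    account_id = status["AccountId"]
    # New accounts land under the root; move to the OU for this infrastructure type
    orgs.move_account(AccountId=account_id, SourceParentId=root_id,
                      DestinationParentId=ou_ids[target_ou(infra_type)])
    # Identity Center is in us-east-2 per the runbook; assign a group, never individual users
    sso = boto3.client("sso-admin", region_name="us-east-2")
    sso.create_account_assignment(InstanceArn=identity_center_arn, TargetId=account_id,
                                  TargetType="AWS_ACCOUNT", PermissionSetArn=permission_set_arn,
                                  PrincipalType="GROUP", PrincipalId=group_id)
    return account_id
```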
Finalize
The account should now be created and configured for access by the users in the selected groups. If additional permissions are needed or new users must be added, do so in the IAM Identity Center service: use the Groups section to add users to the different groups, and the Permission Sets section to grant additional permissions to the selected groups.