Menu
Cross-Account Manager
Cross-Account Manager

Step 2. Launch the Solution in a Sub-Account

After the master account stack launch completes in the master account, upload an account file to Amazon S3 and then launch the sub-account stack in that account.

  1. Note the AWS account ID(s) of the sub-account(s) you want to add and prepare the YAML-formatted (.yml or .yaml) account file.

    A sample account.yaml file is shown below.

    Copy
    accounts: - # AWS Account ID 999999999999 : # Email associated with the account email: you@example.com # Optional to group the accounts accountgroup : production 888888888888 : email: me@example.com accountgroup : development

    The accountgroup field is optional. When specified, it is stored in Amazon DynamoDB and used to create groupings where you can apply group-specific roles.

  2. Log in to the AWS Management Console of the master account, and open the Amazon S3 console.

  3. In the Amazon S3 configuration bucket (ConfigBucket output from the previous procedure), choose the accountfolder.

  4. Upload the account file. Use the solution-generated AWS KMS key (KMSKeyAlias output from the previous procedure) to encrypt the object during upload (see the AWS KMS Developer Guide for detailed instructions).

  5. If the upload is successful, the solution will remove the account file from the configuration bucket. Check the account folder to confirm the file was received and removed. (It will remain in the bucket’s version history.) You can also check Amazon DynamoDB to confirm the account record(s) were added successfully.

    Note

    You must successfully upload the account file to the configuration bucket before you continue to the next step.

  6. Log in to the AWS Management Console of the sub-account, and use the region selector in the console navigation bar to go to the same AWS Region where you launched the master account stack.

  7. Click the button below to launch the aws-cross-account-manager-sub AWS CloudFormation template.

    
                                Sub-account template launch button

    You can also download the template as a starting point for your own implementation.

    Note

    You must launch the sub-account AWS CloudFormation template in the same AWS Region where you launched the master account template (and where AWS Lambda is available). The template is launched in the US East (N. Virginia) Region by default. Use the region selector in the console navigation bar to go to a different AWS Region.

  8. On the Select Template page, verify that you selected the correct template and choose Next.

  9. On the Specify Details page, assign a name to your sub-account stack.

  10. Under Parameters, in the Master Account ID field, enter the AWS account ID for the master account.

  11. Choose Next, and on the Options page, choose Next.

  12. On the Review page, review and confirm the settings. Be sure to check the box acknowledging that the template will create AWS Identity and Access Management (IAM) resources.

  13. Choose Create to deploy the stack.

    You can view the status of the stack in the AWS CloudFormation console in the Status column. You should see a status of CREATE_COMPLETE in roughly five minutes.

  14. To see details for the stack resources, choose the Outputs tab. You will see CrossAccountManager-Admin-DO-NOT-DELETE role, which is the special Administrator role that the solution created to allow the master account to manage roles in each sub account.