@Generated(value="jsii-pacmak/1.74.0 (build 6d08790)", date="2023-03-22T19:35:39.097Z") public class CfnAccount extends CfnResource implements IInspectable
Creates an AWS account that is automatically a member of the organization whose credentials made the request.

AWS CloudFormation uses the CreateAccount operation to create accounts. This is an asynchronous request that AWS performs in the background. Because CreateAccount operates asynchronously, it can return a successful completion message even though account initialization might still be in progress. You might need to wait a few minutes before you can successfully access the account. To check the status of the request, do one of the following:

- Use the Id value of the CreateAccountStatus response element from the CreateAccount operation as the parameter to the DescribeCreateAccountStatus operation.
- Check the CloudTrail log for the CreateAccountResult event. For information on using CloudTrail with AWS Organizations, see Logging and monitoring in AWS Organizations in the AWS Organizations User Guide.
The user who calls the API to create an account must have the organizations:CreateAccount permission. If you enabled all features in the organization, AWS Organizations creates the required service-linked role named AWSServiceRoleForOrganizations. For more information, see AWS Organizations and Service-Linked Roles in the AWS Organizations User Guide.

If the request includes tags, then the requester must have the organizations:TagResource permission.

AWS Organizations preconfigures the new member account with a role (named OrganizationAccountAccessRole by default) that grants users in the management account administrator permissions in the new member account. Principals in the management account can assume the role. AWS Organizations clones the company name and address information for the new account from the organization's management account.

For more information about creating accounts, see Creating an AWS account in Your Organization in the AWS Organizations User Guide.

This operation can be called only from the organization's management account.
Deleting Account resources

The default DeletionPolicy for resource AWS::Organizations::Account is Retain. For more information about how AWS CloudFormation deletes resources, see DeletionPolicy Attribute.
- If you include multiple accounts in a single template, you must use the DependsOn attribute on each account resource type so that the accounts are created sequentially. If you create multiple accounts at the same time, Organizations returns an error and the stack operation fails.
- You can't modify the following list of Account resource parameters using AWS CloudFormation updates:
  - AccountName
  - RoleName
  If you attempt to update the listed parameters, CloudFormation will attempt the update, but you will receive an error message as those updates are not supported from an Organizations management account or a registered delegated administrator account. Both the update and the update roll-back will fail, so you must skip the account resource update. To update parameters AccountName and
- When you create an account in an organization using the AWS Organizations console, API, or AWS CLI commands, we don't automatically collect the information required for the account to operate as a standalone account. That includes collecting the payment method and signing the end user license agreement (EULA). If you must remove an account from your organization later, you can do so only after you provide the missing information. Follow the steps at To leave an organization as a member account in the AWS Organizations User Guide.
- When you create an account in an organization using AWS CloudFormation, you can't specify a value for the CreateAccount operation parameter IamUserAccessToBilling. The default value for parameter IamUserAccessToBilling is ALLOW, and IAM users and roles with the required permissions can access billing information for the new account.
- If you get an exception that indicates DescribeCreateAccountStatus returns IN_PROGRESS state before time out, you must check the account creation status using the DescribeCreateAccountStatus operation. If the account state returns as SUCCEEDED, you can import the account into AWS CloudFormation management using resource import.
- If you get an exception that indicates you have exceeded your account quota for the organization, you can request an increase by using the Service Quotas console.
- If you get an exception that indicates the operation failed because your organization is still initializing, wait one hour and then try again. If the error persists, contact AWS Support.
- We don't recommend that you use the CreateAccount operation to create multiple temporary accounts. You can close accounts using the CloseAccount operation or from the AWS Organizations console in the organization's management account. For information on the requirements and process for closing an account, see Closing an AWS account in the AWS Organizations User Guide.
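The "IN_PROGRESS before time out" case above leaves the operator with an account that may still finish creating after the stack has already failed. The following is an added example, not part of the CDK Javadoc or the CDK library, that polls the DescribeCreateAccountStatus operation with the AWS SDK for Java v2 (the software.amazon.awssdk.services.organizations package, a different library from the CDK class documented here) until the request leaves IN_PROGRESS, so the outcome can be recorded before deciding whether to import the account with resource import. It assumes management-account credentials are available through the SDK's default provider chain; the request id in main() is a placeholder for the Id value returned in the CreateAccountStatus element.

```java
// Added example (not from the CDK Javadoc): poll DescribeCreateAccountStatus with the
// AWS SDK for Java v2 until a CreateAccount request is no longer IN_PROGRESS.
// Assumes management-account credentials via the default provider chain; the request
// id passed to main() is a placeholder.
import java.time.Duration;
import java.time.Instant;

import software.amazon.awssdk.services.organizations.OrganizationsClient;
import software.amazon.awssdk.services.organizations.model.CreateAccountState;
import software.amazon.awssdk.services.organizations.model.CreateAccountStatus;
import software.amazon.awssdk.services.organizations.model.DescribeCreateAccountStatusRequest;

public final class CreateAccountStatusPoller {

    private final OrganizationsClient organizations;
    private final Duration pollInterval;

    public CreateAccountStatusPoller(OrganizationsClient organizations, Duration pollInterval) {
        this.organizations = organizations;
        this.pollInterval = pollInterval;
    }

    /** Polls until the request is SUCCEEDED or FAILED; throws if the deadline passes first. */
    public CreateAccountStatus awaitCompletion(String createAccountRequestId, Duration timeout)
            throws InterruptedException {
        Instant deadline = Instant.now().plus(timeout);
        while (true) {
            CreateAccountStatus status = organizations.describeCreateAccountStatus(
                    DescribeCreateAccountStatusRequest.builder()
                            .createAccountRequestId(createAccountRequestId)
                            .build())
                    .createAccountStatus();

            CreateAccountState state = status.state();
            if (state == CreateAccountState.SUCCEEDED) {
                return status; // status.accountId() is populated once the account exists
            }
            if (state == CreateAccountState.FAILED) {
                // Surface the service-provided reason (quota, invalid email, etc.) verbatim.
                throw new IllegalStateException(
                        "Account creation failed: " + status.failureReasonAsString());
            }
            // Still IN_PROGRESS: the stack may already have timed out, but Organizations
            // can still finish the request, so keep polling until our own deadline.
            if (Instant.now().isAfter(deadline)) {
                throw new IllegalStateException("Request still " + state + " after " + timeout);
            }
            Thread.sleep(pollInterval.toMillis());
        }
    }

    public static void main(String[] args) throws InterruptedException {
        // Placeholder request id; pass the real Id from the CreateAccountStatus element.
        String requestId = args.length > 0 ? args[0] : "car-EXAMPLEREQUESTID";
        try (OrganizationsClient client = OrganizationsClient.create()) {
            CreateAccountStatus done = new CreateAccountStatusPoller(client, Duration.ofSeconds(15))
                    .awaitCompletion(requestId, Duration.ofMinutes(10));
            System.out.println("Account " + done.accountId()
                    + " was created; import it into the stack with resource import.");
        }
    }
}
```

The poller distinguishes the three terminal outcomes the page describes (SUCCEEDED leads to resource import, FAILED needs the failure reason, a persisting IN_PROGRESS needs more waiting) rather than treating a CloudFormation timeout as a failure of the account itself.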
Example:

```java
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import java.util.List;
import software.amazon.awscdk.core.CfnTag; // CfnTag lives in the core package (CDK v1 layout, as on this page)
import software.amazon.awscdk.services.organizations.*;

CfnAccount cfnAccount = CfnAccount.Builder.create(this, "MyCfnAccount")
        .accountName("accountName")
        .email("email")
        // the properties below are optional
        .parentIds(List.of("parentIds"))
        .roleName("roleName")
        .tags(List.of(CfnTag.builder()
                .key("key")
                .value("value")
                .build()))
        .build();
```
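The placeholder snippet shows the builder but not the constraints the notes above impose on a real template: sequential creation via DependsOn, the Retain deletion policy, and a RoleName that cannot be changed by a later update. The following is an added example, not part of the CDK Javadoc or the CDK project's code, of a stack that creates two member accounts under those constraints. It assumes the CDK v1 package layout (software.amazon.awscdk.core, consistent with the inherited prepare/synthesize methods listed on this page); the OU id, account names and email addresses are placeholders, and MemberAccountsStack and newMemberAccount are names chosen for the example.

```java
// Added example (not part of the CDK Javadoc): two member accounts created sequentially,
// landed in a specific OU, retained on stack deletion, with their ids exported.
// Assumes CDK v1 packages (software.amazon.awscdk.core); all ids and addresses are placeholders.
import java.util.List;

import software.amazon.awscdk.core.CfnOutput;
import software.amazon.awscdk.core.CfnTag;
import software.amazon.awscdk.core.Construct;
import software.amazon.awscdk.core.RemovalPolicy;
import software.amazon.awscdk.core.Stack;
import software.amazon.awscdk.core.StackProps;
import software.amazon.awscdk.services.organizations.CfnAccount;

public class MemberAccountsStack extends Stack {

    // Placeholder OU id; replace with the OU whose SCPs should govern the new accounts.
    private static final String WORKLOADS_OU_ID = "ou-EXAMPLE-REPLACEME";

    public MemberAccountsStack(final Construct scope, final String id, final StackProps props) {
        super(scope, id, props);

        CfnAccount security = newMemberAccount("SecurityTooling",
                "security-tooling", "aws-security-tooling@example.com");
        CfnAccount logging = newMemberAccount("LogArchive",
                "log-archive", "aws-log-archive@example.com");

        // Organizations rejects concurrent CreateAccount calls from one stack, so chain
        // the resources: the second account is created only after the first succeeds.
        logging.addDependsOn(security);

        // Export the generated account ids so downstream stacks (SCP targets,
        // cross-account roles) reference them instead of hard-coding numbers.
        CfnOutput.Builder.create(this, "SecurityAccountId")
                .value(security.getAttrAccountId()).build();
        CfnOutput.Builder.create(this, "LogArchiveAccountId")
                .value(logging.getAttrAccountId()).build();
    }

    private CfnAccount newMemberAccount(String logicalId, String accountName, String email) {
        CfnAccount account = CfnAccount.Builder.create(this, logicalId)
                .accountName(accountName)
                .email(email)
                // Land the account in a specific OU so its SCPs apply from the start;
                // without parentIds the account is created under the organization root.
                .parentIds(List.of(WORKLOADS_OU_ID))
                // RoleName cannot be changed by a later stack update, so choose the
                // final name here; OrganizationAccountAccessRole is the service default.
                .roleName("OrganizationAccountAccessRole")
                .tags(List.of(
                        CfnTag.builder().key("owner").value("platform-security").build(),
                        CfnTag.builder().key("environment").value("shared").build()))
                .build();

        // Make the default DeletionPolicy (Retain) explicit: removing the resource from the
        // template must never try to delete a live account.
        account.applyRemovalPolicy(RemovalPolicy.RETAIN);
        return account;
    }
}
```

Because AccountName and RoleName are immutable through CloudFormation, treat both as settled before the first deployment; a later change to either requires skipping the resource during the update, as described above.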
Nested Class Summary

Modifier and Type | Class and Description
---|---
static class | CfnAccount.Builder: A fluent builder for CfnAccount.

Nested classes/interfaces inherited from interface IInspectable: IInspectable.Jsii$Default, IInspectable.Jsii$Proxy

Nested classes/interfaces inherited from interface IConstruct: IConstruct.Jsii$Default
Field Summary

Modifier and Type | Field and Description
---|---
static java.lang.String | CFN_RESOURCE_TYPE_NAME: The CloudFormation resource type name for this resource class.
Constructor Summary

Modifier | Constructor and Description
---|---
 | CfnAccount(Construct scope, java.lang.String id, CfnAccountProps props): Create a new `AWS::Organizations::Account`.
protected | CfnAccount(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)
protected | CfnAccount(software.amazon.jsii.JsiiObjectRef objRef)
Method Summary

Modifier and Type | Method and Description
---|---
java.lang.String | getAccountName(): The account name given to the account when it was created.
java.lang.String | getAttrAccountId(): Returns the unique identifier (ID) of the account.
java.lang.String | getAttrArn(): Returns the Amazon Resource Name (ARN) of the account.
java.lang.String | getAttrJoinedMethod(): Returns the method by which the account joined the organization.
java.lang.String | getAttrJoinedTimestamp(): Returns the date the account became a part of the organization.
java.lang.String | getAttrStatus(): Returns the status of the account in the organization.
protected java.util.Map<java.lang.String,java.lang.Object> | getCfnProperties()
java.lang.String | getEmail(): The email address associated with the AWS account.
java.util.List<java.lang.String> | getParentIds(): The unique identifier (ID) of the root or organizational unit (OU) that you want to create the new account in.
java.lang.String | getRoleName(): The name of an IAM role that AWS Organizations automatically preconfigures in the new member account.
TagManager | getTags(): A list of tags that you want to attach to the newly created account.
void | inspect(TreeInspector inspector): Examines the CloudFormation resource and discloses attributes.
protected java.util.Map<java.lang.String,java.lang.Object> | renderProperties(java.util.Map<java.lang.String,java.lang.Object> props)
void | setAccountName(java.lang.String value): The account name given to the account when it was created.
void | setEmail(java.lang.String value): The email address associated with the AWS account.
void | setParentIds(java.util.List<java.lang.String> value): The unique identifier (ID) of the root or organizational unit (OU) that you want to create the new account in.
void | setRoleName(java.lang.String value): The name of an IAM role that AWS Organizations automatically preconfigures in the new member account.

Methods inherited from class CfnResource: addDeletionOverride, addDependsOn, addMetadata, addOverride, addPropertyDeletionOverride, addPropertyOverride, applyRemovalPolicy, applyRemovalPolicy, applyRemovalPolicy, getAtt, getCfnOptions, getCfnResourceType, getMetadata, getUpdatedProperites, isCfnResource, shouldSynthesize, toString, validateProperties

Methods inherited from class CfnRefElement: getRef

Methods inherited from class CfnElement: getCreationStack, getLogicalId, getStack, isCfnElement, overrideLogicalId

Methods inherited from class Construct: getNode, isConstruct, onPrepare, onSynthesize, onValidate, prepare, synthesize, validate
Field Detail

public static final java.lang.String CFN_RESOURCE_TYPE_NAME

The CloudFormation resource type name for this resource class.

Constructor Detail

protected CfnAccount(software.amazon.jsii.JsiiObjectRef objRef)

protected CfnAccount(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)

public CfnAccount(Construct scope, java.lang.String id, CfnAccountProps props)

Create a new `AWS::Organizations::Account`.

Parameters:
- scope - scope in which this resource is defined. This parameter is required.
- id - scoped id of the resource. This parameter is required.
- props - resource properties. This parameter is required.

Method Detail

public void inspect(TreeInspector inspector)

Examines the CloudFormation resource and discloses attributes.

Specified by: inspect in interface IInspectable

Parameters:
- inspector - tree inspector to collect and process attributes. This parameter is required.

protected java.util.Map<java.lang.String,java.lang.Object> renderProperties(java.util.Map<java.lang.String,java.lang.Object> props)

Overrides: renderProperties in class CfnResource

Parameters:
- props - This parameter is required.

public java.lang.String getAttrAccountId()

Returns the unique identifier (ID) of the account. For example: 123456789012.
public java.lang.String getAttrArn()

Returns the Amazon Resource Name (ARN) of the account. For example: arn:aws:organizations::111111111111:account/o-exampleorgid/555555555555.

public java.lang.String getAttrJoinedMethod()

Returns the method by which the account joined the organization. For example: INVITED | CREATED.

public java.lang.String getAttrJoinedTimestamp()

Returns the date the account became a part of the organization. For example: 2016-11-24T11:11:48-08:00.

public java.lang.String getAttrStatus()

Returns the status of the account in the organization. For example: ACTIVE | SUSPENDED | PENDING_CLOSURE.

protected java.util.Map<java.lang.String,java.lang.Object> getCfnProperties()

Overrides: getCfnProperties in class CfnResource

public TagManager getTags()

A list of tags that you want to attach to the newly created account. For each tag in the list, you must specify both a tag key and a value. You can set the value to an empty string, but you can't set it to null. For more information about tagging, see Tagging AWS Organizations resources in the AWS Organizations User Guide.

If any one of the tags is not valid or if you exceed the maximum allowed number of tags for an account, then the entire request fails and the account is not created.
public java.lang.String getAccountName()

The account name given to the account when it was created.

public void setAccountName(java.lang.String value)

The account name given to the account when it was created.

public java.lang.String getEmail()

The email address associated with the AWS account. The regex pattern for this parameter is a string of characters that represents a standard internet email address.

public void setEmail(java.lang.String value)

The email address associated with the AWS account. The regex pattern for this parameter is a string of characters that represents a standard internet email address.

public java.util.List<java.lang.String> getParentIds()

The unique identifier (ID) of the root or organizational unit (OU) that you want to create the new account in. If you don't specify this parameter, the ParentId defaults to the root ID.

This parameter only accepts a string array with one string value.

The regex pattern for a parent ID string requires one of the following:

public void setParentIds(java.util.List<java.lang.String> value)

The unique identifier (ID) of the root or organizational unit (OU) that you want to create the new account in. If you don't specify this parameter, the ParentId defaults to the root ID.

This parameter only accepts a string array with one string value.

The regex pattern for a parent ID string requires one of the following:

public java.lang.String getRoleName()

The name of an IAM role that AWS Organizations automatically preconfigures in the new member account. This role trusts the management account, allowing users in the management account to assume the role, as permitted by the management account administrator. The role has administrator permissions in the new member account.

If you don't specify this parameter, the role name defaults to OrganizationAccountAccessRole.

For more information about how to use this role to access the member account, see the following links:

The regex pattern that is used to validate this parameter. The pattern can include uppercase letters, lowercase letters, digits with no spaces, and any of the following characters: =,.@-

public void setRoleName(java.lang.String value)

The name of an IAM role that AWS Organizations automatically preconfigures in the new member account. This role trusts the management account, allowing users in the management account to assume the role, as permitted by the management account administrator. The role has administrator permissions in the new member account.

If you don't specify this parameter, the role name defaults to OrganizationAccountAccessRole.

For more information about how to use this role to access the member account, see the following links:

The regex pattern that is used to validate this parameter. The pattern can include uppercase letters, lowercase letters, digits with no spaces, and any of the following characters: =,.@-