stackoom
  简体   繁体   中英

New Account Creation Error from AWS Control Tower

 原文  2020-07-23 09:55:08       amazon-web-services/ aws-landing-zone

Question

I'm getting an error to enroll account into control tower, though my colleague is able to enroll new account with the same permission.

Error Details:- An unknown error occurred. Try again later, or contact AWS Support. No launch paths found for resource: prod-xxxxxxxxxxxx

AWS Control Tower can't create your account due to potential drift in your landing zone. Check your landing zone and try using the advanced account provisioning method to create your account.

Note: There is no Drift in our landing zone

I tried all the possible solution but still the same error exists. Does anyone face the same issue?

3 answers

solution1
 3  2020-08-13 13:47:05

This error message is generated by AWS Service Catalog, which is the integrated service that helps provision accounts in AWS Control Tower.

Common Causes:

  • You may be logged in as root. AWS Control Tower does not support creating accounts when you're logged in as root.
  • Your SSO user has not been added to the appropriate permission group.
  • If you are authenticated as an IAM user, you must add it to the AWS Service Catalog portfolio so that it has the correct permissions.

solution2
 1  2022-04-20 19:37:02

I got this error when I want to enroll an account on Account Account factory on Control Tower

AWS Control Tower can't create your account due to potential drift in your landing zone. Check your landing zone and try using the advanced account provisioning method to create your account.

Then I find this document and repair Landing zone from landing zone settings works for me:

https://docs.aws.amazon.com/controltower/latest/userguide/drift.html 

Resolving drift
Although detection is automatic, the steps to resolve drift must be done through the console.

Many types of drift can be resolved through the Landing zone settings page. You can choose the Repair button in the Versions section to repair these types of drift.

If your OU has fewer than 300 accounts, you can repair drift by selecting Re-register OU on the OU page, to repair drift in Account Factory provisioned accounts, or SCP drift.

solution3
 0  2021-03-10 15:38:58

This is what I followed in sequence.

  • As root user I repaired the landing zone from landing zone settings in AWS Control Tower: Did not work
  • Logged out as root user and logged in as IAM user with admin privilege: Did not work
  • Logged in as IAM user with admin access.
    • In AWS Service Catalogue go to Portfolios (left hand navigation pane).
    • Click on the portfolio associated with Control Tower. Portfolio name may be something like 'AWS Control Tower Account Factory Portfolio'.
    • Go to Groups, roles and users tab.
    • Click on add groups, roles, users
    • Go to users tab and add the IAM user which you use for creating new accounts through Control Tower: Worked

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question AWS Control Tower existing audit and log account Terraform in aws multi account env created by AWS Control Tower AWS Control Tower setup failed Automated creation of a new environment in AWS Migrating data from live RDS database instance associated with one AWS account to a new RDS database instance associated with another AWS account aws congnito user pool migration to the new account Cannot create new AWS account in newly created AWS organization AWS CLI "aws configure" doesn't switch me to a new account Query AWS or OU in master account with CDK from another account? Terraform to get AWS data from Account A and use it in Account B
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM