I have an organization and 2 accounts in it.
- Main-Account (management account)
- Member-Account
My software will have N Users and I need for each user (from my software) to have a Member-Account (on AWS) that will belong in my Organization (managed by Main-Account).
The Member-Accounts will be created through API using 'organizations' service and ACCESS_KEY for the Root user on Main-Account, or IAM User in Main-Account.
My idea is when a user is created on my software, to create Member-Account (on AWS) and create a bucket for this account. All of this needs to be created through API.
I don't know how to implement this. I tried:
- IAM Users, but whenever I create an IAM User using my root user (Main-Account) the IAM User belongs to Main-Account. So this will not work
- Identity center Users, but I cannot create ACCESS_KEY for this kind of user, so I cannot use this user through API
- I tried to use the root user of the Member-Account, but I need to set up a password for this user -> login into the Console -> create ACCESS_KEY and then use the ACCESS_KEY for API, but until I create the ACCESS_KEY, I must use the Console.
Is there any way of achieving this ?
There are a few ways you can accomplish this. It sounds like you are directly calling the API using something like boto3 in Python. You might consider using Terraform as it makes some bits of this a bit easier.
But, to answer your question as you have it: