AWS Control Tower moving account to new OU fails

I used to have one OU, let's call it x, containing the accounts prod and ss, and then I created a new OU, let's call it y.

Now I am trying to move prod and ss from OU x to OU y. However, this keeps failing. When I try to re-register OU y to see whether that fixes it, I get the following error:

Check the external resources that apply to y
and its member accounts. Choose Register OU again after the external resources are repaired.

At some point I downloaded the pre-check sheet, which contained the following information:

Add the IAM user to the AWS Service Catalog portfolio before registering your OU.

I went to Service Catalog and added myself as an IAM user, but the problem persists. How can I fix this?

I ran into the same error, and in the end the cause was that I was logged in to the AWS management account as root. This blocks the OU from being registered in Control Tower and blocks the corresponding accounts from being enrolled.

I logged out of the root session. When I logged in again, this time with an IAM user that has administrator access, I was able to register the OU correctly.

There are other reasons for the failure. The AWS documentation highlights the following "common causes for failure of enrollment":
  • Your IAM principal may lack the necessary permissions to provision an account. To enroll an existing account, the AWSControlTowerExecution role must be present in the account you're enrolling.
  • AWS Security Token Service (AWS STS) is disabled in your AWS account in your home region, or in any region supported by AWS Control Tower.
  • You may be signed in to an account that needs to be added to the Account Factory Portfolio in AWS Service Catalog. The account must be added before you'll have access to Account Factory so you can create or enroll an account in AWS Control Tower. If the appropriate user or role is not added to the Account Factory Portfolio, you’ll receive an error when you attempt to add an account.
  • You may be signed in as root.
  • The account you're trying to enroll may have AWS Config settings that are residual. In particular, the account must not have a configuration recorder or delivery channel, so these must be deleted through the AWS CLI before you can enroll an account.
  • If the account belongs to another OU with a management account, including another AWS Control Tower OU, you must terminate the account in its current OU before it can join another OU. Existing resources must be removed in the original OU. Otherwise, enrollment will fail.

As I said, in my case it was the fourth cause: I was logged in as root.
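Several of the causes quoted above (root sign-in, missing AWSControlTowerExecution role, STS disabled in a governed region, leftover AWS Config recorder or delivery channel) can be checked from the command line before clicking Register OU. The script below is an added example, not code from the question, the answer or AWS; it assumes the AWS CLI v2 is installed, that the active profile is a non-root principal in the account being enrolled, and that the hypothetical `CT_REGIONS` variable lists your home region plus the other regions Control Tower governs.

```shell
#!/usr/bin/env bash
# Pre-flight checks before registering an OU / enrolling an account in AWS Control Tower.
# Added example (not from the original post or AWS). Assumes AWS CLI v2 and that the
# current credentials belong to the account being enrolled. CT_REGIONS is an assumed
# variable: space-separated list of the home region and other governed regions.
set -eu

CT_EXEC_ROLE="AWSControlTowerExecution"   # role Control Tower requires in the enrolled account

# Cause "signed in as root": the root user's ARN has the form arn:aws:iam::<account-id>:root.
# Returns 0 (true) for a root ARN, 1 otherwise.
is_root_arn() {
  case "$1" in
    arn:aws:iam::[0-9]*:root) return 0 ;;
    *) return 1 ;;
  esac
}

# Cause "residual AWS Config settings": describe-configuration-recorders and
# describe-delivery-channels return {"ConfigurationRecorders":[]} / {"DeliveryChannels":[]}
# on a clean account. Any "name" key in the JSON means a resource is still present.
has_residual_config() {
  printf '%s' "$1" | grep -q '"name"'
}

# Live checks against AWS. Exit status 0 means no blocker was found.
preflight() {
  blockers=0

  arn=$(aws sts get-caller-identity --query Arn --output text)
  if is_root_arn "$arn"; then
    echo "BLOCKER: signed in as root ($arn); sign in as an IAM user/role with AdministratorAccess instead"
    blockers=$((blockers + 1))
  fi

  # Cause "IAM principal lacks permissions": the execution role must exist in this account.
  if ! aws iam get-role --role-name "$CT_EXEC_ROLE" >/dev/null 2>&1; then
    echo "BLOCKER: role $CT_EXEC_ROLE not found in this account"
    blockers=$((blockers + 1))
  fi

  # Cause "STS disabled": a regional STS call must succeed in every governed region.
  for region in ${CT_REGIONS:-us-east-1}; do
    if ! aws sts get-caller-identity --region "$region" >/dev/null 2>&1; then
      echo "BLOCKER: STS call failed in $region (region or STS endpoint disabled?)"
      blockers=$((blockers + 1))
    fi
  done

  # Cause "residual AWS Config settings": no recorder or delivery channel may remain.
  recorders=$(aws configservice describe-configuration-recorders --output json)
  channels=$(aws configservice describe-delivery-channels --output json)
  if has_residual_config "$recorders" || has_residual_config "$channels"; then
    echo "BLOCKER: residual AWS Config resources found; remove them with:"
    echo "  aws configservice delete-configuration-recorder --configuration-recorder-name <name>"
    echo "  aws configservice delete-delivery-channel --delivery-channel-name <name>"
    blockers=$((blockers + 1))
  fi

  echo "$blockers blocker(s) found"
  [ "$blockers" -eq 0 ]
}

# Only call AWS when run with --run, so the helper functions can be sourced and tested offline.
if [ "${1:-}" = "--run" ]; then
  preflight
fi
```

Run it as `CT_REGIONS="us-east-1 eu-west-1" ./ct-preflight.sh --run` with credentials for the account you want to enroll; the delete commands it prints are the ones the AWS documentation expects you to run before retrying the enrollment.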