Creating accounts
You create new accounts in your organization using the create account command.

Example

Create a new account:
tkm org accounts create \
--name my-account

Account defaults

When creating a new account, you can optionally specify whether the account's IAM users should have access to the account's billing information, and the name of the IAM role that AWS Organizations creates in the account. You can use the accountCreation property to specify the default values for these options in the organization configuration file:
organization.yml
# This is how you set the defaults for account creation.
accountCreation:
  defaults:
    iamUserAccessToBilling: true
    roleName: MyAccountAdminRole
masterAccountId: "098765432100"
organizationAdminRoleName: MyOrganizationAdminRole
serviceControlPolicies:
  restrict-by-regions:
    description: Restrict regions
  FullAWSAccess:
    description: AWS managed default policy
    awsManaged: true
backupPolicies:
  MyBackups:
    description: Backup policy
organizationalUnits:
  Root:
    serviceControlPolicies: FullAWSAccess
    accounts:
      - "098765432100"
  Root/Workloads:
    serviceControlPolicies: restrict-by-regions
  Root/Workloads/Dev: {}
  Root/Workloads/Test: {}
  Root/Workloads/Prod:
    accounts:
      - id: "876754648373"
        name: MyAccount
        description: This is a production account
  Root/Sandbox:
    accounts:
      - id: "123456789012"
        backupPolicies:
          - MyBackups
      - "448873940474"

Account constraints

You can set the accepted patterns for account names and emails by providing a constraints property under the account creation configuration:
organization.yml
accountCreation:
  defaults:
    iamUserAccessToBilling: true
    roleName: MyAccountAdminRole
  # This is how you set constraints for account name and email.
  constraints:
    # Account name must match this regex pattern
    namePattern: "^my-account-[a-z0-9-]+$"
    # Account email must match this regex pattern
    # (the domain below is a placeholder; substitute your own)
    emailPattern: "^admin\\+my-account-[0-9a-z-]+@example\\.com$"
masterAccountId: "098765432100"
organizationAdminRoleName: MyOrganizationAdminRole
serviceControlPolicies:
  restrict-by-regions:
    description: Restrict regions
  FullAWSAccess:
    description: AWS managed default policy
    awsManaged: true
backupPolicies:
  MyBackups:
    description: Backup policy
organizationalUnits:
  Root:
    serviceControlPolicies: FullAWSAccess
    accounts:
      - "098765432100"
  Root/Workloads:
    serviceControlPolicies: restrict-by-regions
  Root/Workloads/Dev: {}
  Root/Workloads/Test: {}
  Root/Workloads/Prod:
    accounts:
      - id: "876754648373"
        name: MyAccount
        description: This is a production account
  Root/Sandbox:
    accounts:
      - id: "123456789012"
        backupPolicies:
          - MyBackups
      - "448873940474"
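The following is an added example, not Takomo's own code, showing how the namePattern and emailPattern constraints above would be enforced against a proposed account and why both patterns should be anchored with ^ and $. The constraints dict is constructed to mirror the organization.yml above; the email domain is an assumed placeholder.

```python
import re

# Constructed constraints mirroring the organization.yml above. The email
# domain is an assumed placeholder; substitute your own.
CONSTRAINTS = {
    "namePattern": r"^my-account-[a-z0-9-]+$",
    "emailPattern": r"^admin\+my-account-[0-9a-z-]+@example\.com$",
}


def anchor_warnings(constraints):
    """Flag patterns that are not anchored at both ends.

    An unanchored pattern only has to occur somewhere in the value, so
    "^my-account-[a-z0-9-]+" would also accept "my-account-dev extra".
    """
    warnings = []
    for key, pattern in constraints.items():
        if not pattern.startswith("^") or not pattern.endswith("$"):
            warnings.append(f"{key} is not anchored with ^ and $: {pattern!r}")
    return warnings


def check_account(name, email, constraints=CONSTRAINTS):
    """Return the list of constraint violations for a proposed account.

    Uses re.search so the pattern's own anchors decide how strict it is,
    which is why anchor_warnings() matters. An empty list means the
    request satisfies every configured pattern.
    """
    violations = []
    for key, value in (("namePattern", name), ("emailPattern", email)):
        pattern = constraints.get(key)
        if pattern and not re.search(pattern, value):
            violations.append(f"{key}: {value!r} does not match {pattern!r}")
    return violations


if __name__ == "__main__":
    print(anchor_warnings(CONSTRAINTS))
    print(check_account("my-account-dev-1", "admin+my-account-dev-1@example.com"))
    print(check_account("my-account-Dev", "admin@example.com"))
```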