Create account

Create a new account into the organization.

Usage

tkm org accounts create \
  --name <account name> \
  --email <account email> \
  [--iam-user-access-to-billing <IAM user access to billing>] \
  [--role-name <account admin role> ] \
  [--alias <account alias>] \
  [--ou <organizational unit>] \
  [--config-file <path to account config file>]

Positional arguments

This command has no positional arguments.

Options

In addition to the , this command has the following options.

--name <name>
- The friendly name of the member account.
- Required.
--email <email>
- The email address of the owner to assign to the new member account. This email address must not already be associated with another AWS account. You must use a valid email address to complete account creation. You can't access the root user of the account or remove an account that was created with an invalid email address.
- Required.
--iam-user-access-to-billing <boolean>
- If set to true, the new account enables IAM users to access account billing information if they have the required permissions. Otherwise, only the root user of the new account can access account billing information.
- Optional, defaults to true.
--role-name <role>
- The name of an IAM role that AWS Organizations automatically preconfigures in the new member account. This role trusts the master account, allowing users in the master account to assume the role, as permitted by the master account administrator. The role has administrator permissions in the new member account.
- Optional, defaults to OrganizationAccountAccessRole.
--alias <alias>
- The account alias to create.
- Optional.
--ou <ou>
- Path to the organizational unit where the account should be added.
- Optional, defaults to Root.
--config-file <file>
- Path to a file containing account specific configuration.
- Optional.

IAM permissions

These are the minimum IAM permissions required to run this command.

Statement:
  - Effect: Allow
    Action:
      - organizations:DescribeOrganization
      - organizations:CreateAccount
      - organizations:DescribeCreateAccountStatus
      - organizations:ListRoots
      - organizations:ListTargetsForPolicy
      - organizations:ListAWSServiceAccessForOrganization
      - organizations:DescribePolicy
      - organizations:ListPolicies
      - organizations:ListAccountsForParent
      - organizations:ListAccounts
      - organizations:DescribeOrganization
      - organizations:ListOrganizationalUnitsForParent
      - organizations:MoveAccount
    Resource: "*"

Examples

Create a new account with email hello@example.com and name example.

tkm org accounts create \
  --email hello@example.com \
  --name example

Create a new account to organiational unit Root/Examples.

tkm org accounts create \
  --email hello@example.com \
  --name example \
  --ou Root/Examples

PreviousAccount NextCreate account alias

Last updated 4 years ago

Was this helpful?

tkm org accounts create \ --name <account name> \ --email <account email> \ [--iam-user-access-to-billing <IAM user access to billing>] \ [--role-name <account admin role> ] \ [--alias <account alias>] \ [--ou <organizational unit>] \ [--config-file <path to account config file>]

Options

In addition to the , this command has the following options.

--name <name>

The friendly name of the member account.
Required.

--email <email>

The email address of the owner to assign to the new member account. This email address must not already be associated with another AWS account. You must use a valid email address to complete account creation. You can't access the root user of the account or remove an account that was created with an invalid email address.
Required.

--iam-user-access-to-billing <boolean>

If set to true, the new account enables IAM users to access account billing information if they have the required permissions. Otherwise, only the root user of the new account can access account billing information.
Optional, defaults to true.

--role-name <role>

The name of an IAM role that AWS Organizations automatically preconfigures in the new member account. This role trusts the master account, allowing users in the master account to assume the role, as permitted by the master account administrator. The role has administrator permissions in the new member account.
Optional, defaults to OrganizationAccountAccessRole.

--alias <alias>

The account alias to create.
Optional.

--ou <ou>

Path to the organizational unit where the account should be added.
Optional, defaults to Root.

--config-file <file>

Path to a file containing account specific configuration.
Optional.

IAM permissions

These are the minimum IAM permissions required to run this command.

Statement:
  - Effect: Allow
    Action:
      - organizations:DescribeOrganization
      - organizations:CreateAccount
      - organizations:DescribeCreateAccountStatus
      - organizations:ListRoots
      - organizations:ListTargetsForPolicy
      - organizations:ListAWSServiceAccessForOrganization
      - organizations:DescribePolicy
      - organizations:ListPolicies
      - organizations:ListAccountsForParent
      - organizations:ListAccounts
      - organizations:DescribeOrganization
      - organizations:ListOrganizationalUnitsForParent
      - organizations:MoveAccount
    Resource: "*"