For the SSOUserEmail, this can either be a new email, or an existing email associated with an existing IAM user. While Control Tower's Account Factory currently requires an 'SSOUserEmail' parameter, you can work around it by using an existing SSO user's email address.
Here's a breakdown of the situation:
- Control Tower expects an SSO user email (SSOUserEmail) during account creation.
- You want to leverage your existing SSO configuration and avoid creating new SSO users.
Solution:
- Use Existing SSO User Email: When specifying the SSOUserEmail parameter in Account Factory Terraform (AFT), provide the email address of an existing user within your SSO system. This email doesn't have to be associated with an IAM user in Control Tower.
Important Caveats:
- Control Tower will attempt to create a new SSO user if the provided email doesn't exist in your SSO system. To prevent this, ensure the email belongs to a valid user in your existing SSO.
- Using an invalid email will likely cause enrollment failure during the account creation process.
Updating SSO Account Email:
If you need to update the SSO email address associated with the account later:
- Modify the Provisioned Product within Service Catalog to reflect the desired SSOUserEmail change.[1]
Control Tower doesn't currently offer a way to entirely skip the SSO user creation step during account enrollment. In summary, you can leverage existing SSO users by providing their email addresses during account provisioning in Control Tower AFT. However, ensure the emails belong to valid users in your SSO system to avoid enrollment failures.
References:
- Updating provisioned products: https://docs.aws.amazon.com/servicecatalog/latest/userguide/enduser-update.html
- Tips on managing Account Factory accounts: https://docs.aws.amazon.com/controltower/latest/userguide/account-factory.html#closing-and-repurposing
Thanks @merinkj. What happens when you specify the email address of an existing user within SSO during enrollment? Does it give Admin permissions during account enrollment to this SSO user? Does the SSO email address need to be unique for each account, or can we share the same SSO email address for all accounts?
Q) What happens when you specify the email address of an existing user within SSO during enrollment? Does it give Admin permissions during account enrollment to this SSO user?
A) When you use an existing user's email address for SSO enrollment in a new account, Control Tower will recognise that an SSO user with that email DOES exist, and it will grant Admin permissions to that user in the newly created account.
Q) Does the SSO email address need to be unique for each account, or can we share the same SSO email address for all accounts?
A) You could use the same SSO email address for multiple accounts while placing the aft-account-request.
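The request shape described in the answer above and in this reply, as an added example that is not part of the original post or of AWS's own AFT code: two `aft-account-request` module calls that both point `SSOUserEmail` at one user who already exists in IAM Identity Center (AWS SSO), so no new SSO user is created and that user is granted access to both new accounts. The module source path, account names, root emails, OU names, tag values and customization names are placeholders chosen for illustration.

```hcl
# Added example, not from the original post or from the AFT project.
# Module path, emails, account names, OUs and tags are placeholders.

locals {
  # A user that ALREADY exists in IAM Identity Center. Control Tower
  # grants this user admin access to each account created below; if no
  # user with this email existed, Control Tower would create one instead.
  existing_sso_user = {
    email      = "platform-admin@example.com"
    first_name = "Platform"
    last_name  = "Admin"
  }
}

module "sandbox_account" {
  source = "./modules/aft-account-request"

  control_tower_parameters = {
    AccountEmail              = "aws-sandbox@example.com" # root email, unique per account
    AccountName               = "sandbox"
    ManagedOrganizationalUnit = "Sandbox"
    SSOUserEmail              = local.existing_sso_user.email
    SSOUserFirstName          = local.existing_sso_user.first_name
    SSOUserLastName           = local.existing_sso_user.last_name
  }

  account_tags = {
    "Environment" = "sandbox"
  }

  change_management_parameters = {
    change_requested_by = "platform-team"
    change_reason       = "initial sandbox account"
  }

  custom_fields = {}

  account_customizations_name = "sandbox-customizations"
}

module "dev_account" {
  source = "./modules/aft-account-request"

  control_tower_parameters = {
    AccountEmail              = "aws-dev@example.com" # a different root email
    AccountName               = "dev"
    ManagedOrganizationalUnit = "Workloads"
    SSOUserEmail              = local.existing_sso_user.email # same SSO user reused
    SSOUserFirstName          = local.existing_sso_user.first_name
    SSOUserLastName           = local.existing_sso_user.last_name
  }

  account_tags = {
    "Environment" = "dev"
  }

  change_management_parameters = {
    change_requested_by = "platform-team"
    change_reason       = "initial dev account"
  }

  custom_fields = {}

  account_customizations_name = "dev-customizations"
}
```

Only `SSOUserEmail` is shared here; `AccountEmail` is the new account's root email and must be distinct for every account. Before committing a request, confirm the address in `local.existing_sso_user.email` matches a user in the Identity Center directory exactly, since an address that does not resolve to an existing user is the failure mode the answer warns about.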