# Interact with AWS Control Tower accounts from AWS Service Catalog


This section describes how to work with your AWS Control Tower accounts by using the capabilities of AWS Service Catalog.

**Topics**
+ [Provision accounts in the Service Catalog console, with Account Factory](provision-as-end-user.md)
+ [Automate Account Provisioning in AWS Control Tower by Service Catalog APIs](automated-provisioning-walkthrough.md)
+ [Update the provisioned product in Service Catalog](update-provisioned-product.md)
+ [Unenroll an account in Service Catalog](unenroll-with-sc.md)

# Provision accounts in the Service Catalog console, with Account Factory

## Create and provision an account

The following procedure describes how to create and provision accounts as an IAM Identity Center user through AWS Service Catalog. This procedure is also referred to as *advanced account provisioning* or *manual account provisioning*. Optionally, you may be able to provision AWS Control Tower accounts programmatically, with the AWS CLI, with Service Catalog APIs, or with AWS Control Tower Account Factory for Terraform (AFT). You may be able to provision customized accounts in the console if you've previously set up custom blueprints. For more information about customization, see [Customize accounts with Account Factory Customization (AFC)](af-customization-page.md).

**To provision accounts individually in Account Factory, as a user**

1. Sign in from your user portal URL.

1. From **Your applications**, choose **AWS Account**.

1. From the list of accounts, choose the account ID for your management account. This ID may also have a label, for example, **(Management)**.

1. From **AWSServiceCatalogEndUserAccess**, choose **Management console**. This opens the AWS Management Console for this user in this account.

1. Ensure that you've selected the correct AWS Region for provisioning accounts, which should be your AWS Control Tower Region.

1. Search for and choose **Service Catalog** to open the Service Catalog console.

1. In the navigation pane, choose **Products**.

1. Select **AWS Control Tower Account Factory**, then choose the **Launch product** button. This selection starts the wizard to provision a new account.

1. Fill in the information, and keep the following in mind:
   + The **SSOUserEmail** can be a new email address, or the email address associated with an existing IAM Identity Center user. Whichever you choose, this user will have administrative access to the account you're provisioning.
   + The **AccountEmail** must be an email address that isn't already associated with an AWS account. If you used a new email address in **SSOUserEmail**, you can use that email address here.

1. Don't define **TagOptions** and don't enable **Notifications**, otherwise the account can fail to be provisioned. When you're finished, choose **Launch product**.

1. Review your account settings, and then choose **Launch**. Don't create a resource plan, otherwise the account will fail to be provisioned.

1. Your account is now being provisioned. It can take a few minutes to complete. You can refresh the page to update the displayed status information.
**Note**  
Up to five accounts can be provisioned at a time.

# Automate Account Provisioning in AWS Control Tower by Service Catalog APIs


AWS Control Tower is integrated with several other AWS services, such as AWS Service Catalog. You can use the APIs to create and provision your member accounts in AWS Control Tower, or to enroll existing member accounts.

**Note**  
If you have opted out of IAM Identity Center in your landing zone settings, values you provide during account provisioning with the AWS Service Catalog APIs or console are not used.

The video that follows shows you how to provision accounts in an automated, batch fashion by calling the AWS Service Catalog APIs. For provisioning, you call the [ProvisionProduct](https://docs.aws.amazon.com//servicecatalog/latest/dg/API_ProvisionProduct.html) API from the AWS Command Line Interface (AWS CLI), and you specify a JSON file that contains the parameters for each account you'd like to set up. The video illustrates installing and using the [AWS Cloud9](https://docs.aws.amazon.com//cloud9/latest/user-guide/welcome.html) development environment to perform this work. The CLI commands are the same if you use AWS CloudShell instead of AWS Cloud9.

**Note**  
You can also adapt this approach to automate account updates by calling the [UpdateProvisionedProduct](https://docs.aws.amazon.com//servicecatalog/latest/dg/API_UpdateProvisionedProduct.html) API of AWS Service Catalog for each account. You can write a script that updates the accounts one by one.

As a completely different automation method, if you are familiar with Terraform, you can [provision accounts with AWS Control Tower Account Factory for Terraform (AFT)](taf-account-provisioning.md).

**Sample automation administration role**

Here is a sample template you can use to help configure your automation administration role. You deploy this role in your management account so that it can assume the execution role and perform the automation with Administrator access in the target accounts.

```
AWSTemplateFormatVersion: 2010-09-09
Description: Configure the SampleAutoAdminRole

Resources:
  AdministrationRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: SampleAutoAdminRole
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudformation.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: /
      Policies:
        - PolicyName: AssumeSampleAutoAdminRole
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - sts:AssumeRole
                Resource:
                  - "arn:aws:iam::*:role/SampleAutomationExecutionRole"
```

**Sample automation execution role**

Here is a sample template you can use to help you set up your automation execution role. You would configure this role in the target accounts.

```
AWSTemplateFormatVersion: "2010-09-09"
Description: "Create automation execution role for creating Sample Additional Role."

Parameters:
  AdminAccountId:
    Type: "String"
    Description: "Account ID for the administrator account (typically management, security or shared services)."
  AdminRoleName:
    Type: "String"
    Description: "Role name for automation administrator access."
    # Must match the role name actually created in the administrator account
    # (the administration template above names its role SampleAutoAdminRole).
    Default: "SampleAutomationAdministrationRole"
  ExecutionRoleName:
    Type: "String"
    Description: "Role name for automation execution."
    Default: "SampleAutomationExecutionRole"
  SessionDurationInSecs:
    Type: "Number"
    Description: "Maximum session duration in seconds."
    Default: 14400

Resources:
  # This needs to run after AdminRoleName exists.
  ExecutionRole:
    Type: "AWS::IAM::Role"
    Properties:
      RoleName: !Ref ExecutionRoleName
      MaxSessionDuration: !Ref SessionDurationInSecs
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              AWS:
                - !Sub "arn:aws:iam::${AdminAccountId}:role/${AdminRoleName}"
            Action:
              - "sts:AssumeRole"
      Path: "/"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/AdministratorAccess"
```

After configuring these roles, you call the AWS Service Catalog APIs to perform the automated tasks. The CLI commands are given in the video.

## Sample provisioning input for Service Catalog API


Here is a sample of the input, as a JSON document you can pass to the AWS CLI, that you can give to the Service Catalog `ProvisionProduct` API if you're using the API to provision new AWS Control Tower accounts or to enroll existing member accounts:

**Note**  
To enroll an existing member account using the `ProvisionProduct` API, the `AWSControlTowerExecution` IAM role must exist on the target account before you call the API. You can use the same input parameters shown in the following example for both new account provisioning and existing account enrollment.

```
{
  "PathId": "lpv2-7n2o3nudljh4e",
  "ProductId": "prod-y422ydgjge2rs",
  "ProvisionedProductName": "Example product 1",
  "ProvisioningArtifactId": "pa-2mmz36cfpj2p4",
  "ProvisioningParameters": [
    {
      "Key": "AccountEmail",
      "Value": "abc@amazon.com"
    },
    {
      "Key": "AccountName",
      "Value": "ABC"
    },
    {
      "Key": "ManagedOrganizationalUnit",
      "Value": "Custom (ou-xfe5-a8hb8ml8)"
    },
    {
      "Key": "SSOUserEmail",
      "Value": "abc@amazon.com"
    },
    {
      "Key": "SSOUserFirstName",
      "Value": "John"
    },
    {
      "Key": "SSOUserLastName",
      "Value": "Smith"
    }
  ],
  "ProvisionToken": "c3c795a1-9824-4fb2-a4c2-4b1841be4068"
}
```

For more information, see the [API reference for Service Catalog](https://docs.aws.amazon.com//servicecatalog/latest/dg/API_ProvisionProduct.html).

**Note**  
Notice that the format of the input string for the value of `ManagedOrganizationalUnit` has changed from `OU_NAME` to `OU_NAME (OU_ID)`. The video that follows does not mention this change.
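As an added example, not part of the AWS documentation or the video, the following script batch-provisions accounts from a CSV file by calling `ProvisionProduct` through the AWS CLI and polling `DescribeRecord` until each account finishes. It assumes the product, path and artifact IDs from the sample input above, an `accounts.csv` file that you supply, and a host with the AWS CLI configured for the management account.

```shell
#!/usr/bin/env bash
# Added example, not from the AWS docs: batch-provision Account Factory accounts with the AWS CLI.
# Product, path and artifact IDs are the ones from the sample input above; replace with your own.
set -euo pipefail
PRODUCT_ID="prod-y422ydgjge2rs"; PATH_ID="lpv2-7n2o3nudljh4e"; ARTIFACT_ID="pa-2mmz36cfpj2p4"
# Render the --cli-input-json document for one account. The OU is given in the
# "OU_NAME (OU_ID)" form; values are assumed to contain no double quotes.
build_request() {
  local name="$1" email="$2" ou="$3" sso_email="$4" first="$5" last="$6" token="$7"
  cat <<EOF
{
  "PathId": "$PATH_ID",
  "ProductId": "$PRODUCT_ID",
  "ProvisionedProductName": "$name",
  "ProvisioningArtifactId": "$ARTIFACT_ID",
  "ProvisioningParameters": [
    {"Key": "AccountEmail", "Value": "$email"},
    {"Key": "AccountName", "Value": "$name"},
    {"Key": "ManagedOrganizationalUnit", "Value": "$ou"},
    {"Key": "SSOUserEmail", "Value": "$sso_email"},
    {"Key": "SSOUserFirstName", "Value": "$first"},
    {"Key": "SSOUserLastName", "Value": "$last"}
  ],
  "ProvisionToken": "$token"
}
EOF
}
# Poll DescribeRecord until the provisioning record reaches a terminal status.
wait_for_record() {
  local status
  while :; do
    status=$(aws servicecatalog describe-record --id "$1" --query 'RecordDetail.Status' --output text)
    case "$status" in
      SUCCEEDED) return 0 ;;
      FAILED|IN_PROGRESS_IN_ERROR) echo "record $1 ended with status $status" >&2; return 1 ;;
      *) sleep 30 ;;
    esac
  done
}
# CSV lines: name,email,ou,sso_email,first,last. Accounts are provisioned one at a time,
# which stays within the five-at-a-time limit; each request gets a fresh idempotency token.
provision_from_csv() {
  local name email ou sso_email first last token record_id
  while IFS=, read -r name email ou sso_email first last; do
    [ -n "$name" ] || continue
    token=$(uuidgen 2>/dev/null || cat /proc/sys/kernel/random/uuid)
    build_request "$name" "$email" "$ou" "$sso_email" "$first" "$last" "$token" > "req-$name.json"
    record_id=$(aws servicecatalog provision-product --cli-input-json "file://req-$name.json" \
      --query 'RecordDetail.RecordId' --output text)
    wait_for_record "$record_id"
  done < "$1"
}
```

Run `provision_from_csv accounts.csv` with credentials that are allowed to launch the Account Factory product; the generated `req-*.json` files are kept so that a failed record can be inspected and resubmitted.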

## Video Walkthrough


This video (6:58) describes how to automate account deployments in AWS Control Tower. For better viewing, select the icon at the lower right corner of the video to enlarge it to full screen. Captioning is available.

[![AWS Videos](http://img.youtube.com/vi/LxxQTPdSFgw/0.jpg)](http://www.youtube.com/watch?v=LxxQTPdSFgw)


# Update the provisioned product in Service Catalog


The following procedure guides you through how to update your account in Account Factory or move it to a new OU, by updating the account's provisioned product in Service Catalog.

**Note**  
If you have opted out of IAM Identity Center in your landing zone settings, values you provide during account provisioning with the AWS Service Catalog APIs or console are not used.

**To update an Account Factory account or change its OU through Service Catalog**

1. Sign in to the AWS Management Console, and open the AWS Service Catalog console at [https://console.aws.amazon.com/servicecatalog/](https://console.aws.amazon.com/servicecatalog/).
**Note**  
You must sign in as a user with permissions to provision new products in Service Catalog (for example, an IAM Identity Center user in `AWSAccountFactory` or `AWSServiceCatalogAdmins` groups).

1. In the navigation pane, choose **Provisioning**, and then choose **Provisioned products**.

1. For each member account listed, perform the following steps:

   1. Select a member account. You're directed to the *Provisioned product details* page for that account.

   1. On the *Provisioned product details* page, choose the **Events** tab.

   1. Make a note of the following parameters:
      + **SSOUserEmail** (available in provisioned product details)
      + **AccountEmail** (available in provisioned product details)
      + **SSOUserFirstName** (available in IAM Identity Center)
      + **SSOUserLastName** (available in IAM Identity Center)
      + **AccountName** (available in IAM Identity Center)

   1. From **Actions**, choose **Update**.

   1. Choose the button next to the **Version** of the product you want to update, and choose **Next**.

   1. Provide the parameter values that were mentioned previously.
      + If you want to keep the existing OU, for **ManagedOrganizationalUnit**, choose the OU that the account was already in.
      + If you want to migrate the account to a new OU, for **ManagedOrganizationalUnit**, choose the new OU for the account.

       A central cloud administrator can find this information in the AWS Control Tower console, on the **Organization** page.

   1. Choose **Next**.

   1. Review your changes, and then choose **Update**. This process can take a few minutes per account.

# Unenroll an account in Service Catalog


An IAM Identity Center user in the `AWSAccountFactory` group can unenroll an account in the Service Catalog console by terminating its provisioned product. For more information on IAM Identity Center users or groups, see [Manage users and access through AWS IAM Identity Center](https://docs.aws.amazon.com/controltower/latest/userguide/unmanage-account.html). The following procedure describes how to unenroll a member account in Service Catalog.

**To unenroll an enrolled account through Service Catalog**

1. Open the Service Catalog console in your web browser at [https://console.aws.amazon.com/servicecatalog](https://console.aws.amazon.com/servicecatalog).

1. In the left navigation pane, choose **Provisioned products list**.

1. From the list of provisioned accounts, choose the name of the account that you want AWS Control Tower no longer to manage.

1. On the **Provisioned product details** page, from the **Actions** menu, choose **Terminate**.

1. From the dialog box that appears, choose **Terminate**.
**Important**  
The word *terminate* is specific to Service Catalog. When you terminate an account in Service Catalog Account Factory, the account is not closed. This action removes the account from its OU and your landing zone.

1. When the account has been unenrolled, its status changes to **Not Enrolled**.

1. If you no longer need the account, close it. For more information about closing AWS accounts, see [Closing an account](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/close-account.html) in the *AWS Billing User Guide*.

**Note**  
Wait for the account's status to show **Not enrolled**.