aws-solutions / aws-control-tower-customizations

The Customizations for AWS Control Tower solution combines AWS Control Tower and other highly-available, trusted AWS services to help customers more quickly set up a secure, multi-account AWS environment using AWS best practices.
https://docs.aws.amazon.com/controltower/latest/userguide/cfct-overview.html
Apache License 2.0
360 stars 205 forks

AWSControlTowerExecution role is needed in management account to deploy StackSet #109

Closed jo-koe closed 2 years ago

jo-koe commented 2 years ago

Describe the bug
As mentioned in the docs we can now also deploy StackSets to the management account. But this doesn't work as the management account doesn't have the AWSControlTowerExecution role. Error message in CloudFormation:

Account *** should have 'AWSControlTowerExecution' role with trust relationship to Role 'service-role/AWSControlTowerStackSetRole'.

To Reproduce
Deploy a StackSet to the Management account.

Expected behavior
Deployment works.

Please complete the following information about the solution:

Screenshots
N/A

Additional context
N/A

balltrev commented 2 years ago

Hey @jo-koe, this is actually the intended behavior; in the documentation we call out why this is.

As per AWS Control Tower best practices, the management account is intended only to manage member accounts and for billing purposes. Do not run production workloads in the AWS Control Tower management account.

In accordance with best practices guidance, AWS Control Tower deployment puts the management account under the Root OU, so that it has full access and does not run additional resources. For this reason, the AWSControlTowerExecutionRole role is not deployed to the management account.

We recommend that you follow these best practices for the management account. If you have a specific use case that requires you to deploy stacksets in the management account, include accounts as a deployment target and specify the management account. Otherwise, do not include accounts as a deployment target. You must create the missing resources, including required IAM roles, in the management account.
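The "missing resources" the documentation refers to, as an added example that is not part of the project's code or of this thread: a script that creates the AWSControlTowerExecution role in the management account with the trust relationship the error message names (role/service-role/AWSControlTowerStackSetRole), and an audit function that checks an existing role's trust policy for that relationship. The management account ID is a constructed placeholder; AdministratorAccess mirrors what the role carries in member accounts.

```python
import json

EXEC_ROLE_NAME = "AWSControlTowerExecution"  # role named in the CloudFormation error
STACKSET_ROLE = "role/service-role/AWSControlTowerStackSetRole"  # trusted caller, per the error
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"  # what the role carries in member accounts
MGMT_ACCOUNT = "111111111111"  # constructed placeholder, not a real account ID


def stackset_role_arn(mgmt_account_id):
    return f"arn:aws:iam::{mgmt_account_id}:{STACKSET_ROLE}"


def trust_policy(mgmt_account_id):
    """Trust policy that lets only the management account's StackSet role assume this role."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"AWS": stackset_role_arn(mgmt_account_id)},
                           "Action": "sts:AssumeRole"}]}


def trusts_stackset_role(policy_doc, mgmt_account_id):
    """Audit check: does this trust policy explicitly allow the StackSet role to assume the role?"""
    expected = stackset_role_arn(mgmt_account_id)
    for stmt in policy_doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        principals = principal.get("AWS", []) if isinstance(principal, dict) else [principal]
        principals = [principals] if isinstance(principals, str) else principals
        if expected in principals:  # exact ARN match; a "*" principal is not accepted here
            return True
    return False


def ensure_execution_role(mgmt_account_id, iam=None):
    """Create the role if absent (run with management-account credentials); return whether its trust is right."""
    import boto3  # imported here so the pure-Python checks above run without boto3 installed
    iam = iam or boto3.client("iam")
    try:
        role = iam.get_role(RoleName=EXEC_ROLE_NAME)["Role"]
    except iam.exceptions.NoSuchEntityException:
        role = iam.create_role(RoleName=EXEC_ROLE_NAME,
                               AssumeRolePolicyDocument=json.dumps(trust_policy(mgmt_account_id)),
                               Description="Execution role for CfCT StackSets targeting the management account")["Role"]
        iam.attach_role_policy(RoleName=EXEC_ROLE_NAME, PolicyArn=ADMIN_POLICY)
    return trusts_stackset_role(role["AssumeRolePolicyDocument"], mgmt_account_id)


if __name__ == "__main__":
    print("trust relationship OK:", ensure_execution_role(MGMT_ACCOUNT))
```

Because the role grants AdministratorAccess in the management account, run the audit function against it periodically so that the trust policy never widens beyond the single StackSet role ARN.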

jo-koe commented 2 years ago

Okay thanks for the clarification.