awslabs / aws-iam-aad

This package includes a set of PowerShell scripts that run inside an AWS Fargate task and keep AWS IAM roles synchronized with Azure Active Directory roles. It is used to set up single sign-on federation between Azure AD and the AWS Management Console.
Apache License 2.0

Cannot handle AWS ControlTower managed accounts #2

Open jessechahal opened 5 years ago

jessechahal commented 5 years ago

If you use AWS Control Tower to create and manage your AWS child/sub-accounts, it creates different roles for StackSets. It seems like this repo will not work when the end user is leveraging Control Tower (even though Control Tower uses AWS Organizations, StackSets, etc.).

SepehrCloud commented 5 years ago

The issue with AWS Control Tower is due to cross-account roles already being created by Control Tower. The template provided here is a sample and doesn't work out of the box with all situations. I will endeavour to address Control Tower integration to be smoother.
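The failure mode described in this thread is a deployment that tries to create a cross-account role that Control Tower has already provisioned. As an added example (not code from aws-iam-aad), the following PowerShell makes the role step idempotent by reusing an existing role and only creating it when absent; it assumes the AWS.Tools.IdentityManagement module is installed, credentials are configured, and the role name, account ID and policy ARN are placeholders for the values your deployment uses.

```powershell
# Added example, not part of aws-iam-aad. Requires AWS.Tools.IdentityManagement.
Import-Module AWS.Tools.IdentityManagement

function Ensure-CrossAccountRole {
    param(
        [Parameter(Mandatory)] [string]   $RoleName,
        [Parameter(Mandatory)] [string]   $TrustPolicyJson,   # assume-role (trust) policy document
        [string[]] $ManagedPolicyArns = @()
    )
    try {
        # Role already exists (for example, pre-created by Control Tower): reuse it.
        $role = Get-IAMRole -RoleName $RoleName -ErrorAction Stop
        Write-Verbose "Role '$RoleName' already exists; reusing it."
        # Reusing a role means accepting whatever trust policy it already carries, so
        # surface it for review instead of silently assuming it matches the expected one.
        $existingTrust = [System.Uri]::UnescapeDataString($role.AssumeRolePolicyDocument)
        Write-Verbose "Existing trust policy for '$RoleName': $existingTrust"
    }
    catch {
        # Only a missing role is expected here; anything else (access denied,
        # throttling) must still fail the deployment.
        if ($_.Exception -isnot [Amazon.IdentityManagement.Model.NoSuchEntityException]) { throw }
        $role = New-IAMRole -RoleName $RoleName -AssumeRolePolicyDocument $TrustPolicyJson
        Write-Verbose "Created role '$RoleName'."
    }
    # Attaching an already-attached managed policy is a no-op, so this is safe to repeat.
    foreach ($arn in $ManagedPolicyArns) {
        Register-IAMRolePolicy -RoleName $RoleName -PolicyArn $arn
    }
    return $role
}

# Placeholder values (constructed for this example); replace with your own.
$trust = @'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "AWS": "arn:aws:iam::111111111111:root" },
    "Action": "sts:AssumeRole"
  }]
}
'@
Ensure-CrossAccountRole -RoleName 'PLACEHOLDER-FederationRole' `
                        -TrustPolicyJson $trust `
                        -ManagedPolicyArns @('arn:aws:iam::aws:policy/ReadOnlyAccess') -Verbose
```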