Account
organizations.services.k8s.aws/v1alpha1
Type | Link |
---|---|
GoDoc | organizations-controller/apis/v1alpha1#Account |
Metadata
Property | Value |
---|---|
Scope | Namespaced |
Kind | Account |
ListKind | AccountList |
Plural | accounts |
Singular | account |
Contains information about an Amazon Web Services account that is a member of an organization.
Spec
```yaml
email: string
iamUserAccessToBilling: string
name: string
roleName: string
tags:
- key: string
  value: string
```
Field | Description |
---|---|
email Required | string The email address of the owner to assign to the new member account. This email address must not already be associated with another Amazon Web Services account. You must use a valid email address to complete account creation. The rules for a valid email address: * The address must be a minimum of 6 and a maximum of 64 characters long. * All characters must be 7-bit ASCII characters. * There must be one and only one @ symbol, which separates the local name from the domain name. |
iamUserAccessToBilling Optional | string If set to ALLOW, the new account enables IAM users to access account billing information if they have the required permissions. If set to DENY, only the root user of the new account can access account billing information. For more information, see About IAM access to the Billing and Cost Management console (https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/grantaccess.html#ControllingAccessWebsite-Activate) in the Amazon Web Services Billing and Cost Management User Guide. If you don’t specify this parameter, the value defaults to ALLOW, and IAM users and roles with the required permissions can access billing information for the new account. |
name Required | string The friendly name of the member account. |
roleName Optional | string The name of an IAM role that Organizations automatically preconfigures in the new member account. This role trusts the management account, allowing users in the management account to assume the role, as permitted by the management account administrator. The role has administrator permissions in the new member account. If you don’t specify this parameter, the role name defaults to OrganizationAccountAccessRole. For more information about how to use this role to access the member account, see the following links: * Creating the OrganizationAccountAccessRole in an invited member account (https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html#orgs_manage_accounts_create-cross-account-role) in the Organizations User Guide * Steps 2 and 3 in IAM Tutorial: Delegate access across Amazon Web Services accounts using IAM roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html) in the IAM User Guide. The regex pattern (http://wikipedia.org/wiki/regex) that is used to validate this parameter allows uppercase letters, lowercase letters, digits with no spaces, and any of the following characters: =,.@- |
tags Optional | array A list of tags that you want to attach to the newly created account. For each tag in the list, you must specify both a tag key and a value. You can set the value to an empty string, but you can’t set it to null. For more information about tagging, see Tagging Organizations resources (https://docs.aws.amazon.com/organizations/latest/userguide/orgs_tagging.html) in the Organizations User Guide. If any one of the tags is not valid or if you exceed the maximum allowed number of tags for an account, then the entire request fails and the account is not created. |
tags.[] Required | object A custom key-value pair associated with a resource within your organization. You can attach tags to any of the following organization resources: * Amazon Web Services account * Organizational unit (OU) * Organization root * Policy |
tags.[].key Optional | string |
tags.[].value Optional | string |
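A pre-apply check for an Account spec, built from the field rules in the table above. This is an added example, not code from the ACK project; the function names and the sample spec are constructed for illustration, and the roleName character set follows this page's wording.

```python
import re

# Character set for roleName as described on this page (assumption: no others).
ROLE_NAME_RE = re.compile(r"^[A-Za-z0-9=,.@-]+$")
DEFAULT_ROLE = "OrganizationAccountAccessRole"

# Constructed sample spec (not from the page): valid email, null tag value.
SAMPLE = {"email": "ops@example.com", "name": "sandbox",
          "tags": [{"key": "env", "value": None}]}


def check_email(email):
    """Return rule violations for spec.email (length, 7-bit ASCII, single @)."""
    problems = []
    if not 6 <= len(email) <= 64:
        problems.append("email: length must be 6 to 64 characters")
    if any(ord(ch) > 127 for ch in email):
        problems.append("email: all characters must be 7-bit ASCII")
    if email.count("@") != 1:
        problems.append("email: must contain exactly one @")
    return problems


def review_account_spec(spec):
    """Return (errors, notes): invalid values, and defaults to confirm."""
    errors, notes = [], []
    for field in ("email", "name"):
        if not spec.get(field):
            errors.append(f"{field}: required")
    if spec.get("email"):
        errors += check_email(spec["email"])

    billing = spec.get("iamUserAccessToBilling")
    if billing is None:
        notes.append("iamUserAccessToBilling unset: defaults to ALLOW")
    elif billing not in ("ALLOW", "DENY"):
        errors.append("iamUserAccessToBilling: expected ALLOW or DENY")

    role = spec.get("roleName")
    if role is None:
        notes.append(f"roleName unset: admin role defaults to {DEFAULT_ROLE}")
    elif not ROLE_NAME_RE.match(role):
        errors.append("roleName: only letters, digits and =,.@- are allowed")

    for i, tag in enumerate(spec.get("tags") or []):
        if tag.get("key") is None or tag.get("value") is None:
            errors.append(f"tags[{i}]: key and non-null value are both required")
    return errors, notes
```

The notes list surfaces the two documented defaults (billing access set to ALLOW, and the administrator role named OrganizationAccountAccessRole) so a reviewer can confirm they are intended before the manifest is applied.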
Status
```yaml
accountID: string
ackResourceMetadata:
  arn: string
  ownerAccountID: string
  region: string
completedTimestamp: string
conditions:
- lastTransitionTime: string
  message: string
  reason: string
  status: string
  type: string
createAccountRequestID: string
failureReason: string
govCloudAccountID: string
requestedTimestamp: string
state: string
```
Field | Description |
---|---|
accountID Optional | string If the account was created successfully, the unique identifier (ID) of the new account. The regex pattern (http://wikipedia.org/wiki/regex) for an account ID string requires exactly 12 digits. |
ackResourceMetadata Optional | object All CRs managed by ACK have a common Status.ACKResourceMetadata member that is used to contain resource sync state, account ownership, and the constructed ARN for the resource. |
ackResourceMetadata.arn Optional | string ARN is the Amazon Resource Name for the resource. This is a globally-unique identifier and is set only by the ACK service controller once the controller has orchestrated the creation of the resource OR when it has verified that an “adopted” resource (a resource where the ARN annotation was set by the Kubernetes user on the CR) exists and matches the supplied CR’s Spec field values. https://github.com/aws/aws-controllers-k8s/issues/270 |
ackResourceMetadata.ownerAccountID Required | string OwnerAccountID is the AWS Account ID of the account that owns the backend AWS service API resource. |
ackResourceMetadata.region Required | string Region is the AWS region in which the resource exists or will exist. |
completedTimestamp Optional | string The date and time that the account was created and the request completed. |
conditions Optional | array All CRs managed by ACK have a common Status.Conditions member that contains a collection of ackv1alpha1.Condition objects that describe the various terminal states of the CR and its backend AWS service API resource. |
conditions.[] Required | object Condition is the common struct used by all CRDs managed by ACK service controllers to indicate terminal states of the CR and its backend AWS service API resource. |
conditions.[].message Optional | string A human readable message indicating details about the transition. |
conditions.[].reason Optional | string The reason for the condition’s last transition. |
conditions.[].status Optional | string Status of the condition, one of True, False, Unknown. |
conditions.[].type Optional | string Type is the type of the Condition |
createAccountRequestID Optional | string The unique identifier (ID) that references this request. You get this value from the response of the initial CreateAccount request to create the account. The regex pattern (http://wikipedia.org/wiki/regex) for a create account request ID string requires “car-” followed by from 8 to 32 lowercase letters or digits. |
failureReason Optional | string If the request failed, a description of the reason for the failure. * ACCOUNT_LIMIT_EXCEEDED: The account couldn’t be created because you reached the limit on the number of accounts in your organization. * CONCURRENT_ACCOUNT_MODIFICATION: You already submitted a request with the same information. * EMAIL_ALREADY_EXISTS: The account could not be created because another Amazon Web Services account with that email address already exists. * FAILED_BUSINESS_VALIDATION: The Amazon Web Services account that owns your organization failed to receive business license validation. * GOVCLOUD_ACCOUNT_ALREADY_EXISTS: The account in the Amazon Web Services GovCloud (US) Region could not be created because this Region already includes an account with that email address. * IDENTITY_INVALID_BUSINESS_VALIDATION: The Amazon Web Services account that owns your organization can’t complete business license validation because it doesn’t have valid identity data. * INVALID_ADDRESS: The account could not be created because the address you provided is not valid. * INVALID_EMAIL: The account could not be created because the email address you provided is not valid. * INVALID_PAYMENT_INSTRUMENT: The Amazon Web Services account that owns your organization does not have a supported payment method associated with the account. Amazon Web Services does not support cards issued by financial institutions in Russia or Belarus. For more information, see Managing your Amazon Web Services payments (https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/manage-general.html). * INTERNAL_FAILURE: The account could not be created because of an internal failure. Try again later. If the problem persists, contact Amazon Web Services Customer Support. * MISSING_BUSINESS_VALIDATION: The Amazon Web Services account that owns your organization has not received Business Validation. * MISSING_PAYMENT_INSTRUMENT: You must configure the management account with a valid payment method, such as a credit card. * PENDING_BUSINESS_VALIDATION: The Amazon Web Services account that owns your organization is still in the process of completing business license validation. * UNKNOWN_BUSINESS_VALIDATION: The Amazon Web Services account that owns your organization has an unknown issue with business license validation. |
govCloudAccountID Optional | string If the account was created successfully, the unique identifier (ID) of the new account in the Amazon Web Services GovCloud (US) Region. |
requestedTimestamp Optional | string The date and time that the request was made for the account creation. |
state Optional | string The status of the asynchronous request to create an Amazon Web Services account. |