AWS

AWS Client Accounts

We have a separate AWS account for each client. This makes billing easier and keeps each client's infrastructure isolated: a leaked credential or a misconfiguration in one account cannot reach another client's resources, so the account boundary is also the blast-radius boundary.

The easiest way to switch between AWS client accounts is via SSO (see the SSO page).

Adding a new client account

To add a new account, open AWS Organizations and click Add an AWS Account.

Add the client name as the AWS account name. For the root user email, use [email protected]

Then open the link in the email, enter the root user email and reset the password. Store the new root password in the team password manager and enable MFA on the root user straight away: the root user is not subject to IAM policies or SCPs, so it should only be used for the account-level tasks that require it.

Once the account has been set up, add the AWS Account to the SSO options (see the SSO page).

Removing an account from the Organisation

To allow clients to bill their account separately, sometimes accounts may need to be removed from the AWS Organization. Before AWS will let the account leave, it must be able to operate standalone (its own payment method, contact details and support plan), and once it has left it is no longer covered by the Organization's service control policies or by the Organization's IAM Identity Center access.

To keep Chelsea Apps SSO working for the account after it leaves, it is connected back to IAM Identity Center as an external (non-Organization) account via SAML. This requires the following steps, alternating between our root/parent Organisation and the client's child account:

Root/Parent Organisation (Chelsea Apps)

1.1 Go to IAM Identity Center and create a new Application. Select "External AWS Account".
1.2 Give the Application a name and description. Download the SAML metadata file. Leave the rest as is.

Child Account

2.1 Go to IAM -> Identity Providers and add a provider.
2.2 Select SAML, give it a name, and upload the SAML metadata file downloaded in Step 1.2.
2.3 Go to the created provider and assign a role.
2.4 Create a new role (trusted entity: SAML 2.0 federation), selecting programmatic and console access. Attach only the policies the client's engineers actually need: every SSO user mapped to this Application lands in this one role, so its policies are the ceiling of what SSO can do in the account.

Root/Parent Organisation (Chelsea Apps)

3.1 Go back to the Application in IAM Identity Center and edit attribute mappings.
3.2 Add a new mapping with the values below, where ACCOUNTID is the child account's 12-digit ID, SAMLPROVIDERNAME is the provider name from Step 2.2 and ROLENAME is the role from Step 2.4. Both ARNs must be in the child account and must match the names exactly, otherwise sign-in fails with an "invalid role" error.

Field: https://aws.amazon.com/SAML/Attributes/Role
Value: arn:aws:iam::ACCOUNTID:saml-provider/SAMLPROVIDERNAME,arn:aws:iam::ACCOUNTID:role/ROLENAME
Format: unspecified

3.3 Assign the users or groups who should keep access to the Application, then test a sign-in from the SSO portal before the account is removed from the Organization.
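The Child Account half of the procedure above (Steps 2.1 to 2.4), done with the AWS CLI instead of the console, plus a sanity check on the Role attribute value pasted in Step 3.2. This is an added example, not Chelsea Apps tooling or part of the original page. It assumes the metadata file from Step 1.2 has been saved as ./sso-metadata.xml, that the provider is called ChelseaAppsSSO and the role ChelseaAppsAdmin (all placeholders you can override via environment variables), and it creates nothing unless RUN_AWS=1 is set; otherwise it does a dry run with a made-up account ID.

```shell
#!/bin/sh
# Added example (not Chelsea Apps' own tooling): child-account SAML federation
# with the AWS CLI, mirroring Steps 2.1 to 2.4, and a check for the Step 3.2
# Role attribute value. Assumed names below are placeholders; override via env.
# Nothing is created unless RUN_AWS=1.
set -eu

PROVIDER_NAME="${PROVIDER_NAME:-ChelseaAppsSSO}"
ROLE_NAME="${ROLE_NAME:-ChelseaAppsAdmin}"
METADATA_FILE="${METADATA_FILE:-./sso-metadata.xml}"
# "Sufficient policies": AdministratorAccess is a placeholder; narrow it per client.
POLICY_ARN="${POLICY_ARN:-arn:aws:iam::aws:policy/AdministratorAccess}"

# Trust policy the console writes for "SAML 2.0 federation" with programmatic
# and console access: only assertions from this provider, addressed to the AWS
# sign-in endpoint (SAML:aud), may assume the role. $1 account id, $2 provider.
trust_policy_json() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Federated": "arn:aws:iam::$1:saml-provider/$2" },
      "Action": "sts:AssumeRoleWithSAML",
      "Condition": { "StringEquals": { "SAML:aud": "https://signin.aws.amazon.com/saml" } }
    }
  ]
}
EOF
}

# Value for the https://aws.amazon.com/SAML/Attributes/Role mapping:
# provider ARN, comma, role ARN, both in the child account.
# $1 account id, $2 provider name, $3 role name.
role_attribute_value() {
  printf 'arn:aws:iam::%s:saml-provider/%s,arn:aws:iam::%s:role/%s' "$1" "$2" "$1" "$3"
}

# Check a Role attribute value before pasting it: saml-provider ARN first,
# role ARN second, and both 12-digit account ids identical. Returns 1 if not.
check_role_attribute_value() {
  re='^arn:aws:iam::[0-9]{12}:saml-provider/[A-Za-z0-9._-]+,arn:aws:iam::[0-9]{12}:role/[A-Za-z0-9+=.@_/-]+$'
  if ! printf '%s' "$1" | grep -Eq "$re"; then
    echo "malformed Role attribute value: $1" >&2
    return 1
  fi
  provider_acct="$(printf '%s' "$1" | cut -d, -f1 | cut -d: -f5)"
  role_acct="$(printf '%s' "$1" | cut -d, -f2 | cut -d: -f5)"
  if [ "$provider_acct" != "$role_acct" ]; then
    echo "provider and role are in different accounts: $provider_acct vs $role_acct" >&2
    return 1
  fi
  return 0
}

# Steps 2.1 to 2.4 against whichever child account the CLI is signed into.
# Prints the account id on stdout so the caller can build the mapping value.
create_child_federation() {
  account_id="$(aws sts get-caller-identity --query Account --output text)"
  provider_arn="$(aws iam create-saml-provider \
      --name "$PROVIDER_NAME" \
      --saml-metadata-document "file://$METADATA_FILE" \
      --query SAMLProviderArn --output text)"
  trust_policy_json "$account_id" "$PROVIDER_NAME" > ./trust-policy.json
  aws iam create-role --role-name "$ROLE_NAME" \
      --assume-role-policy-document file://trust-policy.json >/dev/null
  aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$POLICY_ARN"
  echo "Created $provider_arn and role $ROLE_NAME" >&2
  printf '%s' "$account_id"
}

if [ "${RUN_AWS:-0}" = "1" ]; then
  ACCOUNT_ID="$(create_child_federation)"
else
  ACCOUNT_ID="${ACCOUNT_ID:-123456789012}"   # constructed placeholder for the dry run
  echo "Dry run (set RUN_AWS=1 to create the provider and role). Trust policy:"
  trust_policy_json "$ACCOUNT_ID" "$PROVIDER_NAME"
fi
VALUE="$(role_attribute_value "$ACCOUNT_ID" "$PROVIDER_NAME" "$ROLE_NAME")"
check_role_attribute_value "$VALUE"
echo "Step 3.2 Role attribute value: $VALUE"
```

Run it once as a dry run to see the trust policy and the mapping value, then with RUN_AWS=1 while signed in to the child account (not the Organization's management account). The check function exists because the two most common failures of this setup are a mapping value with the ARNs in the wrong order or with the parent account's ID in one of them; both are silent until someone tries to sign in.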
