# Credentials

When managing the AWS organization, you need credentials with sufficient permissions to manage the organization itself and to assume an administrative role in every account that belongs to the organization.

In practice this means that Takomo's organization management commands need to be run with the credentials of an IAM user located in the organization master account.

# Organization Admin Role

By default, Takomo uses the credentials currently available in the terminal session to execute operations that query information from the organization and also alter its state. It is also possible to tell Takomo to use a specific IAM role to execute these organization management operations by setting the organizationAdminRoleName property in the organization configuration file.

```yaml
# Setting the organization admin role name

organizationAdminRoleName: "MyOrganizationAdminRole"
```

Please note that organizationAdminRoleName accepts a role name, not a full role ARN.

# Account Admin Role

When Takomo deploys configuration to the organization accounts, it assumes the account admin role. By default, this is the organization's default access role, OrganizationAccountAccessRole.

You can tell Takomo to use a specific IAM role by setting the accountAdminRoleName property in the organization configuration file. The role can be defined in three places: at the top level of the configuration file, under an organizational unit, and under an account. When an account is deployed, Takomo first checks if the role is found under the current account, then if it is found from the current organizational unit and lastly if it is found from the top level.

```yaml
# Setting account admin role name at the top-level

accountAdminRoleName: "MyAccountAdminRole"
```

```yaml
# Setting account admin role name at the organizational unit level

organizationalUnits:
  Root:
    accountAdminRoleName: "MyAccountAdminRole"
```

```yaml
# Setting account admin role name at the account level

organizationalUnits:
  Root:
    accounts:
      - id: "123456789012"
        accountAdminRoleName: "MyAccountAdminRole"
```

# Account Bootstrap Role

It’s best practice to follow the principle of least privilege when deploying configuration to organization accounts. To achieve this, you should create an account administrator role with restricted permissions and use it to deploy configuration.

The next question is how to create this restricted role in the first place. You can create a separate bootstrap configuration that creates the restricted role and any other resources needed to deploy the rest of the configuration with scoped-down permissions. Use accountBootstrapRoleName to specify which role Takomo should use to deploy that bootstrap configuration.

The role can be defined in three places: at the top level of the configuration file, under an organizational unit, and under an account. When an account is bootstrapped, Takomo first checks if the role is found under the current account, then if it is found from the current organizational unit and lastly if it is found from the top level.
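The following is an added example, not Takomo's own code, showing the lookup order described above for both accountAdminRoleName and accountBootstrapRoleName: account first, then the organizational unit, then the top level. It also applies the checks a practitioner wants when reviewing such a configuration: the property must hold a bare role name rather than an ARN, and the account admin role falls back to OrganizationAccountAccessRole when nothing is configured. The configuration object, the role names, the account ids and the flat one-level organizational unit layout are constructed for the example; the documented default for the bootstrap role is not stated on this page, so none is assumed.

```typescript
// Added example (not Takomo's own code): resolve which IAM role a Takomo-style
// organization configuration designates for an account, following the
// documented precedence: account > organizational unit > top level.

type RoleKey = "accountAdminRoleName" | "accountBootstrapRoleName";

interface AccountConfig {
  id: string;
  accountAdminRoleName?: string;
  accountBootstrapRoleName?: string;
}

interface OrganizationalUnitConfig {
  accountAdminRoleName?: string;
  accountBootstrapRoleName?: string;
  accounts?: AccountConfig[];
}

interface OrganizationConfig {
  organizationAdminRoleName?: string;
  accountAdminRoleName?: string;
  accountBootstrapRoleName?: string;
  organizationalUnits: { [name: string]: OrganizationalUnitConfig };
}

// Default documented for the account admin role when nothing is configured.
const DEFAULT_ACCOUNT_ADMIN_ROLE = "OrganizationAccountAccessRole";

// The *RoleName properties take a bare role name. Reject anything that looks
// like an ARN or a path so a misconfiguration fails early instead of at
// AssumeRole time.
function assertRoleName(value: string, property: string): string {
  if (value.startsWith("arn:") || value.includes("/") || value.trim() === "") {
    throw new Error(`${property} must be a plain role name, got: ${value}`);
  }
  return value;
}

// Locate an account and the organizational unit that contains it.
// Assumption for this example: a flat map of organizational units.
function locateAccount(
  config: OrganizationConfig,
  accountId: string
): { ou: OrganizationalUnitConfig; account: AccountConfig } | undefined {
  for (const ouName of Object.keys(config.organizationalUnits)) {
    const ou = config.organizationalUnits[ouName];
    const account = (ou.accounts ?? []).find((a) => a.id === accountId);
    if (account) return { ou, account };
  }
  return undefined;
}

// Resolve a role name for an account using the documented order, then the
// optional fallback. Returns undefined when nothing applies.
function resolveRoleName(
  config: OrganizationConfig,
  accountId: string,
  key: RoleKey,
  fallback?: string
): string | undefined {
  const located = locateAccount(config, accountId);
  if (!located) throw new Error(`account ${accountId} is not in the configuration`);
  const candidates: (string | undefined)[] = [
    located.account[key],
    located.ou[key],
    config[key],
    fallback,
  ];
  const chosen = candidates.find((v) => v !== undefined);
  return chosen === undefined ? undefined : assertRoleName(chosen, key);
}

// The ARN that would be assumed in the target account for a resolved role name.
function roleArn(accountId: string, roleName: string): string {
  return `arn:aws:iam::${accountId}:role/${roleName}`;
}

// Constructed sample configuration (not a real organization).
const sampleConfig: OrganizationConfig = {
  organizationAdminRoleName: "MyOrganizationAdminRole",
  accountAdminRoleName: "TopLevelAdminRole",
  organizationalUnits: {
    Root: {
      accountAdminRoleName: "OuAdminRole",
      accountBootstrapRoleName: "OuBootstrapRole",
      accounts: [
        { id: "111111111111", accountAdminRoleName: "AccountAdminRole" },
        { id: "222222222222" },
      ],
    },
    Sandbox: {
      accounts: [{ id: "333333333333" }],
    },
  },
};

for (const id of ["111111111111", "222222222222", "333333333333"]) {
  const admin = resolveRoleName(sampleConfig, id, "accountAdminRoleName", DEFAULT_ACCOUNT_ADMIN_ROLE);
  const bootstrap = resolveRoleName(sampleConfig, id, "accountBootstrapRoleName");
  console.log(id, "admin:", roleArn(id, admin as string), "bootstrap:", bootstrap ?? "(none)");
}
```

Running it shows the three distinct outcomes: the first account uses its own role, the second inherits the organizational unit's role, and the third, whose unit sets nothing, falls through to the top-level value. Removing the top-level accountAdminRoleName makes the third account fall back to OrganizationAccountAccessRole, which is exactly the silent default a least-privilege review should flag.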

Last Updated: 5/4/2020, 3:54:44 PM