Tags: aws-lambda, boto3, aws-organizations

Boto3 create account not returning AccountId


I'm trying to make a lambda that, upon the input of account details, creates an account within an AWS Organisation. What I want to do is create the account, then move it to a specific OU. The account is created fine, but I can't move it to the OU as I'm not getting the AccountId returned in the response.

import json
import boto3
import string
import random


def get_random_string(length):
    # Helper the snippet calls but did not include: a random lowercase string
    # used as both the account name and the local part of the mailbox.
    return ''.join(random.choices(string.ascii_lowercase, k=length))


def lambda_handler(event, context):

    client = boto3.client('organizations')
    root_ou_id = "..."
    quarantine_ou_id = "..."

    random_string = get_random_string(5)

    user_name = random_string
    user_email = random_string + "@nctest.com"

    print("user_name: " + user_name)
    print("user_email: " + user_email)

    response = client.create_account(
        Email=user_email,
        AccountName=user_name,
        Tags=[
            {
                'Key': 'account',
                'Value': user_name
            },
            {
                'Key': 'email',
                'Value': user_email
            },
            {
                'Key': 'sandbox',
                'Value': ''
            },
            {
                'Key': 'created_by',
                'Value': 'lambda'
            }
        ]
    )

    # default=str is needed because RequestedTimestamp is a datetime
    print("RESPONSE RECEIVED: " + json.dumps(response, indent=4, sort_keys=True, default=str))

    if 'FailureReason' in response['CreateAccountStatus']:
        return {
            'statusCode': 500,
            'body': json.dumps(response, default=str)
        }
    else:
        # CreateAccount is asynchronous: immediately after the call the status
        # is IN_PROGRESS and carries only the request Id ("car-..."), so this
        # lookup raises KeyError: 'AccountId'.
        account_id = response['CreateAccountStatus']['AccountId']

        print(account_id)

        # Returns nothing at this time. https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/organizations/client/move_account.html
        client.move_account(
            AccountId=account_id,
            SourceParentId=root_ou_id,
            DestinationParentId=quarantine_ou_id
        )

        return {
            'statusCode': 200,
            'body': {
                'id': account_id,
                'account_name': user_name,
                'account_email': user_email,
                'status': "Account Created"
            }
        }

The function fails as the AccountId key isn't present:

[ERROR] KeyError: 'AccountId'

The response I get is this:

{
   "CreateAccountStatus":{
      "AccountName":"dnpms",
      "Id":"car-xxxx",
      "RequestedTimestamp":"2023-06-30 09:58:24.686000+00:00",
      "State":"IN_PROGRESS"
   },
   "ResponseMetadata":{
      "HTTPHeaders":{
         "content-length":"151",
         "content-type":"application/x-amz-json-1.1",
         "date":"Fri, 30 Jun 2023 09:58:23 GMT",
         "x-amzn-requestid":"xxxx"
      },
      "HTTPStatusCode":200,
      "RequestId":"xxxx",
      "RetryAttempts":0
   }
}

Boto3 docs for create accounts say this should be returned. I need this for the move account call.

Any ideas?


Solution

  • Reading the docs on boto3, it says it only provides the account id if the account is created successfully. Making an account request, you get an id of the request. This id can be used to do the describe_create_account_status api call. And as soon as the account is created successfully this will return the account id.

    https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/organizations/client/create_account.html#:~:text=AccountId%20(string)%20%E2%80%93,exactly%2012%20digits.
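The polling flow the answer describes, as an added example that is not part of the original question or answer: take the request Id ("car-...") from create_account, call describe_create_account_status until State is SUCCEEDED or FAILED, and only then read AccountId and call move_account. The client is passed in so the loop can be exercised offline against the constructed FakeOrganizationsClient below; the event field names in lambda_handler and the 10-second poll interval are assumptions.

```python
"""Wait for an asynchronous CreateAccount request, then move the account to an OU."""
import json
import time

try:
    import boto3  # only needed by lambda_handler; absent in offline runs
except ImportError:  # keep the module importable without boto3 installed
    boto3 = None


def wait_for_account(client, request_id, poll_interval=10, max_attempts=30, sleep=time.sleep):
    """Return the AccountId for a create-account request id, or raise on FAILED/timeout.

    `client` is anything exposing describe_create_account_status(); `sleep` is
    injectable so the loop can be tested without waiting.
    """
    for _ in range(max_attempts):
        status = client.describe_create_account_status(
            CreateAccountRequestId=request_id
        )["CreateAccountStatus"]
        state = status["State"]
        if state == "SUCCEEDED":
            # AccountId is only guaranteed to be present in this state
            return status["AccountId"]
        if state == "FAILED":
            # FailureReason examples: EMAIL_ALREADY_EXISTS, ACCOUNT_LIMIT_EXCEEDED
            raise RuntimeError(
                f"create-account request {request_id} failed: {status.get('FailureReason')}"
            )
        sleep(poll_interval)  # still IN_PROGRESS: wait and re-check
    raise TimeoutError(f"{request_id} still IN_PROGRESS after {max_attempts} polls")


def create_and_quarantine(client, email, name, root_id, quarantine_ou_id, tags=None, sleep=time.sleep):
    """Create the account, wait for it, then move it from the org root to the quarantine OU."""
    response = client.create_account(Email=email, AccountName=name, Tags=tags or [])
    request_id = response["CreateAccountStatus"]["Id"]  # "car-..." request id, not an account id
    account_id = wait_for_account(client, request_id, sleep=sleep)
    client.move_account(
        AccountId=account_id,
        SourceParentId=root_id,  # new accounts land directly under the organization root
        DestinationParentId=quarantine_ou_id,
    )
    return account_id


class FakeOrganizationsClient:
    """Constructed offline stand-in for boto3's Organizations client: the request reads
    IN_PROGRESS for `pending_polls` status calls, then SUCCEEDED (or FAILED if a reason is set)."""

    def __init__(self, account_id="123456789012", pending_polls=2, failure_reason=None):
        self.account_id = account_id
        self.pending_polls = pending_polls
        self.failure_reason = failure_reason
        self.polls = 0
        self.moves = []

    def create_account(self, **kwargs):
        return {"CreateAccountStatus": {"Id": "car-example", "State": "IN_PROGRESS",
                                        "AccountName": kwargs["AccountName"]}}

    def describe_create_account_status(self, CreateAccountRequestId):
        self.polls += 1
        if self.polls <= self.pending_polls:
            return {"CreateAccountStatus": {"Id": CreateAccountRequestId, "State": "IN_PROGRESS"}}
        if self.failure_reason:
            return {"CreateAccountStatus": {"Id": CreateAccountRequestId, "State": "FAILED",
                                            "FailureReason": self.failure_reason}}
        return {"CreateAccountStatus": {"Id": CreateAccountRequestId, "State": "SUCCEEDED",
                                        "AccountId": self.account_id}}

    def move_account(self, **kwargs):
        self.moves.append(kwargs)


def lambda_handler(event, context):
    """Real entry point; assumed event keys: email, name, root_id, quarantine_ou_id."""
    client = boto3.client("organizations")
    account_id = create_and_quarantine(
        client, event["email"], event["name"], event["root_id"], event["quarantine_ou_id"]
    )
    return {"statusCode": 200, "body": json.dumps({"id": account_id})}
```

Two caveats for running this inside Lambda: the caller needs organizations:DescribeCreateAccountStatus in addition to CreateAccount and MoveAccount, and account creation can take several minutes, so a function that sleeps in a loop is racing the Lambda timeout. For production use it is more robust to return the request Id and finish the move in a second invocation, for example driven by a Step Functions wait state or by the CreateAccountResult event that CloudTrail emits when the request completes.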