nicolas spencer

Reputation: 51

How to get the AWS Account Name using Terraform?

I'm trying to get the AWS Account Name to be able to use it later in my Terraform code. I only have Account access, so I am not able to use resources that need Organization privileges.

I thought this would work:

data "aws_iam_account_alias" "current" {}

output "account_id" {
  value = data.aws_iam_account_alias.current.account_alias
}

But it returns an empty list as the Account has no Aliases (turns out Account Name is different from Account Alias).

Is there any similar way to get the Account Name using Terraform? (having full account permission but no organization permission)

Upvotes: 5

Views: 11457

Answers (4)

rjhornsby

Reputation: 11

This is doable in TF, but kind of painful. Absent creating your own SSM parameter in the account and referencing that in your TF, you have to query your AWS org for the name as noted by others.

  1. You'll likely need a provider alias that is configured to point at your org account, because your TF target is probably not the same account.
provider "aws" {
  alias   = "controltower"
  region  = "us-east-1"
  profile = "mycorp-controltower"
}

Don't forget the un-aliased/default provider pointed at your target account. Otherwise terraform will assume the "controltower" provider here for everything.

  2. Grab the org information. The only way I can find to do this is to get all org accounts first. You also need the caller identity of the target account (default provider) so you can match on its account ID later:
# Target account (default, un-aliased provider)
data "aws_caller_identity" "current" {}

data "aws_organizations_organization" "org" {
  provider = aws.controltower
}

data "aws_organizations_organizational_unit_descendant_accounts" "accounts" {
  parent_id = data.aws_organizations_organization.org.roots[0].id
  provider = aws.controltower
}
  3. Now you have a list of accounts that aren't keyed - it's just an array. Effectively, you have to search for your target account and extract the name:
[for acct in data.aws_organizations_organizational_unit_descendant_accounts.accounts.accounts: acct.name if acct.id == data.aws_caller_identity.current.account_id][0]

An SSM parameter would be easier than this, but on the downside its value would have to be managed properly, i.e. if for some reason you changed the account's name. Calling the org data like this gets you an answer that won't drift.

Upvotes: 1
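The three steps above, assembled into one complete configuration as an added example (this is not code from the answer above or from any Terraform/AWS project). It keeps the same Organizations lookup but replaces the bare `[0]` index with `one()` and an output precondition, so an account that is not found under the org root fails the plan with a readable message instead of an index error. The profile names `mycorp-target` and `mycorp-controltower` are placeholders; the aliased provider must run as the management (or delegated administrator) account with permission to list accounts, and the `aws_organizations_organizational_unit_descendant_accounts` data source requires a recent 5.x release of the AWS provider.

```hcl
# Added example, not from the page: resolve the friendly name of the account
# Terraform is targeting by looking it up in AWS Organizations.
terraform {
  required_version = ">= 1.2" # output preconditions
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0" # descendant_accounts data source needs a recent 5.x
    }
  }
}

# Default provider: the target account whose name we want.
provider "aws" {
  region  = "us-east-1"
  profile = "mycorp-target" # placeholder profile name (assumption)
}

# Aliased provider: the Organizations management / delegated admin account.
provider "aws" {
  alias   = "controltower"
  region  = "us-east-1"
  profile = "mycorp-controltower" # placeholder profile name (assumption)
}

# Identity of the target account, via the default provider.
data "aws_caller_identity" "current" {}

# Organization root, via the aliased provider.
data "aws_organizations_organization" "org" {
  provider = aws.controltower
}

# Every account beneath the root, regardless of OU nesting.
data "aws_organizations_organizational_unit_descendant_accounts" "accounts" {
  provider  = aws.controltower
  parent_id = data.aws_organizations_organization.org.roots[0].id
}

locals {
  # Names of accounts whose ID equals the caller's account ID (0 or 1 expected).
  matching_names = [
    for acct in data.aws_organizations_organizational_unit_descendant_accounts.accounts.accounts :
    acct.name if acct.id == data.aws_caller_identity.current.account_id
  ]

  # one() yields null for an empty list and errors on more than one element,
  # so a missing account does not surface as an opaque "index out of range".
  account_name = one(local.matching_names)
}

output "account_name" {
  value = local.account_name

  # Fail the plan with an actionable message instead of propagating null.
  precondition {
    condition     = local.account_name != null
    error_message = "Account ${data.aws_caller_identity.current.account_id} was not found under the organization root visible to provider aws.controltower."
  }
}
```

Run `terraform plan` with both profiles available; if the target account is outside the organization the aliased provider can see, the precondition reports which account ID could not be resolved rather than a `[0]` index error on an empty list.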

vladimirror

Reputation: 1068

AWS is horrible in naming, and AWS IAM account seems to be something different from AWS organization.

I believe what you are looking for is an AWS organization name, as I was looking for a name as well, but only got empty aliases, although I could be wrong.

You can get it here in Terraform.

Or from the CLI with:

aws organizations describe-account --account-id XXXXX

Edit: Link to the SO question which answered my question: The differences between IAM and AWS Organization

Upvotes: 0

MutantMahesh

Reputation: 1717

You can use:

data "aws_caller_identity" "current" {}

output "account_id" {
  value = data.aws_caller_identity.current.account_id
}

output "caller_arn" {
  value = data.aws_caller_identity.current.arn
}

output "caller_user" {
  value = data.aws_caller_identity.current.user_id
}

Source: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity

Upvotes: 5

logyball

Reputation: 178

You may use the aws_caller_identity data source to get the ID or ARN from the current account. It is analogous to the output of aws sts get-caller-identity. If you really need the Friendly Name of the account and not simply the ID, you can try to get it via the aws_organizations_organization data source, which exports all available accounts, with their ARN, ID, Name, and a few other attributes. Because you mentioned that you don't have organizations access, this might not be a viable solution.

Upvotes: 0
