I currently have a regular/non-organization AWS account and I create EC2 instances via Boto3 using code like this:
import boto3

ec2 = boto3.resource('ec2', region_name = region)
instances = ec2.create_instances(...)
I may need to change my account to an organization and create sub-accounts so I can use different credit cards to fund different accounts.
However, I am concerned how much my existing Boto3 scripts will need to change. Looking at the reference page for create_instances(), I don't see an argument which refers to a sub account.
Using Boto3 how do you create an instance for a specific sub account?
It is not possible to specify an AWS Account when making API calls to AWS. Instead, the account used is always the one that created the credentials being used to make the API call.
AWS identity entities (eg IAM User, IAM Role) are created in an AWS Account. When these credentials are used to make API calls to AWS, the resources will always be created in the AWS Account that 'owns' those credentials. Let's call it Account-A.
To create resources in a different account (Account-B), you will either need to use credentials from Account-B, or you can assume an IAM Role:
- Call AssumeRole on the IAM Role in Account-B
- This requires permission to call AssumeRole() on that role, and also a trust policy on the IAM Role in Account-B that permits the IAM entity in Account-A to assume that role

When you call AssumeRole(), a new set of temporary credentials is returned. These credentials belong to Account-B, so any resources created using those credentials will be in Account-B.

So, using your AWS Organizations setup:
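The AssumeRole flow described in the answer, as an added example that is not part of the original question or answer: Account-A credentials (from the default boto3 credential chain) call STS AssumeRole on a role in Account-B, the temporary credentials from the response are passed to a boto3 EC2 resource, and create_instances() then runs in Account-B. The role ARN, session name, AMI ID and instance parameters are placeholders I chose, not values from the post; boto3 is imported lazily so the pure helper that unpacks the STS response can be exercised without AWS access. The RoleSessionName is worth setting deliberately, since it appears in Account-B's CloudTrail records and is how the cross-account activity gets attributed.

```python
"""Cross-account EC2 creation by assuming an IAM Role in Account-B.

Added example (not the original poster's code). Assumptions: the role ARN,
session name, AMI ID and instance parameters are placeholders; boto3 is
imported inside the functions that need it so the module loads without it.
"""

# Placeholder ARN of the IAM Role in Account-B (assumption; use your own).
ACCOUNT_B_ROLE_ARN = "arn:aws:iam::222222222222:role/Ec2LauncherFromAccountA"


def credentials_from_assume_role(response):
    """Turn an STS AssumeRole response into keyword arguments for boto3.

    The 'Credentials' element carries the temporary credentials that belong
    to Account-B; every API call made with them executes (and is billed)
    in Account-B, which is the point the answer makes.
    """
    creds = response["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        # The session token is mandatory for temporary credentials.
        "aws_session_token": creds["SessionToken"],
    }


def assume_account_b_role(role_arn=ACCOUNT_B_ROLE_ARN,
                          session_name="boto3-cross-account",
                          duration=900):
    """Call STS AssumeRole with Account-A credentials and return boto3 kwargs.

    This only succeeds when (a) the Account-A identity is allowed to call
    sts:AssumeRole on role_arn and (b) the role's trust policy in Account-B
    names that Account-A identity, exactly as the answer describes.
    """
    import boto3  # lazy import: the default chain supplies Account-A credentials

    sts = boto3.client("sts")
    response = sts.assume_role(
        RoleArn=role_arn,
        RoleSessionName=session_name,  # recorded in Account-B's CloudTrail
        DurationSeconds=duration,      # 900 s is the STS minimum; keep it short
    )
    return credentials_from_assume_role(response)


def create_instances_in_account_b(region, **instance_kwargs):
    """Create EC2 instances in Account-B using the assumed role's credentials."""
    import boto3

    ec2 = boto3.resource("ec2", region_name=region, **assume_account_b_role())
    return ec2.create_instances(**instance_kwargs)


if __name__ == "__main__":
    # Placeholder launch parameters (assumption; not from the post).
    instances = create_instances_in_account_b(
        "us-east-1",
        ImageId="ami-00000000000000000",
        InstanceType="t3.micro",
        MinCount=1,
        MaxCount=1,
    )
    print([i.id for i in instances])
```

Only the credential-unpacking helper is pure; the other two functions need real Account-A credentials and a role in Account-B that trusts them, and will raise an AccessDenied error from STS if either the permission or the trust policy is missing.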