UsageΒΆ

To use aws-account-lifecycle:

aws-account-lifecycle --help
Usage: aws-account-lifecycle [OPTIONS] COMMAND [ARGS]...

  Main entry point of the CLI.

Options:
  --help  Show this message and exit.

Commands:
  billing-iam-activate    Activate IAM access to billing console on an...
  create                  Create a new account through Control Tower.
  mfa-activate            Activate virtual MFA on an account.
  mfa-deactivate          Deactivate virtual MFA on an account.
  request-password-reset  Request a password reset for an account.
  reset-password          Reset the password of an account.
  terminate               Terminate (suspend for 90 days first) an account.
  update-email            Update the email of an account.
  update-name             Update the name of an account.

Activating IAM access on billing console

aws-account-lifecycle billing-iam-activate --help
Usage: aws-account-lifecycle billing-iam-activate [OPTIONS]

  Activate IAM access to billing console on an account.

Options:
  Logging options: [mutually_exclusive]
                                  Sets the level of logging interactively or
                                  accepts a configuration file.
    -l, --log-level [debug|info|warning|error]
                                  Provide the log level. Defaults to info.
                                  Mutually exclusive with providing a logging
                                  configuration file.
    -L, --log-config FILENAME     A config file for logging, mutually
                                  exclusive with setting the logging level
                                  interactively.
  -t, --2captcha-token TEXT       A valid token for the 2captcha service if
                                  automatic captcha solving is required. Can
                                  read from "TWO_CAPTCHA_API_TOKEN"
                                  environment variable
  -m, --mfa-seed TEXT             The original mfa seed of the account if
                                  virtual MFA is enabled.
  -r, --region TEXT               The home region of the account, can read
                                  from "AWS_DEFAULT_REGION" environment
                                  variable  [required]
  -p, --password TEXT             The root password of the account.
                                  [required]
  -e, --email TEXT                The email to use.  [required]
  --help                          Show this message and exit.

Creating an account

aws-account-lifecycle create --help
Usage: aws-account-lifecycle create [OPTIONS]

  Create a new account through Control Tower.

Options:
  Logging options: [mutually_exclusive]
                                  Sets the level of logging interactively or
                                  accepts a configuration file.
    -l, --log-level [debug|info|warning|error]
                                  Provide the log level. Defaults to info.
                                  Mutually exclusive with providing a logging
                                  configuration file.
    -L, --log-config FILENAME     A config file for logging, mutually
                                  exclusive with setting the logging level
                                  interactively.
  -e, --email TEXT                The email to use.  [required]
  -r, --region TEXT               The home region of the account, can read
                                  from "AWS_DEFAULT_REGION" environment
                                  variable  [required]
  -n, --name TEXT                 The name of the account.  [required]
  -a, --arn TEXT                  The arn of the role that can access Control
                                  Tower.  [required]
  -o, --organizational-unit TEXT  The OU to create the account under. Defaults
                                  to "Custom".  [required]
  -h, --parent-hierarchy TEXT     The parent hierarchy of the OU if any, space
                                  delimited. If you want the OU to be created
                                  under Root/GrandParentOU/ParentOU the
                                  arguments would be `-h Root -h GrandParentOU
                                  -h ParentOU`
  -p, --product-name TEXT         The product name of the account. Defaults to
                                  the account name if not set.
  -se, --sso-email TEXT           The email for an SSO user. It defaults to
                                  the account email if not set.
  -sf, --sso-first-name TEXT      The first name for an SSO user. It defaults
                                  to "Control".
  -sl, --sso-last-name TEXT       The last name for an SSO user. It defaults
                                  to "Tower".
  -f, --force-ou-hierarchy-creation
                                  If set and a parent hierarchy is provided
                                  then then the tool will try to create it
                                  even if it does not exist.
  --help                          Show this message and exit.

Activating MFA

aws-account-lifecycle mfa-activate --help
Usage: aws-account-lifecycle mfa-activate [OPTIONS]

  Activate virtual MFA on an account.

Options:
  Logging options: [mutually_exclusive]
                                  Sets the level of logging interactively or
                                  accepts a configuration file.
    -l, --log-level [debug|info|warning|error]
                                  Provide the log level. Defaults to info.
                                  Mutually exclusive with providing a logging
                                  configuration file.
    -L, --log-config FILENAME     A config file for logging, mutually
                                  exclusive with setting the logging level
                                  interactively.
  -t, --2captcha-token TEXT       A valid token for the 2captcha service if
                                  automatic captcha solving is required. Can
                                  read from "TWO_CAPTCHA_API_TOKEN"
                                  environment variable
  -m, --mfa-seed TEXT             The original mfa seed of the account if
                                  virtual MFA is enabled.
  -r, --region TEXT               The home region of the account, can read
                                  from "AWS_DEFAULT_REGION" environment
                                  variable  [required]
  -p, --password TEXT             The root password of the account.
                                  [required]
  -e, --email TEXT                The email to use.  [required]
  -d, --device-name TEXT          The name of the virtual device. Defaults to
                                  "root-account-mfa-device"  [required]
  --help                          Show this message and exit.

Deactivating MFA

aws-account-lifecycle mfa-deactivate --help
Usage: aws-account-lifecycle mfa-deactivate [OPTIONS]

  Deactivate virtual MFA on an account.

Options:
  Logging options: [mutually_exclusive]
                                  Sets the level of logging interactively or
                                  accepts a configuration file.
    -l, --log-level [debug|info|warning|error]
                                  Provide the log level. Defaults to info.
                                  Mutually exclusive with providing a logging
                                  configuration file.
    -L, --log-config FILENAME     A config file for logging, mutually
                                  exclusive with setting the logging level
                                  interactively.
  -t, --2captcha-token TEXT       A valid token for the 2captcha service if
                                  automatic captcha solving is required. Can
                                  read from "TWO_CAPTCHA_API_TOKEN"
                                  environment variable
  -m, --mfa-seed TEXT             The original mfa seed of the account if
                                  virtual MFA is enabled.
  -r, --region TEXT               The home region of the account, can read
                                  from "AWS_DEFAULT_REGION" environment
                                  variable  [required]
  -p, --password TEXT             The root password of the account.
                                  [required]
  -e, --email TEXT                The email to use.  [required]
  -d, --device-serial TEXT        The serial of the virtual device in the form
                                  of arn:aws:iam::ACCOUNTID:mfa/DEVICE_NAME.
                                  [required]
  --help                          Show this message and exit.

Request a password reset

aws-account-lifecycle request-password-reset --help
Usage: aws-account-lifecycle request-password-reset [OPTIONS]

  Request a password reset for an account.

Options:
  Logging options: [mutually_exclusive]
                                  Sets the level of logging interactively or
                                  accepts a configuration file.
    -l, --log-level [debug|info|warning|error]
                                  Provide the log level. Defaults to info.
                                  Mutually exclusive with providing a logging
                                  configuration file.
    -L, --log-config FILENAME     A config file for logging, mutually
                                  exclusive with setting the logging level
                                  interactively.
  -e, --email TEXT                The email to use.  [required]
  -t, --2captcha-token TEXT       A valid token for the 2captcha service if
                                  automatic captcha solving is required. Can
                                  read from "TWO_CAPTCHA_API_TOKEN"
                                  environment variable
  --help                          Show this message and exit.

Reset password

aws-account-lifecycle reset-password --help
Usage: aws-account-lifecycle reset-password [OPTIONS]

  Reset the password of an account.

Options:
  Logging options: [mutually_exclusive]
                                  Sets the level of logging interactively or
                                  accepts a configuration file.
    -l, --log-level [debug|info|warning|error]
                                  Provide the log level. Defaults to info.
                                  Mutually exclusive with providing a logging
                                  configuration file.
    -L, --log-config FILENAME     A config file for logging, mutually
                                  exclusive with setting the logging level
                                  interactively.
  -r, --reset-url TEXT            [required]
  -p, --password TEXT             The root password of the account.
                                  [required]
  --help                          Show this message and exit.

Terminate an account

aws-account-lifecycle terminate --help
Usage: aws-account-lifecycle terminate [OPTIONS]

  Terminate (suspend for 90 days first) an account.

Options:
  Logging options: [mutually_exclusive]
                                  Sets the level of logging interactively or
                                  accepts a configuration file.
    -l, --log-level [debug|info|warning|error]
                                  Provide the log level. Defaults to info.
                                  Mutually exclusive with providing a logging
                                  configuration file.
    -L, --log-config FILENAME     A config file for logging, mutually
                                  exclusive with setting the logging level
                                  interactively.
  -t, --2captcha-token TEXT       A valid token for the 2captcha service if
                                  automatic captcha solving is required. Can
                                  read from "TWO_CAPTCHA_API_TOKEN"
                                  environment variable
  -m, --mfa-seed TEXT             The original mfa seed of the account if
                                  virtual MFA is enabled.
  -r, --region TEXT               The home region of the account, can read
                                  from "AWS_DEFAULT_REGION" environment
                                  variable  [required]
  -p, --password TEXT             The root password of the account.
                                  [required]
  -e, --email TEXT                The email to use.  [required]
  --help                          Show this message and exit.

Update an account email

aws-account-lifecycle update-email --help
Usage: aws-account-lifecycle update-email [OPTIONS]

  Update the email of an account.

Options:
  Logging options: [mutually_exclusive]
                                  Sets the level of logging interactively or
                                  accepts a configuration file.
    -l, --log-level [debug|info|warning|error]
                                  Provide the log level. Defaults to info.
                                  Mutually exclusive with providing a logging
                                  configuration file.
    -L, --log-config FILENAME     A config file for logging, mutually
                                  exclusive with setting the logging level
                                  interactively.
  -t, --2captcha-token TEXT       A valid token for the 2captcha service if
                                  automatic captcha solving is required. Can
                                  read from "TWO_CAPTCHA_API_TOKEN"
                                  environment variable
  -m, --mfa-seed TEXT             The original mfa seed of the account if
                                  virtual MFA is enabled.
  -r, --region TEXT               The home region of the account, can read
                                  from "AWS_DEFAULT_REGION" environment
                                  variable  [required]
  -p, --password TEXT             The root password of the account.
                                  [required]
  -e, --email TEXT                The email to use.  [required]
  -n, --new-email TEXT            The email to update to.  [required]
  --help                          Show this message and exit.

Update an account name

aws-account-lifecycle update-name --help
Usage: aws-account-lifecycle update-name [OPTIONS]

  Update the name of an account.

Options:
  Logging options: [mutually_exclusive]
                                  Sets the level of logging interactively or
                                  accepts a configuration file.
    -l, --log-level [debug|info|warning|error]
                                  Provide the log level. Defaults to info.
                                  Mutually exclusive with providing a logging
                                  configuration file.
    -L, --log-config FILENAME     A config file for logging, mutually
                                  exclusive with setting the logging level
                                  interactively.
  -t, --2captcha-token TEXT       A valid token for the 2captcha service if
                                  automatic captcha solving is required. Can
                                  read from "TWO_CAPTCHA_API_TOKEN"
                                  environment variable
  -m, --mfa-seed TEXT             The original mfa seed of the account if
                                  virtual MFA is enabled.
  -r, --region TEXT               The home region of the account, can read
                                  from "AWS_DEFAULT_REGION" environment
                                  variable  [required]
  -p, --password TEXT             The root password of the account.
                                  [required]
  -e, --email TEXT                The email to use.  [required]
  -n, --name TEXT                 The name of the account.  [required]
  --help                          Show this message and exit.