Cannot create new AWS accounts using Landing Zone

[ShahradR]

Using an AWS Contol Tower-managed Landing Zone solution, we are not able to create new accounts using the quick account provisioning wizard.

Specifically, when the page is loaded, we are immediately returned with the following error.

If we try completing the form and creating the account anyway, an additional error message is returned.

[ShahradR]

This issue is currently blocking #1 – to complete the minimum viable product for the taskcat GitHub Action, we need to verify whether the action can deploy resources to an AWS account.

[ShahradR]

Based on the second error message, I tried resolving the configuration drift by repairing the landing zone, following this guide.

However, after the repair was complete, the problem persisted.

[ShahradR]

Found someone with a similar issue on the AWS Developer Forum – running aws servicecatalog list-launch-paths --product-id prod-************* returns the same error as the console.

Note that the product ID prod-************* has been obfuscated – you should use the same product ID returned in the console error message.

[ShahradR]

The issue was resolved by assigning an IAM group to the portfolio's permissions. This automatically created a launch path, and allowed the quick account provisioning wizard to complete.

It seems that a launch path is created automatically, and details which users can access what portfolios, given certain constraints. It's a bit complicated, so I will maybe follow-up with a more in-depth analysis. See this blog post by Ran Xing for more details and troubleshooting tips.

As far as this issue is concerned, however, adding the group to the portfolio has solved our problem.