Create a new AWS account

When we create a new AWS account[1], we create it as an AWS Member Account under our AWS Management Account, 2i2c-sandbox. We then grant a group of IAM users in the management account permission to manage the created member account. This way, we can sign in to manage the member accounts using users defined in the 2i2c-sandbox account.

More information on these terms can be found in AWS Access.

  1. Login at https://2i2c.awsapps.com/start/#

  2. Visit the Management Console of 2i2c-sandbox, the AWS Management Account

  3. Visit the Organizations Accounts Console and click “Add an AWS account”

  4. Enter an AWS account name

    Avoid using 2i2c in the account name in case the user decides to exercise their right to replicate at some point.

  5. Enter an email address for the account’s owner

    Use support+aws-<aws account name>@2i2c.org, like support+aws-smithsonian@2i2c.org. Mail to this address is still delivered to support@2i2c.org, but the address itself functions as a unique username identifier. This is called subaddressing.

  6. Click “Create AWS account”

  7. AWS will send an email to Freshdesk about this new account, opening a new ticket. Close the ticket in Freshdesk to keep our support queue clean.

  8. While still logged in to the 2i2c-sandbox management account, go to the AWS accounts section of the IAM Identity Center

  9. To add the new account to our SSO:

    • Select the checkbox next to the new account and then click the “Assign users or groups” button

    • On the “Groups” tab, select the “2i2c-engineers” group. Click “Next”.

    • On the “Permission Set” page, select “AdministratorAccess”. Click “Next”.

    • On the “Review and submit assignments” page, click “Submit”.

You have successfully created a new AWS account and connected it to our AWS Organization’s Management Account! Now, set up a new cluster inside it via Terraform.
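The same steps can be scripted with the AWS CLI. This is an added example, not tooling from the 2i2c infrastructure docs; it assumes the CLI is already authenticated against the 2i2c-sandbox management account with Organizations and IAM Identity Center admin rights, and that the group and permission set are named exactly as in steps 9 above.

```shell
# Added example, not the 2i2c documentation's own tooling: the CLI equivalent of
# steps 3-9 above. Assumes the AWS CLI is authenticated against the 2i2c-sandbox
# management account with Organizations and IAM Identity Center admin rights.
set -eu

# Step 4 guidance: never put "2i2c" in the account name.
valid_account_name() {
  case "$1" in
    ""|*2i2c*) return 1 ;;
    *) return 0 ;;
  esac
}

# Step 5 guidance: subaddressed owner email, e.g. support+aws-smithsonian@2i2c.org.
owner_email() { printf 'support+aws-%s@2i2c.org\n' "$1"; }
# Steps 6-9: create the member account, wait for it, then grant the
# 2i2c-engineers group AdministratorAccess on it through IAM Identity Center.
create_member_account() {
  name=$1
  valid_account_name "$name" || { echo "refusing account name: $name" >&2; return 1; }
  req_id=$(aws organizations create-account --email "$(owner_email "$name")" \
    --account-name "$name" --query CreateAccountStatus.Id --output text)
  # Account creation is asynchronous: poll until it leaves IN_PROGRESS.
  state=IN_PROGRESS
  while [ "$state" = IN_PROGRESS ]; do
    sleep 10
    state=$(aws organizations describe-create-account-status --create-account-request-id "$req_id" \
      --query CreateAccountStatus.State --output text)
  done
  [ "$state" = SUCCEEDED ] || { echo "account creation ended in state $state" >&2; return 1; }
  account_id=$(aws organizations describe-create-account-status --create-account-request-id "$req_id" \
    --query CreateAccountStatus.AccountId --output text)
  # Resolve the Identity Center instance, the group and the permission set by name.
  instance_arn=$(aws sso-admin list-instances --query 'Instances[0].InstanceArn' --output text)
  store_id=$(aws sso-admin list-instances --query 'Instances[0].IdentityStoreId' --output text)
  group_id=$(aws identitystore get-group-id --identity-store-id "$store_id" --query GroupId --output text \
    --alternate-identifier 'UniqueAttribute={AttributePath=DisplayName,AttributeValue=2i2c-engineers}')
  ps_arn=
  for arn in $(aws sso-admin list-permission-sets --instance-arn "$instance_arn" --query 'PermissionSets[]' --output text); do
    ps_name=$(aws sso-admin describe-permission-set --instance-arn "$instance_arn" \
      --permission-set-arn "$arn" --query PermissionSet.Name --output text)
    if [ "$ps_name" = AdministratorAccess ]; then ps_arn=$arn; fi
  done
  [ -n "$ps_arn" ] || { echo "no AdministratorAccess permission set found" >&2; return 1; }
  aws sso-admin create-account-assignment --instance-arn "$instance_arn" \
    --target-id "$account_id" --target-type AWS_ACCOUNT \
    --permission-set-arn "$ps_arn" --principal-type GROUP --principal-id "$group_id" >/dev/null
  echo "$account_id"
}
```

Run it as `create_member_account smithsonian`; it prints the new account ID once the assignment is in place, and step 7 (closing the Freshdesk ticket) still has to be done by hand.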

Checking quotas and requesting increases

Cloud providers like AWS require their users to request a Service Quota increase[2] for any substantial use of their services. Quotas act as an upper bound on, for example, the number of CPUs of a certain machine type and the number of public IPs that the account can acquire.

When an AWS account is created under our AWS Organization, the default quotas that AWS applies to our organization are already set up for the new account. By default, we don’t need to request quota increases here.

We typically need to increase the kinds of quotas described below. These are all measured in ‘Total CPUs’, so larger nodes consume more quota.

Manually requesting a quota increase

  1. Visit the Service Quotas console and select “AWS services” from the left-hand side menu

  2. Search for the service you would like to manage the quotas for, e.g., “Amazon Elastic Kubernetes Service (Amazon EKS)”

  3. Select the quota you would like to manage, e.g., “Nodes per managed node group”

  4. Click the “Request quota increase” button in the “Recent quota increase requests” section of the page

  5. Fill in the form that pops up and change the quota value (must be greater than the current quota value), then click “Request”

Footnotes