AWS Organizations

2017/11/16 - AWS Organizations - 3 new api methods

Changes  This release adds APIs that you can use to enable and disable integration with AWS services designed to work with AWS Organizations. This integration allows the AWS service to perform operations on your behalf on all of the accounts in your organization. Although you can use these APIs yourself, we recommend that you instead use the commands provided in the other AWS service to enable integration with AWS Organizations.

ListAWSServiceAccessForOrganization (new) Link ¶

Returns a list of the AWS services that you enabled to integrate with your organization. After a service on this list creates the resources that it requires for the integration, it can perform operations on your organization and its accounts.

For more information about integrating other services with AWS Organizations, including the list of services that currently work with Organizations, see Integrating AWS Organizations with Other AWS Services in the AWS Organizations User Guide .

This operation can be called only from the organization's master account.

See also: AWS API Documentation

Request Syntax

client.list_aws_service_access_for_organization(
    NextToken='string',
    MaxResults=123
)
type NextToken

string

param NextToken

Use this parameter if you receive a NextToken response in a previous request that indicates that there is more output available. Set it to the value of the previous call's NextToken response to indicate where the output should continue from.

type MaxResults

integer

param MaxResults

(Optional) Use this to limit the number of results you want included in the response. If you do not include this parameter, it defaults to a value that is specific to the operation. If additional items exist beyond the maximum you specify, the NextToken response element is present and has a value (is not null). Include that value as the NextToken request parameter in the next call to the operation to get the next part of the results. Note that Organizations might return fewer results than the maximum even when there are more results available. You should check NextToken after every operation to ensure that you receive all of the results.

rtype

dict

returns

Response Syntax

{
    'EnabledServicePrincipals': [
        {
            'ServicePrincipal': 'string',
            'DateEnabled': datetime(2015, 1, 1)
        },
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • EnabledServicePrincipals (list) --

      A list of the service principals for the services that are enabled to integrate with your organization. Each principal is a structure that includes the name and the date that it was enabled for integration with AWS Organizations.

      • (dict) --

        A structure that contains details of a service principal that is enabled to integrate with AWS Organizations.

        • ServicePrincipal (string) --

          The name of the service principal. This is typically in the form of a URL, such as: servicename.amazonaws.com .

        • DateEnabled (datetime) --

          The date that the service principal was enabled for integration with AWS Organizations.

    • NextToken (string) --

      If present, this value indicates that there is more output available than is included in the current response. Use this value in the NextToken request parameter in a subsequent call to the operation to get the next part of the output. You should repeat this until the NextToken response element comes back as null .

DisableAWSServiceAccess (new) Link ¶

Disables the integration of an AWS service (the service that is specified by ServicePrincipal ) with AWS Organizations. When you disable integration, the specified service no longer can create a service-linked role in new accounts in your organization. This means the service can't perform operations on your behalf on any new accounts in your organization. The service can still perform operations in older accounts until the service completes its clean-up from AWS Organizations.

Warning

We recommend that you disable integration between AWS Organizations and the specified AWS service by using the console or commands that are provided by the specified service. Doing so ensures that the other service is aware that it can clean up any resources that are required only for the integration. How the service cleans up its resources in the organization's accounts depends on that service. For more information, see the documentation for the other AWS service.

After you perform the DisableAWSServiceAccess operation, the specified service can no longer perform operations in your organization's accounts unless the operations are explicitly permitted by the IAM policies that are attached to your roles.

For more information about integrating other services with AWS Organizations, including the list of services that work with Organizations, see Integrating AWS Organizations with Other AWS Services in the AWS Organizations User Guide .

This operation can be called only from the organization's master account.

See also: AWS API Documentation

Request Syntax

client.disable_aws_service_access(
    ServicePrincipal='string'
)
type ServicePrincipal

string

param ServicePrincipal

[REQUIRED]

The service principal name of the AWS service for which you want to disable integration with your organization. This is typically in the form of a URL, such as service-abbreviation.amazonaws.com .

returns

None

EnableAWSServiceAccess (new) Link ¶

Enables the integration of an AWS service (the service that is specified by ServicePrincipal ) with AWS Organizations. When you enable integration, you allow the specified service to create a service-linked role in all the accounts in your organization. This allows the service to perform operations on your behalf in your organization and its accounts.

Warning

We recommend that you enable integration between AWS Organizations and the specified AWS service by using the console or commands that are provided by the specified service. Doing so ensures that the service is aware that it can create the resources that are required for the integration. How the service creates those resources in the organization's accounts depends on that service. For more information, see the documentation for the other AWS service.

For more information about enabling services to integrate with AWS Organizations, see Integrating AWS Organizations with Other AWS Services in the AWS Organizations User Guide .

This operation can be called only from the organization's master account and only if the organization has enabled all features.

See also: AWS API Documentation

Request Syntax

client.enable_aws_service_access(
    ServicePrincipal='string'
)
type ServicePrincipal

string

param ServicePrincipal

[REQUIRED]

The service principal name of the AWS service for which you want to enable integration with your organization. This is typically in the form of a URL, such as service-abbreviation.amazonaws.com .

returns

None