New Account Creation Error from AWS Control Tower


I'm getting an error when enrolling an account into Control Tower, though my colleague is able to enroll a new account with the same permissions.

Error details: An unknown error occurred. Try again later, or contact AWS Support. No launch paths found for resource: prod-xxxxxxxxxxxx

AWS Control Tower can't create your account due to potential drift in your landing zone. Check your landing zone and try using the advanced account provisioning method to create your account.

Note: there is no drift in our landing zone.

I tried all the possible solutions, but the same error still exists. Has anyone faced the same issue?


There are 3 best solutions below


I got this error when I wanted to enroll an account through Account Factory in Control Tower:

AWS Control Tower can't create your account due to potential drift in your landing zone. Check your landing zone and try using the advanced account provisioning method to create your account.

Then I found this document, and repairing the landing zone from the Landing zone settings page worked for me:

https://docs.aws.amazon.com/controltower/latest/userguide/drift.html

Resolving drift
Although detection is automatic, the steps to resolve drift must be done through the console.

Many types of drift can be resolved through the Landing zone settings page. You can choose the Repair button in the Versions section to repair these types of drift.

If your OU has fewer than 300 accounts, you can repair drift by selecting Re-register OU on the OU page, to repair drift in Account Factory provisioned accounts, or SCP drift.

Update: I had this error today, with similar symptoms, when I wanted to create an account.

Error message: Unable to launch provisioned product because: No launch paths found for resource

I figured out it was because I log in as an IAM identity user (SSO login), and in the Service Catalog console, under Administration -> Portfolio -> Access, you need to grant access to your portfolio.


This is what I followed, in sequence.

  • As the root user, I repaired the landing zone from Landing zone settings in AWS Control Tower: did not work.
  • Logged out as the root user and logged in as an IAM user with admin privileges: did not work.
  • Logged in as an IAM user with admin access:
    • In AWS Service Catalog, go to Portfolios (left-hand navigation pane).
    • Click on the portfolio associated with Control Tower. The portfolio name may be something like 'AWS Control Tower Account Factory Portfolio'.
    • Go to the Groups, roles and users tab.
    • Click on Add groups, roles, users.
    • Go to the Users tab and add the IAM user you use for creating new accounts through Control Tower: worked.

This error message is generated by AWS Service Catalog, which is the integrated service that helps provision accounts in AWS Control Tower.

Common Causes:

  • You may be logged in as root. AWS Control Tower does not support creating accounts when you're logged in as root.
  • Your SSO user has not been added to the appropriate permission group.
  • If you are authenticated as an IAM user, you must add it to the AWS Service Catalog portfolio so that it has the correct permissions.
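The console steps in the second answer and the causes listed in the third can be checked and applied from code as well. The following is an added example written for this page, not code from the thread or from AWS. Its pure functions take responses shaped like the boto3 Service Catalog API (ListPortfolios, ListPrincipalsForPortfolio, ListLaunchPaths); the sample responses at the bottom are constructed to mirror the symptom in the question, and the portfolio name, account id and principal ARN are placeholders. Only `remediate_portfolio_access()` touches AWS, and it assumes boto3 plus management-account credentials.

```python
"""Diagnose and fix the Service Catalog "No launch paths found" error that
AWS Control Tower Account Factory raises when the caller is not associated
with the Account Factory portfolio.

Added example (not from the thread or from AWS). Pure helpers operate on
dicts shaped like boto3 ServiceCatalog responses; remediate_portfolio_access()
is the only function that calls AWS and needs boto3 + credentials.
"""
from __future__ import annotations

# Portfolio name as quoted in the thread; verify it in your own account.
ACCOUNT_FACTORY_PORTFOLIO = "AWS Control Tower Account Factory Portfolio"


def find_portfolio_id(list_portfolios_response: dict,
                      display_name: str = ACCOUNT_FACTORY_PORTFOLIO) -> str | None:
    """Return the Id of the portfolio whose DisplayName matches, else None."""
    for portfolio in list_portfolios_response.get("PortfolioDetails", []):
        if portfolio.get("DisplayName") == display_name:
            return portfolio["Id"]
    return None


def principal_has_access(list_principals_response: dict, principal_arn: str) -> bool:
    """True if the IAM user/role ARN is already associated with the portfolio."""
    return any(p.get("PrincipalARN") == principal_arn
               for p in list_principals_response.get("Principals", []))


def launch_path_count(list_launch_paths_response: dict) -> int:
    """Launch paths visible to the caller; 0 is exactly the thread's error."""
    return len(list_launch_paths_response.get("LaunchPathSummaries", []))


def diagnose(list_principals_response: dict, list_launch_paths_response: dict,
             principal_arn: str) -> str:
    """Map observed state to one of the causes listed in the third answer."""
    if launch_path_count(list_launch_paths_response) > 0:
        return "ok"
    if principal_arn.endswith(":root"):
        return "root-user"  # Control Tower does not create accounts as root
    if not principal_has_access(list_principals_response, principal_arn):
        return "principal-not-associated"  # fix: grant portfolio access
    return "unknown"  # launch paths still missing: check landing zone drift


def remediate_portfolio_access(principal_arn: str, region: str = "us-east-1") -> dict:
    """Associate the principal with the Account Factory portfolio if missing,
    then report launch paths per product. ListLaunchPaths is evaluated for the
    *calling* identity, so run this step as the principal that will use
    Account Factory to get a meaningful count."""
    import boto3  # imported lazily so the pure helpers run without boto3
    sc = boto3.client("servicecatalog", region_name=region)
    pid = find_portfolio_id(sc.list_portfolios())
    if pid is None:
        raise RuntimeError(f"portfolio {ACCOUNT_FACTORY_PORTFOLIO!r} not found")
    if not principal_has_access(sc.list_principals_for_portfolio(PortfolioId=pid),
                                principal_arn):
        sc.associate_principal_with_portfolio(PortfolioId=pid,
                                              PrincipalARN=principal_arn,
                                              PrincipalType="IAM")
    products = sc.search_products_as_admin(PortfolioId=pid)["ProductViewDetails"]
    return {p["ProductViewSummary"]["ProductId"]:
            launch_path_count(sc.list_launch_paths(
                ProductId=p["ProductViewSummary"]["ProductId"]))
            for p in products}


# Constructed sample responses (not real AWS output), placeholder ids/ARNs.
USER_ARN = "arn:aws:iam::111122223333:user/ct-provisioner"
SAMPLE_PORTFOLIOS = {"PortfolioDetails": [
    {"Id": "port-EXAMPLE", "DisplayName": ACCOUNT_FACTORY_PORTFOLIO},
    {"Id": "port-OTHER", "DisplayName": "Some other portfolio"}]}
# Before the fix: only the colleague's user is associated, no launch paths.
SAMPLE_PRINCIPALS_BEFORE = {"Principals": [
    {"PrincipalARN": "arn:aws:iam::111122223333:user/colleague", "PrincipalType": "IAM"}]}
SAMPLE_LAUNCH_PATHS_BEFORE = {"LaunchPathSummaries": []}
# After adding the user on the portfolio's Access tab.
SAMPLE_PRINCIPALS_AFTER = {"Principals": SAMPLE_PRINCIPALS_BEFORE["Principals"] +
                           [{"PrincipalARN": USER_ARN, "PrincipalType": "IAM"}]}
SAMPLE_LAUNCH_PATHS_AFTER = {"LaunchPathSummaries": [{"Id": "lpv-EXAMPLE", "Name": "Default"}]}

if __name__ == "__main__":
    print(diagnose(SAMPLE_PRINCIPALS_BEFORE, SAMPLE_LAUNCH_PATHS_BEFORE, USER_ARN))
    print(diagnose(SAMPLE_PRINCIPALS_AFTER, SAMPLE_LAUNCH_PATHS_AFTER, USER_ARN))
```

Granting access here is the API equivalent of the console's "Groups, roles and users" tab; it only makes the user a Service Catalog end user of that portfolio and does not widen IAM permissions, so the principal still needs whatever Control Tower policy it already had. Keep the association to the specific users or roles that provision accounts rather than a broad admin group, since anyone with portfolio access can launch Account Factory products.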