Source & Binary

Integrating your original AWS account(s)

Most likely, you’ve already opened (at least) one AWS account(s), and you’re probably a little apprehensive about what will happen to it once you adopt Substrate. Let’s address the two most common concerns right away:

  1. Don’t worry, you won’t be left maintaining two AWS worlds forever.
  2. Yes, you’ll be able to keep your AWS credit balance.

In fact, integrating your original AWS account(s) into your new Substrate-managed AWS organization is a good idea for a few reasons:

You can invite as many AWS accounts as you like into your new Substrate-managed AWS organization but only if you have not configured AWS Organizations manually in those accounts. If you have and you would still like to adopt Substrate, ask us at and we’ll work with you to make everything right.

Inviting the account into your organization

To begin, you’ll need root (not IAM user) login credentials for the AWS Console for the account you wish to invite into your organization. If you don’t have them now or you just don’t want to do this now, feel free to skip this section and come back to it later. When you’re ready, proceed:

  1. Open the Accounts page of your Intranet
  2. Assume the OrganizationAdministrator role in your management account
  3. Visit
  4. Click Add account
  5. Click Invite account
  6. Enter the email address of your original AWS account, the one that you’re inviting into your organization (or its account number, if you have that handy)
  7. Click Invite
  8. In an incognito window, sign into the AWS Console using root (not IAM user) credentials for the account you just invited into your organization
  9. In that incognito window, visit and delete any existing trails (to avoid very expensive surprises in your consolidated AWS bills)
  10. In that incognito window, visit
  11. Click Accept
  12. Click Confirm

If you stop here, you’ll have integrated billing data from your original AWS account into your organization and you’ll have the ability to constrain your original AWS account using service control policies.

To allow your admin accounts to access this original AWS account, use the AWS Console in your original AWS account to create the Administrator role as follows:

  1. Note all the role ARNs in the table listing your admin accounts in substrate.accounts.txt
  2. Create a new role named Administrator in your original AWS account with the following assume role policy, substituting your admin account number for ADMIN_ACCOUNT_NUMBER (and adding additional elements to that list if you have multiple admin accounts):

      "Version": "2012-10-17",
      "Statement": [
          "Effect": "Allow",
          "Principal": {
            "AWS": [
          "Action": "sts:AssumeRole"
  3. Attach the managed AdministratorAccess policy to this new role

This manual change in the AWS Console, which would usually be distasteful, has paved the way for Substrate to manage your original AWS account, especially this Administrator role. To complete the integration, run substrate create-account -domain domain -environment environment -quality quality -number 12-digit-account-number to tag your original AWS account, manage its Administrator and Auditor roles, and generate its basic Terraform directory structure.

After you’ve completed these steps, your original AWS account is part of your Substrate-managed AWS organization, just like any other service account.

Deleting unnecessary root access keys

Managing your infrastructure in service accounts