≡ Menu

8 Examples of Sharing AWS Managed AD with Multiple Accounts from CLI and Console

Once you create a Managed AD in an AWS account, you can share this AD with other accounts.

This is a common use-case when you have AWS Managed Active Directory in a shared services account that needs to be shared with other workload accounts.

The following are few points to keep in mind:

  • Sharing to another account can happen only within the same region where the Managed AD resides
  • Shared directory will be visible to all the VPCs in the workload accounts
  • The shared directory on the workload account will get a directory id that is different than the original directory id in the shared services account.
  • If Managed AD directory is in an account where organization is enabled, then you also have the option of sharing it with all the accounts within the organization or with a specific account


This tutorial covers the following examples:

  1. Share Managed AD – AWS CLI
  2. View Current Managed AD Shares – AWS CLI
  3. Accept Directory Sharing – AWS CLI
  4. Unshare Directory – AWS CLI
  5. Reject Sharing – AWS CLI
  6. Share Managed AD – AWS Console
  7. Accept or Reject Directory Sharing – AWS Console
  8. Unshare Directory – AWS Console

1. Share Managed AD – AWS CLI

First, set the source directory id, and the destination AWS workload account number.

DIRECTORY_ID=d-123abc4567
WORKLOAD_ACCOUNT=222222222222

Execute the following command to share the directory to the workload account. Execute this command using the shared services account credentials.

aws ds share-directory --directory-id ${DIRECTORY_ID} \
  --share-notes "AD Directory for workload accounts" \
  --share-target "Id=${WORKLOAD_ACCOUNT},Type=ACCOUNT" \
  --share-method HANDSHAKE

To setup your aws profiles properly before executing your CLI commands, refer to this: 15 AWS Configure Command Examples to Manage Multiple Profiles for CLI

In the above example:

  • DIRECTORY_ID – This is the Managed AD directory id that is in the shared services account
  • WORKLOAD_ACCOUNT – This is the AWS account number of the workload account to which you are sharing the Managed AD
  • share-method – Since we are specifically sharing with another account, use HANDSHAKE as the method

The following is the output of the above command, which displays the shared directory id.

{
    "SharedDirectoryId": "d-444efg5555"
}

2. View Current Managed AD Shares – AWS CLI

Once you’ve shared a directory, you can view the current status of the sharing, and also to get a list of all the existing shares as shown below.

DIRECTORY_ID=d-123abc4567

aws ds describe-shared-directories \
  --owner-directory-id ${DIRECTORY_ID}

The following is an example output:

{
  "SharedDirectories": [
    {
      "OwnerDirectoryId": "d-123abc4567",
      "ShareNotes": "AD Directory for workload accounts",
      "ShareMethod": "HANDSHAKE",
      "CreatedDateTime": 1558566663.171,
      "SharedAccountId": "222222222222",
      "SharedDirectoryId": "d-444efg5555",
      "ShareStatus": "PendingAcceptance",
      "OwnerAccountId": "111111111111",
      "LastUpdatedDateTime": 1558566663.171
    }
  ]
}

Note: In the above output, the ShareStatus is PendingAcceptance. This will change to “Shared” once the workload account accept the share request.

3. Accept Directory Sharing – AWS CLI

Use the workload account credentials to accept the directory sharing as shown below.

aws ds accept-shared-directory \
  --shared-directory-id d-444efg5555

In the above example, d-444efg5555 is the shared directory id (not the directory id of the Managed AD in the shared services account).

Few ways to get the shared directory id:

  • You’ll get this as an output from this CLI: aws ds share-directory
  • Login to the workload account, and get the directory id from the console
  • Use aws ds describe-shared-directories on the workload account, to get this id

4. Unshare Directory – AWS CLI

First, set the source directory id, and the destination AWS workload account number.

DIRECTORY_ID=d-123abc4567
WORKLOAD_ACCOUNT=222222222222

Execute the following command to share the directory to the workload account. Execute this command using the shared services account credentials.

aws ds unshare-directory --directory-id ${DIRECTORY_ID} \
  --unshare-target "Id=${WORKLOAD_ACCOUNT},Type=ACCOUNT"

5. Reject Sharing – AWS CLI

Use the workload account credentials to reject the directory sharing as shown below.

aws ds reject-shared-directory \
  --shared-directory-id d-444efg5555

In the above example, d-444efg5555 is the shared directory id (not the directory id of the Managed AD in the shared services account).

6. Share Managed AD – AWS Console

Login to your shared services account where Managed AD resides.

Go to Directory Service -> Directories -> Click on the directory id d-123abc4567 – Below the “Directory details”, click on “Scale & Share” tab.

[AWS Managed AD - Create Shared Directory]

From the action menu, click on “Create new shared directory”:

[AWS Managed AD Share Directory]

  • In the “Choose which AWS accounts to share with” section, select “Share this directory with other AWS accounts”
  • Enter the workload account number and click on Add
  • In the “Send a note” section, type a message that will be seen by the workload account. This is an optional field.
  • Click on “Share”

7. Accept or Reject Directory Sharing – AWS Console

Login to the workload account AWS console.

Go to Directory Service -> Directories shared with me.

On the top, you’ll see this message:
You have a pending invitation to use a shared directory hosted by another AWS account. An administrator in another AWS account has invited you to access their AWS Managed Microsoft AD directory.

Select this directory – Click on Review – Click on “Accept” (or) Click on “Reject”

[Managed AD Sharing Accept or Reject]

8. Unshare Directory – AWS Console

Login to your shared services account where Managed AD resides.

Go to Directory Service -> Directories -> Click on the directory id d-123abc4567 – Below the “Directory details”, click on “Scale & Share” tab.

From the action menu, click on “Unshare directory” – Click on “Unshare”

[Managed AD Unshare Directory]

If you enjoyed this article, you might also like..

  1. 50 Linux Sysadmin Tutorials
  2. 50 Most Frequently Used Linux Commands (With Examples)
  3. Top 25 Best Linux Performance Monitoring and Debugging Tools
  4. Mommy, I found it! – 15 Practical Linux Find Command Examples
  5. Linux 101 Hacks 2nd Edition eBook Linux 101 Hacks Book

Bash 101 Hacks Book Sed and Awk 101 Hacks Book Nagios Core 3 Book Vim 101 Hacks Book

{ 0 comments… add one }

Leave a Comment