
8 Examples of Sharing AWS Managed AD with Multiple Accounts from CLI and Console

Once you create a Managed AD in an AWS account, you can share this AD with other accounts.

This is a common use-case when you have AWS Managed Active Directory in a shared services account that needs to be shared with other workload accounts.

The following are a few points to keep in mind:

  • Sharing with another account works only within the same region where the Managed AD resides
  • The shared directory is visible to all the VPCs in the workload account
  • The shared directory in the workload account gets a directory id that is different from the original directory id in the shared services account
  • If the Managed AD directory is in an account where AWS Organizations is enabled, you also have the option of sharing it with all the accounts in the organization or with a specific account


This tutorial covers the following examples:

  1. Share Managed AD – AWS CLI
  2. View Current Managed AD Shares – AWS CLI
  3. Accept Directory Sharing – AWS CLI
  4. Unshare Directory – AWS CLI
  5. Reject Sharing – AWS CLI
  6. Share Managed AD – AWS Console
  7. Accept or Reject Directory Sharing – AWS Console
  8. Unshare Directory – AWS Console

1. Share Managed AD – AWS CLI

First, set the source directory id, and the destination AWS workload account number.

DIRECTORY_ID=d-123abc4567
WORKLOAD_ACCOUNT=222222222222

Execute the following command to share the directory to the workload account. Execute this command using the shared services account credentials.

aws ds share-directory --directory-id ${DIRECTORY_ID} \
  --share-notes "AD Directory for workload accounts" \
  --share-target "Id=${WORKLOAD_ACCOUNT},Type=ACCOUNT" \
  --share-method HANDSHAKE

To set up your AWS profiles properly before executing the CLI commands, refer to this: 15 AWS Configure Command Examples to Manage Multiple Profiles for CLI

In the above example:

  • DIRECTORY_ID – This is the Managed AD directory id that is in the shared services account
  • WORKLOAD_ACCOUNT – This is the AWS account number of the workload account to which you are sharing the Managed AD
  • share-method – Since we are specifically sharing with another account, use HANDSHAKE as the method

The following is the output of the above command, which displays the shared directory id.

{
    "SharedDirectoryId": "d-444efg5555"
}

2. View Current Managed AD Shares – AWS CLI

Once you’ve shared a directory, you can view the current status of the share and get a list of all the existing shares, as shown below.

DIRECTORY_ID=d-123abc4567

aws ds describe-shared-directories \
  --owner-directory-id ${DIRECTORY_ID}

The following is an example output:

{
  "SharedDirectories": [
    {
      "OwnerDirectoryId": "d-123abc4567",
      "ShareNotes": "AD Directory for workload accounts",
      "ShareMethod": "HANDSHAKE",
      "CreatedDateTime": 1558566663.171,
      "SharedAccountId": "222222222222",
      "SharedDirectoryId": "d-444efg5555",
      "ShareStatus": "PendingAcceptance",
      "OwnerAccountId": "111111111111",
      "LastUpdatedDateTime": 1558566663.171
    }
  ]
}

Note: In the above output, the ShareStatus is PendingAcceptance. This changes to “Shared” once the workload account accepts the share request.
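The describe-shared-directories output above is also what you would check from the shared services account to confirm that the directory is shared only with accounts that are supposed to have it. The following is an added example (not from the original article) that runs the same query in text output mode, reports the ShareStatus for a given workload account, lists any share target that is not on an approved list, and optionally polls until the workload account has accepted. The approved-account list and the sample share lines are constructed for the offline demonstration; only list_shares_live and wait_for_share call the AWS CLI.

```shell
#!/bin/sh
# Added example: audit Managed AD shares from the shared services account.
# Only list_shares_live and wait_for_share talk to AWS; the parsing functions
# work on the text-output format, so they can be exercised offline.

DIRECTORY_ID="d-123abc4567"                     # owner directory id from the article
APPROVED_ACCOUNTS="222222222222 333333333333"   # constructed allowlist of workload accounts

# Live query: one line per share, tab-separated:
#   SharedAccountId  SharedDirectoryId  ShareStatus
list_shares_live() {
    aws ds describe-shared-directories --owner-directory-id "$1" \
        --query 'SharedDirectories[].[SharedAccountId,SharedDirectoryId,ShareStatus]' \
        --output text
}

# Constructed sample in the same shape (awk splits on tabs or spaces alike).
SAMPLE_SHARES='222222222222 d-444efg5555 PendingAcceptance
333333333333 d-555hij6666 Shared
999999999999 d-666klm7777 Shared'

# share_status SHARES ACCOUNT -> prints the ShareStatus of the share to ACCOUNT,
# or "NotShared" when no share to that account exists.
share_status() {
    printf '%s\n' "$1" | awk -v acct="$2" '
        $1 == acct { print $3; found = 1 }
        END { if (!found) print "NotShared" }'
}

# unapproved_shares SHARES APPROVED -> prints every SharedAccountId that is not in
# the space-separated APPROVED list. Any output means the directory is exposed to
# an account nobody signed off on and should be investigated (and unshared).
unapproved_shares() {
    printf '%s\n' "$1" | awk -v approved="$2" '
        BEGIN { n = split(approved, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF >= 3 && !($1 in ok) { print $1 }'
}

# wait_for_share DIRECTORY_ID ACCOUNT [MAX_TRIES]: poll until the workload account
# has accepted (ShareStatus "Shared"). Returns 1 on timeout, rejection or failure.
wait_for_share() {
    tries="${3:-30}"
    while [ "$tries" -gt 0 ]; do
        status="$(share_status "$(list_shares_live "$1")" "$2")"
        case "$status" in
            Shared) return 0 ;;
            PendingAcceptance|Sharing) sleep 10 ;;
            *) echo "share to $2 is in state $status" >&2; return 1 ;;
        esac
        tries=$((tries - 1))
    done
    return 1
}

# Offline demonstration on the constructed sample: run with "--demo".
if [ "${1:-}" = "--demo" ]; then
    echo "status for 222222222222: $(share_status "$SAMPLE_SHARES" 222222222222)"
    echo "share targets not on the approved list:"
    unapproved_shares "$SAMPLE_SHARES" "$APPROVED_ACCOUNTS"
fi
```

Run it with `--demo` to see the offline result, or call `wait_for_share "$DIRECTORY_ID" 222222222222` with shared services credentials right after `aws ds share-directory` to block until the workload account has accepted. Running `unapproved_shares "$(list_shares_live "$DIRECTORY_ID")" "$APPROVED_ACCOUNTS"` on a schedule is a cheap way to catch a share that was created outside the normal process.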

3. Accept Directory Sharing – AWS CLI

Use the workload account credentials to accept the directory sharing as shown below.

aws ds accept-shared-directory \
  --shared-directory-id d-444efg5555

In the above example, d-444efg5555 is the shared directory id (not the directory id of the Managed AD in the shared services account).

A few ways to get the shared directory id:

  • It is returned in the output of the aws ds share-directory command
  • Log in to the workload account and get the directory id from the console
  • Use aws ds describe-shared-directories on the workload account to get this id
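Because accepting an invitation joins the workload account's VPCs to a directory that another account administers, it is worth confirming who sent the invitation before running accept-shared-directory. The following is an added example (not from the original article) that gates the accept call on the owner account matching the expected shared services account and on the share still being in PendingAcceptance. It assumes that, in the workload account, `aws ds describe-directories` reports the pending shared directory with OwnerDirectoryDescription.AccountId and ShareStatus; the account and directory ids are the ones used in the article.

```shell
#!/bin/sh
# Added example: verify the owner of a shared-directory invitation in the
# workload account before accepting it.

EXPECTED_OWNER="111111111111"       # shared services account from the article
SHARED_DIRECTORY_ID="d-444efg5555"  # shared directory id from the article

# Live lookup (workload account credentials). Assumption: describe-directories
# exposes the owner account and share state for a shared directory; the query
# returns one line "OWNER_ACCOUNT STATUS".
describe_share_live() {
    aws ds describe-directories --directory-ids "$1" \
        --query 'DirectoryDescriptions[0].[OwnerDirectoryDescription.AccountId,ShareStatus]' \
        --output text
}

# share_is_acceptable "OWNER STATUS" EXPECTED_OWNER
# Returns 0 only when the invitation is still pending and comes from
# EXPECTED_OWNER; otherwise prints the reason on stderr and returns 1.
share_is_acceptable() {
    owner="$(printf '%s\n' "$1" | awk '{print $1}')"
    status="$(printf '%s\n' "$1" | awk '{print $2}')"
    if [ "$owner" != "$2" ]; then
        echo "refusing: owner account '$owner' is not the expected $2" >&2
        return 1
    fi
    if [ "$status" != "PendingAcceptance" ]; then
        echo "nothing to accept: share status is '$status'" >&2
        return 1
    fi
    return 0
}

# accept_if_trusted SHARED_DIRECTORY_ID EXPECTED_OWNER: the gated accept.
accept_if_trusted() {
    if share_is_acceptable "$(describe_share_live "$1")" "$2"; then
        aws ds accept-shared-directory --shared-directory-id "$1"
    else
        return 1
    fi
}
```

Call `accept_if_trusted "$SHARED_DIRECTORY_ID" "$EXPECTED_OWNER"` with workload account credentials in place of the bare accept command; an invitation from any other account is left untouched so it can be reviewed and rejected with `aws ds reject-shared-directory`.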

4. Unshare Directory – AWS CLI

First, set the source directory id, and the destination AWS workload account number.

DIRECTORY_ID=d-123abc4567
WORKLOAD_ACCOUNT=222222222222

Execute the following command to unshare the directory from the workload account. Execute this command using the shared services account credentials.

aws ds unshare-directory --directory-id ${DIRECTORY_ID} \
  --unshare-target "Id=${WORKLOAD_ACCOUNT},Type=ACCOUNT"

5. Reject Sharing – AWS CLI

Use the workload account credentials to reject the directory sharing as shown below.

aws ds reject-shared-directory \
  --shared-directory-id d-444efg5555

In the above example, d-444efg5555 is the shared directory id (not the directory id of the Managed AD in the shared services account).

6. Share Managed AD – AWS Console

Login to your shared services account where Managed AD resides.

Go to Directory Service -> Directories -> Click on the directory id d-123abc4567 – Below the “Directory details”, click on “Scale & Share” tab.

[AWS Managed AD - Create Shared Directory]

From the action menu, click on “Create new shared directory”:

[AWS Managed AD Share Directory]
  • In the “Choose which AWS accounts to share with” section, select “Share this directory with other AWS accounts”
  • Enter the workload account number and click on Add
  • In the “Send a note” section, type a message that will be seen by the workload account. This is an optional field.
  • Click on “Share”

7. Accept or Reject Directory Sharing – AWS Console

Login to the workload account AWS console.

Go to Directory Service -> Directories shared with me.

On the top, you’ll see this message:
You have a pending invitation to use a shared directory hosted by another AWS account. An administrator in another AWS account has invited you to access their AWS Managed Microsoft AD directory.

Select this directory – Click on Review – Click on “Accept” (or) Click on “Reject”

[Managed AD Sharing Accept or Reject]

8. Unshare Directory – AWS Console

Login to your shared services account where Managed AD resides.

Go to Directory Service -> Directories -> Click on the directory id d-123abc4567 – Below the “Directory details”, click on “Scale & Share” tab.

From the action menu, click on “Unshare directory” – Click on “Unshare”

[Managed AD Unshare Directory]