I recently worked with a customer who’d been trying to vend a new account through their AWS Landing Zone for over an hour. The Service Catalog product looked fine in the console, but the CodePipeline was stuck with a cryptic “Failed” status. After digging through CloudWatch logs and checking IAM permissions, we discovered the issue was a combination of factors. In this post, I’ll walk through exactly what causes Account Vending Machine failures and how to fix them.
The Problem
When you launch the Account Vending Machine (AVM) product in Service Catalog, a CodePipeline execution starts. One or more stages fail, and the provisioned product gets stuck in an UNDER_CHANGE or FAILED state. The pipeline stage AWS-Landing-Zone-Launch-AVM shows “Failed” with no obvious error visible in the console.
Common error messages you might see:
| Error Type | Description |
|---|---|
| Lambda execution timeout | Task timed out after 900 seconds (15 minutes) |
| Access Denied | User is not authorized to perform: organizations:CreateAccount |
| Invalid manifest | InvalidParameter: OU does not exist or email already in use |
| API throttling | Rate exceeded for CreateAccount API |
Why Does This Happen?
Landing Zone uses a Lambda function embedded in the CodePipeline to handle account creation, baseline setup, and resource provisioning. Several things can break this process:
- Lambda timeout: The AVM Lambda has a hard 15-minute timeout. If account creation takes longer (especially when provisioning complex networking), it fails. This happens most often when AWS Organizations is under load or when the baseline StackSet has many resources.
- Insufficient IAM permissions: The AVM Lambda execution role needs explicit permissions for organizations:CreateAccount, servicecatalog:UpdateProvisionedProduct, and cloudformation:DescribeStacks. Missing permissions silently fail at runtime.
- AWS Organizations API throttling: AWS throttles the CreateAccount API to 1 account per 5 minutes. If you’re vending multiple accounts rapidly, you’ll hit this limit and the pipeline queues up.
- Invalid manifest.yaml parameters: Typos in OU names, invalid email addresses, or email addresses already registered to another AWS account cause the account creation step to fail.
- Email address already in use: Every AWS account needs a unique root email. If you reuse an email that is already registered to another account (alias notation does not get around this), the CreateAccount API rejects it.
The Fix
Step 1: Check the CodePipeline Execution
Start by examining the pipeline to find where it failed:
```bash
aws codepipeline list-pipeline-executions \
  --pipeline-name AWS-Landing-Zone-Initiation \
  --region us-east-1 \
  --output table
```
Find the failed execution and get detailed status:
```bash
aws codepipeline get-pipeline-execution \
  --pipeline-name AWS-Landing-Zone-Initiation \
  --pipeline-execution-id abc12345-1234-1234-1234-123456789012 \
  --region us-east-1
```
Step 2: Check CloudWatch Logs
The Lambda that powers AVM writes detailed logs. Find the log group first:
```bash
aws logs describe-log-groups \
  --log-group-name-prefix /aws/lambda/AWS-Landing-Zone \
  --region us-east-1
```
Then stream the logs from the Lambda:
```bash
aws logs tail /aws/lambda/AWS-Landing-Zone-LaunchAVM \
  --follow \
  --region us-east-1
```
Look for “Lambda timed out”, “AccessDenied”, or “InvalidParameter” messages.
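Scanning the tailed log by eye works for one execution, but the same four error strings recur across retries. This added example (mine, not part of the original post or the Landing Zone code) classifies log lines into the error types from the table above and pulls the missing IAM action out of an AccessDenied message; the log lines are constructed samples shaped like the messages the post lists.

```python
import re

# Constructed sample lines in the shape of the AVM Lambda's CloudWatch output;
# they are not real log output, just the error strings the post lists.
SAMPLE_LOG_LINES = [
    "START RequestId: 1111-aaaa Version: $LATEST",
    "1111-aaaa Task timed out after 900.00 seconds",
    "[ERROR] AccessDeniedException when calling CreateAccount: User is not "
    "authorized to perform: organizations:CreateAccount on resource: *",
    "[ERROR] InvalidParameter: OU does not exist or email already in use",
    "[ERROR] TooManyRequestsException: Rate exceeded for CreateAccount API",
    "END RequestId: 1111-aaaa",
]

# (pattern, error type, fix): the four failure classes from the table,
# each paired with the remedy the post gives for it in Step 4.
RULES = [
    (re.compile(r"Task timed out after", re.I), "Lambda execution timeout",
     "trim the baseline StackSet or raise the Lambda timeout, then retry"),
    (re.compile(r"AccessDenied|not authorized to perform", re.I), "Access Denied",
     "add the missing action to the AVM Lambda execution role"),
    (re.compile(r"InvalidParameter", re.I), "Invalid manifest",
     "fix the OU name or root email in manifest.yaml"),
    (re.compile(r"Rate exceeded|Throttl", re.I), "API throttling",
     "wait 5 minutes and start a new pipeline execution"),
]

ACTION_RE = re.compile(r"not authorized to perform:\s*([\w-]+:[\w*]+)")

def missing_action(line):
    """Pull the IAM action out of an AccessDenied line, or None if absent."""
    match = ACTION_RE.search(line)
    return match.group(1) if match else None

def triage(lines):
    """Return (line_no, error_type, fix) for each line matching a known failure."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for pattern, error_type, fix in RULES:
            if pattern.search(line):
                if error_type == "Access Denied" and missing_action(line):
                    fix = f"grant {missing_action(line)} to the AVM Lambda execution role"
                findings.append((line_no, error_type, fix))
                break  # first matching rule wins
    return findings

if __name__ == "__main__":
    for line_no, error_type, fix in triage(SAMPLE_LOG_LINES):
        print(f"line {line_no}: {error_type} -> {fix}")
```

Feed it the output of the aws logs tail command above (one line per list entry) to get a per-line verdict instead of reading the whole stream.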
Step 3: Verify the Service Catalog Product
Check if the provisioned product exists and its status:
```bash
aws servicecatalog list-provisioned-products \
  --filters Key=Account,Value=SELF \
  --region us-east-1 \
  --output table
```
Describe the specific product to see stack events:
```bash
aws servicecatalog describe-provisioned-product \
  --id pp-abc123def456 \
  --region us-east-1
```
Step 4: Fix the Issue
For Lambda timeout: Check whether the baseline StackSet is deploying too many resources. Consider removing optional resources or increasing the Lambda timeout in the Landing Zone template (if you have access). For immediate relief, retry the pipeline after a few minutes.
For IAM permissions: Verify the AVM Lambda execution role has these policies:
- organizations:CreateAccount
- servicecatalog:UpdateProvisionedProduct
- cloudformation:* (or more restrictive equivalents)
For manifest.yaml errors: Validate your OU name exists:
```bash
aws organizations list-organizational-units-for-parent \
  --parent-id r-xxxx \
  --region us-east-1
```
Ensure the email address is unique (no other AWS account uses it). Use a new address or an email alias service.
For rate limiting: Simply wait 5 minutes and retry:
```bash
aws codepipeline start-pipeline-execution \
  --pipeline-name AWS-Landing-Zone-Initiation \
  --region us-east-1
```
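The OU and email checks in the manifest step are worth running before launching the AVM product at all, since a bad manifest costs a full pipeline run to discover. This added example is mine, not the post's or Landing Zone's code: it validates simplified manifest entries (key names assumed) against constructed lists of existing OU names and root emails, which in practice would come from the list-organizational-units-for-parent and list-accounts CLI calls, and flags the OU typo with a suggested correction.

```python
import re
from difflib import get_close_matches

# Constructed sample data, not from the post. Live values would come from
# `aws organizations list-organizational-units-for-parent` (OU names) and
# `aws organizations list-accounts` (root emails already in the organization).
EXISTING_OUS = ["Security", "Infrastructure", "Workloads"]
EXISTING_EMAILS = {"aws-root+security@example.com", "aws-root+shared@example.com"}

# Simplified stand-in for the account entries in manifest.yaml (key names assumed).
# Second entry reuses an existing email, third has an OU typo, fourth a bad address.
MANIFEST_ACCOUNTS = [
    {"name": "payments-prod", "email": "aws-root+payments@example.com", "ou": "Workloads"},
    {"name": "logging", "email": "aws-root+security@example.com", "ou": "Security"},
    {"name": "sandbox", "email": "aws-root+sandbox@example.com", "ou": "Workload"},
    {"name": "bad-mail", "email": "not-an-email", "ou": "Workloads"},
]

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def check_account(account, existing_ous, existing_emails, seen_emails):
    """Return the problems in one manifest entry that would make CreateAccount fail."""
    problems = []
    email = account["email"].strip().lower()
    if not EMAIL_RE.match(email):
        problems.append(f"{account['name']}: invalid email '{account['email']}'")
    elif email in existing_emails:
        problems.append(f"{account['name']}: email already used by an existing account")
    elif email in seen_emails:
        problems.append(f"{account['name']}: email duplicated within the manifest")
    seen_emails.add(email)
    if account["ou"] not in existing_ous:
        # Typos in OU names are the common case, so offer the closest real OU.
        hint = get_close_matches(account["ou"], existing_ous, n=1)
        suggestion = f" (did you mean '{hint[0]}'?)" if hint else ""
        problems.append(f"{account['name']}: OU '{account['ou']}' not found{suggestion}")
    return problems

def validate_manifest(accounts, existing_ous, existing_emails):
    """Run every entry through check_account; an empty list means safe to launch AVM."""
    seen_emails = set()
    problems = []
    for account in accounts:
        problems.extend(check_account(account, existing_ous, existing_emails, seen_emails))
    return problems

if __name__ == "__main__":
    for problem in validate_manifest(MANIFEST_ACCOUNTS, EXISTING_OUS, EXISTING_EMAILS):
        print(problem)
```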
Is This Safe?
Retrying the pipeline is safe—if the account was partially created, AWS Organizations will skip the CreateAccount step on retry. Checking logs and permissions doesn’t modify anything and is always safe to do.
Key Takeaway
Account Vending Machine failures usually come down to timeouts, permissions, or invalid inputs. Always check CloudWatch logs first, verify IAM permissions on the Lambda role, and ensure your manifest.yaml parameters are correct before retrying.
Have questions or ran into a different Landing Zone issue? Connect with me on LinkedIn or X.