Make sure to replace ${ACCOUNT_EMAIL} with a valid e-mail address you have access to; it becomes the root user's address for the new account.

    AWS_PROFILE=myorg-master aws organizations create-account --email ${ACCOUNT_EMAIL} --account-name "Log archive"
The response should look like this:

    {
        "CreateAccountStatus": {
            "Id": "car-ldsfjdflsjldfsjlsdffjlfds",
            "AccountName": "Log archive",
            "State": "IN_PROGRESS",
            "RequestedTimestamp": 1562429570.66
        }
    }
The role OrganizationAccountAccessRole is created automatically in the new account. Its trust policy allows the master account to assume it, which gives all users in the Administrators group access to the new account.
Extend the file ~/.aws/config as follows:

    [profile myorg-log-archive]
    role_arn = arn:aws:iam::${AWS_ACCOUNT_ID}:role/OrganizationAccountAccessRole
    mfa_serial = ${MFA_SERIAL}
    source_profile = myorg-master
Replace ${AWS_ACCOUNT_ID} with the account id of the log archive account and ${MFA_SERIAL} with the MFA serial of your user. Get the account id as follows:

    AWS_PROFILE=myorg-master aws organizations list-accounts --query 'Accounts[?Name==`Log archive`].Id' --output text
Run the following command to check that CLI access is working (the CLI will prompt for an MFA code because mfa_serial is set):

    AWS_PROFILE=myorg-log-archive aws sts get-caller-identity

The response should look as follows:

    {
        "UserId": "AROAS6SDLJKFLJDJFDKLFDL:botocore-session-1562431482",
        "Account": "20123434555",
        "Arn": "arn:aws:sts::20123434555:assumed-role/OrganizationAccountAccessRole/botocore-session-1562431482"
    }
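The steps above wrapped into shell functions, as an added example that is not part of the original page: it waits for the create-account request to leave IN_PROGRESS, renders the config stanza only for a well-formed 12-digit account id, and checks that the caller identity really is OrganizationAccountAccessRole in the expected account. Profile names, the account name and the helper names are assumptions taken from the text above.

```shell
#!/bin/sh
# Added example, not the original page's code. Assumes the aws CLI and the
# myorg-master profile for the live steps; render_profile and check_identity_arn
# run offline and are the parts worth testing.
set -eu

ROLE_NAME="OrganizationAccountAccessRole"

# Emit the ~/.aws/config stanza. A malformed id is refused so a typo cannot
# quietly point the profile at a foreign account.
render_profile() {   # $1 profile name, $2 account id, $3 MFA serial
  case "$2" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) echo "invalid account id: $2" >&2; return 1 ;;
  esac
  printf '[profile %s]\nrole_arn = arn:aws:iam::%s:role/%s\nmfa_serial = %s\nsource_profile = myorg-master\n' \
    "$1" "$2" "$ROLE_NAME" "$3"
}

# Succeeds only if the STS caller ARN is the expected role in the expected
# account; the session name (after the last '/') may be anything.
check_identity_arn() {   # $1 caller ARN, $2 expected account id
  [ "$1" = "arn:aws:sts::$2:assumed-role/${ROLE_NAME}/${1##*/}" ]
}

# Live step: create the member account, poll until the request finishes,
# then print the new account id resolved by name.
create_and_wait() {   # $1 account e-mail, $2 account name
  req_id=$(AWS_PROFILE=myorg-master aws organizations create-account \
    --email "$1" --account-name "$2" --query 'CreateAccountStatus.Id' --output text)
  while :; do
    state=$(AWS_PROFILE=myorg-master aws organizations describe-create-account-status \
      --create-account-request-id "$req_id" --query 'CreateAccountStatus.State' --output text)
    case "$state" in
      SUCCEEDED) break ;;
      FAILED) echo "account creation failed" >&2; return 1 ;;
      *) sleep 10 ;;
    esac
  done
  AWS_PROFILE=myorg-master aws organizations list-accounts \
    --query "Accounts[?Name=='$2'].Id" --output text
}

# Live step: assume the role through the profile (MFA prompt) and verify
# that the resulting identity matches what the profile was meant to reach.
verify_profile() {   # $1 profile name, $2 expected account id
  arn=$(AWS_PROFILE="$1" aws sts get-caller-identity --query Arn --output text)
  check_identity_arn "$arn" "$2"
}
```

Typical use: `id=$(create_and_wait "$ACCOUNT_EMAIL" "Log archive")`, append `render_profile myorg-log-archive "$id" "$MFA_SERIAL"` to ~/.aws/config, then `verify_profile myorg-log-archive "$id"`.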