Shell script to call the AWS Organizations API to create an AWS account and parse out the AccountId
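#!/usr/bin/env bash
# Create an AWS account through AWS Organizations and print its AccountId.
#
# Requires: the aws CLI, authenticated as the organization's management
# account, and a `python` interpreter (2 or 3) for JSON parsing.
# The account must use an email address not associated with any other
# AWS account.
#
# Variables set for anything that sources this script (same names as the
# original version): ACCOUNT_EMAIL, ACCOUNT_NAME, AWS_RESULT, AWS_REQUEST_ID,
# STATE, AWS_STATUS_RESULT, and either REASON (on failure) or AWS_ACCOUNT_ID.
#
# Exit status: 0 when the account reaches SUCCEEDED; 1 when the request is
# rejected, reports FAILED, or does not settle within MAX_POLLS polls.
set -euo pipefail

ACCOUNT_EMAIL='new-team@company.com'
ACCOUNT_NAME='new-team'
# Seconds between status polls, and how many polls to make before giving up
# (the original loop ran unbounded and spun forever if the status call
# returned nothing usable). Override MAX_POLLS from the environment if needed.
POLL_INTERVAL=3
MAX_POLLS=${MAX_POLLS:-100}

#######################################
# Print one string field of the CreateAccountStatus object from the JSON
# document on stdin. Replaces the grep/sed scraping of `python -mjson.tool`
# output, which matched any line containing the substring (e.g. "Id" also
# matched "AccountId") and assumed a trailing comma on the line.
# Arguments: $1 - field name (Id, State, AccountId, FailureReason)
# Outputs:   the field value, or an empty line if it is absent
#######################################
json_field() {
  python -c 'import json, sys
doc = json.load(sys.stdin)
print(doc.get("CreateAccountStatus", {}).get(sys.argv[1], ""))' "$1"
}

# NOTE: create-account also accepts --role-name and
# --iam-user-access-to-billing; the CLI defaults apply here, so decide these
# explicitly before using this for real accounts.
AWS_RESULT=$(aws organizations create-account \
  --email "${ACCOUNT_EMAIL}" \
  --account-name "${ACCOUNT_NAME}") \
  || { printf 'create-account request was rejected\n' >&2; exit 1; }

# Get the request ID from the create-account operation
AWS_REQUEST_ID=$(json_field Id <<<"$AWS_RESULT")
if [[ -z "$AWS_REQUEST_ID" ]]; then
  printf 'create-account response contained no request Id\n' >&2
  exit 1
fi

# Check the status of the AWS account creation call.
# If it's not 'SUCCEEDED' or 'FAILED', wait POLL_INTERVAL seconds and check
# again, up to MAX_POLLS times.
STATE='undefined'
polls=0
while [[ "$STATE" != "SUCCEEDED" && "$STATE" != "FAILED" ]]; do
  if (( polls >= MAX_POLLS )); then
    printf 'Timed out waiting for request %s (last state: %s)\n' \
      "$AWS_REQUEST_ID" "$STATE" >&2
    exit 1
  fi
  AWS_STATUS_RESULT=$(aws organizations describe-create-account-status \
    --create-account-request-id "${AWS_REQUEST_ID}")
  STATE=$(json_field State <<<"$AWS_STATUS_RESULT")
  printf 'AWS account creation status = %s\n' "${STATE}"
  polls=$((polls + 1))
  sleep "${POLL_INTERVAL}"
done

if [[ "$STATE" == "FAILED" ]]; then
  REASON=$(json_field FailureReason <<<"$AWS_STATUS_RESULT")
  printf 'Account creation failed. Reason: %s\n' "${REASON}"
  # Non-zero so a caller chaining on this script does not treat a failed
  # request as success (the original exited 0 here).
  exit 1
else
  # Get the ID of the new account:
  AWS_ACCOUNT_ID=$(json_field AccountId <<<"$AWS_STATUS_RESULT")
  printf 'AWS_ACCOUNT_ID = %s\n' "${AWS_ACCOUNT_ID}"
fi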
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"autoscaling:Describe*",
"budgets:ViewBudget",
"cloudfront:GetDistributionConfig",
"cloudfront:ListDistributions",
"cloudtrail:DescribeTrails",
"cloudtrail:GetTrailStatus",
"cloudwatch:Describe*",
"cloudwatch:Get*",
"cloudwatch:List*",
"codedeploy:List*",
"codedeploy:BatchGet*",
"directconnect:Describe*",
"dynamodb:List*",
"dynamodb:Describe*",
"ec2:Describe*",
"ecs:Describe*",
"ecs:List*",
"elasticache:Describe*",
"elasticache:List*",
"elasticfilesystem:DescribeFileSystems",
"elasticfilesystem:DescribeTags",
"elasticloadbalancing:Describe*",
"elasticmapreduce:List*",
"elasticmapreduce:Describe*",
"es:ListTags",
"es:ListDomainNames",
"es:DescribeElasticsearchDomains",
"health:DescribeEvents",
"health:DescribeEventDetails",
"health:DescribeAffectedEntities",
"kinesis:List*",
"kinesis:Describe*",
"lambda:AddPermission",
"lambda:GetPolicy",
"lambda:List*",
"lambda:RemovePermission",
"logs:Get*",
"logs:Describe*",
"logs:FilterLogEvents",
"logs:TestMetricFilter",
"rds:Describe*",
"rds:List*",
"redshift:DescribeClusters",
"redshift:DescribeLoggingStatus",
"route53:List*",
"s3:GetBucketLogging",
"s3:GetBucketLocation",
"s3:GetBucketNotification",
"s3:GetBucketTagging",
"s3:ListAllMyBuckets",
"s3:PutBucketNotification",
"ses:Get*",
"sns:List*",
"sns:Publish",
"sqs:ListQueues",
"support:*",
"tag:getResources",
"tag:getTagKeys",
"tag:getTagValues"
],
"Effect": "Allow",
"Resource": "*"
}
]
}