create-account-assignment calls fail from CLI, work in console

Question

Hello there -  
  
I'm running into a problem where I'm trying to run `aws sso-admin create-account-assignment` from a terminal and while the request is accepted, I then run `aws sso-admin describe-account-assignment-creation-status with the returned requestId and eventually the status transitions to "FAILED" with the error message:  
  
{  
    "AccountAssignmentCreationStatus": {  
        "Status": "FAILED",  
        "RequestId": "\[REDACTED]",  
        "FailureReason": "An unexpected internal service exception was encountered",  
        "TargetId": "\[REDACTED]",  
        "TargetType": "AWS_ACCOUNT",  
        "PermissionSetArn": "arn:aws:sso:::permissionSet/ssoins-\[REDACTED]/ps-\[REDACTED]",  
        "PrincipalType": "GROUP",  
        "PrincipalId": "\[REDACTED]",  
        "CreatedDate": "2021-09-17T18:20:33.708000-04:00"  
    }  
}  
  
This is when using AWS Access Keys associated with a user in my organizational account.  When I attempt to attach the same permission set to the same group and account in the console, the request succeeds.  
  
Has anyone experienced this issue and have an idea what might be going on.  Unfortunately, I'm on a basic plan which doesn't include support.  
  
Thanks.

Answer

Well, I **think** I found out what was going on.  The account I was attempting to assign a permission set assignment to was the organizational root account.   When I switched to another account within my organization it worked fine from the CLI.  Not sure why it works when in the in the console though.  
  
This gets me unblocked as I can continue with my experimentations becoming familiar with SSO -- especially as managed via terraform.  
  
Cheers.

create-account-assignment calls fail from CLI, work in console

Relevant content