AWS::SSO::Assignment - AWS CloudFormation

AWS::SSO::Assignment

Assigns access to a Principal for a specified AWS account using a specified permission set.

Note

The term principal here refers to a user or group that is defined in AWS SSO.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{
  "Type" : "AWS::SSO::Assignment",
  "Properties" : {
      "InstanceArn" : String,
      "PermissionSetArn" : String,
      "PrincipalId" : String,
      "PrincipalType" : String,
      "TargetId" : String,
      "TargetType" : String
    }
}

YAML

Type: AWS::SSO::Assignment
Properties:
  InstanceArn: String
  PermissionSetArn: String
  PrincipalId: String
  PrincipalType: String
  TargetId: String
  TargetType: String

Properties

InstanceArn

The ARN of the SSO instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

Required: Yes

Type: String

Minimum: 10

Maximum: 1224

Pattern: arn:aws:sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}

Update requires: Replacement

PermissionSetArn

The ARN of the permission set.

Required: Yes

Type: String

Minimum: 10

Maximum: 1224

Pattern: arn:aws:sso:::permissionSet/(sso)?ins-[a-zA-Z0-9-.]{16}/ps-[a-zA-Z0-9-./]{16}

Update requires: Replacement

PrincipalId

An identifier for an object in AWS SSO, such as a user or group. PrincipalIds are GUIDs (for example, f81d4fae-7dec-11d0-a765-00a0c91e6bf6). For more information about PrincipalIds in AWS SSO, see the AWS SSO Identity Store API Reference.

Required: Yes

Type: String

Minimum: 1

Maximum: 47

Pattern: ^([0-9a-f]{10}-|)[A-Fa-f0-9]{8}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{12}$

Update requires: Replacement

PrincipalType

The entity type for which the assignment will be created.

Required: Yes

Type: String

Allowed values: GROUP | USER

Update requires: Replacement

TargetId

TargetId is an AWS account identifier, typically a 10-12 digit string (for example, 123456789012).

Required: Yes

Type: String

Pattern: \d{12}

Update requires: Replacement

TargetType

The entity type for which the assignment will be created.

Required: Yes

Type: String

Allowed values: AWS_ACCOUNT

Update requires: Replacement

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns a generated ID formed by joining all fields with the delimiter |.

For more information about using the Ref function, see Ref.

Examples

Creating a new assignment for AWS SSO

The following example creates a custom assignment that gives the user "user_id" access to the account "arn:aws:organizations::org_master_id:account/org_id/accountId" with the permissions defined in "PermissionSet".

JSON

{
  "Assignment": {
    "Type": "AWS::SSO::Assignment",
    "Properties": {
      "InstanceArn": "arn:aws:sso:::instance/ssoins-instanceId",
      "PermissionSetArn": {
        "Fn::GetAtt": [
          "PermissionSet",
          "PermissionSetArn"
        ]
      },
      "TargetId": "accountId",
      "TargetType": "AWS_ACCOUNT",
      "PrincipalType": "USER",
      "PrincipalId": "user_id"
    }
  }
}

YAML

Assignment:
  Type: AWS::SSO::Assignment
  Properties:
    InstanceArn: 'arn:aws:sso:::instance/ssoins-instanceId'
    PermissionSetArn: !GetAtt PermissionSet.PermissionSetArn
    TargetId: 'accountId'
    TargetType: 'AWS_ACCOUNT'
    PrincipalType: 'USER'
    PrincipalId: 'user_id'
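
Checking an assignment against the documented constraints before deployment

The following Python check is an added example, not part of the original page or of any AWS tooling. It applies the lengths, patterns and allowed values listed under Properties to one resource's Properties; the function name lint_assignment, full-string pattern matching and the skipping of intrinsic functions are assumptions of this example.

```python
import re

# Constraints transcribed from the Properties section of this page.
RULES = {
    "InstanceArn": {"min": 10, "max": 1224,
                    "pattern": r"arn:aws:sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}"},
    "PermissionSetArn": {"min": 10, "max": 1224,
                         "pattern": r"arn:aws:sso:::permissionSet/(sso)?ins-[a-zA-Z0-9-.]{16}"
                                    r"/ps-[a-zA-Z0-9-./]{16}"},
    "PrincipalId": {"min": 1, "max": 47,
                    "pattern": r"^([0-9a-f]{10}-|)[A-Fa-f0-9]{8}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}"
                               r"-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{12}$"},
    "PrincipalType": {"allowed": {"GROUP", "USER"}},
    "TargetId": {"pattern": r"\d{12}"},
    "TargetType": {"allowed": {"AWS_ACCOUNT"}},
}


def lint_assignment(props):
    """Return findings for the Properties dict of one AWS::SSO::Assignment."""
    findings = []
    for name, rule in RULES.items():
        if name not in props:
            findings.append(f"{name}: required property is missing")
            continue
        value = props[name]
        if not isinstance(value, str):
            continue  # assumption: intrinsic functions (Fn::GetAtt, Ref) resolve at deploy time
        if "allowed" in rule and value not in rule["allowed"]:
            findings.append(f"{name}: {value!r} is not an allowed value")
        if "min" in rule and not rule["min"] <= len(value) <= rule["max"]:
            findings.append(f"{name}: length {len(value)} outside {rule['min']}-{rule['max']}")
        # assumption: every pattern must match the whole value, so use fullmatch
        if "pattern" in rule and not re.fullmatch(rule["pattern"], value):
            findings.append(f"{name}: does not match the documented pattern")
    for name in sorted(props.keys() - RULES.keys()):
        findings.append(f"{name}: not a property of AWS::SSO::Assignment")
    return findings


# Properties from the page's example, placeholders left as written.
PAGE_EXAMPLE = {
    "InstanceArn": "arn:aws:sso:::instance/ssoins-instanceId",
    "PermissionSetArn": {"Fn::GetAtt": ["PermissionSet", "PermissionSetArn"]},
    "TargetId": "accountId", "TargetType": "AWS_ACCOUNT",
    "PrincipalType": "USER", "PrincipalId": "user_id",
}
# Constructed sample: placeholders replaced with values that satisfy the patterns.
VALID_SAMPLE = dict(PAGE_EXAMPLE, InstanceArn="arn:aws:sso:::instance/ssoins-0123456789abcdef",
                    TargetId="123456789012", PrincipalId="f81d4fae-7dec-11d0-a765-00a0c91e6bf6")
```

Run against PAGE_EXAMPLE, the check reports InstanceArn, PrincipalId and TargetId, because the placeholders in the example above must be replaced with real values before the template can deploy.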