AWS::SSO::PermissionSet
Specifies a permission set within a specified SSO instance.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{ "Type" : "AWS::SSO::PermissionSet", "Properties" : { "Description" :String, "InlinePolicy" :Json, "InstanceArn" :String, "ManagedPolicies" :[ String, ... ], "Name" :String, "RelayStateType" :String, "SessionDuration" :String, "Tags" :[ Tag, ... ]} }
YAML
Type: AWS::SSO::PermissionSet Properties: Description:StringInlinePolicy:JsonInstanceArn:StringManagedPolicies:- StringName:StringRelayStateType:StringSessionDuration:StringTags:- Tag
Properties
Description-
The description of the AWS::SSO::PermissionSet.
Required: No
Type: String
Minimum:
1Maximum:
700Pattern:
[\u0009\u000A\u000D\u0020-\u007E\u00A0-\u00FF]*Update requires: No interruption
InlinePolicy-
The IAM inline policy that is attached to the permission set.
Required: No
Type: Json
Minimum:
1Maximum:
10240Pattern:
[\u0009\u000A\u000D\u0020-\u00FF]+Update requires: No interruption
InstanceArn-
The ARN of the SSO instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.
Required: Yes
Type: String
Minimum:
10Maximum:
1224Pattern:
arn:(aws|aws-us-gov|aws-cn|aws-iso|aws-iso-b):sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}Update requires: Replacement
ManagedPolicies-
A structure that stores the details of the IAM managed policy.
Required: No
Type: List of String
Update requires: No interruption
Name-
The name of the permission set.
Required: Yes
Type: String
Minimum:
1Maximum:
32Pattern:
[\w+=,.@-]+Update requires: Replacement
RelayStateType-
Used to redirect users within the application during the federation authentication process.
Required: No
Type: String
Minimum:
1Maximum:
240Pattern:
[a-zA-Z0-9&$@#\\\/%?=~\-_'"|!:,.;*+\[\]\ \(\)\{\}]+Update requires: No interruption
SessionDuration-
The length of time that the application user sessions are valid for in the ISO-8601 standard.
Required: No
Type: String
Minimum:
1Maximum:
100Pattern:
^(-?)P(?=\d|T\d)(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)([DW]))?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+(?:\.\d+)?)S)?)?$Update requires: No interruption
Tags-
The tags to attach to the new AWS::SSO::PermissionSet.
Required: No
Type: List of Tag
Maximum:
50Update requires: No interruption
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns a generated ID, such as
permission-arn|sso-instance-arn.
For more information about using the Ref function, see Ref.
Fn::GetAtt
The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.
For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.
Examples
Creating a new custom permission set for AWS SSO
The following example creates a custom permission set PermissionSet
with a managed policies attachment and inline policy.
JSON
{ "PermissionSet": { "Type": "AWS::SSO::PermissionSet", "Properties": { "InstanceArn": "arn:aws:sso:::instance/ssoins-instanceId", "Name": "PermissionSet", "Description": "This is a sample permission set.", "SessionDuration": "PT8H", "ManagedPolicies": [ "arn:aws:iam::aws:policy/AdministratorAccess" ], "InlinePolicy": "Inline policy json string", "Tags": [ { "Key": "tagKey", "Value": "tagValue" } ] } } }
YAML
PermissionSet: Type: AWS::SSO::PermissionSet Properties: InstanceArn: 'arn:aws:sso:::instance/ssoins-instanceId' Name: 'PermissionSet' Description: 'This is a sample permission set.' SessionDuration: 'PT8H' ManagedPolicies: - 'arn:aws:iam::aws:policy/AdministratorAccess' InlinePolicy: 'Inline policy json string' Tags: - Key: tagKey Value: tagValue
