AWS::SSO::PermissionSet - AWS CloudFormation

AWS::SSO::PermissionSet

Specifies a permission set within a specified SSO instance.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{
  "Type" : "AWS::SSO::PermissionSet",
  "Properties" : {
      "Description" : String,
      "InlinePolicy" : Json,
      "InstanceArn" : String,
      "ManagedPolicies" : [ String, ... ],
      "Name" : String,
      "RelayStateType" : String,
      "SessionDuration" : String,
      "Tags" : [ Tag, ... ]
    }
}

YAML

Type: AWS::SSO::PermissionSet
Properties:
  Description: String
  InlinePolicy: Json
  InstanceArn: String
  ManagedPolicies:
    - String
  Name: String
  RelayStateType: String
  SessionDuration: String
  Tags:
    - Tag

Properties

Description

The description of the AWS::SSO::PermissionSet.

Required: No

Type: String

Minimum: 1

Maximum: 700

Pattern: [\u0009\u000A\u000D\u0020-\u007E\u00A0-\u00FF]*

Update requires: No interruption

InlinePolicy

The IAM inline policy that is attached to the permission set.

Required: No

Type: Json

Minimum: 1

Maximum: 10240

Pattern: [\u0009\u000A\u000D\u0020-\u00FF]+

Update requires: No interruption

InstanceArn

The ARN of the SSO instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

Required: Yes

Type: String

Minimum: 10

Maximum: 1224

Pattern: arn:(aws|aws-us-gov|aws-cn|aws-iso|aws-iso-b):sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}

Update requires: Replacement

ManagedPolicies

The IAM managed policies attached to the permission set, given as a list of managed policy ARNs.

Required: No

Type: List of String

Update requires: No interruption

Name

The name of the permission set.

Required: Yes

Type: String

Minimum: 1

Maximum: 32

Pattern: [\w+=,.@-]+

Update requires: Replacement

RelayStateType

The relay state used to redirect users within the application after federated authentication completes.

Required: No

Type: String

Minimum: 1

Maximum: 240

Pattern: [a-zA-Z0-9&$@#\\\/%?=~\-_'"|!:,.;*+\[\]\ \(\)\{\}]+

Update requires: No interruption

SessionDuration

The length of time that application user sessions are valid, expressed as an ISO-8601 duration (for example, PT8H).

Required: No

Type: String

Minimum: 1

Maximum: 100

Pattern: ^(-?)P(?=\d|T\d)(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)([DW]))?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+(?:\.\d+)?)S)?)?$

Update requires: No interruption

Tags

The tags to attach to the new AWS::SSO::PermissionSet.

Required: No

Type: List of Tag

Maximum: 50

Update requires: No interruption

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns a generated ID, such as permission-arn|sso-instance-arn.

For more information about using the Ref function, see Ref.

Fn::GetAtt

The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.

PermissionSetArn

The permission set ARN of the permission set, such as arn:aws:sso:::permissionSet/ins-instanceid/ps-permissionsetid.

Examples

Creating a new custom permission set for AWS SSO

The following example creates a custom permission set named PermissionSet with a managed policy attachment and an inline policy. Note that the InlinePolicy value shown is a placeholder string, not a valid IAM policy document, and that the managed policy attached is AdministratorAccess; in a real template, replace the placeholder with a policy document and scope both the managed and inline policies to what the assigned users actually need.

JSON

{
  "PermissionSet": {
    "Type": "AWS::SSO::PermissionSet",
    "Properties": {
      "InstanceArn": "arn:aws:sso:::instance/ssoins-instanceId",
      "Name": "PermissionSet",
      "Description": "This is a sample permission set.",
      "SessionDuration": "PT8H",
      "ManagedPolicies": [
        "arn:aws:iam::aws:policy/AdministratorAccess"
      ],
      "InlinePolicy": "Inline policy json string",
      "Tags": [
        {
          "Key": "tagKey",
          "Value": "tagValue"
        }
      ]
    }
  }
}

YAML

PermissionSet:
  Type: AWS::SSO::PermissionSet
  Properties:
    InstanceArn: 'arn:aws:sso:::instance/ssoins-instanceId'
    Name: 'PermissionSet'
    Description: 'This is a sample permission set.'
    SessionDuration: 'PT8H'
    ManagedPolicies:
      - 'arn:aws:iam::aws:policy/AdministratorAccess'
    InlinePolicy: 'Inline policy json string'
    Tags:
      - Key: tagKey
        Value: tagValue
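To check a template's permission set against the constraints documented above before it is deployed, here is an added Python example (not AWS's own code): it validates InstanceArn, Name and SessionDuration against the documented patterns, flags an AdministratorAccess managed policy attachment, and parses InlinePolicy to confirm it is a real policy document rather than a placeholder, rejecting a full wildcard Allow. The function names and the PAGE_EXAMPLE sample (built from the example above) are constructed here.

```python
import json
import re
# Patterns taken from the property constraints documented on this page.
INSTANCE_ARN_RE = re.compile(r"^arn:(aws|aws-us-gov|aws-cn|aws-iso|aws-iso-b):sso:::instance/"
                             r"(sso)?ins-[a-zA-Z0-9.-]{16}$")
NAME_RE = re.compile(r"^[\w+=,.@-]+$")
SESSION_RE = re.compile(r"^(-?)P(?=\d|T\d)(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)([DW]))?"
                        r"(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+(?:\.\d+)?)S)?)?$")
# Constructed sample input: the page's own example with its placeholder values.
PAGE_EXAMPLE = {"Type": "AWS::SSO::PermissionSet", "Properties": {
    "InstanceArn": "arn:aws:sso:::instance/ssoins-instanceId", "Name": "PermissionSet",
    "SessionDuration": "PT8H", "InlinePolicy": "Inline policy json string",
    "ManagedPolicies": ["arn:aws:iam::aws:policy/AdministratorAccess"]}}
def _as_list(v):  # IAM policy fields may be a single value or a list of values
    return v if isinstance(v, list) else [v]

def _wildcard_allow(policy):
    # True if any Allow statement grants Action "*" on Resource "*".
    for s in _as_list(policy.get("Statement", [])):
        if (s.get("Effect") == "Allow" and "*" in _as_list(s.get("Action", []))
                and "*" in _as_list(s.get("Resource", []))):
            return True
    return False

def lint_permission_set(resource):
    # Returns a list of findings for one resource; an empty list means clean.
    p = resource.get("Properties", {})
    findings = []
    if not INSTANCE_ARN_RE.match(p.get("InstanceArn", "")):
        findings.append("InstanceArn missing or does not match the documented pattern")
    name = p.get("Name", "")
    if not (1 <= len(name) <= 32 and NAME_RE.match(name)):
        findings.append("Name missing, longer than 32 characters or has disallowed characters")
    dur = p.get("SessionDuration")
    if dur is not None and not SESSION_RE.match(dur):
        findings.append("SessionDuration is not an ISO-8601 duration")
    for arn in p.get("ManagedPolicies", []):
        if arn.endswith("/AdministratorAccess"):
            findings.append("ManagedPolicies attaches AdministratorAccess; confirm this is intended")
    inline = p.get("InlinePolicy")
    if inline is not None:
        # InlinePolicy may be an embedded JSON object or a JSON string.
        raw = inline if isinstance(inline, str) else json.dumps(inline)
        try:
            policy = json.loads(raw)
        except ValueError:
            findings.append("InlinePolicy is not valid policy JSON")
        else:
            if _wildcard_allow(policy):
                findings.append("InlinePolicy allows Action '*' on Resource '*'")
    return findings
```

Run on PAGE_EXAMPLE, lint_permission_set reports three findings: the placeholder InstanceArn, the AdministratorAccess attachment and the non-JSON InlinePolicy.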