AWS::SSO::PermissionSet
Specifies a permission set within a specified SSO instance.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{
  "Type" : "AWS::SSO::PermissionSet",
  "Properties" : {
    "Description" : String,
    "InlinePolicy" : Json,
    "InstanceArn" : String,
    "ManagedPolicies" : [ String, ... ],
    "Name" : String,
    "RelayStateType" : String,
    "SessionDuration" : String,
    "Tags" : [ Tag, ... ]
  }
}
YAML
Type: AWS::SSO::PermissionSet
Properties:
  Description: String
  InlinePolicy: Json
  InstanceArn: String
  ManagedPolicies:
    - String
  Name: String
  RelayStateType: String
  SessionDuration: String
  Tags:
    - Tag
Properties
Description
  The description of the AWS::SSO::PermissionSet.
  Required: No
  Type: String
  Minimum: 1
  Maximum: 700
  Pattern: [\u0009\u000A\u000D\u0020-\u007E\u00A0-\u00FF]*
  Update requires: No interruption
InlinePolicy
  The IAM inline policy that is attached to the permission set.
  Required: No
  Type: Json
  Minimum: 1
  Maximum: 10240
  Pattern: [\u0009\u000A\u000D\u0020-\u00FF]+
  Update requires: No interruption
InstanceArn
  The ARN of the SSO instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.
  Required: Yes
  Type: String
  Minimum: 10
  Maximum: 1224
  Pattern: arn:(aws|aws-us-gov|aws-cn|aws-iso|aws-iso-b):sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}
  Update requires: Replacement
ManagedPolicies
  The IAM managed policies to attach to the permission set, given as a list of policy ARNs.
  Required: No
  Type: List of String
  Update requires: No interruption
Name
  The name of the permission set.
  Required: Yes
  Type: String
  Minimum: 1
  Maximum: 32
  Pattern: [\w+=,.@-]+
  Update requires: Replacement
RelayStateType
  The relay state used to redirect users within the application during the federation authentication process.
  Required: No
  Type: String
  Minimum: 1
  Maximum: 240
  Pattern: [a-zA-Z0-9&$@#\\\/%?=~\-_'"|!:,.;*+\[\]\ \(\)\{\}]+
  Update requires: No interruption
SessionDuration
  The length of time that application user sessions are valid for, expressed as an ISO-8601 duration (for example, PT8H).
  Required: No
  Type: String
  Minimum: 1
  Maximum: 100
  Pattern: ^(-?)P(?=\d|T\d)(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)([DW]))?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+(?:\.\d+)?)S)?)?$
  Update requires: No interruption
Tags
  The tags to attach to the new AWS::SSO::PermissionSet.
  Required: No
  Type: List of Tag
  Maximum: 50
  Update requires: No interruption
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns a generated ID, such as permission-arn|sso-instance-arn.
For more information about using the Ref function, see Ref.
Fn::GetAtt
The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.
For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.
Examples
Creating a new custom permission set for AWS SSO
The following example creates a custom permission set, PermissionSet, with a managed policy attachment and an inline policy.
JSON
{
  "PermissionSet": {
    "Type": "AWS::SSO::PermissionSet",
    "Properties": {
      "InstanceArn": "arn:aws:sso:::instance/ssoins-instanceId",
      "Name": "PermissionSet",
      "Description": "This is a sample permission set.",
      "SessionDuration": "PT8H",
      "ManagedPolicies": [
        "arn:aws:iam::aws:policy/AdministratorAccess"
      ],
      "InlinePolicy": "Inline policy json string",
      "Tags": [
        {
          "Key": "tagKey",
          "Value": "tagValue"
        }
      ]
    }
  }
}
YAML
PermissionSet:
  Type: AWS::SSO::PermissionSet
  Properties:
    InstanceArn: 'arn:aws:sso:::instance/ssoins-instanceId'
    Name: 'PermissionSet'
    Description: 'This is a sample permission set.'
    SessionDuration: 'PT8H'
    ManagedPolicies:
      - 'arn:aws:iam::aws:policy/AdministratorAccess'
    InlinePolicy: 'Inline policy json string'
    Tags:
      - Key: tagKey
        Value: tagValue
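The Properties section above lists length limits and patterns for each field, and the example just shown attaches AdministratorAccess with an eight-hour session. The following Python script is an added example, not code from this page or from AWS: it reads CloudFormation resources of this type, checks each property against the documented limits and patterns (the regular expressions are copied from the Properties section), converts SessionDuration to hours with the page's ISO-8601 pattern, and adds review findings that a security reviewer would want before deployment. The set of "broad" managed policies, the eight-hour review threshold, the constructed sample template and its instance ID are all assumptions made for the example; the year/month conversion in session_hours is an approximation.

```python
"""Added example: lint AWS::SSO::PermissionSet resources in a CloudFormation
template against the constraints on this page, plus defender-side review
checks. Not AWS code; review thresholds are assumptions, not AWS limits."""
import json
import re

# Length limits and patterns exactly as listed under Properties.
LIMITS = {
    "Description": (1, 700), "InlinePolicy": (1, 10240), "InstanceArn": (10, 1224),
    "Name": (1, 32), "RelayStateType": (1, 240), "SessionDuration": (1, 100),
}
PATTERNS = {
    "Description": r"[\u0009\u000A\u000D\u0020-\u007E\u00A0-\u00FF]*",
    "InstanceArn": r"arn:(aws|aws-us-gov|aws-cn|aws-iso|aws-iso-b):sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}",
    "Name": r"[\w+=,.@-]+",
    "RelayStateType": r"""[a-zA-Z0-9&$@#\\\/%?=~\-_'"|!:,.;*+\[\]\ \(\)\{\}]+""",
    "SessionDuration": r"^(-?)P(?=\d|T\d)(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)([DW]))?"
                       r"(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+(?:\.\d+)?)S)?)?$",
}
MAX_TAGS = 50

# Review thresholds: assumptions made for this example, not AWS limits.
BROAD_MANAGED_POLICIES = {"arn:aws:iam::aws:policy/AdministratorAccess"}
MAX_REVIEW_SESSION_HOURS = 8.0


def session_hours(duration):
    """Convert a SessionDuration value to hours using the page's ISO-8601
    pattern; None if it does not match. Years/months are approximated."""
    m = re.fullmatch(PATTERNS["SessionDuration"], duration)
    if not m:
        return None
    sign, years, months, dw, unit, hours, minutes, seconds = m.groups()
    total = int(years or 0) * 365 * 24 + int(months or 0) * 30 * 24
    total += int(dw or 0) * (168 if unit == "W" else 24)
    total += int(hours or 0) + int(minutes or 0) / 60 + float(seconds or 0) / 3600
    return -total if sign else total


def _as_list(value):
    """IAM policy fields may be a single value or a list; normalise to a list."""
    if isinstance(value, (str, dict)):
        return [value]
    return list(value or [])


def check_inline_policy(inline):
    """InlinePolicy may be a JSON string or an already-parsed object."""
    try:
        doc = json.loads(inline) if isinstance(inline, str) else inline
    except ValueError:
        return ["InlinePolicy: not valid JSON"]
    if not isinstance(doc, dict):
        return ["InlinePolicy: document must be a JSON object"]
    text = inline if isinstance(inline, str) else json.dumps(doc)
    lo, hi = LIMITS["InlinePolicy"]
    findings = [] if lo <= len(text) <= hi else [f"InlinePolicy: length must be between {lo} and {hi}"]
    for st in _as_list(doc.get("Statement")):
        if (isinstance(st, dict) and st.get("Effect") == "Allow"
                and "*" in _as_list(st.get("Action")) and "*" in _as_list(st.get("Resource"))):
            findings.append("InlinePolicy: an Allow statement grants Action '*' on Resource '*'")
    return findings


def check_permission_set(props):
    """Return findings for one AWS::SSO::PermissionSet Properties mapping."""
    findings = [f"{k}: required property is missing" for k in ("InstanceArn", "Name") if k not in props]
    for key, (lo, hi) in LIMITS.items():
        if key in props and key != "InlinePolicy" and not lo <= len(str(props[key])) <= hi:
            findings.append(f"{key}: length must be between {lo} and {hi}")
    for key, pattern in PATTERNS.items():
        if key in props and not re.fullmatch(pattern, str(props[key])):
            findings.append(f"{key}: value does not match the documented pattern")
    if len(props.get("Tags", [])) > MAX_TAGS:
        findings.append(f"Tags: at most {MAX_TAGS} tags are allowed")
    for arn in props.get("ManagedPolicies", []):
        if arn in BROAD_MANAGED_POLICIES:
            findings.append(f"ManagedPolicies: {arn} grants broad access; prefer a scoped policy")
    if "InlinePolicy" in props:
        findings += check_inline_policy(props["InlinePolicy"])
    if "SessionDuration" in props:
        hours = session_hours(props["SessionDuration"])
        if hours is not None and hours > MAX_REVIEW_SESSION_HOURS:
            findings.append(f"SessionDuration: {props['SessionDuration']} exceeds the "
                            f"review threshold of {MAX_REVIEW_SESSION_HOURS:g} hours")
    return findings


def lint_template(template):
    """Map each AWS::SSO::PermissionSet logical ID to its list of findings."""
    return {lid: check_permission_set(res.get("Properties", {}))
            for lid, res in template.get("Resources", {}).items()
            if res.get("Type") == "AWS::SSO::PermissionSet"}


# Constructed sample template; the instance ID and bucket name are placeholders.
SAMPLE_TEMPLATE = {"Resources": {
    "AdminPermissionSet": {"Type": "AWS::SSO::PermissionSet", "Properties": {
        "InstanceArn": "arn:aws:sso:::instance/ssoins-0123456789abcdef",
        "Name": "Admin", "SessionDuration": "PT12H",
        "ManagedPolicies": ["arn:aws:iam::aws:policy/AdministratorAccess"],
        "InlinePolicy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"}]})}},
    "ReadOnlyPermissionSet": {"Type": "AWS::SSO::PermissionSet", "Properties": {
        "InstanceArn": "arn:aws:sso:::instance/ssoins-0123456789abcdef",
        "Name": "S3ReadOnly", "Description": "Read-only access to one bucket.",
        "SessionDuration": "PT1H",
        "InlinePolicy": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
             "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]},
        "Tags": [{"Key": "Owner", "Value": "security"}]}}}}

if __name__ == "__main__":
    for logical_id, findings in lint_template(SAMPLE_TEMPLATE).items():
        print(logical_id, "->", findings or ["no findings"])
```

Run against the page's own example, the script reports that the instance ARN placeholder (ssoins-instanceId) does not match the documented pattern, which requires 16 characters after ins-; against the constructed template it flags the administrator permission set on all three review points and passes the scoped read-only one. The pattern and length checks mirror what CloudFormation validates at deploy time; the review findings are the part worth tuning to your own standards.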