AWS::SSO::PermissionSet
Specifies a permission set within a specified IAM Identity Center instance.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{ "Type" : "AWS::SSO::PermissionSet", "Properties" : { "CustomerManagedPolicyReferences" :[ CustomerManagedPolicyReference, ... ], "Description" :String, "InlinePolicy" :Json, "InstanceArn" :String, "ManagedPolicies" :[ String, ... ], "Name" :String, "PermissionsBoundary" :PermissionsBoundary, "RelayStateType" :String, "SessionDuration" :String, "Tags" :[ Tag, ... ]} }
YAML
Type: AWS::SSO::PermissionSet Properties: CustomerManagedPolicyReferences:- CustomerManagedPolicyReferenceDescription:StringInlinePolicy:JsonInstanceArn:StringManagedPolicies:- StringName:StringPermissionsBoundary:PermissionsBoundaryRelayStateType:StringSessionDuration:StringTags:- Tag
Properties
CustomerManagedPolicyReferences-
Specifies the names and paths of the customer managed policies that you have attached to your permission set.
Required: No
Type: List of CustomerManagedPolicyReference
Update requires: No interruption
Description-
The description of the AWS::SSO::PermissionSet.
Required: No
Type: String
Minimum:
1Maximum:
700Pattern:
[\u0009\u000A\u000D\u0020-\u007E\u00A0-\u00FF]*Update requires: No interruption
InlinePolicy-
The inline policy that is attached to the permission set.
Required: No
Type: Json
Minimum:
1Maximum:
10240Pattern:
[\u0009\u000A\u000D\u0020-\u00FF]+Update requires: No interruption
InstanceArn-
The ARN of the IAM Identity Center instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.
Required: Yes
Type: String
Minimum:
10Maximum:
1224Pattern:
arn:(aws|aws-us-gov|aws-cn|aws-iso|aws-iso-b):sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}Update requires: Replacement
ManagedPolicies-
A structure that stores the details of the AWS managed policy.
Required: No
Type: List of String
Update requires: No interruption
Name-
The name of the permission set.
Required: Yes
Type: String
Minimum:
1Maximum:
32Pattern:
[\w+=,.@-]+Update requires: Replacement
PermissionsBoundary-
Specifies the configuration of the AWS managed or customer managed policy that you want to set as a permissions boundary. Specify either
CustomerManagedPolicyReferenceto use the name and path of a customer managed policy, orManagedPolicyArnto use the ARN of an AWS managed policy. A permissions boundary represents the maximum permissions that any policy can grant your role. For more information, see Permissions boundaries for IAM entities in the AWS Identity and Access Management User Guide.Important Policies used as permissions boundaries don't provide permissions. You must also attach an IAM policy to the role. To learn how the effective permissions for a role are evaluated, see IAM JSON policy evaluation logic in the AWS Identity and Access Management User Guide.
Required: No
Type: PermissionsBoundary
Update requires: No interruption
RelayStateType-
Used to redirect users within the application during the federation authentication process.
Required: No
Type: String
Minimum:
1Maximum:
240Pattern:
[a-zA-Z0-9&$@#\\\/%?=~\-_'"|!:,.;*+\[\]\ \(\)\{\}]+Update requires: No interruption
SessionDuration-
The length of time that the application user sessions are valid for in the ISO-8601 standard.
Required: No
Type: String
Minimum:
1Maximum:
100Pattern:
^(-?)P(?=\d|T\d)(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)([DW]))?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+(?:\.\d+)?)S)?)?$Update requires: No interruption
Tags-
The tags to attach to the new AWS::SSO::PermissionSet.
Required: No
Type: List of Tag
Maximum:
50Update requires: No interruption
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns a generated ID, such as
permission-arn|sso-instance-arn.
For more information about using the Ref function, see Ref.
Fn::GetAtt
The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.
For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.
Examples
Creating a new custom permission set for IAM Identity Center
The following example creates a custom permission set, PermissionSet,
with a managed policies attachment and inline policy.
JSON
{ "PermissionSet": { "Type": "AWS::SSO::PermissionSet", "Properties": { "InstanceArn": "arn:aws:sso:::instance/ssoins-instanceId", "Name": "PermissionSet", "Description": "This is a sample permission set.", "SessionDuration": "PT8H", "ManagedPolicies": [ "arn:aws:iam::aws:policy/AdministratorAccess" ], "InlinePolicy": "Inline policy json string", "Tags": [ { "Key": "tagKey", "Value": "tagValue" } ] } } }
YAML
PermissionSet: Type: AWS::SSO::PermissionSet Properties: InstanceArn: 'arn:aws:sso:::instance/ssoins-instanceId' Name: 'PermissionSet' Description: 'This is a sample permission set.' SessionDuration: 'PT8H' ManagedPolicies: - 'arn:aws:iam::aws:policy/AdministratorAccess' InlinePolicy: 'Inline policy json string' Tags: - Key: tagKey Value: tagValue
Creating a new custom permission set for IAM Identity Center with a customer managed policy as a permissions boundary
The following example creates a custom permission set,
PermissionSetWithCmpPb, with policies attached and a customer managed
policy as a permissions boundary.
JSON
{ "PermissionSetWithCustomerManagedPolicyReferenceForPermissionsBoundary": { "Type": "AWS::SSO::PermissionSet", "Properties": { "InstanceArn": "arn:aws:sso:::instance/ssoins-instanceId", "Name": "PermissionSetWithCmpPb", "Description": "This is a sample permission set.", "SessionDuration": "PT8H", "ManagedPolicies": [ "arn:aws:iam::aws:policy/AdministratorAccess" ], "CustomerManagedPolicyReferences": [{ "Name": "MyCustomPolicyName", "Path": "/myCustomPath/" }, { "Name": "AnotherCustomPolicyName", }, { "Name": "YetAnotherCustomPolicyName", "Path": "/" } ], "PermissionsBoundary": { "CustomerManagedPolicyReference": { "Name": "PolicyName", "Path": "/myPolicyPath/" } } } } }
YAML
PermissionSetWithCustomerManagedPolicyReferenceForPermissionsBoundary: Type: AWS::SSO::PermissionSet Properties: InstanceArn: 'arn:aws:sso:::instance/ssoins-instanceId' Name: 'PermissionSetWithCmpPb' Description: 'This is a sample permission set.' SessionDuration: 'PT8H' ManagedPolicies: - 'arn:aws:iam::aws:policy/AdministratorAccess' CustomerManagedPolicyReferences: - Name: 'MyCustomPolicyName' Path: '/myCustomPath/' - Name: 'AnotherCustomPolicyName' - Name: 'YetAnotherCustomPolicyName' Path: '/' PermissionsBoundary: CustomerManagedPolicyReference: Name: PolicyName Path: /myPolicyPath/
Creating a new custom permission set for IAM Identity Center with an AWS managed policy as a permissions boundary
The following example creates a custom permission set,
PermissionSetWithAmpPb, with policies attached and an AWS managed policy as a permissions boundary.
JSON
{ "PermissionSetWithAWSManagedPolicyForPermissionsBoundary": { "Type": "AWS::SSO::PermissionSet", "Properties": { "InstanceArn": "arn:aws:sso:::instance/ssoins-instanceId", "Name": "PermissionSetWithAmpPb", "Description": "This is a sample permission set.", "SessionDuration": "PT8H", "ManagedPolicies": [ "arn:aws:iam::aws:policy/AdministratorAccess" ], "CustomerManagedPolicyReferences": [{ "Name": "MyCustomPolicyName", "Path": "/myCustomPath/" }, { "Name": "AnotherCustomPolicyName", }, { "Name": "YetAnotherCustomPolicyName", "Path": "/" } ], "PermissionsBoundary": { "ManagedPolicyArn": { "Fn::Sub": "arn:aws:iam::aws:policy/ReadOnlyAccess" } } } } }
YAML
PermissionSetWithAwsManagedPolicyForPermissionsBoundary: Type: AWS::SSO::PermissionSet Properties: InstanceArn: 'arn:aws:sso:::instance/ssoins-instanceId' Name: 'PermissionSetWithAmpPb' Description: 'This is a sample permission set.' SessionDuration: 'PT8H' ManagedPolicies: - 'arn:aws:iam::aws:policy/AdministratorAccess' CustomerManagedPolicyReferences: - Name: 'MyCustomPolicy' Path: '/myCustomPath/' - Name: 'AnotherCustomPolicy' - Name: YetAnotherCustomPolicyName Path: / PermissionsBoundary: ManagedPolicyArn: arn:aws:iam::aws:policy/ReadOnlyAccess'
