AWS::SSO::PermissionSet - AWS CloudFormation

AWS::SSO::PermissionSet

Specifies a permission set within a specified IAM Identity Center instance.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{ "Type" : "AWS::SSO::PermissionSet", "Properties" : { "CustomerManagedPolicyReferences" : [ CustomerManagedPolicyReference, ... ], "Description" : String, "InlinePolicy" : Json, "InstanceArn" : String, "ManagedPolicies" : [ String, ... ], "Name" : String, "PermissionsBoundary" : PermissionsBoundary, "RelayStateType" : String, "SessionDuration" : String, "Tags" : [ Tag, ... ] } }

Properties

CustomerManagedPolicyReferences

Specifies the names and paths of the customer managed policies that you have attached to your permission set.

Required: No

Type: List of CustomerManagedPolicyReference

Update requires: No interruption

Description

The description of the AWS::SSO::PermissionSet.

Required: No

Type: String

Minimum: 1

Maximum: 700

Pattern: [\u0009\u000A\u000D\u0020-\u007E\u00A0-\u00FF]*

Update requires: No interruption

InlinePolicy

The inline policy that is attached to the permission set.

Required: No

Type: Json

Minimum: 1

Maximum: 10240

Pattern: [\u0009\u000A\u000D\u0020-\u00FF]+

Update requires: No interruption

InstanceArn

The ARN of the IAM Identity Center instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

Required: Yes

Type: String

Minimum: 10

Maximum: 1224

Pattern: arn:(aws|aws-us-gov|aws-cn|aws-iso|aws-iso-b):sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}

Update requires: Replacement

ManagedPolicies

A structure that stores the details of the AWS managed policy.

Required: No

Type: List of String

Update requires: No interruption

Name

The name of the permission set.

Required: Yes

Type: String

Minimum: 1

Maximum: 32

Pattern: [\w+=,.@-]+

Update requires: Replacement

PermissionsBoundary

Specifies the configuration of the AWS managed or customer managed policy that you want to set as a permissions boundary. Specify either CustomerManagedPolicyReference to use the name and path of a customer managed policy, or ManagedPolicyArn to use the ARN of an AWS managed policy. A permissions boundary represents the maximum permissions that any policy can grant your role. For more information, see Permissions boundaries for IAM entities in the AWS Identity and Access Management User Guide.

Important

Policies used as permissions boundaries don't provide permissions. You must also attach an IAM policy to the role. To learn how the effective permissions for a role are evaluated, see IAM JSON policy evaluation logic in the AWS Identity and Access Management User Guide.

Required: No

Type: PermissionsBoundary

Update requires: No interruption

RelayStateType

Used to redirect users within the application during the federation authentication process.

Required: No

Type: String

Minimum: 1

Maximum: 240

Pattern: [a-zA-Z0-9&$@#\\\/%?=~\-_'"|!:,.;*+\[\]\ \(\)\{\}]+

Update requires: No interruption

SessionDuration

The length of time that the application user sessions are valid for in the ISO-8601 standard.

Required: No

Type: String

Minimum: 1

Maximum: 100

Pattern: ^(-?)P(?=\d|T\d)(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)([DW]))?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+(?:\.\d+)?)S)?)?$

Update requires: No interruption

Tags

The tags to attach to the new AWS::SSO::PermissionSet.

Required: No

Type: List of Tag

Maximum: 50

Update requires: No interruption

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns a generated ID, such as permission-arn|sso-instance-arn.

For more information about using the Ref function, see Ref.

Fn::GetAtt

The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.

PermissionSetArn

The permission set ARN of the permission set, such as arn:aws:sso:::permissionSet/ins-instanceid/ps-permissionsetid.

Examples

Creating a new custom permission set for IAM Identity Center

The following example creates a custom permission set, PermissionSet, with a managed policies attachment and inline policy.

JSON

{ "PermissionSet": { "Type": "AWS::SSO::PermissionSet", "Properties": { "InstanceArn": "arn:aws:sso:::instance/ssoins-instanceId", "Name": "PermissionSet", "Description": "This is a sample permission set.", "SessionDuration": "PT8H", "ManagedPolicies": [ "arn:aws:iam::aws:policy/AdministratorAccess" ], "InlinePolicy": "Inline policy json string", "Tags": [ { "Key": "tagKey", "Value": "tagValue" } ] } } }

YAML

PermissionSet: Type: AWS::SSO::PermissionSet Properties: InstanceArn: 'arn:aws:sso:::instance/ssoins-instanceId' Name: 'PermissionSet' Description: 'This is a sample permission set.' SessionDuration: 'PT8H' ManagedPolicies: - 'arn:aws:iam::aws:policy/AdministratorAccess' InlinePolicy: 'Inline policy json string' Tags: - Key: tagKey Value: tagValue

Creating a new custom permission set for IAM Identity Center with a customer managed policy as a permissions boundary

The following example creates a custom permission set, PermissionSetWithCmpPb, with policies attached and a customer managed policy as a permissions boundary.

JSON

{ "PermissionSetWithCustomerManagedPolicyReferenceForPermissionsBoundary": { "Type": "AWS::SSO::PermissionSet", "Properties": { "InstanceArn": "arn:aws:sso:::instance/ssoins-instanceId", "Name": "PermissionSetWithCmpPb", "Description": "This is a sample permission set.", "SessionDuration": "PT8H", "ManagedPolicies": [ "arn:aws:iam::aws:policy/AdministratorAccess" ], "CustomerManagedPolicyReferences": [{ "Name": "MyCustomPolicyName", "Path": "/myCustomPath/" }, { "Name": "AnotherCustomPolicyName", }, { "Name": "YetAnotherCustomPolicyName", "Path": "/" } ], "PermissionsBoundary": { "CustomerManagedPolicyReference": { "Name": "PolicyName", "Path": "/myPolicyPath/" } } } } }

YAML

PermissionSetWithCustomerManagedPolicyReferenceForPermissionsBoundary: Type: AWS::SSO::PermissionSet Properties: InstanceArn: 'arn:aws:sso:::instance/ssoins-instanceId' Name: 'PermissionSetWithCmpPb' Description: 'This is a sample permission set.' SessionDuration: 'PT8H' ManagedPolicies: - 'arn:aws:iam::aws:policy/AdministratorAccess' CustomerManagedPolicyReferences: - Name: 'MyCustomPolicyName' Path: '/myCustomPath/' - Name: 'AnotherCustomPolicyName' - Name: 'YetAnotherCustomPolicyName' Path: '/' PermissionsBoundary: CustomerManagedPolicyReference: Name: PolicyName Path: /myPolicyPath/

Creating a new custom permission set for IAM Identity Center with an AWS managed policy as a permissions boundary

The following example creates a custom permission set, PermissionSetWithAmpPb, with policies attached and an AWS managed policy as a permissions boundary.

JSON

{ "PermissionSetWithAWSManagedPolicyForPermissionsBoundary": { "Type": "AWS::SSO::PermissionSet", "Properties": { "InstanceArn": "arn:aws:sso:::instance/ssoins-instanceId", "Name": "PermissionSetWithAmpPb", "Description": "This is a sample permission set.", "SessionDuration": "PT8H", "ManagedPolicies": [ "arn:aws:iam::aws:policy/AdministratorAccess" ], "CustomerManagedPolicyReferences": [{ "Name": "MyCustomPolicyName", "Path": "/myCustomPath/" }, { "Name": "AnotherCustomPolicyName", }, { "Name": "YetAnotherCustomPolicyName", "Path": "/" } ], "PermissionsBoundary": { "ManagedPolicyArn": { "Fn::Sub": "arn:aws:iam::aws:policy/ReadOnlyAccess" } } } } }

YAML

PermissionSetWithAwsManagedPolicyForPermissionsBoundary: Type: AWS::SSO::PermissionSet Properties: InstanceArn: 'arn:aws:sso:::instance/ssoins-instanceId' Name: 'PermissionSetWithAmpPb' Description: 'This is a sample permission set.' SessionDuration: 'PT8H' ManagedPolicies: - 'arn:aws:iam::aws:policy/AdministratorAccess' CustomerManagedPolicyReferences: - Name: 'MyCustomPolicy' Path: '/myCustomPath/' - Name: 'AnotherCustomPolicy' - Name: YetAnotherCustomPolicyName Path: / PermissionsBoundary: ManagedPolicyArn: arn:aws:iam::aws:policy/ReadOnlyAccess'