AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for AWS SSO

AWS SSO (service prefix: sso) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions Defined by AWS SSO

You can specify the following actions in the Action element of an IAM policy statement. By using policies, you define the permissions for anyone performing an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions. For details about the columns in the following table, see The Actions Table.

| Actions | Description | Access Level | Resource Types (*required) | Condition Keys | Dependent Actions |
|---|---|---|---|---|---|
| AddMemberToGroup | Adds a member to the group | Write | | | |
| AssociateDirectory | Connect a directory to be used by AWS Single Sign-On | Write | | | |
| AssociateProfile | Create an association between a directory user or group and a profile | Write | | | |
| CreateAlias | Creates an alias for the User Pool | Write | | | |
| CreateApplicationInstance | Add an application instance to AWS Single Sign-On | Write | | | |
| CreateApplicationInstanceCertificate | Add a new certificate for an application instance | Write | | | |
| CreateGroup | Creates a group | Write | | | |
| CreatePermissionSet | Create a permission set | Write | | | |
| CreateProfile | Create a profile for an application instance | Write | | | |
| CreateTrust | Create a federation trust in a target account | Write | | | |
| CreateUser | Creates a user | Write | | | |
| DeleteApplicationInstance | Delete the application instance | Write | | | |
| DeleteApplicationInstanceCertificate | Delete an inactive or expired certificate from the application instance | Write | | | |
| DeleteGroup | Deletes a group | Write | | | |
| DeletePermissionSet | Delete a permission set | Write | | | |
| DeletePermissionsPolicy | Delete the permissions policy associated with a permission set | Write | | | |
| DeleteProfile | Delete the profile for an application instance | Write | | | |
| DeleteUser | Deletes a user | Write | | | |
| DescribeGroups | Retrieves groups' information | List | | | |
| DescribePermissionsPolicies | Retrieve all the permissions policies associated with a permission set | Read | | | |
| DescribeUsers | Retrieves users' information | List | | | |
| DisableUser | Deactivates a user | Write | | | |
| DisassociateDirectory | Disassociate a directory from AWS Single Sign-On | Write | | | |
| DisassociateProfile | Disassociate a directory user or group from a profile | Write | | | |
| EnableUser | Activates a user | Write | | | |
| GetApplicationInstance | Retrieve details for an application instance | Read | | | |
| GetApplicationTemplate | Retrieve application template details | Read | | | |
| GetPermissionSet | Retrieve details of a permission set | Read | | | |
| GetPermissionsPolicy | Retrieve all permissions policies associated with a permission set | Read | | | sso:DescribePermissionsPolicies |
| GetProfile | Retrieve a profile for an application instance | Read | | | |
| GetSSOConfiguration | Retrieve configuration for the current SSO instance | Read | | | |
| GetSSOStatus | Check if AWS Single Sign-On is enabled | Read | | | |
| GetTrust | Retrieve the federation trust in a target account | Read | | | |
| GetUserPoolInfo | Retrieve User Pool information | Read | | | |
| ImportApplicationInstanceServiceProviderMetadata | Update the application instance by uploading an application SAML metadata file provided by the service provider | Write | | | |
| ListApplicationInstanceCertificates | Retrieve all of the certificates for a given application instance | Read | | | |
| ListApplicationInstances | Retrieve all application instances | List | | | sso:GetApplicationInstance |
| ListApplicationTemplates | Retrieve all supported application templates | Read | | | sso:GetApplicationTemplate |
| ListApplications | Retrieve all supported applications | Read | | | |
| ListDirectoryAssociations | Retrieve details about the directory connected to AWS Single Sign-On | Read | | | |
| ListGroupsForUser | Lists groups for a user | List | | | |
| ListMembersInGroup | Retrieves all members that are part of the group | List | | | |
| ListPermissionSets | Retrieve all permission sets | Read | | | |
| ListProfileAssociations | Retrieve the directory user or group associated with the profile | Read | | | |
| ListProfiles | Retrieve all profiles for an application instance | Read | | | sso:GetProfile |
| PutPermissionsPolicy | Add a policy to a permission set | Write | | | |
| RemoveMemberFromGroup | Removes members that are part of the group | Write | | | |
| SearchGroups | Search for groups within the associated directory | Read | | | |
| SearchUsers | Search for users within the associated directory | Read | | | |
| SetTemporaryPassword | Sets a temporary password for a user | Write | | | |
| StartSSO | Initialize AWS Single Sign-On | Write | | | |
| UpdateApplicationInstanceActiveCertificate | Set a certificate as the active one for this application instance | Write | | | |
| UpdateApplicationInstanceDisplayData | Update display data of an application instance | Write | | | |
| UpdateApplicationInstanceResponseConfiguration | Update federation response configuration for the application instance | Write | | | |
| UpdateApplicationInstanceResponseSchemaConfiguration | Update federation response schema configuration for the application instance | Write | | | |
| UpdateApplicationInstanceSecurityConfiguration | Update security details for the application instance | Write | | | |
| UpdateApplicationInstanceServiceProviderConfiguration | Update service provider related configuration for the application instance | Write | | | |
| UpdateApplicationInstanceStatus | Update the status of an application instance | Write | | | |
| UpdateDirectoryAssociation | Update the user attribute mappings for your connected directory | Write | | | |
| UpdateGroup | Updates group information | Write | | | |
| UpdateProfile | Update the profile for an application instance | Write | | | |
| UpdateSSOConfiguration | Update the configuration for the current SSO instance | Write | | | |
| UpdateTrust | Update the federation trust in a target account | Write | | | |
| UpdateUser | Updates user information | Write | | | |

Resources Defined by SSO

AWS SSO has no service-defined resources that can be used as the Resource element of an IAM policy statement.

Condition Keys for AWS SSO

SSO has no service-specific context keys that can be used in the Condition element of policy statements. For the list of the global context keys that are available to all services, see Available Keys for Conditions in the IAM Policy Reference.