AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for Single Sign-On

Single Sign-On (service prefix: sso) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions Defined by Single Sign-On

You can specify the following actions in the Action element of an IAM policy statement. By using policies, you define the permissions for anyone performing an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions. For details about the columns in the following table, see The Actions Table.

| Actions | Description | Access Level | Resource Types (*required) | Condition Keys | Dependent Actions |
|---|---|---|---|---|---|
| AssociateDirectory | Connect a directory to be used by AWS Single Sign-On | Write | | | |
| AssociateProfile | Create an association between a directory user or group and a profile | Write | | | |
| CreateApplicationInstance | Add an application instance to AWS Single Sign-On | Write | | | |
| CreateApplicationInstanceCertificate | Add a new certificate for an application instance | Write | | | |
| CreatePermissionSet | Create a permission set | Write | | | |
| CreateProfile | Create a profile for an application instance | Write | | | |
| CreateTrust | Create a federation trust in a target account | Write | | | |
| DeleteApplicationInstance | Delete the application instance | Write | | | |
| DeleteApplicationInstanceCertificate | Delete an inactive or expired certificate from the application instance | Write | | | |
| DeletePermissionSet | Delete a permission set | Write | | | |
| DeletePermissionsPolicy | Delete the permission policy associated with a permission set | Write | | | |
| DeleteProfile | Delete the profile for an application instance | Write | | | |
| DescribePermissionsPolicies | Retrieve all the permissions policies associated with a permission set | Read | | | |
| DisassociateDirectory | Disassociate a directory from AWS Single Sign-On | Write | | | |
| DisassociateProfile | Disassociate a directory user or group from a profile | Write | | | |
| GetApplicationInstance | Retrieve details for an application instance | Read | | | |
| GetApplicationTemplate | Retrieve application template details | Read | | | |
| GetPermissionSet | Retrieve details of a permission set | Read | | | |
| GetPermissionsPolicy | Retrieve all permission policies associated with a permission set | Read | | | sso:DescribePermissionsPolicies |
| GetProfile | Retrieve a profile for an application instance | Read | | | |
| GetSSOStatus | Check if AWS Single Sign-On is enabled | Read | | | |
| GetTrust | Retrieve the federation trust in a target account | Read | | | |
| ImportApplicationInstanceServiceProviderMetadata | Update the application instance by uploading an application SAML metadata file provided by the service provider | Write | | | |
| ListApplicationInstanceCertificates | Retrieve all of the certificates for a given application instance | Read | | | |
| ListApplicationInstances | Retrieve all application instances | List | | | sso:GetApplicationInstance |
| ListApplicationTemplates | Retrieve all supported application templates | Read | | | sso:GetApplicationTemplate |
| ListApplications | Retrieve all supported applications | Read | | | |
| ListDirectoryAssociations | Retrieve details about the directory connected to AWS Single Sign-On | Read | | | |
| ListPermissionSets | Retrieve all permission sets | Read | | | |
| ListProfileAssociations | Retrieve the directory user or group associated with the profile | Read | | | |
| ListProfiles | Retrieve all profiles for an application instance | Read | | | sso:GetProfile |
| PutPermissionsPolicy | Add a policy to a permission set | Write | | | |
| SearchGroups | Search for groups within the associated directory | Read | | | |
| SearchUsers | Search for users within the associated directory | Read | | | |
| StartSSO | Initialize AWS Single Sign-On | Write | | | |
| UpdateApplicationInstanceActiveCertificate | Set a certificate as the active one for this application instance | Write | | | |
| UpdateApplicationInstanceDisplayData | Update display data of an application instance | Write | | | |
| UpdateApplicationInstanceResponseConfiguration | Update federation response configuration for the application instance | Write | | | |
| UpdateApplicationInstanceResponseSchemaConfiguration | Update federation response schema configuration for the application instance | Write | | | |
| UpdateApplicationInstanceSecurityConfiguration | Update security details for the application instance | Write | | | |
| UpdateApplicationInstanceServiceProviderConfiguration | Update service provider related configuration for the application instance | Write | | | |
| UpdateApplicationInstanceStatus | Update the status of an application instance | Write | | | |
| UpdateDirectoryAssociation | Update the user attribute mappings for your connected directory | Write | | | |
| UpdateProfile | Update the profile for an application instance | Write | | | |
| UpdateTrust | Update the federation trust in a target account | Write | | | |

Resources Defined by Single Sign-On

Single Sign-On has no service-defined resources that can be used as the Resource element of an IAM policy statement.
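Two rules on this page are easy to get wrong when writing a policy: the Dependent Actions column (for example, sso:GetPermissionsPolicy does nothing useful unless sso:DescribePermissionsPolicies is also allowed) and the absence of service-defined resources (sso actions can only be granted against Resource "*"). The following checker, an added example rather than AWS code, encodes both rules from the table and runs them over a constructed policy document; the sample policy and the function names are assumptions for illustration.

```python
import json

# Dependent actions exactly as listed on this page (action -> actions it also requires).
SSO_DEPENDENT_ACTIONS = {
    "sso:GetPermissionsPolicy": ["sso:DescribePermissionsPolicies"],
    "sso:ListApplicationInstances": ["sso:GetApplicationInstance"],
    "sso:ListApplicationTemplates": ["sso:GetApplicationTemplate"],
    "sso:ListProfiles": ["sso:GetProfile"],
}


def _as_list(value):
    """IAM allows a string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_sso_statement(statement):
    """Return findings for one Allow statement that grants sso: actions."""
    findings = []
    if statement.get("Effect") != "Allow":
        return findings  # Deny statements need no dependency to take effect
    actions = _as_list(statement.get("Action", []))
    resources = _as_list(statement.get("Resource", []))
    sso_actions = [a for a in actions if a.startswith("sso:")]
    if not sso_actions:
        return findings
    # No service-defined resources exist, so a narrower Resource silently matches nothing.
    if any(r != "*" for r in resources):
        findings.append('sso actions require Resource "*"; found ' + ", ".join(resources))
    # Literal dependency check; "sso:*" covers every dependency, other wildcards are not expanded.
    for action in sso_actions:
        for dep in SSO_DEPENDENT_ACTIONS.get(action, []):
            if dep not in actions and "sso:*" not in actions:
                findings.append(f"{action} also requires {dep}")
    return findings


def check_sso_policy(policy_json):
    """Run the statement checks over a whole policy document (JSON string)."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy["Statement"]):
        findings.extend(check_sso_statement(stmt))
    return findings


# Constructed sample: a read-only SSO policy that forgot one dependent action.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["sso:GetPermissionsPolicy", "sso:ListProfiles",
                   "sso:GetProfile", "sso:ListPermissionSets"],
        "Resource": "*",
    }],
})

if __name__ == "__main__":
    for finding in check_sso_policy(SAMPLE_POLICY):
        print(finding)
```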

Condition Keys for Single Sign-On

Single Sign-On has no service-specific context keys that can be used in the Condition element of policy statements. For the list of the global context keys that are available to all services, see Available Keys for Conditions in the IAM Policy Reference.