AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for Single Sign-On

Single Sign-On (service prefix: sso) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions Defined by Single Sign-On

You can specify the following actions in the Action element of an IAM policy statement. By using policies, you define the permissions for anyone performing an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions. For details about the columns in the following table, see The Actions Table.

| Actions | Description | Access Level | Resource Types (*required) | Condition Keys | Dependent Actions |
|---|---|---|---|---|---|
| AssociateDirectory | Connect a directory to be used by AWS Single Sign-On | Write | | | |
| AssociateProfile | Create an association between a directory user or group and a profile | Write | | | |
| AttachManagedPolicy | Attach a managed policy to a permission set | Write | | | |
| CreateApplicationInstance | Add an application instance to AWS Single Sign-On | Write | | | |
| CreateApplicationInstanceCertificate | Add a new certificate for an application instance | Write | | | |
| CreatePermissionSet | Create a permission set | Write | | | |
| CreateProfile | Create a profile for an application instance | Write | | | |
| CreateTrust | Create a federation trust in a target account | Write | | | |
| DeleteApplicationInstance | Delete the application instance | Write | | | |
| DeleteApplicationInstanceCertificate | Delete an inactive or expired certificate from the application instance | Write | | | |
| DeleteApplicationInstanceForAWsAccount | Delete an application instance for an AWS account | Write | | | |
| DeleteApplicationProfileForAwsAccount | Delete the role in the target account and remove the profile associated with the role | Write | | | |
| DeleteAssignmentsForAccessor | Delete all the profile associations for a given directory user or group | Write | | | |
| DeletePermissionSet | Delete a permission set | Write | | | |
| DeletePermissionsPolicy | Delete the permissions policy associated with a permission set | Write | | | |
| DeleteProfile | Delete the profile for an application instance | Write | | | |
| DescribePermissionsPolicies | Retrieve all the permissions policies associated with a permission set | Read | | | |
| DetachManagedPolicy | Detach a managed policy from a permission set | Write | | | |
| DisassociateDirectory | Disassociate a directory from AWS Single Sign-On | Write | | | |
| DisassociateProfile | Disassociate a directory user or group from a profile | Write | | | |
| GetAWSAccountProfileStatus | Check whether the role permissions in the target account are in sync with the permission set | Read | | | |
| GetAccessorsForDirectoryAssociation | Retrieve all directory users or groups with profile associations for a given directory | Read | | | |
| GetApplicationInstance | Retrieve details for an application instance | Read | | | |
| GetApplicationInstanceForAWSAccount | Retrieve details of an application instance for an AWS account | Read | | | |
| GetApplicationTemplate | Retrieve application template details | Read | | | |
| GetPermissionSet | Retrieve details of a permission set | Read | | | |
| GetPermissionsPolicy | Retrieve all permissions policies associated with a permission set | Read | | | |
| GetProfile | Retrieve a profile for an application instance | Read | | | |
| GetSSOStatus | Check whether AWS Single Sign-On is enabled | Read | | | |
| GetTrust | Retrieve the federation trust in a target account | Read | | | |
| ImportApplicationInstanceServiceProviderMetadata | Update the application instance by uploading an application SAML metadata file provided by the service provider | Write | | | |
| ListAWSAccountProfiles | Retrieve all the profiles associated with this AWS account application instance | Read | | | |
| ListAccountsWithProvisionedPermissionSet | List all the AWS accounts that have this permission set provisioned | Read | | | |
| ListApplicationInstanceCertificates | Retrieve all of the certificates for a given application instance | Read | | | |
| ListApplicationInstances | Retrieve all application instances | List | | | |
| ListApplicationTemplates | Retrieve all supported application templates | Read | | | |
| ListDirectoryAssociations | Retrieve details about the directory connected to AWS Single Sign-On | Read | | | |
| ListPermissionSets | Retrieve all permission sets | Read | | | |
| ListProfileAssociations | Retrieve the directory users or groups associated with the profile | Read | | | |
| ListProfiles | Retrieve all profiles for an application instance | Read | | | |
| LockServiceLinkedRole | Lock the AWS Single Sign-On service-linked role so it cannot be deleted | Write | | | |
| ProvisionApplicationInstanceForAWSAccount | Create an application instance for an AWS account | Write | | | |
| ProvisionApplicationProfileForAWSAccountInstance | Create a role in the target account with the permissions defined in the permission set | Write | | | |
| ProvisionSAMLProvider | Create a SAML provider in a target account | Write | | | |
| PutPermissionsPolicy | Add a policy to a permission set | Write | | | |
| SearchDirectoryGroups | Search for a group within a directory | Read | | | |
| SearchDirectoryUsers | Search for a user within a directory | Read | | | |
| StartSSO | Initialize AWS Single Sign-On | Write | | | |
| UnlockServiceLinkedRole | Unlock the AWS Single Sign-On service-linked role | Write | | | |
| UpdateApplicationInstanceActiveCertificate | Set a certificate as the active one for this application instance | Write | | | |
| UpdateApplicationInstanceDisplayData | Update the display data of an application instance | Write | | | |
| UpdateApplicationInstanceResponseConfiguration | Update the federation response configuration for the application instance | Write | | | |
| UpdateApplicationInstanceResponseSchemaConfiguration | Update the federation response schema configuration for the application instance | Write | | | |
| UpdateApplicationInstanceSecurityConfiguration | Update security details for the application instance | Write | | | |
| UpdateApplicationInstanceServiceProviderConfiguration | Update service-provider-related configuration for the application instance | Write | | | |
| UpdateApplicationInstanceStatus | Update the status of an application instance | Write | | | |
| UpdateDirectoryAssociation | Update the user attribute mappings for your connected directory | Write | | | |
| UpdateProfile | Update the profile for an application instance | Write | | | |
| UpdateTrust | Update the federation trust in a target account | Write | | | |

Resources Defined by SSO

SSO has no service-defined resources that can be used as the Resource element of an IAM policy statement.

Condition Keys for Single Sign-On

SSO has no service-specific context keys that can be used in the Condition element of policy statements. For the list of the global context keys that are available to all services, see Available Keys for Conditions in the IAM Policy Reference.