AWS::SSO::Assignment - AWS CloudFormation

AWS::SSO::Assignment

Assigns access to a Principal for a specified AWS account using a specified permission set.

Note

The term principal here refers to a user or group that is defined in IAM Identity Center.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

    {
      "Type" : "AWS::SSO::Assignment",
      "Properties" : {
        "InstanceArn" : String,
        "PermissionSetArn" : String,
        "PrincipalId" : String,
        "PrincipalType" : String,
        "TargetId" : String,
        "TargetType" : String
      }
    }

YAML

    Type: AWS::SSO::Assignment
    Properties:
      InstanceArn: String
      PermissionSetArn: String
      PrincipalId: String
      PrincipalType: String
      TargetId: String
      TargetType: String

Properties

InstanceArn

The ARN of the IAM Identity Center instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

Required: Yes

Type: String

Minimum: 10

Maximum: 1224

Pattern: arn:(aws|aws-us-gov|aws-cn|aws-iso|aws-iso-b):sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}

Update requires: Replacement

PermissionSetArn

The ARN of the permission set.

Required: Yes

Type: String

Minimum: 10

Maximum: 1224

Pattern: arn:(aws|aws-us-gov|aws-cn|aws-iso|aws-iso-b):sso:::permissionSet/(sso)?ins-[a-zA-Z0-9-.]{16}/ps-[a-zA-Z0-9-./]{16}

Update requires: Replacement

PrincipalId

An identifier for an object in IAM Identity Center, such as a user or group. PrincipalIds are GUIDs (for example, f81d4fae-7dec-11d0-a765-00a0c91e6bf6). For more information about PrincipalIds in IAM Identity Center, see the IAM Identity Center Identity Store API Reference.

Required: Yes

Type: String

Minimum: 1

Maximum: 47

Pattern: ^([0-9a-f]{10}-|)[A-Fa-f0-9]{8}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{12}$

Update requires: Replacement

PrincipalType

The entity type of the principal (a user or a group) for which the assignment will be created.

Required: Yes

Type: String

Allowed values: GROUP | USER

Update requires: Replacement

TargetId

TargetId is an AWS account identifier, typically a 10-12 digit string (for example, 123456789012).

Required: Yes

Type: String

Minimum: 12

Maximum: 12

Pattern: \d{12}

Update requires: Replacement

TargetType

The entity type of the target to which access is assigned (an AWS account).

Required: Yes

Type: String

Allowed values: AWS_ACCOUNT

Update requires: Replacement
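As an added pre-deployment check, not part of the AWS documentation or of CloudFormation itself, the following Python function validates a hard-coded Properties block against the length, pattern and allowed-value constraints listed above, so that a mistyped account ID or principal type is caught before the assignment is created. The property names and constraints are the ones on this page; the sample values are constructed.

```python
import re

# Constraints copied from the property reference above; the hyphen inside the
# character classes is escaped so Python's re module reads it literally.
ARN_PREFIX = r"^arn:(aws|aws-us-gov|aws-cn|aws-iso|aws-iso-b):sso:::"
PATTERNS = {
    "InstanceArn": re.compile(ARN_PREFIX + r"instance/(sso)?ins-[a-zA-Z0-9\-.]{16}$"),
    "PermissionSetArn": re.compile(
        ARN_PREFIX + r"permissionSet/(sso)?ins-[a-zA-Z0-9\-.]{16}/ps-[a-zA-Z0-9\-./]{16}$"),
    "PrincipalId": re.compile(r"^([0-9a-f]{10}-|)[A-Fa-f0-9]{8}-[A-Fa-f0-9]{4}-"
                              r"[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{12}$"),
    "TargetId": re.compile(r"^\d{12}$"),
}
LENGTHS = {"InstanceArn": (10, 1224), "PermissionSetArn": (10, 1224),
           "PrincipalId": (1, 47), "TargetId": (12, 12)}
ALLOWED = {"PrincipalType": {"GROUP", "USER"}, "TargetType": {"AWS_ACCOUNT"}}
REQUIRED = tuple(PATTERNS) + tuple(ALLOWED)

def validate_assignment(props: dict) -> list:
    """Return findings for one Assignment's Properties; [] means all checks pass.
    Values that are not literal strings (intrinsic functions such as Fn::GetAtt)
    resolve only at deploy time, so they are reported as unchecked, not rejected."""
    findings = []
    for name in REQUIRED:
        if name not in props:
            findings.append(f"{name}: required property is missing")
            continue
        value = props[name]
        if not isinstance(value, str):
            findings.append(f"{name}: not a literal string, not checked statically")
            continue
        if name in ALLOWED and value not in ALLOWED[name]:
            findings.append(f"{name}: {value!r} not in {sorted(ALLOWED[name])}")
        if name in LENGTHS and not LENGTHS[name][0] <= len(value) <= LENGTHS[name][1]:
            findings.append(f"{name}: length {len(value)} outside {LENGTHS[name]}")
        if name in PATTERNS and not PATTERNS[name].fullmatch(value):
            findings.append(f"{name}: {value!r} does not match the required pattern")
    return findings

# Constructed sample values (not real identifiers) that satisfy every constraint,
# and a copy with an 11-digit account ID and an unsupported principal type.
GOOD = {"InstanceArn": "arn:aws:sso:::instance/ssoins-1234567890abcdef",
        "PermissionSetArn": "arn:aws:sso:::permissionSet/ssoins-1234567890abcdef/ps-0123456789abcdef",
        "PrincipalId": "f81d4fae-7dec-11d0-a765-00a0c91e6bf6", "PrincipalType": "USER",
        "TargetId": "123456789012", "TargetType": "AWS_ACCOUNT"}
BAD = dict(GOOD, TargetId="12345678901", PrincipalType="ROLE")

if __name__ == "__main__":
    for label, props in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, validate_assignment(props) or "ok")
```

Run it over the Properties of each AWS::SSO::Assignment resource after loading the template with a YAML or JSON parser; a non-empty list for a fully literal block means the stack would be rejected or would grant access to the wrong target.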

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns a generated ID formed by joining all of the resource's property values with the delimiter |.

For more information about using the Ref function, see Ref.

Examples

Creating a new assignment for IAM Identity Center

The following example creates a custom assignment, granting the user "user_id" access to the account "arn:aws:organizations::org_master_id:account/org_id/accountId" with the permission set "PermissionSet".

JSON

    {
      "Assignment": {
        "Type": "AWS::SSO::Assignment",
        "Properties": {
          "InstanceArn": "arn:aws:sso:::instance/ssoins-instanceId",
          "PermissionSetArn": {
            "Fn::GetAtt": [
              "PermissionSet",
              "PermissionSetArn"
            ]
          },
          "TargetId": "accountId",
          "TargetType": "AWS_ACCOUNT",
          "PrincipalType": "USER",
          "PrincipalId": "user_id"
        }
      }
    }

YAML

    Assignment:
      Type: AWS::SSO::Assignment
      Properties:
        InstanceArn: 'arn:aws:sso:::instance/ssoins-instanceId'
        PermissionSetArn: !GetAtt PermissionSet.PermissionSetArn
        TargetId: 'accountId'
        TargetType: 'AWS_ACCOUNT'
        PrincipalType: 'USER'
        PrincipalId: 'user_id'