- Navigation GuideYou are on a Command (operation) page with structural examples. Use the navigation breadcrumb if you would like to return to the Client landing page.
CreateAccountAssignmentCommand
Assigns access to a principal for a specified Amazon Web Services account using a specified permission set.
The term principal here refers to a user or group that is defined in IAM Identity Center.
As part of a successful CreateAccountAssignment
call, the specified permission set will automatically be provisioned to the account in the form of an IAM policy. That policy is attached to the IAM role created in IAM Identity Center. If the permission set is subsequently updated, the corresponding IAM policies attached to roles in your accounts will not be updated automatically. In this case, you must call ProvisionPermissionSet
to make these updates.
After a successful response, call DescribeAccountAssignmentCreationStatus
to describe the status of an assignment creation request.
Example Syntax
Use a bare-bones client and the command you need to make an API call.
import { SSOAdminClient, CreateAccountAssignmentCommand } from "@aws-sdk/client-sso-admin"; // ES Modules import
// const { SSOAdminClient, CreateAccountAssignmentCommand } = require("@aws-sdk/client-sso-admin"); // CommonJS import
const client = new SSOAdminClient(config);
const input = { // CreateAccountAssignmentRequest
InstanceArn: "STRING_VALUE", // required
TargetId: "STRING_VALUE", // required
TargetType: "AWS_ACCOUNT", // required
PermissionSetArn: "STRING_VALUE", // required
PrincipalType: "USER" || "GROUP", // required
PrincipalId: "STRING_VALUE", // required
};
const command = new CreateAccountAssignmentCommand(input);
const response = await client.send(command);
// { // CreateAccountAssignmentResponse
// AccountAssignmentCreationStatus: { // AccountAssignmentOperationStatus
// Status: "IN_PROGRESS" || "FAILED" || "SUCCEEDED",
// RequestId: "STRING_VALUE",
// FailureReason: "STRING_VALUE",
// TargetId: "STRING_VALUE",
// TargetType: "AWS_ACCOUNT",
// PermissionSetArn: "STRING_VALUE",
// PrincipalType: "USER" || "GROUP",
// PrincipalId: "STRING_VALUE",
// CreatedDate: new Date("TIMESTAMP"),
// },
// };
CreateAccountAssignmentCommand Input
Parameter | Type | Description |
---|
Parameter | Type | Description |
---|---|---|
InstanceArn Required | string | undefined | The ARN of the IAM Identity Center instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces in the Amazon Web Services General Reference. |
PermissionSetArn Required | string | undefined | The ARN of the permission set that the admin wants to grant the principal access to. |
PrincipalId Required | string | undefined | An identifier for an object in IAM Identity Center, such as a user or group. PrincipalIds are GUIDs (For example, f81d4fae-7dec-11d0-a765-00a0c91e6bf6). For more information about PrincipalIds in IAM Identity Center, see the IAM Identity Center Identity Store API Reference . |
PrincipalType Required | PrincipalType | undefined | The entity type for which the assignment will be created. |
TargetId Required | string | undefined | TargetID is an Amazon Web Services account identifier, (For example, 123456789012). |
TargetType Required | TargetType | undefined | The entity type for which the assignment will be created. |
CreateAccountAssignmentCommand Output
Parameter | Type | Description |
---|
Parameter | Type | Description |
---|---|---|
$metadata Required | ResponseMetadata | Metadata pertaining to this request. |
AccountAssignmentCreationStatus | AccountAssignmentOperationStatus | undefined | The status object for the account assignment creation operation. |
Throws
Name | Fault | Details |
---|
Name | Fault | Details |
---|---|---|
AccessDeniedException | client | You do not have sufficient access to perform this action. |
ConflictException | client | Occurs when a conflict with a previous successful write is detected. This generally occurs when the previous write did not have time to propagate to the host serving the current request. A retry (with appropriate backoff logic) is the recommended response to this exception. |
InternalServerException | server | The request processing has failed because of an unknown error, exception, or failure with an internal server. |
ResourceNotFoundException | client | Indicates that a requested resource is not found. |
ServiceQuotaExceededException | client | Indicates that the principal has crossed the permitted number of resources that can be created. |
ThrottlingException | client | Indicates that the principal has crossed the throttling limits of the API operations. |
ValidationException | client | The request failed because it contains a syntax error. |
SSOAdminServiceException | Base exception class for all service exceptions from SSOAdmin service. |