CreateAccountAssignmentCommand

Assigns access to a principal for a specified Amazon Web Services account using a specified permission set.

The term principal here refers to a user or group that is defined in IAM Identity Center.

As part of a successful CreateAccountAssignment call, the specified permission set will automatically be provisioned to the account in the form of an IAM policy. That policy is attached to the IAM role created in IAM Identity Center. If the permission set is subsequently updated, the corresponding IAM policies attached to roles in your accounts will not be updated automatically. In this case, you must call ProvisionPermissionSet to make these updates.

After a successful response, call DescribeAccountAssignmentCreationStatus to describe the status of an assignment creation request.

Example Syntax

Use a bare-bones client and the command you need to make an API call.

import { SSOAdminClient, CreateAccountAssignmentCommand } from "@aws-sdk/client-sso-admin"; // ES Modules import
// const { SSOAdminClient, CreateAccountAssignmentCommand } = require("@aws-sdk/client-sso-admin"); // CommonJS import
const client = new SSOAdminClient(config);
const input = { // CreateAccountAssignmentRequest
  InstanceArn: "STRING_VALUE", // required
  TargetId: "STRING_VALUE", // required
  TargetType: "AWS_ACCOUNT", // required
  PermissionSetArn: "STRING_VALUE", // required
  PrincipalType: "USER" || "GROUP", // required
  PrincipalId: "STRING_VALUE", // required
};
const command = new CreateAccountAssignmentCommand(input);
const response = await client.send(command);
// { // CreateAccountAssignmentResponse
//   AccountAssignmentCreationStatus: { // AccountAssignmentOperationStatus
//     Status: "IN_PROGRESS" || "FAILED" || "SUCCEEDED",
//     RequestId: "STRING_VALUE",
//     FailureReason: "STRING_VALUE",
//     TargetId: "STRING_VALUE",
//     TargetType: "AWS_ACCOUNT",
//     PermissionSetArn: "STRING_VALUE",
//     PrincipalType: "USER" || "GROUP",
//     PrincipalId: "STRING_VALUE",
//     CreatedDate: new Date("TIMESTAMP"),
//   },
// };

CreateAccountAssignmentCommand Input

Parameter
Type
Description
InstanceArn
Required
string | undefined

The ARN of the IAM Identity Center instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces  in the Amazon Web Services General Reference.

PermissionSetArn
Required
string | undefined

The ARN of the permission set that the admin wants to grant the principal access to.

PrincipalId
Required
string | undefined

An identifier for an object in IAM Identity Center, such as a user or group. PrincipalIds are GUIDs (For example, f81d4fae-7dec-11d0-a765-00a0c91e6bf6). For more information about PrincipalIds in IAM Identity Center, see the IAM Identity Center Identity Store API Reference .

PrincipalType
Required
PrincipalType | undefined

The entity type for which the assignment will be created.

TargetId
Required
string | undefined

TargetID is an Amazon Web Services account identifier, (For example, 123456789012).

TargetType
Required
TargetType | undefined

The entity type for which the assignment will be created.

CreateAccountAssignmentCommand Output

Parameter
Type
Description
$metadata
Required
ResponseMetadata
Metadata pertaining to this request.
AccountAssignmentCreationStatus
AccountAssignmentOperationStatus | undefined

The status object for the account assignment creation operation.

Throws

Name
Fault
Details
AccessDeniedException
client

You do not have sufficient access to perform this action.

ConflictException
client

Occurs when a conflict with a previous successful write is detected. This generally occurs when the previous write did not have time to propagate to the host serving the current request. A retry (with appropriate backoff logic) is the recommended response to this exception.

InternalServerException
server

The request processing has failed because of an unknown error, exception, or failure with an internal server.

ResourceNotFoundException
client

Indicates that a requested resource is not found.

ServiceQuotaExceededException
client

Indicates that the principal has crossed the permitted number of resources that can be created.

ThrottlingException
client

Indicates that the principal has crossed the throttling limits of the API operations.

ValidationException
client

The request failed because it contains a syntax error.

SSOAdminServiceException
Base exception class for all service exceptions from SSOAdmin service.