Create a permission set - AWS Single Sign-On

Create a permission set

Use this procedure to create a predefined permission set that uses a single AWS managed policy, or a custom permission set that uses up to 10 AWS managed policies and an inline policy.

To create a permission set

  1. Open the AWS SSO console.

  2. Choose Permission sets.

  3. Choose Create permission set.

  4. On the Select permission set type page, under Permission set type, select a permission set type.

  5. Specify one or more policies as required for the permission set, based on the permission set type:

    • Predefined permission set

      1. Choose Predefined permission set.

      2. Under Policy for predefined permission set, select an AWS managed policy.

        For more information, see AWS managed policies.

      3. Choose Next.

    • Custom permission set

      1. Choose Custom permission set, and then choose Next.

      2. On the Specify policies page, do either or both of the following:

        • To specify one or more AWS managed policies, expand AWS managed policies, and then select up to 10 policies from the list.

        • To specify an inline policy, expand Inline policy, and then create or paste a policy document that specifies custom permissions. For a list of example policies to use for delegating AWS SSO tasks, see Custom policy examples.

          When you create a JSON policy or edit an existing policy, the policy is validated automatically. If the policy syntax is not valid, you receive a notification and must fix the problem before you can continue. The findings from the policy validation are returned automatically only if you have the access-analyzer:ValidatePolicy permission.

      3. Choose Next.

  6. On the Specify permission set details page, do the following:

    1. Under Permission set name, type a name to identify this permission set in AWS SSO. The name that you specify for this permission set appears in the AWS SSO user portal as an available role. Users sign in to the user portal, choose an AWS account, and then choose the role.

    2. (Optional) You can also type a description. The description appears in the AWS SSO console only, not the user portal.

    3. (Optional) Specify the value for Session duration. This value determines the length of time that a user can be logged on before the console logs them out of their session. For more information, see Set session duration.

    4. (Optional) Specify the value for Relay state. This value is used in the federation process to redirect users within the account. For more information, see Set relay state.

    5. Expand Tags (optional), choose Add tag, and then specify values for Key and Value (optional).

      For information about tags, see Tagging AWS Single Sign-On resources.

    6. Choose Next.

  7. On the Review and create page, review the selections that you made, and then choose Create.

  8. By default, when you create a permission set, the permission set isn't provisioned (that is, it isn't used in any AWS account yet). To provision a permission set in an AWS account, you must assign AWS SSO access to users and groups in the account, and then apply the permission set to those users and groups. For more information, see Single sign-on access.
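The following is an added example, not code from this guide or from AWS. It is a local pre-flight check for the inputs you enter in steps 5 and 6 of a custom permission set: the limit of 10 AWS managed policies stated above, the shape of the inline policy document, and the session duration. It also flags an inline statement that allows all actions on all resources, because a permission set is applied to every account it is assigned in and such a statement grants full administrative access there. The 1 to 12 hour session-duration range and the ARN pattern for AWS managed policies are assumptions taken from the sso-admin API rather than from this page; the policy checks are a small local lint and do not replace the Access Analyzer validation that the console performs. The `provision` function at the end shows the equivalent sso-admin API calls and is only needed if you create the permission set programmatically instead of through the console.

```python
"""Pre-flight checks for a custom AWS SSO permission set definition.

Added example; not part of the AWS documentation or the AWS SDK.
"""
from __future__ import annotations

import json
import re

MAX_MANAGED_POLICIES = 10  # limit stated in the procedure above
# ISO 8601 duration such as PT8H or PT1H30M (format used by the sso-admin API; assumption)
SESSION_DURATION_RE = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?$")
# AWS managed policies live in the "aws" pseudo-account of the IAM namespace (assumption)
AWS_MANAGED_ARN_RE = re.compile(r"^arn:aws[\w-]*:iam::aws:policy/.+")


def _as_list(value):
    """IAM allows a string or a list of strings in Action/Resource fields."""
    return value if isinstance(value, list) else [value]


def validate_inline_policy(policy_json: str) -> list[str]:
    """Return findings for an identity-based policy document; empty list means it passed."""
    findings: list[str] = []
    try:
        policy = json.loads(policy_json)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} at line {exc.lineno}"]
    if policy.get("Version") != "2012-10-17":
        findings.append("Version should be '2012-10-17'")
    statements = policy.get("Statement")
    if isinstance(statements, dict):
        statements = [statements]
    if not isinstance(statements, list) or not statements:
        return findings + ["Statement must be a non-empty list"]
    for i, stmt in enumerate(statements):
        where = f"Statement[{i}]"
        if stmt.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"{where}: Effect must be Allow or Deny")
        if "Action" not in stmt and "NotAction" not in stmt:
            findings.append(f"{where}: missing Action or NotAction")
        if "Resource" not in stmt and "NotResource" not in stmt:
            findings.append(f"{where}: missing Resource or NotResource")
        if "Principal" in stmt or "NotPrincipal" in stmt:
            findings.append(f"{where}: Principal is not valid in an identity-based policy")
        # Least-privilege warning: Allow "*" on "*" is full admin in every assigned account.
        if (stmt.get("Effect") == "Allow"
                and "*" in _as_list(stmt.get("Action", []))
                and "*" in _as_list(stmt.get("Resource", []))):
            findings.append(f"{where}: WARNING Allow */* grants full admin access")
    return findings


def validate_managed_policies(arns: list[str]) -> list[str]:
    """Enforce the 10-policy limit and check that each ARN is an AWS managed policy."""
    findings: list[str] = []
    if len(arns) > MAX_MANAGED_POLICIES:
        findings.append(f"{len(arns)} managed policies selected; the limit is {MAX_MANAGED_POLICIES}")
    findings += [f"{arn!r} is not an AWS managed policy ARN" for arn in arns
                 if not AWS_MANAGED_ARN_RE.match(arn)]
    return findings


def validate_session_duration(value: str) -> list[str]:
    """Session duration must be an ISO 8601 duration between 1 and 12 hours (assumption)."""
    match = SESSION_DURATION_RE.match(value)
    if not match:
        return [f"session duration {value!r} is not an ISO 8601 duration such as PT8H"]
    hours = int(match.group(1) or 0) + int(match.group(2) or 0) / 60
    if not 1 <= hours <= 12:
        return [f"session duration {value!r} must be between PT1H and PT12H"]
    return []


def check_permission_set(spec: dict) -> list[str]:
    """Run every check over one permission set definition and collect the findings."""
    return (validate_managed_policies(spec.get("ManagedPolicyArns", []))
            + validate_inline_policy(spec.get("InlinePolicy", "{}"))
            + validate_session_duration(spec.get("SessionDuration", "PT1H")))


# Constructed sample definition: read-only access plus one cost-explorer action.
SAMPLE_SPEC = {
    "Name": "ReadOnlyPlusCostExplorer",
    "ManagedPolicyArns": ["arn:aws:iam::aws:policy/ReadOnlyAccess"],
    "InlinePolicy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "ce:GetCostAndUsage", "Resource": "*"}],
    }),
    "SessionDuration": "PT4H",
}


def provision(instance_arn: str, spec: dict) -> str:
    """Create the permission set with the sso-admin API (requires boto3 and credentials).

    instance_arn is the ARN of your AWS SSO instance; it is not embedded here.
    """
    import boto3  # imported lazily so the checks above run without the SDK

    findings = check_permission_set(spec)
    if findings:
        raise ValueError("\n".join(findings))
    client = boto3.client("sso-admin")
    ps_arn = client.create_permission_set(
        InstanceArn=instance_arn, Name=spec["Name"], SessionDuration=spec["SessionDuration"],
    )["PermissionSet"]["PermissionSetArn"]
    for arn in spec["ManagedPolicyArns"]:
        client.attach_managed_policy_to_permission_set(
            InstanceArn=instance_arn, PermissionSetArn=ps_arn, ManagedPolicyArn=arn)
    client.put_inline_policy_to_permission_set(
        InstanceArn=instance_arn, PermissionSetArn=ps_arn, InlinePolicy=spec["InlinePolicy"])
    return ps_arn


if __name__ == "__main__":
    for finding in check_permission_set(SAMPLE_SPEC) or ["no findings"]:
        print(finding)
```

Run the checks against your own definition before pasting it into the console; the console's Access Analyzer validation still has the final say, and as in step 8 the permission set does nothing until it is assigned to users or groups in an account.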