AWS Single Sign-On
User Guide

Using Identity-Based Policies (IAM Policies) for AWS SSO

This topic provides examples of permissions policies that an account administrator can attach to IAM identities (that is, users, groups, and roles).

Important

We recommend that you first review the introductory topics that explain the basic concepts and options available for you to manage access to your AWS SSO resources. For more information, see Overview of Managing Access Permissions to Your AWS SSO Resources.

The sections in this topic cover the following:

  • Permissions Required to Use the AWS SSO Console

  • AWS Managed (Predefined) Policies for AWS SSO

  • Customer Managed Policy Examples

The following shows an example of a permissions policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "sso:CreateApplicationInstance",
        "sso:UpdateResponseConfig",
        "sso:UpdateResponseSchemaConfig",
        "sso:UpdateSecurityConfig",
        "sso:UpdateServiceProviderConfig",
        "sso:UpdateApplicationInstanceStatus",
        "sso:UpdateApplicationInstanceDisplay",
        "sso:CreateProfile",
        "sso:SetupTrust"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "organizations:xxx",
        "organizations:yyy"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "ds:AuthorizeApplication"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

The policy includes the following:

  • The first statement grants permission to manage profile associations to users and groups within your directory. It also grants permission to read all of the AWS SSO resources.

  • The second statement grants permissions to search the directory for users and groups. This is required before you can create profile associations.

The policy doesn't specify the Principal element because in an identity-based policy you don't specify the principal who gets the permission. When you attach a policy to a user, the user is the implicit principal. When you attach a permission policy to an IAM role, the principal identified in the role's trust policy gets the permissions.

Permissions Required to Use the AWS SSO Console

For a user to work with the AWS SSO console, that user must have the permissions listed in the preceding policy.

If you create an IAM policy that is more restrictive than the minimum required permissions, the console won't function as intended for users with that IAM policy.
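Whether a candidate identity-based policy is "more restrictive than the minimum" can be checked mechanically. The following added example (not part of the AWS documentation) evaluates the Action, NotAction and Effect elements of a policy document against a required action set, using the two actions from Example 6 on this page as the assumed minimum; it ignores Resource and Condition, since every policy on this page uses "Resource": "*" with no conditions.

```python
import fnmatch
import json

# Assumed minimum: the actions Example 6 grants for the Add Application wizard.
REQUIRED_ACTIONS = ["sso:ListApplicationTemplates", "sso:GetApplicationTemplate"]


def _as_list(value):
    """IAM allows Action, NotAction and Statement to be a single value or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _matches(patterns, action):
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def statement_verdict(stmt, action):
    """Return "Allow", "Deny" or None for one statement applied to one action."""
    if "Action" in stmt:
        applies = _matches(_as_list(stmt["Action"]), action)
    else:
        # NotAction: the statement applies to every action NOT listed.
        applies = not _matches(_as_list(stmt.get("NotAction")), action)
    return stmt.get("Effect") if applies else None


def missing_actions(policy_json, required=REQUIRED_ACTIONS):
    """Required actions the policy does not grant; an explicit Deny always wins."""
    statements = _as_list(json.loads(policy_json)["Statement"])
    if any("Principal" in s for s in statements):
        # Identity-based policies name no principal; the attached identity is implicit.
        raise ValueError("identity-based policies must not carry a Principal element")
    missing = []
    for action in required:
        verdicts = {statement_verdict(s, action) for s in statements}
        if "Deny" in verdicts or "Allow" not in verdicts:
            missing.append(action)
    return missing
```

An empty result means the policy covers the assumed minimum; each action returned is one the console would be unable to call for that identity.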

AWS Managed (Predefined) Policies for AWS SSO

AWS addresses many common use cases by providing standalone IAM policies that are created and administered by AWS. Managed policies grant necessary permissions for common use cases so you can avoid having to investigate what permissions are needed. For more information, see AWS Managed Policies in the IAM User Guide.

Customer Managed Policy Examples

In this section, you can find example user policies that grant permissions for various AWS SSO actions.

Example 1: Allow a User to Set Up and Enable AWS SSO

The following permissions policy allows a user to open the AWS SSO console and enable the service. Doing so also requires permissions such as those granted to the AWS Organizations master account (the organizations actions in the second statement).

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sso:StartSSO",
        "sso:GetSSOStatus"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeAccount",
        "organizations:EnableAWSServiceAccess"
      ],
      "Resource": "*"
    }
  ]
}

Example 2: Allow a User to Manage Your AWS SSO Connected Directory

The following permissions policy grants permissions to a user to manage your connected directory.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sso:AssociateDirectory",
        "sso:DisassociateDirectory",
        "sso:ListDirectoryAssociations",
        "sso:UpdateDirectoryAssociation"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ds:DescribeDirectories"
      ],
      "Resource": "*"
    }
  ]
}

Example 3: Allow a User to Manage Applications in AWS SSO

The following permissions policy grants permissions to allow a user to create and manage application instances, profiles, and certificates in the AWS SSO console.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sso:ListApplicationTemplates",
        "sso:GetApplicationTemplate",
        "sso:ListApplicationInstances",
        "sso:GetApplicationInstance",
        "sso:CreateApplicationInstance",
        "sso:UpdateApplicationInstanceStatus",
        "sso:UpdateApplicationInstanceDisplayData",
        "sso:UpdateApplicationInstanceServiceProviderConfiguration",
        "sso:UpdateApplicationInstanceResponseConfiguration",
        "sso:UpdateApplicationInstanceResponseSchemaConfiguration",
        "sso:UpdateApplicationInstanceSecurityConfiguration",
        "sso:DeleteApplicationInstance",
        "sso:ImportApplicationInstanceServiceProviderMetadata",
        "sso:CreateProfile",
        "sso:UpdateProfile",
        "sso:DeleteProfile",
        "sso:GetProfile",
        "sso:ListProfiles",
        "sso:ListApplicationInstanceCertificates",
        "sso:CreateApplicationInstanceCertificate",
        "sso:UpdateApplicationInstanceActiveCertificate",
        "sso:DeleteApplicationInstanceCertificate"
      ],
      "Resource": "*"
    }
  ]
}

Example 4: Allow a User to Manage Permissions for Your AWS Accounts in AWS SSO

The following permissions policy grants permissions to allow a user to create and manage permission sets for your AWS accounts in the AWS SSO console.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sso:ListApplicationInstances",
        "sso:GetApplicationInstance",
        "sso:CreateApplicationInstance",
        "sso:UpdateApplicationInstanceStatus",
        "sso:UpdateApplicationInstanceDisplayData",
        "sso:UpdateApplicationInstanceServiceProviderConfiguration",
        "sso:UpdateApplicationInstanceResponseConfiguration",
        "sso:UpdateApplicationInstanceResponseSchemaConfiguration",
        "sso:UpdateApplicationInstanceSecurityConfiguration",
        "sso:DeleteApplicationInstance",
        "sso:ImportApplicationInstanceServiceProviderMetadata",
        "sso:CreateProfile",
        "sso:UpdateProfile",
        "sso:DeleteProfile",
        "sso:GetProfile",
        "sso:ListProfiles",
        "sso:ListApplicationInstanceCertificates",
        "sso:CreateApplicationInstanceCertificate",
        "sso:UpdateApplicationInstanceActiveCertificate",
        "sso:DeleteApplicationInstanceCertificate",
        "sso:CreatePermissionSet",
        "sso:GetPermissionSet",
        "sso:ListPermissionSets",
        "sso:DeletePermissionSet",
        "sso:PutPermissionsPolicy",
        "sso:DeletePermissionsPolicy",
        "sso:DescribePermissionsPolicies",
        "sso:GetTrust",
        "sso:CreateTrust",
        "sso:UpdateTrust",
        "sso:DeleteTrust"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeOrganization"
      ],
      "Resource": "*"
    }
  ]
}

Example 5: Allow a User to Manage Access for Your Applications in AWS SSO

The following permissions policy grants permissions to allow a user to manage who can access your applications in the AWS SSO console.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sso:ListApplicationInstances",
        "sso:ListProfileAssociations",
        "sso:AssociateProfile",
        "sso:DisassociateProfile"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ds:DescribeDirectories"
      ],
      "Resource": "*"
    }
  ]
}

Example 6: Allow a User to Find Which Cloud Applications Are Preintegrated with AWS SSO

The following permissions policy allows a user to find which cloud applications are preintegrated with AWS SSO using the Add Application wizard.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sso:ListApplicationTemplates",
        "sso:GetApplicationTemplate"
      ],
      "Resource": "*"
    }
  ]
}