Delegate permission set administration - AWS IAM Identity Center (successor to AWS Single Sign-On)

Delegate permission set administration

IAM Identity Center enables you to delegate management of permission sets and assignments in accounts by creating IAM policies that reference the Amazon Resource Names (ARNs) of IAM Identity Center resources. For example, you can create policies that enable different administrators to manage assignments in specified accounts for permission sets with specific tags.

You can use either of the following methods to create these types of policies.

  • (Recommended) Create permission sets in IAM Identity Center, each with a different policy, and assign the permission sets to different users or groups. This enables you to manage administrative permissions for users who sign in using your chosen IAM Identity Center identity source.

  • Create custom policies in IAM, and then attach them to IAM roles that your administrators assume to get their assigned IAM Identity Center administrative permissions. For information about roles, see IAM roles.


IAM Identity Center resource ARNs are case sensitive.

The following shows the proper case for referencing the IAM Identity Center permission set and account resource types.

Resource type    ARN                                                                      Context keys
PermissionSet    arn:${Partition}:sso:::permissionSet/${InstanceId}/${PermissionSetId}    aws:ResourceTag/${TagKey}
Account          arn:${Partition}:sso:::account/${AccountId}                              Not applicable
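The following is an added example, not code from the AWS documentation. It builds the kind of delegated-administrator policy described above (assignment management in listed accounts, restricted to permission sets carrying a given tag) and then lints every Identity Center ARN in it against the case-sensitive formats from the table, so that a mis-cased ARN such as permissionset/... is caught before the policy is attached rather than silently failing to match at evaluation time. The instance ARN format (arn:${Partition}:sso:::instance/${InstanceId}) is not listed in the table on this page and is used here as an assumption; the instance ID, permission set ID, account IDs and tag values are constructed sample data.

```python
"""Build a scoped IAM Identity Center delegation policy and lint its ARNs.

Added example; not code from the AWS documentation. The instance ARN format
and all sample IDs below are assumptions / constructed sample data.
"""
import json
import re

# Resource ARN formats from the page's table. These ARNs are case sensitive:
# "permissionSet" has a capital S and "account" is all lower case.
_PARTITION = r"(aws|aws-cn|aws-us-gov)"
PERMISSION_SET_ARN = re.compile(
    rf"^arn:{_PARTITION}:sso:::permissionSet/(ssoins-[0-9a-z]+|\*)/(ps-[0-9a-z]+|\*)$"
)
ACCOUNT_ARN = re.compile(rf"^arn:{_PARTITION}:sso:::account/([0-9]{{12}}|\*)$")
# Assumption: the instance ARN uses the same arn:<partition>:sso::: prefix.
INSTANCE_ARN = re.compile(rf"^arn:{_PARTITION}:sso:::instance/(ssoins-[0-9a-z]+|\*)$")
# Anything with this prefix is an Identity Center ARN and must match one of the above.
IDC_PREFIX = re.compile(r"^arn:[^:]*:sso:::")


def build_delegated_admin_policy(partition, instance_id, account_ids, tag_key, tag_value):
    """Return an IAM policy (dict) that lets a delegated administrator create and
    delete assignments in account_ids, but only for permission sets tagged
    tag_key=tag_value.

    Assignment actions are authorized against three resources (instance,
    permission set, account). The tag condition is placed only on the
    permission-set statement, because the table marks aws:ResourceTag as not
    applicable to account resources; IAM authorizes each resource separately,
    so the two statements together cover one request.
    """
    actions = ["sso:CreateAccountAssignment", "sso:DeleteAccountAssignment"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AssignOnlyTaggedPermissionSets",
                "Effect": "Allow",
                "Action": actions,
                "Resource": [f"arn:{partition}:sso:::permissionSet/{instance_id}/*"],
                "Condition": {"StringEquals": {f"aws:ResourceTag/{tag_key}": tag_value}},
            },
            {
                "Sid": "AssignOnlyInDelegatedAccounts",
                "Effect": "Allow",
                "Action": actions,
                "Resource": [f"arn:{partition}:sso:::instance/{instance_id}"]
                + [f"arn:{partition}:sso:::account/{acct}" for acct in account_ids],
            },
        ],
    }


def lint_identity_center_arns(policy):
    """Return a list of problems for Identity Center ARNs that do not match the
    documented case-sensitive resource formats. An empty list means clean."""
    problems = []
    for stmt in policy["Statement"]:
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for arn in resources:
            if not IDC_PREFIX.match(arn):
                continue  # not an Identity Center ARN; out of scope for this lint
            if not any(p.match(arn) for p in (PERMISSION_SET_ARN, ACCOUNT_ARN, INSTANCE_ARN)):
                problems.append(
                    f"{stmt.get('Sid', '<no Sid>')}: {arn!r} is not a recognised "
                    "Identity Center resource ARN (check the case of the resource type)"
                )
    return problems


if __name__ == "__main__":
    # Constructed sample values; replace with your own instance and accounts.
    policy = build_delegated_admin_policy(
        "aws", "ssoins-1234567890abcdef", ["111122223333", "444455556666"], "ops", "Dev"
    )
    print(json.dumps(policy, indent=2))
    print("lint:", lint_identity_center_arns(policy) or "clean")
```

Run the lint on any hand-written delegation policy before attaching it: a resource written as arn:aws:sso:::permissionset/... or arn:aws:sso:::Account/... is syntactically plausible, so IAM accepts the policy, but it never matches the real resource and the delegate's effective permissions are not what the policy author intended.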