AWS::SSO::Assignment
Assigns access to a Principal for a specified Amazon Web Services account using a specified permission set.
Note
The term principal here refers to a user or group that is defined in IAM Identity Center.
Syntax
To declare this entity in your Amazon CloudFormation template, use the following syntax:
JSON
```json
{
  "Type" : "AWS::SSO::Assignment",
  "Properties" : {
      "InstanceArn" : String,
      "PermissionSetArn" : String,
      "PrincipalId" : String,
      "PrincipalType" : String,
      "TargetId" : String,
      "TargetType" : String
    }
}
```
YAML
```yaml
Type: AWS::SSO::Assignment
Properties:
  InstanceArn: String
  PermissionSetArn: String
  PrincipalId: String
  PrincipalType: String
  TargetId: String
  TargetType: String
```
Properties
- InstanceArn
  The ARN of the IAM Identity Center instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and Amazon Service Namespaces in the Amazon General Reference.
  Required: Yes
  Type: String
  Pattern: arn:(aws|aws-us-gov|aws-cn|aws-iso|aws-iso-b):sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}
  Minimum: 10
  Maximum: 1224
  Update requires: Replacement
- PermissionSetArn
  The ARN of the permission set.
  Required: Yes
  Type: String
  Pattern: arn:(aws|aws-us-gov|aws-cn|aws-iso|aws-iso-b):sso:::permissionSet/(sso)?ins-[a-zA-Z0-9-.]{16}/ps-[a-zA-Z0-9-./]{16}
  Minimum: 10
  Maximum: 1224
  Update requires: Replacement
- PrincipalId
  An identifier for an object in IAM Identity Center, such as a user or group. PrincipalIds are GUIDs (for example, f81d4fae-7dec-11d0-a765-00a0c91e6bf6). For more information about PrincipalIds in IAM Identity Center, see the IAM Identity Center Identity Store API Reference.
  Required: Yes
  Type: String
  Pattern: ^([0-9a-f]{10}-|)[A-Fa-f0-9]{8}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{12}$
  Minimum: 1
  Maximum: 47
  Update requires: Replacement
- PrincipalType
  The entity type for which the assignment will be created.
  Required: Yes
  Type: String
  Allowed values: USER | GROUP
  Update requires: Replacement
- TargetId
  TargetId is an Amazon Web Services account identifier (for example, 123456789012).
  Required: Yes
  Type: String
  Pattern: \d{12}
  Update requires: Replacement
- TargetType
  The entity type for which the assignment will be created.
  Required: Yes
  Type: String
  Allowed values: AWS_ACCOUNT
  Update requires: Replacement
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns a generated ID that combines all fields, separated by the delimiter |.
For more information about using the Ref function, see Ref.
Examples
Creating a new assignment for IAM Identity Center
The following example creates a custom assignment, assigning the user "user_id" access to account "arn:aws:organizations::org_master_id:account/org_id/accountId" with the permissions "PermissionSet".
JSON
```json
{
    "Assignment": {
        "Type": "AWS::SSO::Assignment",
        "Properties": {
            "InstanceArn": "arn:aws:sso:::instance/ssoins-instanceId",
            "PermissionSetArn": {
                "Fn::GetAtt": [
                    "PermissionSet",
                    "PermissionSetArn"
                ]
            },
            "TargetId": "accountId",
            "TargetType": "AWS_ACCOUNT",
            "PrincipalType": "USER",
            "PrincipalId": "user_id"
        }
    }
}
```
YAML
```yaml
Assignment:
  Type: AWS::SSO::Assignment
  Properties:
    InstanceArn: 'arn:aws:sso:::instance/ssoins-instanceId'
    PermissionSetArn: !GetAtt PermissionSet.PermissionSetArn
    TargetId: 'accountId'
    TargetType: 'AWS_ACCOUNT'
    PrincipalType: 'USER'
    PrincipalId: 'user_id'
```
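Because every property of this resource is replacement-only, it helps to catch malformed values before deployment. The following pre-deployment lint applies the patterns and allowed values listed under Properties to a parsed template; it is an added example, not part of the original reference or of any AWS tooling. The function name `lint_assignments`, the sample template and the instance-ID consistency check are assumptions made for illustration.

```python
import re

# Patterns and allowed values copied from the Properties section of this page.
ARN = r"arn:(aws|aws-us-gov|aws-cn|aws-iso|aws-iso-b):sso:::"
RULES = {
    "InstanceArn": ARN + r"instance/(sso)?ins-[a-zA-Z0-9-.]{16}",
    "PermissionSetArn": ARN + r"permissionSet/(sso)?ins-[a-zA-Z0-9-.]{16}/ps-[a-zA-Z0-9-./]{16}",
    "PrincipalId": r"([0-9a-f]{10}-|)[A-Fa-f0-9]{8}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{12}",
    "PrincipalType": r"USER|GROUP",
    "TargetId": r"\d{12}",
    "TargetType": r"AWS_ACCOUNT",
}

def lint_assignments(template):
    """Return (logical_id, property, problem) for each AWS::SSO::Assignment issue."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::SSO::Assignment":
            continue
        props = res.get("Properties", {})
        for prop, pattern in RULES.items():
            value = props.get(prop)
            if value is None:
                findings.append((name, prop, "missing required property"))
            elif isinstance(value, dict):
                continue  # intrinsic function (Ref, Fn::GetAtt): resolved at deploy time
            elif not re.fullmatch(pattern, str(value)):
                findings.append((name, prop, "does not match documented pattern"))
        # Added check (assumption, not on the page): both ARNs should name the same instance.
        inst, ps = props.get("InstanceArn"), props.get("PermissionSetArn")
        if isinstance(inst, str) and isinstance(ps, str):
            if inst.rsplit("/", 1)[-1] not in ps.split("/"):
                findings.append((name, "PermissionSetArn", "names a different instance"))
    return findings

# Constructed sample: IDs are made up; the GUID is the page's own example.
SAMPLE = {"Resources": {
    "Good": {"Type": "AWS::SSO::Assignment", "Properties": {
        "InstanceArn": "arn:aws:sso:::instance/ssoins-1234567890abcdef",
        "PermissionSetArn": {"Fn::GetAtt": ["PermissionSet", "PermissionSetArn"]},
        "PrincipalId": "f81d4fae-7dec-11d0-a765-00a0c91e6bf6",
        "PrincipalType": "GROUP", "TargetId": "123456789012", "TargetType": "AWS_ACCOUNT"}},
    "Bad": {"Type": "AWS::SSO::Assignment", "Properties": {
        "InstanceArn": "arn:aws:sso:::instance/ssoins-1234567890abcdef",
        "PermissionSetArn": "arn:aws:sso:::permissionSet/ssoins-fedcba0987654321/ps-abcdef1234567890",
        "PrincipalId": "user_id", "PrincipalType": "USER",
        "TargetId": "accountId", "TargetType": "Amazon_ACCOUNT"}},
}}
print(*lint_assignments(SAMPLE), sep="\n")
```

Values supplied through intrinsic functions are skipped rather than flagged, so a clean result covers only the literal values in the template.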