View a markdown version of this page

Actions, resources, and condition keys for Amazon IAM Identity Center - Service Authorization Reference
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Actions, resources, and condition keys for Amazon IAM Identity Center

Amazon IAM Identity Center (service prefix: sso) provides the following service-specific operations, resources, actions, and condition keys for use in IAM permission policies.

References:

API operations defined by Amazon IAM Identity Center

The following table maps API operations to the IAM actions they authorize. Only condition keys that have static values for the given API and action are listed; for the full set of condition keys supported by each action, see the Actions table.

Operation SDK client IAM action Condition key Possible value(s) Access level

AddRegion

sso-admin

sso:AddRegion

Write

AttachCustomerManagedPolicyReferenceToPermissionSet

sso-admin

sso:AttachCustomerManagedPolicyReferenceToPermissionSet

Permissions management, Write

AttachManagedPolicyToPermissionSet

sso-admin

sso:AttachManagedPolicyToPermissionSet

Permissions management, Write

sso:PutPermissionsPolicy

Permissions management, Write

CreateAccountAssignment

sso-admin

sso:AssociateProfile

Write

sso:CreateAccountAssignment

Write

sso:CreateApplicationInstance

Write

sso:CreateProfile

Write

sso:CreateTrust

Write

sso:GetApplicationInstance

Read

sso:GetProfile

Read

sso:GetTrust

Read

sso:UpdateProfile

Write

sso:UpdateTrust

Write

CreateApplication

sso-admin

sso:CreateApplication

Write

sso:CreateApplicationInstance

Write

sso:CreateManagedApplicationInstance

Write

sso:PutApplicationAssignmentConfiguration

Write

sso:TagResource

Tagging, Write

CreateApplicationAssignment

sso-admin

sso:AssociateProfile

Write

sso:CreateApplicationAssignment

Write

CreateInstance

sso-admin

sso:CreateInstance

Write

sso:TagResource

Tagging, Write

CreateInstanceAccessControlAttributeConfiguration

sso-admin

sso:CreateInstanceAccessControlAttributeConfiguration

Write

CreatePermissionSet

sso-admin

sso:CreatePermissionSet

Write

sso:TagResource

Tagging, Write

CreateTrustedTokenIssuer

sso-admin

sso:CreateTrustedTokenIssuer

Write

sso:TagResource

Tagging, Write

DeleteAccountAssignment

sso-admin

sso:DeleteAccountAssignment

Write

sso:DeleteProfile

Write

DeleteApplication

sso-admin

sso:DeleteApplication

Write

sso:DeleteApplicationInstance

Write

sso:DeleteManagedApplicationInstance

Write

DeleteApplicationAccessScope

sso-admin

sso:DeleteApplicationAccessScope

Write

DeleteApplicationAssignment

sso-admin

sso:DeleteApplicationAssignment

Write

sso:DisassociateProfile

Write

DeleteApplicationAuthenticationMethod

sso-admin

sso:DeleteApplicationAuthenticationMethod

Write

DeleteApplicationGrant

sso-admin

sso:DeleteApplicationGrant

Write

DeleteInlinePolicyFromPermissionSet

sso-admin

sso:DeleteInlinePolicyFromPermissionSet

Write

DeleteInstance

sso-admin

sso:DeleteInstance

Write

sso:StartSSO

Write

DeleteInstanceAccessControlAttributeConfiguration

sso-admin

sso:DeleteInstanceAccessControlAttributeConfiguration

Write

DeletePermissionSet

sso-admin

sso:DeletePermissionSet

Write

DeletePermissionsBoundaryFromPermissionSet

sso-admin

sso:DeletePermissionsBoundaryFromPermissionSet

Permissions management, Write

DeleteTrustedTokenIssuer

sso-admin

sso:DeleteTrustedTokenIssuer

Write

DescribeAccountAssignmentCreationStatus

sso-admin

sso:DescribeAccountAssignmentCreationStatus

Read

DescribeAccountAssignmentDeletionStatus

sso-admin

sso:DescribeAccountAssignmentDeletionStatus

Read

DescribeApplication

sso-admin

sso:DescribeApplication

Read

sso:GetApplicationInstance

Read

sso:GetManagedApplicationInstance

Read

DescribeApplicationAssignment

sso-admin

sso:DescribeApplicationAssignment

Read

DescribeApplicationProvider

sso-admin

sso:DescribeApplicationProvider

Read

sso:GetApplicationTemplate

Read

DescribeInstance

sso-admin

sso:DescribeInstance

Read

sso:GetSharedSsoConfiguration

Read

sso:ListDirectoryAssociations

Read

DescribeInstanceAccessControlAttributeConfiguration

sso-admin

sso:DescribeInstanceAccessControlAttributeConfiguration

Read

DescribePermissionSet

sso-admin

sso:DescribePermissionSet

Read

sso:GetPermissionSet

Read

DescribePermissionSetProvisioningStatus

sso-admin

sso:DescribePermissionSetProvisioningStatus

Read

DescribeRegion

sso-admin

sso:DescribeRegion

Read

DescribeTrustedTokenIssuer

sso-admin

sso:DescribeTrustedTokenIssuer

Read

DetachCustomerManagedPolicyReferenceFromPermissionSet

sso-admin

sso:DetachCustomerManagedPolicyReferenceFromPermissionSet

Permissions management, Write

DetachManagedPolicyFromPermissionSet

sso-admin

sso:DetachManagedPolicyFromPermissionSet

Permissions management, Write

GetApplicationAccessScope

sso-admin

sso:GetApplicationAccessScope

Read

GetApplicationAssignmentConfiguration

sso-admin

sso:GetApplicationAssignmentConfiguration

Read

GetApplicationAuthenticationMethod

sso-admin

sso:GetApplicationAuthenticationMethod

Read

GetApplicationGrant

sso-admin

sso:GetApplicationGrant

Read

GetApplicationSessionConfiguration

sso-admin

sso:GetApplicationSessionConfiguration

Read

GetInlinePolicyForPermissionSet

sso-admin

sso:GetInlinePolicyForPermissionSet

Read

GetPermissionsBoundaryForPermissionSet

sso-admin

sso:GetPermissionsBoundaryForPermissionSet

Read

ListAccountAssignmentCreationStatus

sso-admin

sso:ListAccountAssignmentCreationStatus

List

ListAccountAssignmentDeletionStatus

sso-admin

sso:ListAccountAssignmentDeletionStatus

List

ListAccountAssignments

sso-admin

sso:ListAccountAssignments

List

sso:ListProfileAssociations

Read

ListAccountAssignmentsForPrincipal

sso-admin

sso:ListAccountAssignmentsForPrincipal

List

ListAccountsForProvisionedPermissionSet

sso-admin

sso:GetApplicationInstance

Read

sso:ListAccountsForProvisionedPermissionSet

List

sso:ListApplicationInstances

List

ListApplicationAccessScopes

sso-admin

sso:ListApplicationAccessScopes

List

ListApplicationAssignments

sso-admin

sso:ListApplicationAssignments

List

sso:ListProfileAssociations

Read

ListApplicationAssignmentsForPrincipal

sso-admin

sso:ListApplicationAssignmentsForPrincipal

List

ListApplicationAuthenticationMethods

sso-admin

sso:ListApplicationAuthenticationMethods

List

ListApplicationGrants

sso-admin

sso:ListApplicationGrants

List

ListApplicationProviders

sso-admin

sso:GetApplicationTemplate

Read

sso:ListApplicationProviders

List

sso:ListApplicationTemplates

List

ListApplications

sso-admin

sso:GetApplicationInstance

Read

sso:ListApplicationInstances

List

sso:ListApplicationProviders

List

sso:ListApplications

List

ListCustomerManagedPolicyReferencesInPermissionSet

sso-admin

sso:ListCustomerManagedPolicyReferencesInPermissionSet

List

ListInstances

sso-admin

sso:ListInstances

List

ListManagedPoliciesInPermissionSet

sso-admin

sso:ListManagedPoliciesInPermissionSet

List

ListPermissionSetProvisioningStatus

sso-admin

sso:ListPermissionSetProvisioningStatus

List

ListPermissionSets

sso-admin

sso:ListPermissionSets

List

ListPermissionSetsProvisionedToAccount

sso-admin

sso:GetProfile

Read

sso:ListPermissionSetsProvisionedToAccount

List

sso:ListProfiles

List

ListRegions

sso-admin

sso:ListRegions

List

ListTagsForResource

sso-admin

sso:ListTagsForResource

Read

ListTrustedTokenIssuers

sso-admin

sso:ListTrustedTokenIssuers

List

ProvisionPermissionSet

sso-admin

sso:ProvisionPermissionSet

Write

PutApplicationAccessScope

sso-admin

sso:PutApplicationAccessScope

Write

PutApplicationAssignmentConfiguration

sso-admin

sso:PutApplicationAssignmentConfiguration

Write

PutApplicationAuthenticationMethod

sso-admin

sso:CreateManagedApplicationInstance

Write

sso:PutApplicationAuthenticationMethod

Write

PutApplicationGrant

sso-admin

sso:CreateManagedApplicationInstance

Write

sso:PutApplicationGrant

Write

PutApplicationSessionConfiguration

sso-admin

sso:PutApplicationSessionConfiguration

Write

PutInlinePolicyToPermissionSet

sso-admin

sso:PutInlinePolicyToPermissionSet

Write

sso:PutPermissionsPolicy

Permissions management, Write

PutPermissionsBoundaryToPermissionSet

sso-admin

sso:PutPermissionsBoundaryToPermissionSet

Permissions management, Write

RemoveRegion

sso-admin

sso:RemoveRegion

Write

TagResource

sso-admin

sso:TagResource

Tagging, Write

UntagResource

sso-admin

sso:UntagResource

Tagging, Write

UpdateApplication

sso-admin

sso:PutApplicationAssignmentConfiguration

Write

sso:UpdateApplication

Write

sso:UpdateApplicationInstanceDisplayData

Write

sso:UpdateApplicationInstanceStatus

Write

sso:UpdateManagedApplicationInstanceStatus

Write

UpdateInstance

sso-admin

sso:UpdateInstance

Write

UpdateInstanceAccessControlAttributeConfiguration

sso-admin

sso:UpdateInstanceAccessControlAttributeConfiguration

Write

UpdatePermissionSet

sso-admin

sso:UpdatePermissionSet

Permissions management, Write

UpdateTrustedTokenIssuer

sso-admin

sso:UpdateTrustedTokenIssuer

Write

Actions defined by Amazon IAM Identity Center

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in Amazon. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

Actions Description Resource types (*required) Condition keys Access level

AddRegion

Grants permission to add a region to an IAM Identity Center instance

Instance*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

Write

AssociateDirectory

Grants permission to connect a directory to be used by Amazon IAM Identity Center

Write

AssociateProfile

Grants permission to create an association between a directory user or group and a profile

Write

AttachCustomerManagedPolicyReferenceToPermissionSet

Grants permission to attach a customer managed policy reference to a permission set

Instance*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

Permissions management, Write

PermissionSet*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

AttachManagedPolicyToPermissionSet

Grants permission to attach an Amazon managed policy to a permission set

Instance*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

Permissions management, Write

PermissionSet*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

CreateAccountAssignment

Grants permission to assign access to a Principal for a specified Amazon Web Services account using a specified permission set

Account*

Write

Instance*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

PermissionSet*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

CreateApplication

Grants permission to create an application

Application*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

sso:ApplicationAccount

sso:PrimaryRegion

Write

ApplicationProvider*

aws:RequestTag/${TagKey}

aws:TagKeys

Instance*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

sso:PrimaryRegion

CreateApplicationAssignment

Grants permission to create an application assignment

Application*

aws:ResourceTag/${TagKey}

sso:ApplicationAccount

sso:PrimaryRegion

Write

CreateApplicationInstance

Grants permission to add an application instance to Amazon IAM Identity Center

Write

CreateApplicationInstanceCertificate

Grants permission to add a new certificate for an application instance

Write

CreateInstance

Grants permission to create an identity center instance

Instance*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

sso:PrimaryRegion

Write

CreateInstanceAccessControlAttributeConfiguration

Grants permission to enable the instance for ABAC and specify the attributes

Instance*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

Write

CreateManagedApplicationInstance

Grants permission to add a managed application instance to Amazon IAM Identity Center

Write

CreatePermissionSet

Grants permission to create a permission set

Instance*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

sso:PrimaryRegion

Write

PermissionSet*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

sso:PrimaryRegion

CreateProfile

Grants permission to create a profile for an application instance

Write

CreateTrust

Grants permission to create a federation trust in a target account

Write

CreateTrustedTokenIssuer

Grants permission to create a trusted token issuer for an instance

Instance*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

sso:PrimaryRegion

Write

TrustedTokenIssuer*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

sso:PrimaryRegion

DeleteAccountAssignment

Grants permission to delete a Principal's access from a specified Amazon Web Services account using a specified permission set

Account*

Write

Instance*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

PermissionSet*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

DeleteApplication

Grants permission to delete an application

Application*

aws:ResourceTag/${TagKey}

sso:ApplicationAccount

sso:PrimaryRegion

Write

DeleteApplicationAccessScope

Grants permission to delete an access scope to an application

Application*

aws:ResourceTag/${TagKey}

sso:ApplicationAccount

sso:PrimaryRegion

Write

DeleteApplicationAssignment

Grants permission to delete an application assignment

Application*

aws:ResourceTag/${TagKey}

sso:ApplicationAccount

sso:PrimaryRegion

Write

DeleteApplicationAuthenticationMethod

Grants permission to delete an authentication method to an application

Application*

aws:ResourceTag/${TagKey}

sso:ApplicationAccount

sso:PrimaryRegion

Write

DeleteApplicationGrant

Grants permission to delete a grant from an application

Application*

aws:ResourceTag/${TagKey}

sso:ApplicationAccount

sso:PrimaryRegion

Write

DeleteApplicationInstance

Grants permission to delete the application instance

Write

DeleteApplicationInstanceCertificate

Grants permission to delete an inactive or expired certificate from the application instance

Write

DeleteInlinePolicyFromPermissionSet

Grants permission to delete the inline policy from a specified permission set

Instance*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

Write

PermissionSet*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

DeleteInstance

Grants permission to delete an identity center instance

Instance*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

Write

DeleteInstanceAccessControlAttributeConfiguration

Grants permission to disable ABAC and remove the attributes list for the instance

Instance*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

Write

DeleteManagedApplicationInstance

Grants permission to delete the managed application instance

Write

DeletePermissionSet

Grants permission to delete a permission set

Instance*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

Write

PermissionSet*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

DeletePermissionsBoundaryFromPermissionSet

Grants permission to remove permissions boundary from a permission set

Instance*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

Permissions management, Write

PermissionSet*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

DeleteProfile

Grants permission to delete the profile for an application instance

Write

DeleteTrustedTokenIssuer

Grants permission to delete a trusted token issuer for an instance

TrustedTokenIssuer*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

Write

DescribeAccountAssignmentCreationStatus

Grants permission to describe the status of the assignment creation request

Instance*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

Read

DescribeAccountAssignmentDeletionStatus

Grants permission to describe the status of an assignment deletion request

Instance*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

Read

DescribeApplication

Grants permission to obtain information about an application

Application*

aws:ResourceTag/${TagKey}

sso:ApplicationAccount

sso:PrimaryRegion

Read

DescribeApplicationAssignment

Grants permission to retrieve an application assignment

Application*

aws:ResourceTag/${TagKey}

sso:ApplicationAccount

sso:PrimaryRegion

Read

DescribeApplicationProvider

Grants permission to describe an application provider

ApplicationProvider*

Read

DescribeInstance

Grants permission to obtain information about an identity center instance

Instance*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

Read

DescribeInstanceAccessControlAttributeConfiguration

Grants permission to get the list of attributes used by the instance for ABAC

Instance*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

Read

DescribePermissionSet

Grants permission to describe a permission set

Instance*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

Read

PermissionSet*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

DescribePermissionSetProvisioningStatus

Grants permission to describe the status for the given Permission Set Provisioning request

Instance*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

Read

DescribeRegion

Grants permission to retrieve configuration details for a specific IAM Identity Center instance region

Instance*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

Read

DescribeRegisteredRegions

Grants permission to obtain the regions where your organization has enabled Amazon IAM Identity Center

Read

DescribeTrustedTokenIssuer

Grants permission to describe a trusted token issuer for an instance

TrustedTokenIssuer*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

Read

DetachCustomerManagedPolicyReferenceFromPermissionSet

Grants permission to detach a customer managed policy reference from a permission set

Instance*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

Permissions management, Write

PermissionSet*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

DetachManagedPolicyFromPermissionSet

Grants permission to detach the attached Amazon managed policy from the specified permission set

Instance*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

Permissions management, Write

PermissionSet*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

DisassociateDirectory

Grants permission to disassociate a directory to be used by Amazon IAM Identity Center

Write

DisassociateProfile

Grants permission to disassociate a directory user or group from a profile

Write

GetApplicationAccessScope

Grants permission to get an access scope to an application

Application*

aws:ResourceTag/${TagKey}

sso:ApplicationAccount

sso:PrimaryRegion

Read

GetApplicationAssignmentConfiguration

Grants permission to read assignment configurations for an application

Application*

aws:ResourceTag/${TagKey}

sso:ApplicationAccount

sso:PrimaryRegion

Read

GetApplicationAuthenticationMethod

Grants permission to get an authentication method to an application

Application*

aws:ResourceTag/${TagKey}

sso:ApplicationAccount

sso:PrimaryRegion

Read

GetApplicationGrant

Grants permission to obtain details about a grant belonging to an application

Application*

aws:ResourceTag/${TagKey}

sso:ApplicationAccount

sso:PrimaryRegion

Read

GetApplicationInstance

Grants permission to retrieve details for an application instance

Read

GetApplicationSessionConfiguration

Grants permission to get session configuration for an application

Application*

aws:ResourceTag/${TagKey}

sso:ApplicationAccount

sso:PrimaryRegion

Read

GetApplicationTemplate

Grants permission to retrieve application template details

Read

GetInlinePolicyForPermissionSet

Grants permission to obtain the inline policy assigned to the permission set

Instance*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

Read

PermissionSet*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

GetManagedApplicationInstance

Grants permission to retrieve details for an application instance

Read

GetMfaDeviceManagementForDirectory

Grants permission to retrieve Mfa Device Management settings for the directory

Read

GetPermissionSet

Grants permission to retrieve details of a permission set

Read

GetPermissionsBoundaryForPermissionSet

Grants permission to get permissions boundary for a permission set

Instance*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

Read

PermissionSet*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

GetProfile

Grants permission to retrieve a profile for an application instance

Read

GetSSOStatus

Grants permission to check if Amazon IAM Identity Center is enabled

Read

GetSharedSsoConfiguration

Grants permission to retrieve shared configuration for the current SSO instance

Read

GetSsoConfiguration

Grants permission to retrieve configuration for the current SSO instance

Read

GetTrust

Grants permission to retrieve the federation trust in a target account

Read

ImportApplicationInstanceServiceProviderMetadata

Grants permission to update the application instance by uploading an application SAML metadata file provided by the service provider

Write

ListAccountAssignmentCreationStatus

Grants permission to list the status of the Amazon Web Services account assignment creation requests for a specified SSO instance

Instance*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

List

ListAccountAssignmentDeletionStatus

Grants permission to list the status of the Amazon Web Services account assignment deletion requests for a specified SSO instance

Instance*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

List

ListAccountAssignments

Grants permission to list the assignee of the specified Amazon Web Services account with the specified permission set

Account*

List

Instance*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

PermissionSet*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

ListAccountAssignmentsForPrincipal

Grants permission to list accounts assigned to user or group

Instance*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

List

ListAccountsForProvisionedPermissionSet

Grants permission to list all the Amazon accounts where the specified permission set is provisioned

Instance*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

List

PermissionSet*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

ListApplicationAccessScopes

Grants permission to list access scopes to an application

Application*

aws:ResourceTag/${TagKey}

sso:ApplicationAccount

sso:PrimaryRegion

List

ListApplicationAssignments

Grants permission to list application assignments

Application*

aws:ResourceTag/${TagKey}

sso:ApplicationAccount

sso:PrimaryRegion

List

ListApplicationAssignmentsForPrincipal

Grants permission to list applications assigned to user or group

Instance*

aws:ResourceTag/${TagKey}

sso:ApplicationAccount

sso:PrimaryRegion

List

ListApplicationAuthenticationMethods

Grants permission to list authentication methods to an application

Application*

aws:ResourceTag/${TagKey}

sso:ApplicationAccount

sso:PrimaryRegion

List

ListApplicationGrants

Grants permission to list grants from an application

Application*

aws:ResourceTag/${TagKey}

sso:ApplicationAccount

sso:PrimaryRegion

List

ListApplicationInstanceCertificates

Grants permission to retrieve all of the certificates for a given application instance

Read

ListApplicationInstances

Grants permission to retrieve all application instances

List

ListApplicationProviders

Grants permission to list application providers

ApplicationProvider*

List

ListApplicationTemplates

Grants permission to retrieve all supported application templates

List

ListApplications

Grants permission to retrieve all applications associated with the instance of IAM Identity Center

List

ListCustomerManagedPolicyReferencesInPermissionSet

Grants permission to list the customer managed policy references that are attached to a permission set

Instance*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

List

PermissionSet*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

ListDirectoryAssociations

Grants permission to retrieve details about the directory connected to Amazon IAM Identity Center

Read

ListInstances

Grants permission to list the SSO Instances that the caller has access to

List

ListManagedPoliciesInPermissionSet

Grants permission to list the Amazon managed policies that are attached to a specified permission set

Instance*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

List

PermissionSet*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

ListPermissionSetProvisioningStatus

Grants permission to list the status of the Permission Set Provisioning requests for a specified SSO instance

Instance*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

List

ListPermissionSets

Grants permission to retrieve all permission sets

Instance*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

List

ListPermissionSetsProvisionedToAccount

Grants permission to list all the permission sets that are provisioned to a specified Amazon Web Services account

Account*

List

Instance*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

ListProfileAssociations

Grants permission to retrieve the directory user or group associated with the profile

Read

ListProfiles

Grants permission to retrieve all profiles for an application instance

List

ListRegions

Grants permission to list all regions configured for an IAM Identity Center instance

Instance*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

List

ListTagsForResource

Grants permission to list the tags that are attached to a specified resource

Application

aws:ResourceTag/${TagKey}

sso:ApplicationAccount

sso:PrimaryRegion

Read

Instance

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

PermissionSet

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

TrustedTokenIssuer

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

ListTrustedTokenIssuers

Grants permission to list trusted token issuers for an instance

Instance*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

List

ProvisionPermissionSet

Grants permission to provision a specified permission set to the specified target

Account*

Write

Instance*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

PermissionSet*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

PutApplicationAccessScope

Grants permission to create/update an access scope to an application

Application*

aws:ResourceTag/${TagKey}

sso:ApplicationAccount

sso:PrimaryRegion

Write

PutApplicationAssignmentConfiguration

Grants permission to add assignment configurations to an application

Application*

aws:ResourceTag/${TagKey}

sso:ApplicationAccount

sso:PrimaryRegion

Write

PutApplicationAuthenticationMethod

Grants permission to create/update an authentication method to an application

Application*

aws:ResourceTag/${TagKey}

sso:ApplicationAccount

sso:PrimaryRegion

Write

PutApplicationGrant

Grants permission to create/update a grant to an application

Application*

aws:ResourceTag/${TagKey}

sso:ApplicationAccount

sso:PrimaryRegion

Write

PutApplicationSessionConfiguration

Grants permission to put session configuration for an application

Application*

aws:ResourceTag/${TagKey}

sso:ApplicationAccount

sso:PrimaryRegion

Write

PutInlinePolicyToPermissionSet

Grants permission to attach an IAM inline policy to a permission set

Instance*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

Write

PermissionSet*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

PutMfaDeviceManagementForDirectory

Grants permission to put Mfa Device Management settings for the directory

Write

PutPermissionsBoundaryToPermissionSet

Grants permission to add permissions boundary to a permission set

Instance*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

Permissions management, Write

PermissionSet*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

PutPermissionsPolicy

Grants permission to add a policy to a permission set

Permissions management, Write

RemoveRegion

Grants permission to remove a region from an IAM Identity Center instance

Instance*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

Write

SearchGroups

Grants permission to search for groups within the associated directory

Read

SearchUsers

Grants permission to search for users within the associated directory

Read

StartSSO

Grants permission to initialize Amazon IAM Identity Center

Write

TagResource

Grants permission to associate a set of tags with a specified resource

Application

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

sso:ApplicationAccount

sso:PrimaryRegion

Tagging, Write

Instance

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

sso:PrimaryRegion

PermissionSet

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

sso:PrimaryRegion

TrustedTokenIssuer

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

sso:PrimaryRegion

UntagResource

Grants permission to disassociate a set of tags from a specified resource

Application

aws:ResourceTag/${TagKey}

aws:TagKeys

sso:ApplicationAccount

sso:PrimaryRegion

Tagging, Write

Instance

aws:ResourceTag/${TagKey}

aws:TagKeys

sso:PrimaryRegion

PermissionSet

aws:ResourceTag/${TagKey}

aws:TagKeys

sso:PrimaryRegion

TrustedTokenIssuer

aws:ResourceTag/${TagKey}

aws:TagKeys

sso:PrimaryRegion

UpdateApplication

Grants permission to update an application

Application*

aws:ResourceTag/${TagKey}

sso:ApplicationAccount

sso:PrimaryRegion

Write

UpdateApplicationInstanceActiveCertificate

Grants permission to set a certificate as the active one for this application instance

Write

UpdateApplicationInstanceDisplayData

Grants permission to update display data of an application instance

Write

UpdateApplicationInstanceResponseConfiguration

Grants permission to update federation response configuration for the application instance

Write

UpdateApplicationInstanceResponseSchemaConfiguration

Grants permission to update federation response schema configuration for the application instance

Write

UpdateApplicationInstanceSecurityConfiguration

Grants permission to update security details for the application instance

Write

UpdateApplicationInstanceServiceProviderConfiguration

Grants permission to update service provider related configuration for the application instance

Write

UpdateApplicationInstanceStatus

Grants permission to update the status of an application instance

Write

UpdateInstance

Grants permission to update an identity center instance

Instance*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

Write

UpdateInstanceAccessControlAttributeConfiguration

Grants permission to update the attributes to use with the instance for ABAC

Instance*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

Write

UpdateManagedApplicationInstanceStatus

Grants permission to update the status of a managed application instance

Write

UpdatePermissionSet

Grants permission to update the permission set

Instance*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

Permissions management, Write

PermissionSet*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

UpdateProfile

Grants permission to update the profile for an application instance

Write

UpdateSSOConfiguration

Grants permission to update the configuration for the current SSO instance

Write

UpdateTrust

Grants permission to update the federation trust in a target account

Write

UpdateTrustedTokenIssuer

Grants permission to update a trusted token issuer for an instance

TrustedTokenIssuer*

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

Write

Resource types defined by Amazon IAM Identity Center

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements.

Resource types ARN Condition keys

Account

arn:${Partition}:sso:::account/${AccountId}

Application

arn:${Partition}:sso::${AccountId}:application/${InstanceId}/${ApplicationId}

aws:ResourceTag/${TagKey}

sso:ApplicationAccount

sso:PrimaryRegion

ApplicationProvider

arn:${Partition}:sso::aws:applicationProvider/${ApplicationProviderId}

Instance

arn:${Partition}:sso:::instance/${InstanceId}

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

PermissionSet

arn:${Partition}:sso:::permissionSet/${InstanceId}/${PermissionSetId}

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

TrustedTokenIssuer

arn:${Partition}:sso::${AccountId}:trustedTokenIssuer/${InstanceId}/${TrustedTokenIssuerId}

aws:ResourceTag/${TagKey}

sso:PrimaryRegion

Condition keys for Amazon IAM Identity Center

Amazon IAM Identity Center defines the following condition keys that can be used in the Condition element of an IAM policy.

Condition keys Description Type

aws:RequestTag/${TagKey}

Filters access by the tags that are passed in the request

String

aws:ResourceTag/${TagKey}

Filters access by the tags associated with the resource

String

aws:TagKeys

Filters access by the tag keys that are passed in the request

ArrayOfString

identitycenter:ApplicationArn

Filters access by the ARN of the IAM Identity Center application

ARN

identitycenter:InstanceArn

Filters access by the ARN of the IAM Identity Center instance

ARN

sso:ApplicationAccount

Filters access by the account which creates the application. This condition key is not supported for customer managed SAML applications

String

sso:PrimaryRegion

Filters access by the primary region of the IAM Identity Center instance

String