AWS::SSO::PermissionSet
Specifies a permission set within a specified IAM Identity Center instance.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{
  "Type" : "AWS::SSO::PermissionSet",
  "Properties" : {
    "CustomerManagedPolicyReferences" : [ CustomerManagedPolicyReference, ... ],
    "Description" : String,
    "InlinePolicy" : Json,
    "InstanceArn" : String,
    "ManagedPolicies" : [ String, ... ],
    "Name" : String,
    "PermissionsBoundary" : PermissionsBoundary,
    "RelayStateType" : String,
    "SessionDuration" : String,
    "Tags" : [ Tag, ... ]
  }
}
YAML
Type: AWS::SSO::PermissionSet
Properties:
  CustomerManagedPolicyReferences:
    - CustomerManagedPolicyReference
  Description: String
  InlinePolicy: Json
  InstanceArn: String
  ManagedPolicies:
    - String
  Name: String
  PermissionsBoundary: PermissionsBoundary
  RelayStateType: String
  SessionDuration: String
  Tags:
    - Tag
Properties
- CustomerManagedPolicyReferences
  Specifies the names and paths of the customer managed policies that you have attached to your permission set.
  Required: No
  Type: Array of CustomerManagedPolicyReference
  Maximum: 20
  Update requires: No interruption
- Description
  The description of the AWS::SSO::PermissionSet.
  Required: No
  Type: String
  Pattern: [\u0009\u000A\u000D\u0020-\u007E\u00A1-\u00FF]*
  Minimum: 1
  Maximum: 700
  Update requires: No interruption
- InlinePolicy
  The inline policy that is attached to the permission set.
  Note: Regarding the length constraints, if a valid ARN is provided for a permission set, it is possible for an empty inline policy to be returned.
  Required: No
  Type: Json
  Pattern: [\u0009\u000A\u000D\u0020-\u00FF]+
  Minimum: 1
  Maximum: 32768
  Update requires: No interruption
- InstanceArn
  The ARN of the IAM Identity Center instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.
  Required: Yes
  Type: String
  Pattern: arn:(aws|aws-us-gov|aws-cn|aws-iso|aws-iso-b):sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}
  Minimum: 10
  Maximum: 1224
  Update requires: Replacement
- ManagedPolicies
  A list of the ARNs of the AWS managed policies that are attached to the permission set.
  Required: No
  Type: Array of String
  Maximum: 20
  Update requires: No interruption
- Name
  The name of the permission set.
  Required: Yes
  Type: String
  Pattern: [\w+=,.@-]+
  Minimum: 1
  Maximum: 32
  Update requires: Replacement
- PermissionsBoundary
  Specifies the configuration of the AWS managed or customer managed policy that you want to set as a permissions boundary. Specify either CustomerManagedPolicyReference to use the name and path of a customer managed policy, or ManagedPolicyArn to use the ARN of an AWS managed policy. A permissions boundary represents the maximum permissions that any policy can grant to the IAM role that IAM Identity Center provisions for this permission set in each account. For more information, see Permissions boundaries for IAM entities in the IAM User Guide.
  Important: Policies used as permissions boundaries don't provide permissions. You must also attach an IAM policy to the role (for a permission set, through ManagedPolicies, CustomerManagedPolicyReferences, or InlinePolicy). To learn how the effective permissions for a role are evaluated, see IAM JSON policy evaluation logic in the IAM User Guide.
  Required: No
  Type: PermissionsBoundary
  Update requires: No interruption
- RelayStateType
  Used to redirect users within the application during the federation authentication process.
  Required: No
  Type: String
  Pattern: [a-zA-Z0-9&$@#\/%?=~\-_'"|!:,.;*+\[\]\ \(\)\{\}]+
  Minimum: 1
  Maximum: 240
  Update requires: No interruption
- SessionDuration
  The length of time that the application user sessions are valid for, expressed as an ISO-8601 duration (for example, PT8H for eight hours).
  Required: No
  Type: String
  Pattern: ^(-?)P(?=\d|T\d)(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)([DW]))?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+(?:\.\d+)?)S)?)?$
  Minimum: 1
  Maximum: 100
  Update requires: No interruption
- Tags
  The tags to attach to the new AWS::SSO::PermissionSet.
  Required: No
  Type: Array of Tag
  Maximum: 50
  Update requires: No interruption
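The constraints in the property table are easy to get wrong in a template and are only reported at stack deployment time. The following Python script, added here as an example and not part of the AWS reference, lints every AWS::SSO::PermissionSet in a template dict against the documented patterns and limits (Name, InstanceArn, SessionDuration, policy-reference and inline-policy sizes, exactly one boundary type) and adds two review findings of its own: AdministratorAccess attached without a PermissionsBoundary, and an inline policy that allows Action "*" on Resource "*". The sample template, the instance ID in it, and the 12-hour session threshold are constructed for the example; the reference page states no session limit.

```python
# Added example: lint AWS::SSO::PermissionSet resources against the constraints above.
# Patterns and limits are from the property table; the session threshold is assumed.
import json
import re

NAME_RE = re.compile(r"^[\w+=,.@-]{1,32}$")
INSTANCE_ARN_RE = re.compile(
    r"^arn:(aws|aws-us-gov|aws-cn|aws-iso|aws-iso-b):sso:::instance/"
    r"(sso)?ins-[a-zA-Z0-9-.]{16}$"
)
DURATION_RE = re.compile(  # the SessionDuration pattern from the table
    r"^(-?)P(?=\d|T\d)(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)([DW]))?"
    r"(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+(?:\.\d+)?)S)?)?$"
)
MAX_POLICY_REFS, MAX_INLINE_CHARS = 20, 32768
MAX_SESSION_HOURS = 12  # assumed operational limit for this example; the reference states none


def duration_hours(iso):
    """Convert a duration matching the SessionDuration pattern to hours (None if invalid)."""
    m = DURATION_RE.match(iso)
    if not m:
        return None
    _sign, years, months, dw, dw_unit, hours, minutes, seconds = m.groups()
    total = int(years or 0) * 365 * 24 + int(months or 0) * 30 * 24  # calendar units approximated
    if dw:
        total += int(dw) * (7 if dw_unit == "W" else 1) * 24
    return total + int(hours or 0) + int(minutes or 0) / 60 + float(seconds or 0) / 3600


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allows_everything(policy):
    """True if any Allow statement grants Action '*' on Resource '*'."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    for stmt in _as_list(doc.get("Statement", [])):
        if (stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Action", []))
                and "*" in _as_list(stmt.get("Resource", []))):
            return True
    return False


def lint_permission_set(props):
    """Return a list of findings for one AWS::SSO::PermissionSet Properties block."""
    findings = []
    if not NAME_RE.match(props.get("Name", "")):
        findings.append("Name must match [\\w+=,.@-]+ and be 1-32 characters")
    if not INSTANCE_ARN_RE.match(props.get("InstanceArn", "")):
        findings.append("InstanceArn is not an IAM Identity Center instance ARN")
    managed = props.get("ManagedPolicies", [])
    if max(len(managed), len(props.get("CustomerManagedPolicyReferences", []))) > MAX_POLICY_REFS:
        findings.append("more than 20 managed or customer managed policy references")
    boundary = props.get("PermissionsBoundary")
    if boundary is not None and len(
            set(boundary) & {"CustomerManagedPolicyReference", "ManagedPolicyArn"}) != 1:
        findings.append("PermissionsBoundary needs exactly one of "
                        "CustomerManagedPolicyReference or ManagedPolicyArn")
    if boundary is None and any(p.endswith(":policy/AdministratorAccess") for p in managed):
        findings.append("AdministratorAccess attached without a PermissionsBoundary")
    inline = props.get("InlinePolicy")
    if inline is not None:
        if isinstance(inline, str) and len(inline) > MAX_INLINE_CHARS:
            findings.append("InlinePolicy exceeds 32768 characters")
        try:
            if _allows_everything(inline):
                findings.append("InlinePolicy allows Action '*' on Resource '*'")
        except (ValueError, AttributeError):
            findings.append("InlinePolicy is not a JSON policy document")
    duration = props.get("SessionDuration")
    if duration is not None:
        hours = duration_hours(duration)
        if hours is None:
            findings.append("SessionDuration is not an ISO-8601 duration")
        elif hours > MAX_SESSION_HOURS:
            findings.append("SessionDuration exceeds %d hours" % MAX_SESSION_HOURS)
    return findings


def lint_template(template):
    """Return {logical_id: findings} for every AWS::SSO::PermissionSet in a template dict."""
    return {lid: lint_permission_set(res.get("Properties", {}))
            for lid, res in template.get("Resources", {}).items()
            if res.get("Type") == "AWS::SSO::PermissionSet"}


# Constructed sample template (not from the reference page); the instance ID is made up.
SAMPLE_TEMPLATE = {"Resources": {
    "ReadOnlyPS": {"Type": "AWS::SSO::PermissionSet", "Properties": {
        "InstanceArn": "arn:aws:sso:::instance/ssoins-0123456789abcdef",
        "Name": "ReadOnly", "SessionDuration": "PT4H",
        "ManagedPolicies": ["arn:aws:iam::aws:policy/ReadOnlyAccess"],
        "PermissionsBoundary": {"ManagedPolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}}},
    "BreakGlassPS": {"Type": "AWS::SSO::PermissionSet", "Properties": {
        "InstanceArn": "arn:aws:sso:::instance/ssoins-0123456789abcdef",
        "Name": "Break Glass", "SessionDuration": "PT24H",  # the space violates the Name pattern
        "ManagedPolicies": ["arn:aws:iam::aws:policy/AdministratorAccess"],
        "InlinePolicy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"}]})}}}}

if __name__ == "__main__":
    print(json.dumps(lint_template(SAMPLE_TEMPLATE), indent=2))
```

Run against the sample, ReadOnlyPS comes back clean and BreakGlassPS gets four findings (bad Name, AdministratorAccess without a boundary, a full-access inline policy, and a 24-hour session). Because an InlinePolicy may be either a JSON string or a JSON object in a template, the linter accepts both; a Fn::Sub or other intrinsic in place of a literal will be reported as "not a JSON policy document", which is the safe default for a static check.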
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns a generated ID of the form permission-set-arn|sso-instance-arn.
For more information about using the Ref function, see Ref.
Fn::GetAtt
The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.
For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.
- PermissionSetArn
- 
                            The permission set ARN of the permission set, such as arn:aws:sso:::permissionSet/ins-instanceid/ps-permissionsetid.
Examples
Creating a new custom permission set for IAM Identity Center
The following example creates a custom permission set, PermissionSet, with a managed policy attached and an inline policy.
JSON
{
  "PermissionSet": {
    "Type": "AWS::SSO::PermissionSet",
    "Properties": {
      "InstanceArn": "arn:aws:sso:::instance/ssoins-instanceId",
      "Name": "PermissionSet",
      "Description": "This is a sample permission set.",
      "SessionDuration": "PT8H",
      "ManagedPolicies": [
        "arn:aws:iam::aws:policy/AdministratorAccess"
      ],
      "InlinePolicy": "Inline policy json string",
      "Tags": [
        {
          "Key": "tagKey",
          "Value": "tagValue"
        }
      ]
    }
  }
}
YAML
PermissionSet:
  Type: AWS::SSO::PermissionSet
  Properties:
    InstanceArn: 'arn:aws:sso:::instance/ssoins-instanceId'
    Name: 'PermissionSet'
    Description: 'This is a sample permission set.'
    SessionDuration: 'PT8H'
    ManagedPolicies:
      - 'arn:aws:iam::aws:policy/AdministratorAccess'
    InlinePolicy: 'Inline policy json string'
    Tags:
      - Key: tagKey
        Value: tagValue
Creating a new custom permission set for IAM Identity Center with a customer managed policy as a permissions boundary
The following example creates a custom permission set, PermissionSetWithCmpPb, with policies attached and a customer managed policy as a permissions boundary.
JSON
{
  "PermissionSetWithCustomerManagedPolicyReferenceForPermissionsBoundary": {
    "Type": "AWS::SSO::PermissionSet",
    "Properties": {
      "InstanceArn": "arn:aws:sso:::instance/ssoins-instanceId",
      "Name": "PermissionSetWithCmpPb",
      "Description": "This is a sample permission set.",
      "SessionDuration": "PT8H",
      "ManagedPolicies": [
        "arn:aws:iam::aws:policy/AdministratorAccess"
      ],
      "CustomerManagedPolicyReferences": [
        {
          "Name": "MyCustomPolicyName",
          "Path": "/myCustomPath/"
        },
        {
          "Name": "AnotherCustomPolicyName"
        },
        {
          "Name": "YetAnotherCustomPolicyName",
          "Path": "/"
        }
      ],
      "PermissionsBoundary": {
        "CustomerManagedPolicyReference": {
          "Name": "PolicyName",
          "Path": "/myPolicyPath/"
        }
      }
    }
  }
}
YAML
PermissionSetWithCustomerManagedPolicyReferenceForPermissionsBoundary:
  Type: AWS::SSO::PermissionSet
  Properties:
    InstanceArn: 'arn:aws:sso:::instance/ssoins-instanceId'
    Name: 'PermissionSetWithCmpPb'
    Description: 'This is a sample permission set.'
    SessionDuration: 'PT8H'
    ManagedPolicies:
      - 'arn:aws:iam::aws:policy/AdministratorAccess'
    CustomerManagedPolicyReferences:
      - Name: 'MyCustomPolicyName'
        Path: '/myCustomPath/'
      - Name: 'AnotherCustomPolicyName'
      - Name: 'YetAnotherCustomPolicyName'
        Path: '/'
    PermissionsBoundary:
      CustomerManagedPolicyReference:
        Name: PolicyName
        Path: /myPolicyPath/
Creating a new custom permission set for IAM Identity Center with an AWS managed policy as a permissions boundary
The following example creates a custom permission set, PermissionSetWithAmpPb, with policies attached and an AWS managed policy as a permissions boundary.
JSON
{
  "PermissionSetWithAWSManagedPolicyForPermissionsBoundary": {
    "Type": "AWS::SSO::PermissionSet",
    "Properties": {
      "InstanceArn": "arn:aws:sso:::instance/ssoins-instanceId",
      "Name": "PermissionSetWithAmpPb",
      "Description": "This is a sample permission set.",
      "SessionDuration": "PT8H",
      "ManagedPolicies": [
        "arn:aws:iam::aws:policy/AdministratorAccess"
      ],
      "CustomerManagedPolicyReferences": [
        {
          "Name": "MyCustomPolicyName",
          "Path": "/myCustomPath/"
        },
        {
          "Name": "AnotherCustomPolicyName"
        },
        {
          "Name": "YetAnotherCustomPolicyName",
          "Path": "/"
        }
      ],
      "PermissionsBoundary": {
        "ManagedPolicyArn": {
          "Fn::Sub": "arn:aws:iam::aws:policy/ReadOnlyAccess"
        }
      }
    }
  }
}
YAML
PermissionSetWithAwsManagedPolicyForPermissionsBoundary:
  Type: AWS::SSO::PermissionSet
  Properties:
    InstanceArn: 'arn:aws:sso:::instance/ssoins-instanceId'
    Name: 'PermissionSetWithAmpPb'
    Description: 'This is a sample permission set.'
    SessionDuration: 'PT8H'
    ManagedPolicies:
      - 'arn:aws:iam::aws:policy/AdministratorAccess'
    CustomerManagedPolicyReferences:
      - Name: 'MyCustomPolicyName'
        Path: '/myCustomPath/'
      - Name: 'AnotherCustomPolicyName'
      - Name: 'YetAnotherCustomPolicyName'
        Path: '/'
    PermissionsBoundary:
      ManagedPolicyArn: 'arn:aws:iam::aws:policy/ReadOnlyAccess'
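Both boundary examples above attach AdministratorAccess and then cap it with a boundary, and the Important note under PermissionsBoundary warns that the boundary itself grants nothing. The following Python evaluator, added here as an example and not code from AWS or the IAM evaluator, makes that rule concrete: an explicit Deny in any policy wins, otherwise the request must be allowed by the identity policies (the permission set's managed, customer managed and inline policies) and, when a boundary is set, by the boundary as well. It models only Effect, Action and Resource with IAM-style "*" and "?" wildcards; Condition, NotAction, NotResource, service control policies, session policies and resource-based policies are out of scope and the evaluator refuses statements that use the first three. The AdministratorAccess statement is the real one; the read-only boundary and the narrow inline policy are constructed stand-ins.

```python
# Added example: simplified IAM decision logic showing that a permissions boundary
# caps but never grants permissions. Not the real IAM evaluator (see lead-in).
import re


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value, ignore_case):
    """IAM-style wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def evaluate(policies, action, resource):
    """Return 'deny', 'allow' or 'implicit_deny' for a list of policy documents."""
    verdict = "implicit_deny"
    for policy in policies:
        for stmt in _as_list(policy.get("Statement", [])):
            if any(k in stmt for k in ("Condition", "NotAction", "NotResource")):
                raise NotImplementedError("not modelled by this simplified evaluator")
            if not any(_glob(a, action, True) for a in _as_list(stmt.get("Action", []))):
                continue  # action names are matched case-insensitively
            if not any(_glob(r, resource, False) for r in _as_list(stmt.get("Resource", []))):
                continue
            if stmt.get("Effect") == "Deny":
                return "deny"  # an explicit deny overrides every allow
            verdict = "allow"
    return verdict


def is_allowed(identity_policies, action, resource, boundary=None):
    """Effective decision: explicit deny anywhere wins; otherwise the identity
    policies must allow AND, if a boundary is set, the boundary must also allow."""
    identity = evaluate(identity_policies, action, resource)
    if identity == "deny":
        return False
    if boundary is not None and evaluate([boundary], action, resource) != "allow":
        return False  # the boundary is a cap, not a grant
    return identity == "allow"


# The single statement inside the AWS managed policy AdministratorAccess.
ADMINISTRATOR_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Constructed stand-in for a read-only boundary (far smaller than the real ReadOnlyAccess).
READ_ONLY_BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*", "ec2:Describe*"], "Resource": "*"}]}

# Constructed inline policy with one narrow grant and one explicit deny.
NARROW_INLINE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::audit-logs/*"}]}


def demo():
    """Decisions for the permission-set shapes discussed on this page."""
    return {
        # AdministratorAccess inside a read-only boundary: the boundary caps the grant.
        "admin+boundary s3:GetObject": is_allowed(
            [ADMINISTRATOR_ACCESS], "s3:GetObject", "arn:aws:s3:::data/x", READ_ONLY_BOUNDARY),
        "admin+boundary iam:CreateUser": is_allowed(
            [ADMINISTRATOR_ACCESS], "iam:CreateUser", "*", READ_ONLY_BOUNDARY),
        # A permissive boundary grants nothing: a narrow identity policy stays narrow.
        "narrow+admin-boundary s3:GetObject": is_allowed(
            [NARROW_INLINE], "s3:GetObject", "arn:aws:s3:::data/x", ADMINISTRATOR_ACCESS),
        "narrow ListAllMyBuckets": is_allowed([NARROW_INLINE], "s3:ListAllMyBuckets", "*"),
        # An explicit deny in the inline policy wins even though the boundary allows.
        "admin+narrow deny audit-logs": is_allowed(
            [ADMINISTRATOR_ACCESS, NARROW_INLINE], "s3:GetObject",
            "arn:aws:s3:::audit-logs/a.log", READ_ONLY_BOUNDARY),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print("%-40s %s" % (case, "ALLOW" if allowed else "DENY"))
```

The third case is the one the Important note is about: swapping in AdministratorAccess as the boundary of a permission set whose only identity policy is NARROW_INLINE does not make s3:GetObject allowed. The design consequence for permission sets is that the boundary is where you put the organisation-wide ceiling (what no permission set may ever do), while ManagedPolicies, CustomerManagedPolicyReferences and InlinePolicy carry the actual grant.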