

This is the new *CloudFormation Template Reference Guide*. Please update your bookmarks and links. For help getting started with CloudFormation, see the [AWS CloudFormation User Guide](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html).

# AWS IAM Identity Center
<a name="AWS_SSO"></a>

**Resource types**
+ [AWS::SSO::Application](aws-resource-sso-application.md)
+ [AWS::SSO::ApplicationAssignment](aws-resource-sso-applicationassignment.md)
+ [AWS::SSO::Assignment](aws-resource-sso-assignment.md)
+ [AWS::SSO::Instance](aws-resource-sso-instance.md)
+ [AWS::SSO::InstanceAccessControlAttributeConfiguration](aws-resource-sso-instanceaccesscontrolattributeconfiguration.md)
+ [AWS::SSO::PermissionSet](aws-resource-sso-permissionset.md)

# AWS::SSO::Application
<a name="aws-resource-sso-application"></a>

Creates an OAuth 2.0 customer managed application in IAM Identity Center for the given application provider.

**Note**  
This API does not support creating SAML 2.0 customer managed applications or AWS managed applications. To learn how to create an AWS managed application, see the application user guide. You can create a SAML 2.0 customer managed application in the AWS Management Console only. See [Setting up customer managed SAML 2.0 applications](https://docs.aws.amazon.com/singlesignon/latest/userguide/customermanagedapps-saml2-setup.html). For more information on these application types, see [AWS managed applications](https://docs.aws.amazon.com/singlesignon/latest/userguide/awsapps.html).

## Syntax
<a name="aws-resource-sso-application-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-sso-application-syntax.json"></a>

```
{
  "Type" : "AWS::SSO::Application",
  "Properties" : {
      "[ApplicationProviderArn](#cfn-sso-application-applicationproviderarn)" : String,
      "[Description](#cfn-sso-application-description)" : String,
      "[InstanceArn](#cfn-sso-application-instancearn)" : String,
      "[Name](#cfn-sso-application-name)" : String,
      "[PortalOptions](#cfn-sso-application-portaloptions)" : PortalOptionsConfiguration,
      "[Status](#cfn-sso-application-status)" : String,
      "[Tags](#cfn-sso-application-tags)" : [ Tag, ... ]
    }
}
```

### YAML
<a name="aws-resource-sso-application-syntax.yaml"></a>

```
Type: AWS::SSO::Application
Properties:
  [ApplicationProviderArn](#cfn-sso-application-applicationproviderarn): String
  [Description](#cfn-sso-application-description): String
  [InstanceArn](#cfn-sso-application-instancearn): String
  [Name](#cfn-sso-application-name): String
  [PortalOptions](#cfn-sso-application-portaloptions): 
    PortalOptionsConfiguration
  [Status](#cfn-sso-application-status): String
  [Tags](#cfn-sso-application-tags): 
    - Tag
```

## Properties
<a name="aws-resource-sso-application-properties"></a>

`ApplicationProviderArn`  <a name="cfn-sso-application-applicationproviderarn"></a>
The ARN of the application provider for this application.  
*Required*: Yes  
*Type*: String  
*Pattern*: `^arn:aws(-[a-z]{1,5}){0,3}:sso::aws:applicationProvider/[a-zA-Z0-9-/]+$`  
*Minimum*: `10`  
*Maximum*: `1224`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`Description`  <a name="cfn-sso-application-description"></a>
The description of the application.  
*Required*: No  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`InstanceArn`  <a name="cfn-sso-application-instancearn"></a>
The ARN of the instance of IAM Identity Center that is configured with this application.  
*Required*: Yes  
*Type*: String  
*Pattern*: `^arn:aws(-[a-z]{1,5}){0,3}:sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}$`  
*Minimum*: `10`  
*Maximum*: `1224`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`Name`  <a name="cfn-sso-application-name"></a>
The name of the application.  
*Required*: Yes  
*Type*: String  
*Pattern*: `^[\w+=,.@-]+$`  
*Minimum*: `0`  
*Maximum*: `255`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`PortalOptions`  <a name="cfn-sso-application-portaloptions"></a>
A structure that describes the options for the access portal associated with this application.  
*Required*: No  
*Type*: [PortalOptionsConfiguration](aws-properties-sso-application-portaloptionsconfiguration.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Status`  <a name="cfn-sso-application-status"></a>
The current status of the application in this instance of IAM Identity Center.  
*Required*: No  
*Type*: String  
*Allowed values*: `ENABLED | DISABLED`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Tags`  <a name="cfn-sso-application-tags"></a>
Specifies tags to be attached to the application.  
*Required*: No  
*Type*: Array of [Tag](aws-properties-sso-application-tag.md)  
*Maximum*: `75`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

## Return values
<a name="aws-resource-sso-application-return-values"></a>

### Ref
<a name="aws-resource-sso-application-return-values-ref"></a>

When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns a generated ID made up of all of the resource's fields joined with the delimiter `|`.

For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

### Fn::GetAtt
<a name="aws-resource-sso-application-return-values-fn--getatt"></a>

<a name="aws-resource-sso-application-return-values-fn--getatt-fn--getatt"></a>

`ApplicationArn`  <a name="ApplicationArn-fn::getatt"></a>
The ARN of the application.

## Examples
<a name="aws-resource-sso-application--examples"></a>



### Creating an application in IAM Identity Center
<a name="aws-resource-sso-application--examples--Creating_an_application_in"></a>

The following example creates a new custom application with an Application URL sign-in option.

#### JSON
<a name="aws-resource-sso-application--examples--Creating_an_application_in--json"></a>

```
{
  "Type" : "AWS::SSO::Application",
  "Properties" : {
    "ApplicationProviderArn" : "arn:aws:sso::aws:applicationProvider/example",
    "Description" : "This is a sample application",
    "InstanceArn" : "arn:aws:sso:::instance/ssoins-instanceId",
    "Name" : "Application",
    "PortalOptions" : {
      "SignInOptions" : {
        "ApplicationUrl" : "http://www.example.com",
        "Origin" : "APPLICATION"
      },
      "Visibility" : "ENABLED"
    },
    "Status" : "ENABLED",
    "Tags": [
      {
        "Key": "tagKey",
        "Value": "tagValue"
      }
    ]
  }
}
```

#### YAML
<a name="aws-resource-sso-application--examples--Creating_an_application_in--yaml"></a>

```
Type: AWS::SSO::Application
Properties:
  ApplicationProviderArn: arn:aws:sso::aws:applicationProvider/example
  Description: This is a sample application
  InstanceArn: arn:aws:sso:::instance/ssoins-instanceId
  Name: Application
  PortalOptions:
    SignInOptions:
      ApplicationUrl: http://www.example.com
      Origin: APPLICATION
    Visibility: ENABLED
  Status: ENABLED
  Tags:
  - Key: tagKey
    Value: tagValue
```

# AWS::SSO::Application PortalOptionsConfiguration
<a name="aws-properties-sso-application-portaloptionsconfiguration"></a>

A structure that describes the options for the portal associated with an application.

## Syntax
<a name="aws-properties-sso-application-portaloptionsconfiguration-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-sso-application-portaloptionsconfiguration-syntax.json"></a>

```
{
  "[SignInOptions](#cfn-sso-application-portaloptionsconfiguration-signinoptions)" : SignInOptions,
  "[Visibility](#cfn-sso-application-portaloptionsconfiguration-visibility)" : String
}
```

### YAML
<a name="aws-properties-sso-application-portaloptionsconfiguration-syntax.yaml"></a>

```
  [SignInOptions](#cfn-sso-application-portaloptionsconfiguration-signinoptions): 
    SignInOptions
  [Visibility](#cfn-sso-application-portaloptionsconfiguration-visibility): String
```

## Properties
<a name="aws-properties-sso-application-portaloptionsconfiguration-properties"></a>

`SignInOptions`  <a name="cfn-sso-application-portaloptionsconfiguration-signinoptions"></a>
A structure that describes the sign-in options for the access portal.  
*Required*: No  
*Type*: [SignInOptions](aws-properties-sso-application-signinoptions.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Visibility`  <a name="cfn-sso-application-portaloptionsconfiguration-visibility"></a>
Indicates whether this application is visible in the access portal.  
*Required*: No  
*Type*: String  
*Allowed values*: `ENABLED | DISABLED`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::SSO::Application SignInOptions
<a name="aws-properties-sso-application-signinoptions"></a>

A structure that describes the sign-in options for an application portal.

## Syntax
<a name="aws-properties-sso-application-signinoptions-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-sso-application-signinoptions-syntax.json"></a>

```
{
  "[ApplicationUrl](#cfn-sso-application-signinoptions-applicationurl)" : String,
  "[Origin](#cfn-sso-application-signinoptions-origin)" : String
}
```

### YAML
<a name="aws-properties-sso-application-signinoptions-syntax.yaml"></a>

```
  [ApplicationUrl](#cfn-sso-application-signinoptions-applicationurl): String
  [Origin](#cfn-sso-application-signinoptions-origin): String
```

## Properties
<a name="aws-properties-sso-application-signinoptions-properties"></a>

`ApplicationUrl`  <a name="cfn-sso-application-signinoptions-applicationurl"></a>
The URL that accepts authentication requests for an application. This is a required parameter if the `Origin` parameter is `APPLICATION`.  
*Required*: No  
*Type*: String  
*Pattern*: `^http(s)?:\/\/[-a-zA-Z0-9+&@#\/%?=~_|!:,.;]*[-a-zA-Z0-9+&bb@#\/%?=~_|]$`  
*Minimum*: `1`  
*Maximum*: `512`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Origin`  <a name="cfn-sso-application-signinoptions-origin"></a>
This determines how IAM Identity Center navigates the user to the target application. It can be one of the following values:  
+ `APPLICATION`: IAM Identity Center redirects the customer to the configured `ApplicationUrl`.
+ `IDENTITY_CENTER`: IAM Identity Center uses SAML identity-provider initiated authentication to sign the customer directly into a SAML-based application.
*Required*: Yes  
*Type*: String  
*Allowed values*: `IDENTITY_CENTER | APPLICATION`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::SSO::Application Tag
<a name="aws-properties-sso-application-tag"></a>

A set of key-value pairs that are used to manage the resource. Tags can only be applied to permission sets and cannot be applied to corresponding roles that IAM Identity Center creates in AWS accounts.

## Syntax
<a name="aws-properties-sso-application-tag-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-sso-application-tag-syntax.json"></a>

```
{
  "[Key](#cfn-sso-application-tag-key)" : String,
  "[Value](#cfn-sso-application-tag-value)" : String
}
```

### YAML
<a name="aws-properties-sso-application-tag-syntax.yaml"></a>

```
  [Key](#cfn-sso-application-tag-key): String
  [Value](#cfn-sso-application-tag-value): String
```

## Properties
<a name="aws-properties-sso-application-tag-properties"></a>

`Key`  <a name="cfn-sso-application-tag-key"></a>
The key for the tag.  
*Required*: Yes  
*Type*: String  
*Pattern*: `^[\w+=,.@-]+$`  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Value`  <a name="cfn-sso-application-tag-value"></a>
The value of the tag.  
*Required*: Yes  
*Type*: String  
*Pattern*: `^[\w+=,.@-]+$`  
*Minimum*: `0`  
*Maximum*: `256`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::SSO::ApplicationAssignment
<a name="aws-resource-sso-applicationassignment"></a>

A structure that describes an assignment of a principal to an application.

## Syntax
<a name="aws-resource-sso-applicationassignment-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-sso-applicationassignment-syntax.json"></a>

```
{
  "Type" : "AWS::SSO::ApplicationAssignment",
  "Properties" : {
      "[ApplicationArn](#cfn-sso-applicationassignment-applicationarn)" : String,
      "[PrincipalId](#cfn-sso-applicationassignment-principalid)" : String,
      "[PrincipalType](#cfn-sso-applicationassignment-principaltype)" : String
    }
}
```

### YAML
<a name="aws-resource-sso-applicationassignment-syntax.yaml"></a>

```
Type: AWS::SSO::ApplicationAssignment
Properties:
  [ApplicationArn](#cfn-sso-applicationassignment-applicationarn): String
  [PrincipalId](#cfn-sso-applicationassignment-principalid): String
  [PrincipalType](#cfn-sso-applicationassignment-principaltype): String
```

## Properties
<a name="aws-resource-sso-applicationassignment-properties"></a>

`ApplicationArn`  <a name="cfn-sso-applicationassignment-applicationarn"></a>
The ARN of the application that has principals assigned.  
*Required*: Yes  
*Type*: String  
*Pattern*: `arn:aws(-[a-z]{1,5}){0,3}:sso::\d{12}:application/(sso)?ins-[a-zA-Z0-9-.]{16}/apl-[a-zA-Z0-9]{16}`  
*Minimum*: `10`  
*Maximum*: `1224`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`PrincipalId`  <a name="cfn-sso-applicationassignment-principalid"></a>
The unique identifier of the principal assigned to the application.  
*Required*: Yes  
*Type*: String  
*Pattern*: `^([0-9a-f]{10}-|)[A-Fa-f0-9]{8}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{12}$`  
*Minimum*: `1`  
*Maximum*: `47`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`PrincipalType`  <a name="cfn-sso-applicationassignment-principaltype"></a>
The type of the principal assigned to the application.  
*Required*: Yes  
*Type*: String  
*Allowed values*: `USER | GROUP`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

## Return values
<a name="aws-resource-sso-applicationassignment-return-values"></a>

### Ref
<a name="aws-resource-sso-applicationassignment-return-values-ref"></a>

When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns a generated ID made up of all of the resource's fields joined with the delimiter `|`.

For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

## Examples
<a name="aws-resource-sso-applicationassignment--examples"></a>



### Creating a new application assignment for IAM Identity Center
<a name="aws-resource-sso-applicationassignment--examples--Creating_a_new_application_assignment_for"></a>

The following example grants the user permission to access the example application.

#### JSON
<a name="aws-resource-sso-applicationassignment--examples--Creating_a_new_application_assignment_for--json"></a>

```
"ApplicationAssignment": {
    "Type": "AWS::SSO::ApplicationAssignment",
    "Properties": {
        "ApplicationArn": "arn:aws:sso:::application/ssoins-exampleapplicationid",
        "PrincipalId": "user_id",
        "PrincipalType": "USER"
    }
}
```

#### YAML
<a name="aws-resource-sso-applicationassignment--examples--Creating_a_new_application_assignment_for--yaml"></a>

```
ApplicationAssignment:
    Type: AWS::SSO::ApplicationAssignment
    Properties:
        ApplicationArn: 'arn:aws:sso:::application/ssoins-exampleapplicationid'
        PrincipalId: 'user_id'
        PrincipalType: 'USER'
```

# AWS::SSO::Assignment
<a name="aws-resource-sso-assignment"></a>

Assigns access to a Principal for a specified AWS account using a specified permission set.

**Note**  
The term *principal* here refers to a user or group that is defined in IAM Identity Center.

## Syntax
<a name="aws-resource-sso-assignment-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-sso-assignment-syntax.json"></a>

```
{
  "Type" : "AWS::SSO::Assignment",
  "Properties" : {
      "[InstanceArn](#cfn-sso-assignment-instancearn)" : String,
      "[PermissionSetArn](#cfn-sso-assignment-permissionsetarn)" : String,
      "[PrincipalId](#cfn-sso-assignment-principalid)" : String,
      "[PrincipalType](#cfn-sso-assignment-principaltype)" : String,
      "[TargetId](#cfn-sso-assignment-targetid)" : String,
      "[TargetType](#cfn-sso-assignment-targettype)" : String
    }
}
```

### YAML
<a name="aws-resource-sso-assignment-syntax.yaml"></a>

```
Type: AWS::SSO::Assignment
Properties:
  [InstanceArn](#cfn-sso-assignment-instancearn): String
  [PermissionSetArn](#cfn-sso-assignment-permissionsetarn): String
  [PrincipalId](#cfn-sso-assignment-principalid): String
  [PrincipalType](#cfn-sso-assignment-principaltype): String
  [TargetId](#cfn-sso-assignment-targetid): String
  [TargetType](#cfn-sso-assignment-targettype): String
```

## Properties
<a name="aws-resource-sso-assignment-properties"></a>

`InstanceArn`  <a name="cfn-sso-assignment-instancearn"></a>
The ARN of the IAM Identity Center instance under which the operation will be executed. For more information about ARNs, see [Amazon Resource Names (ARNs) and AWS Service Namespaces](https://docs.aws.amazon.com//general/latest/gr/aws-arns-and-namespaces.html) in the *AWS General Reference*.  
*Required*: Yes  
*Type*: String  
*Pattern*: `arn:aws(-[a-z]{1,5}){0,3}:sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}`  
*Minimum*: `10`  
*Maximum*: `1224`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`PermissionSetArn`  <a name="cfn-sso-assignment-permissionsetarn"></a>
The ARN of the permission set.  
*Required*: Yes  
*Type*: String  
*Pattern*: `arn:aws(-[a-z]{1,5}){0,3}:sso:::permissionSet/(sso)?ins-[a-zA-Z0-9-.]{16}/ps-[a-zA-Z0-9-./]{16}`  
*Minimum*: `10`  
*Maximum*: `1224`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`PrincipalId`  <a name="cfn-sso-assignment-principalid"></a>
An identifier for an object in IAM Identity Center, such as a user or group. PrincipalIds are GUIDs (for example, `f81d4fae-7dec-11d0-a765-00a0c91e6bf6`). For more information about PrincipalIds in IAM Identity Center, see the [IAM Identity Center Identity Store API Reference](/singlesignon/latest/IdentityStoreAPIReference/welcome.html).  
*Required*: Yes  
*Type*: String  
*Pattern*: `^([0-9a-f]{10}-|)[A-Fa-f0-9]{8}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{12}$`  
*Minimum*: `1`  
*Maximum*: `47`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`PrincipalType`  <a name="cfn-sso-assignment-principaltype"></a>
The entity type for which the assignment will be created.  
*Required*: Yes  
*Type*: String  
*Allowed values*: `USER | GROUP`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`TargetId`  <a name="cfn-sso-assignment-targetid"></a>
The identifier of the target AWS account (for example, `123456789012`).  
*Required*: Yes  
*Type*: String  
*Pattern*: `\d{12}`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`TargetType`  <a name="cfn-sso-assignment-targettype"></a>
The type of target for which the assignment is created. Only AWS accounts are supported.  
*Required*: Yes  
*Type*: String  
*Allowed values*: `AWS_ACCOUNT`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

## Return values
<a name="aws-resource-sso-assignment-return-values"></a>

### Ref
<a name="aws-resource-sso-assignment-return-values-ref"></a>

When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns a generated ID made up of all of the resource's fields joined with the delimiter `|`.

For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

## Examples
<a name="aws-resource-sso-assignment--examples"></a>



### Creating a new assignment for IAM Identity Center
<a name="aws-resource-sso-assignment--examples--Creating_a_new_assignment_for"></a>

The following example creates a custom assignment that grants the user `"user_id"` access to the account `"arn:aws:organizations::org_master_id:account/org_id/accountId"` with the permission set `"PermissionSet"`.

#### JSON
<a name="aws-resource-sso-assignment--examples--Creating_a_new_assignment_for--json"></a>

```
{
   "Assignment": {
      "Type": "AWS::SSO::Assignment",
      "Properties": {
         "InstanceArn": "arn:aws:sso:::instance/ssoins-instanceId",
         "PermissionSetArn": {
            "Fn::GetAtt": [
               "PermissionSet",
               "PermissionSetArn"
            ]
         },
         "TargetId": "accountId",
         "TargetType": "AWS_ACCOUNT",
         "PrincipalType": "USER",
         "PrincipalId": "user_id"
      }
   }
}
```

#### YAML
<a name="aws-resource-sso-assignment--examples--Creating_a_new_assignment_for--yaml"></a>

```
Assignment:
    Type: AWS::SSO::Assignment
    Properties:
      InstanceArn: 'arn:aws:sso:::instance/ssoins-instanceId'
      PermissionSetArn: !GetAtt PermissionSet.PermissionSetArn
      TargetId: 'accountId'
      TargetType: 'AWS_ACCOUNT'
      PrincipalType: 'USER'
      PrincipalId: 'user_id'
```

# AWS::SSO::Instance
<a name="aws-resource-sso-instance"></a>

Creates an instance of IAM Identity Center for a standalone AWS account that is not managed by AWS Organizations or a member AWS account in an organization. You can create only one instance per account and across all AWS Regions.

The CreateInstance request is rejected if either of the following applies:
+ The instance is created within the organization management account.
+ An instance already exists in the same account.

## Syntax
<a name="aws-resource-sso-instance-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-sso-instance-syntax.json"></a>

```
{
  "Type" : "AWS::SSO::Instance",
  "Properties" : {
      "[Name](#cfn-sso-instance-name)" : String,
      "[Tags](#cfn-sso-instance-tags)" : [ Tag, ... ]
    }
}
```

### YAML
<a name="aws-resource-sso-instance-syntax.yaml"></a>

```
Type: AWS::SSO::Instance
Properties:
  [Name](#cfn-sso-instance-name): String
  [Tags](#cfn-sso-instance-tags): 
    - Tag
```

## Properties
<a name="aws-resource-sso-instance-properties"></a>

`Name`  <a name="cfn-sso-instance-name"></a>
The name of the Identity Center instance.  
*Required*: No  
*Type*: String  
*Pattern*: `^[\w+=,.@-]+$`  
*Minimum*: `1`  
*Maximum*: `32`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Tags`  <a name="cfn-sso-instance-tags"></a>
Specifies tags to be attached to the instance of IAM Identity Center.  
*Required*: No  
*Type*: Array of [Tag](aws-properties-sso-instance-tag.md)  
*Maximum*: `75`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

## Return values
<a name="aws-resource-sso-instance-return-values"></a>

### Ref
<a name="aws-resource-sso-instance-return-values-ref"></a>

When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns a generated ID made up of all of the resource's fields joined with the delimiter `|`.

For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

### Fn::GetAtt
<a name="aws-resource-sso-instance-return-values-fn--getatt"></a>

<a name="aws-resource-sso-instance-return-values-fn--getatt-fn--getatt"></a>

`IdentityStoreId`  <a name="IdentityStoreId-fn::getatt"></a>
The identifier of the identity store that is connected to the Identity Center instance.

`InstanceArn`  <a name="InstanceArn-fn::getatt"></a>
The ARN of the Identity Center instance under which the operation will be executed. For more information about ARNs, see [Amazon Resource Names (ARNs) and AWS Service Namespaces](/general/latest/gr/aws-arns-and-namespaces.html) in the *AWS General Reference*.

`OwnerAccountId`  <a name="OwnerAccountId-fn::getatt"></a>
The AWS account ID number of the owner of the Identity Center instance.

`Status`  <a name="Status-fn::getatt"></a>
The current status of this Identity Center instance.

## Examples
<a name="aws-resource-sso-instance--examples"></a>



### Creating a new instance of IAM Identity Center
<a name="aws-resource-sso-instance--examples--Creating_a_new_instance_of"></a>

The following example creates an instance of IAM Identity Center for a specific AWS account.

#### JSON
<a name="aws-resource-sso-instance--examples--Creating_a_new_instance_of--json"></a>

```
"Instance": {
    "Type": "AWS::SSO::Instance",
    "Properties": {
        "Name": "InstanceExample",
        "Tags": [
            {
                "Key": "InstanceTagKey1",
                "Value": "InstanceTagValue1"
            }
        ]
    }
}
```

#### YAML
<a name="aws-resource-sso-instance--examples--Creating_a_new_instance_of--yaml"></a>

```
Instance:
    Type: AWS::SSO::Instance
    Properties:
        Name: InstanceExample
        Tags:
            - Key: InstanceTagKey1
              Value: InstanceTagValue1
```
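
The following lint is an added example and is not part of this reference page or of CloudFormation itself: it applies the property names, required fields, allowed values and ARN/GUID patterns documented above for `AWS::SSO::Application`, `AWS::SSO::ApplicationAssignment`, `AWS::SSO::Assignment` and `AWS::SSO::Instance` to a template that has already been loaded as a Python dict, so a misspelled property, a malformed ARN, a map where a list of tags is expected, or a `Fn::GetAtt` to a resource the template never declares is caught in CI rather than by a failed stack update. The sample template, its logical IDs and its values are constructed; `Ref` and `Fn::GetAtt` values are accepted as opaque apart from the existence check.

```python
"""Lint AWS::SSO resources in a CloudFormation template against the constraints on this page."""
import re

# Patterns and allowed values transcribed from the reference page above.
GUID = r"^([0-9a-f]{10}-|)[A-Fa-f0-9]{8}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{12}$"
INSTANCE_ARN = r"^arn:aws(-[a-z]{1,5}){0,3}:sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}$"
APP_ARN = r"^arn:aws(-[a-z]{1,5}){0,3}:sso::\d{12}:application/(sso)?ins-[a-zA-Z0-9-.]{16}/apl-[a-zA-Z0-9]{16}$"
PS_ARN = r"^arn:aws(-[a-z]{1,5}){0,3}:sso:::permissionSet/(sso)?ins-[a-zA-Z0-9-.]{16}/ps-[a-zA-Z0-9-./]{16}$"
PROVIDER_ARN = r"^arn:aws(-[a-z]{1,5}){0,3}:sso::aws:applicationProvider/[a-zA-Z0-9-/]+$"
NAME = r"^[\w+=,.@-]+$"

# Per resource type: (required props, optional props, regex per prop, allowed values per prop).
SCHEMA = {
    "AWS::SSO::Application": (
        {"ApplicationProviderArn", "InstanceArn", "Name"}, {"Description", "PortalOptions", "Status", "Tags"},
        {"ApplicationProviderArn": PROVIDER_ARN, "InstanceArn": INSTANCE_ARN, "Name": NAME},
        {"Status": {"ENABLED", "DISABLED"}}),
    "AWS::SSO::ApplicationAssignment": (
        {"ApplicationArn", "PrincipalId", "PrincipalType"}, set(),
        {"ApplicationArn": APP_ARN, "PrincipalId": GUID}, {"PrincipalType": {"USER", "GROUP"}}),
    "AWS::SSO::Assignment": (
        {"InstanceArn", "PermissionSetArn", "PrincipalId", "PrincipalType", "TargetId", "TargetType"}, set(),
        {"InstanceArn": INSTANCE_ARN, "PermissionSetArn": PS_ARN, "PrincipalId": GUID, "TargetId": r"^\d{12}$"},
        {"PrincipalType": {"USER", "GROUP"}, "TargetType": {"AWS_ACCOUNT"}}),
    "AWS::SSO::Instance": (set(), {"Name", "Tags"}, {"Name": NAME}, {}),
}


def _intrinsic_target(value):
    """Logical ID named by a Ref / Fn::GetAtt value, or None when the value is a literal."""
    if isinstance(value, dict) and len(value) == 1:
        if "Ref" in value:
            return value["Ref"]
        if "Fn::GetAtt" in value:
            return value["Fn::GetAtt"][0]
    return None


def _lint_tags(logical_id, tags):
    """Tags are a list of at most 75 {Key, Value} objects; Key matches NAME, Value may be empty."""
    if not isinstance(tags, list):
        return [f"{logical_id}.Tags: must be a list of Key/Value objects"]
    out = [f"{logical_id}.Tags: more than 75 tags"] if len(tags) > 75 else []
    for i, tag in enumerate(tags):
        for field in ("Key", "Value"):
            val = tag.get(field) if isinstance(tag, dict) else None
            ok = isinstance(val, str) and (re.match(NAME, val) or (field == "Value" and val == ""))
            if not ok:
                out.append(f"{logical_id}.Tags[{i}].{field}: missing or invalid")
    return out


def lint_template(template):
    """Return findings as 'LogicalId.Property: problem' strings; an empty list means clean."""
    resources = template.get("Resources", {})
    findings = []
    for logical_id, res in resources.items():
        if res.get("Type") not in SCHEMA:
            continue  # resource types not documented above (e.g. PermissionSet) are skipped
        required, optional, patterns, enums = SCHEMA[res["Type"]]
        props = res.get("Properties", {})
        known = required | optional
        for name in sorted(set(props) - known):  # CloudFormation property names are case-sensitive
            hint = [k for k in known if k.lower() == name.lower()]
            findings.append(f"{logical_id}.{name}: unknown property"
                            + (f" (did you mean {hint[0]}?)" if hint else ""))
        for name in sorted(required - set(props)):
            findings.append(f"{logical_id}.{name}: required property missing")
        for name, value in props.items():
            target = _intrinsic_target(value)
            if target is not None:  # intrinsic: only check that the referenced resource exists
                if target not in resources:
                    findings.append(f"{logical_id}.{name}: refers to undefined resource {target}")
            elif name == "Tags":
                findings.extend(_lint_tags(logical_id, value))
            elif name in patterns and not (isinstance(value, str) and re.match(patterns[name], value)):
                findings.append(f"{logical_id}.{name}: {value!r} does not match the documented pattern")
            elif name in enums and value not in enums[name]:
                findings.append(f"{logical_id}.{name}: {value!r} is not one of {sorted(enums[name])}")
    return findings


# Constructed sample template. AppAssignment repeats two mistakes that placeholder snippets invite
# (a misspelled property name and an ARN whose account field is empty), and AccountAssignment
# points at a PermissionSet that this template never declares.
SAMPLE_TEMPLATE = {"Resources": {
    "IdcApp": {"Type": "AWS::SSO::Application", "Properties": {
        "ApplicationProviderArn": "arn:aws:sso::aws:applicationProvider/custom",
        "InstanceArn": "arn:aws:sso:::instance/ssoins-1234567890abcdef",
        "Name": "payroll-portal", "Status": "ENABLED",
        "Tags": [{"Key": "owner", "Value": "identity-team"}]}},
    "AppAssignment": {"Type": "AWS::SSO::ApplicationAssignment", "Properties": {
        "ApplicationArn": "arn:aws:sso:::application/ssoins-exampleapplicationid",
        "PrincipalID": "f81d4fae-7dec-11d0-a765-00a0c91e6bf6", "PrincipalType": "USER"}},
    "AccountAssignment": {"Type": "AWS::SSO::Assignment", "Properties": {
        "InstanceArn": "arn:aws:sso:::instance/ssoins-1234567890abcdef",
        "PermissionSetArn": {"Fn::GetAtt": ["PermissionSet", "PermissionSetArn"]},
        "PrincipalId": "f81d4fae-7dec-11d0-a765-00a0c91e6bf6", "PrincipalType": "USER",
        "TargetId": "123456789012", "TargetType": "AWS_ACCOUNT"}},
}}
```

Running `lint_template(SAMPLE_TEMPLATE)` reports the misspelled `PrincipalID`, the resulting missing `PrincipalId`, the `ApplicationArn` that does not match the documented pattern, and the dangling `Fn::GetAtt`; the IdcApp resource passes.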

# AWS::SSO::Instance Tag
<a name="aws-properties-sso-instance-tag"></a>

A set of key-value pairs that are used to manage the resource. Tags can only be applied to permission sets and cannot be applied to corresponding roles that IAM Identity Center creates in AWS accounts.

## Syntax
<a name="aws-properties-sso-instance-tag-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-sso-instance-tag-syntax.json"></a>

```
{
  "[Key](#cfn-sso-instance-tag-key)" : String,
  "[Value](#cfn-sso-instance-tag-value)" : String
}
```

### YAML
<a name="aws-properties-sso-instance-tag-syntax.yaml"></a>

```
  [Key](#cfn-sso-instance-tag-key): String
  [Value](#cfn-sso-instance-tag-value): String
```

## Properties
<a name="aws-properties-sso-instance-tag-properties"></a>

`Key`  <a name="cfn-sso-instance-tag-key"></a>
The key for the tag.  
*Required*: Yes  
*Type*: String  
*Pattern*: `[\w+=,.@-]+`  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Value`  <a name="cfn-sso-instance-tag-value"></a>
The value of the tag.  
*Required*: Yes  
*Type*: String  
*Pattern*: `[\w+=,.@-]+`  
*Minimum*: `0`  
*Maximum*: `256`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::SSO::InstanceAccessControlAttributeConfiguration
<a name="aws-resource-sso-instanceaccesscontrolattributeconfiguration"></a>

Enables the attribute-based access control (ABAC) feature for the specified IAM Identity Center instance. You can also specify new attributes to add to your ABAC configuration during the enabling process. For more information about ABAC, see [Attribute-Based Access Control](https://docs.aws.amazon.com//singlesignon/latest/userguide/abac.html) in the *IAM Identity Center User Guide*.

**Note**  
The `InstanceAccessControlAttributeConfiguration` property has been deprecated but is still supported for backwards compatibility purposes. We recommend that you use the `AccessControlAttributes` property instead.

## Syntax
<a name="aws-resource-sso-instanceaccesscontrolattributeconfiguration-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-sso-instanceaccesscontrolattributeconfiguration-syntax.json"></a>

```
{
  "Type" : "AWS::SSO::InstanceAccessControlAttributeConfiguration",
  "Properties" : {
      "[AccessControlAttributes](#cfn-sso-instanceaccesscontrolattributeconfiguration-accesscontrolattributes)" : [ AccessControlAttribute, ... ],
      "[InstanceArn](#cfn-sso-instanceaccesscontrolattributeconfiguration-instancearn)" : String
    }
}
```

### YAML
<a name="aws-resource-sso-instanceaccesscontrolattributeconfiguration-syntax.yaml"></a>

```
Type: AWS::SSO::InstanceAccessControlAttributeConfiguration
Properties:
  [AccessControlAttributes](#cfn-sso-instanceaccesscontrolattributeconfiguration-accesscontrolattributes): 
    - AccessControlAttribute
  [InstanceArn](#cfn-sso-instanceaccesscontrolattributeconfiguration-instancearn): String
```

## Properties
<a name="aws-resource-sso-instanceaccesscontrolattributeconfiguration-properties"></a>

`AccessControlAttributes`  <a name="cfn-sso-instanceaccesscontrolattributeconfiguration-accesscontrolattributes"></a>
Lists the attributes that are configured for ABAC in the specified IAM Identity Center instance.  
*Required*: No  
*Type*: Array of [AccessControlAttribute](aws-properties-sso-instanceaccesscontrolattributeconfiguration-accesscontrolattribute.md)  
*Maximum*: `50`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`InstanceArn`  <a name="cfn-sso-instanceaccesscontrolattributeconfiguration-instancearn"></a>
The ARN of the IAM Identity Center instance under which the operation will be executed.  
*Required*: Yes  
*Type*: String  
*Pattern*: `arn:aws(-[a-z]{1,5}){0,3}:sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}`  
*Minimum*: `10`  
*Maximum*: `1224`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

## Return values
<a name="aws-resource-sso-instanceaccesscontrolattributeconfiguration-return-values"></a>

### Ref
<a name="aws-resource-sso-instanceaccesscontrolattributeconfiguration-return-values-ref"></a>

Specifies the IAM Identity Center identity store attributes to add to your ABAC configuration. When using an external identity provider as an identity source, you can pass attributes through the SAML assertion. Doing so provides an alternative to configuring attributes from the IAM Identity Center identity store. If a SAML assertion passes any of these attributes, IAM Identity Center will replace the attribute value with the value from the IAM Identity Center identity store.

## Examples
<a name="aws-resource-sso-instanceaccesscontrolattributeconfiguration--examples"></a>



### Enabling and configuring attributes used for access control in IAM Identity Center
<a name="aws-resource-sso-instanceaccesscontrolattributeconfiguration--examples--Enabling_and_configuring_attributes_used_for_access_control_in"></a>

The following example enables ABAC in IAM Identity Center and creates a new attribute key `CostCenter` that is mapped to the value `${path:enterprise.costCenter}`, which comes from your identity source.

#### JSON
<a name="aws-resource-sso-instanceaccesscontrolattributeconfiguration--examples--Enabling_and_configuring_attributes_used_for_access_control_in--json"></a>

```
{
    "Resources": {
        "ABAC": {
            "Type": "AWS::SSO::InstanceAccessControlAttributeConfiguration",
            "Properties": {
                "InstanceArn": "arn:aws:sso:::instance/ssoins-instanceId",
                "AccessControlAttributes": [
                    {
                        "Key": "CostCenter",
                        "Value": {
                            "Source": [
                                "${path:enterprise.costCenter}"
                            ]
                        }
                    }
                ]
            }
        }
    }
}
```

#### YAML
<a name="aws-resource-sso-instanceaccesscontrolattributeconfiguration--examples--Enabling_and_configuring_attributes_used_for_access_control_in--yaml"></a>

```
Resources:
  ABAC:
    Type: 'AWS::SSO::InstanceAccessControlAttributeConfiguration'
    Properties:
      InstanceArn: 'arn:aws:sso:::instance/ssoins-instanceId'
      AccessControlAttributes:
        - Key: CostCenter
          Value:
            Source:
              - '${path:enterprise.costCenter}'
```

# AWS::SSO::InstanceAccessControlAttributeConfiguration AccessControlAttribute
<a name="aws-properties-sso-instanceaccesscontrolattributeconfiguration-accesscontrolattribute"></a>

These are IAM Identity Center identity store attributes that you can configure for use in attribute-based access control (ABAC). You can create permissions policies that determine who can access your AWS resources based upon the configured attribute values. When you enable ABAC and specify `AccessControlAttributes`, IAM Identity Center passes the attribute values of the authenticated user into IAM for use in policy evaluation.

## Syntax
<a name="aws-properties-sso-instanceaccesscontrolattributeconfiguration-accesscontrolattribute-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-sso-instanceaccesscontrolattributeconfiguration-accesscontrolattribute-syntax.json"></a>

```
{
  "[Key](#cfn-sso-instanceaccesscontrolattributeconfiguration-accesscontrolattribute-key)" : String,
  "[Value](#cfn-sso-instanceaccesscontrolattributeconfiguration-accesscontrolattribute-value)" : AccessControlAttributeValue
}
```

### YAML
<a name="aws-properties-sso-instanceaccesscontrolattributeconfiguration-accesscontrolattribute-syntax.yaml"></a>

```
  [Key](#cfn-sso-instanceaccesscontrolattributeconfiguration-accesscontrolattribute-key): String
  [Value](#cfn-sso-instanceaccesscontrolattributeconfiguration-accesscontrolattribute-value): 
    AccessControlAttributeValue
```

## Properties
<a name="aws-properties-sso-instanceaccesscontrolattributeconfiguration-accesscontrolattribute-properties"></a>

`Key`  <a name="cfn-sso-instanceaccesscontrolattributeconfiguration-accesscontrolattribute-key"></a>
The name of the attribute associated with your identities in your identity source. This is used to map a specified attribute in your identity source with an attribute in IAM Identity Center.  
*Required*: Yes  
*Type*: String  
*Pattern*: `[\p{L}\p{Z}\p{N}_.:\/=+\-@]+`  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Value`  <a name="cfn-sso-instanceaccesscontrolattributeconfiguration-accesscontrolattribute-value"></a>
The value used for mapping a specified attribute to an identity source.  
*Required*: Yes  
*Type*: [AccessControlAttributeValue](aws-properties-sso-instanceaccesscontrolattributeconfiguration-accesscontrolattributevalue.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::SSO::InstanceAccessControlAttributeConfiguration AccessControlAttributeValue
<a name="aws-properties-sso-instanceaccesscontrolattributeconfiguration-accesscontrolattributevalue"></a>

The value used for mapping a specified attribute to an identity source.

## Syntax
<a name="aws-properties-sso-instanceaccesscontrolattributeconfiguration-accesscontrolattributevalue-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-sso-instanceaccesscontrolattributeconfiguration-accesscontrolattributevalue-syntax.json"></a>

```
{
  "[Source](#cfn-sso-instanceaccesscontrolattributeconfiguration-accesscontrolattributevalue-source)" : [ String, ... ]
}
```

### YAML
<a name="aws-properties-sso-instanceaccesscontrolattributeconfiguration-accesscontrolattributevalue-syntax.yaml"></a>

```
  [Source](#cfn-sso-instanceaccesscontrolattributeconfiguration-accesscontrolattributevalue-source): 
    - String
```

## Properties
<a name="aws-properties-sso-instanceaccesscontrolattributeconfiguration-accesscontrolattributevalue-properties"></a>

`Source`  <a name="cfn-sso-instanceaccesscontrolattributeconfiguration-accesscontrolattributevalue-source"></a>
The identity source to use when mapping a specified attribute to IAM Identity Center.  
*Required*: Yes  
*Type*: Array of String  
*Maximum*: `1`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::SSO::PermissionSet
<a name="aws-resource-sso-permissionset"></a>

Specifies a permission set within a specified IAM Identity Center instance.

## Syntax
<a name="aws-resource-sso-permissionset-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-sso-permissionset-syntax.json"></a>

```
{
  "Type" : "AWS::SSO::PermissionSet",
  "Properties" : {
      "[CustomerManagedPolicyReferences](#cfn-sso-permissionset-customermanagedpolicyreferences)" : [ CustomerManagedPolicyReference, ... ],
      "[Description](#cfn-sso-permissionset-description)" : String,
      "[InlinePolicy](#cfn-sso-permissionset-inlinepolicy)" : Json,
      "[InstanceArn](#cfn-sso-permissionset-instancearn)" : String,
      "[ManagedPolicies](#cfn-sso-permissionset-managedpolicies)" : [ String, ... ],
      "[Name](#cfn-sso-permissionset-name)" : String,
      "[PermissionsBoundary](#cfn-sso-permissionset-permissionsboundary)" : PermissionsBoundary,
      "[RelayStateType](#cfn-sso-permissionset-relaystatetype)" : String,
      "[SessionDuration](#cfn-sso-permissionset-sessionduration)" : String,
      "[Tags](#cfn-sso-permissionset-tags)" : [ Tag, ... ]
    }
}
```

### YAML
<a name="aws-resource-sso-permissionset-syntax.yaml"></a>

```
Type: AWS::SSO::PermissionSet
Properties:
  [CustomerManagedPolicyReferences](#cfn-sso-permissionset-customermanagedpolicyreferences): 
    - CustomerManagedPolicyReference
  [Description](#cfn-sso-permissionset-description): String
  [InlinePolicy](#cfn-sso-permissionset-inlinepolicy): Json
  [InstanceArn](#cfn-sso-permissionset-instancearn): String
  [ManagedPolicies](#cfn-sso-permissionset-managedpolicies): 
    - String
  [Name](#cfn-sso-permissionset-name): String
  [PermissionsBoundary](#cfn-sso-permissionset-permissionsboundary): 
    PermissionsBoundary
  [RelayStateType](#cfn-sso-permissionset-relaystatetype): String
  [SessionDuration](#cfn-sso-permissionset-sessionduration): String
  [Tags](#cfn-sso-permissionset-tags): 
    - Tag
```

## Properties
<a name="aws-resource-sso-permissionset-properties"></a>

`CustomerManagedPolicyReferences`  <a name="cfn-sso-permissionset-customermanagedpolicyreferences"></a>
Specifies the names and paths of the customer managed policies that you have attached to your permission set.  
*Required*: No  
*Type*: Array of [CustomerManagedPolicyReference](aws-properties-sso-permissionset-customermanagedpolicyreference.md)  
*Maximum*: `20`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Description`  <a name="cfn-sso-permissionset-description"></a>
The description of the [AWS::SSO::PermissionSet](#aws-resource-sso-permissionset).  
*Required*: No  
*Type*: String  
*Pattern*: `[\u0009\u000A\u000D\u0020-\u007E\u00A1-\u00FF]*`  
*Minimum*: `1`  
*Maximum*: `700`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`InlinePolicy`  <a name="cfn-sso-permissionset-inlinepolicy"></a>
The inline policy that is attached to the permission set.  
For `Length Constraints`, if a valid ARN is provided for a permission set, it is possible for an empty inline policy to be returned.  
*Required*: No  
*Type*: Json  
*Pattern*: `[\u0009\u000A\u000D\u0020-\u00FF]+`  
*Minimum*: `1`  
*Maximum*: `32768`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`InstanceArn`  <a name="cfn-sso-permissionset-instancearn"></a>
The ARN of the IAM Identity Center instance under which the operation will be executed. For more information about ARNs, see [Amazon Resource Names (ARNs) and AWS Service Namespaces](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the *AWS General Reference*.  
*Required*: Yes  
*Type*: String  
*Pattern*: `arn:aws(-[a-z]{1,5}){0,3}:sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}`  
*Minimum*: `10`  
*Maximum*: `1224`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`ManagedPolicies`  <a name="cfn-sso-permissionset-managedpolicies"></a>
A list of the ARNs of the AWS managed policies attached to the permission set.  
*Required*: No  
*Type*: Array of String  
*Maximum*: `20`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Name`  <a name="cfn-sso-permissionset-name"></a>
The name of the permission set.  
*Required*: Yes  
*Type*: String  
*Pattern*: `[\w+=,.@-]+`  
*Minimum*: `1`  
*Maximum*: `32`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`PermissionsBoundary`  <a name="cfn-sso-permissionset-permissionsboundary"></a>
Specifies the configuration of the AWS managed or customer managed policy that you want to set as a permissions boundary. Specify either `CustomerManagedPolicyReference` to use the name and path of a customer managed policy, or `ManagedPolicyArn` to use the ARN of an AWS managed policy. A permissions boundary represents the maximum permissions that any policy can grant your role. For more information, see [Permissions boundaries for IAM entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*.  
Policies used as permissions boundaries don't provide permissions. You must also attach an IAM policy to the role. To learn how the effective permissions for a role are evaluated, see [IAM JSON policy evaluation logic](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html) in the *IAM User Guide*.  
*Required*: No  
*Type*: [PermissionsBoundary](aws-properties-sso-permissionset-permissionsboundary.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`RelayStateType`  <a name="cfn-sso-permissionset-relaystatetype"></a>
Used to redirect users within the application during the federation authentication process.  
*Required*: No  
*Type*: String  
*Pattern*: `[a-zA-Z0-9&$@#\/%?=~\-_'"|!:,.;*+\[\]\ \(\)\{\}]+`  
*Minimum*: `1`  
*Maximum*: `240`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`SessionDuration`  <a name="cfn-sso-permissionset-sessionduration"></a>
The length of time that application user sessions are valid, expressed as an ISO-8601 duration.  
*Required*: No  
*Type*: String  
*Pattern*: `^(-?)P(?=\d|T\d)(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)([DW]))?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+(?:\.\d+)?)S)?)?$`  
*Minimum*: `1`  
*Maximum*: `100`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Tags`  <a name="cfn-sso-permissionset-tags"></a>
The tags to attach to the new [AWS::SSO::PermissionSet](#aws-resource-sso-permissionset).  
*Required*: No  
*Type*: Array of [Tag](aws-properties-sso-permissionset-tag.md)  
*Maximum*: `50`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

## Return values
<a name="aws-resource-sso-permissionset-return-values"></a>

### Ref
<a name="aws-resource-sso-permissionset-return-values-ref"></a>

When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns a generated ID, such as `permission-arn|sso-instance-arn`.

For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

### Fn::GetAtt
<a name="aws-resource-sso-permissionset-return-values-fn--getatt"></a>

The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html).

<a name="aws-resource-sso-permissionset-return-values-fn--getatt-fn--getatt"></a>

`PermissionSetArn`  <a name="PermissionSetArn-fn::getatt"></a>
The permission set ARN of the permission set, such as `arn:aws:sso:::permissionSet/ins-instanceid/ps-permissionsetid`.

## Examples
<a name="aws-resource-sso-permissionset--examples"></a>



**Topics**
+ [Creating a new custom permission set for IAM Identity Center](#aws-resource-sso-permissionset--examples--Creating_a_new_custom_permission_set_for)
+ [Creating a new custom permission set for IAM Identity Center with a customer managed policy as a permissions boundary](#aws-resource-sso-permissionset--examples--Creating_a_new_custom_permission_set_for_with_a_customer_managed_policy_as_a_permissions_boundary)
+ [Creating a new custom permission set for IAM Identity Center with an AWS managed policy as a permissions boundary](#aws-resource-sso-permissionset--examples--Creating_a_new_custom_permission_set_for_with_an_managed_policy_as_a_permissions_boundary)

### Creating a new custom permission set for IAM Identity Center
<a name="aws-resource-sso-permissionset--examples--Creating_a_new_custom_permission_set_for"></a>

The following example creates a custom permission set, `PermissionSet`, with an attached AWS managed policy and an inline policy.

#### JSON
<a name="aws-resource-sso-permissionset--examples--Creating_a_new_custom_permission_set_for--json"></a>

```
{
  "PermissionSet": {
    "Type": "AWS::SSO::PermissionSet",
    "Properties": {
      "InstanceArn": "arn:aws:sso:::instance/ssoins-instanceId",
      "Name": "PermissionSet",
      "Description": "This is a sample permission set.",
      "SessionDuration": "PT8H",
      "ManagedPolicies": [
         "arn:aws:iam::aws:policy/AdministratorAccess"
      ],
      "InlinePolicy": "Inline policy json string",
      "Tags": [
        {
          "Key": "tagKey",
          "Value": "tagValue"
        }
      ]
    }
  }
}
```

#### YAML
<a name="aws-resource-sso-permissionset--examples--Creating_a_new_custom_permission_set_for--yaml"></a>

```
PermissionSet:
  Type: AWS::SSO::PermissionSet
  Properties:
    InstanceArn: 'arn:aws:sso:::instance/ssoins-instanceId'
    Name: 'PermissionSet'
    Description: 'This is a sample permission set.'
    SessionDuration: 'PT8H'
    ManagedPolicies:
      - 'arn:aws:iam::aws:policy/AdministratorAccess'
    InlinePolicy: 'Inline policy json string'
    Tags:
      - Key: tagKey
        Value: tagValue
```

### Creating a new custom permission set for IAM Identity Center with a customer managed policy as a permissions boundary
<a name="aws-resource-sso-permissionset--examples--Creating_a_new_custom_permission_set_for_with_a_customer_managed_policy_as_a_permissions_boundary"></a>

The following example creates a custom permission set, `PermissionSetWithCmpPb`, with policies attached and a customer managed policy as a permissions boundary.

#### JSON
<a name="aws-resource-sso-permissionset--examples--Creating_a_new_custom_permission_set_for_with_a_customer_managed_policy_as_a_permissions_boundary--json"></a>

```
{
  "PermissionSetWithCustomerManagedPolicyReferenceForPermissionsBoundary": {
    "Type": "AWS::SSO::PermissionSet",
    "Properties": {
      "InstanceArn": "arn:aws:sso:::instance/ssoins-instanceId",
      "Name": "PermissionSetWithCmpPb",
      "Description": "This is a sample permission set.",
      "SessionDuration": "PT8H",
      "ManagedPolicies": [
        "arn:aws:iam::aws:policy/AdministratorAccess"
      ],
      "CustomerManagedPolicyReferences": [
        {
          "Name": "MyCustomPolicyName",
          "Path": "/myCustomPath/"
        },
        {
          "Name": "AnotherCustomPolicyName"
        },
        {
          "Name": "YetAnotherCustomPolicyName",
          "Path": "/"
        }
      ],
      "PermissionsBoundary": {
        "CustomerManagedPolicyReference": {
          "Name": "PolicyName",
          "Path": "/myPolicyPath/"
        }
      }
    }
  }
}
```

#### YAML
<a name="aws-resource-sso-permissionset--examples--Creating_a_new_custom_permission_set_for_with_a_customer_managed_policy_as_a_permissions_boundary--yaml"></a>

```
PermissionSetWithCustomerManagedPolicyReferenceForPermissionsBoundary:
  Type: AWS::SSO::PermissionSet
  Properties:
    InstanceArn: 'arn:aws:sso:::instance/ssoins-instanceId'
    Name: 'PermissionSetWithCmpPb'
    Description: 'This is a sample permission set.'
    SessionDuration: 'PT8H'
    ManagedPolicies:
      - 'arn:aws:iam::aws:policy/AdministratorAccess'
    CustomerManagedPolicyReferences:
      - Name: 'MyCustomPolicyName'
        Path: '/myCustomPath/'
      - Name: 'AnotherCustomPolicyName'
      - Name: 'YetAnotherCustomPolicyName'
        Path: '/'
    PermissionsBoundary:
      CustomerManagedPolicyReference:
        Name: PolicyName
        Path: /myPolicyPath/
```

### Creating a new custom permission set for IAM Identity Center with an AWS managed policy as a permissions boundary
<a name="aws-resource-sso-permissionset--examples--Creating_a_new_custom_permission_set_for_with_an_managed_policy_as_a_permissions_boundary"></a>

The following example creates a custom permission set, `PermissionSetWithAmpPb`, with policies attached and an AWS managed policy as a permissions boundary.

#### JSON
<a name="aws-resource-sso-permissionset--examples--Creating_a_new_custom_permission_set_for_with_an_managed_policy_as_a_permissions_boundary--json"></a>

```
{
  "PermissionSetWithAWSManagedPolicyForPermissionsBoundary": {
    "Type": "AWS::SSO::PermissionSet",
    "Properties": {
      "InstanceArn": "arn:aws:sso:::instance/ssoins-instanceId",
      "Name": "PermissionSetWithAmpPb",
      "Description": "This is a sample permission set.",
      "SessionDuration": "PT8H",
      "ManagedPolicies": [
        "arn:aws:iam::aws:policy/AdministratorAccess"
      ],
      "CustomerManagedPolicyReferences": [
        {
          "Name": "MyCustomPolicyName",
          "Path": "/myCustomPath/"
        },
        {
          "Name": "AnotherCustomPolicyName"
        },
        {
          "Name": "YetAnotherCustomPolicyName",
          "Path": "/"
        }
      ],
      "PermissionsBoundary": {
        "ManagedPolicyArn": {
          "Fn::Sub": "arn:aws:iam::aws:policy/ReadOnlyAccess"
        }
      }
    }
  }
}
```

#### YAML
<a name="aws-resource-sso-permissionset--examples--Creating_a_new_custom_permission_set_for_with_an_managed_policy_as_a_permissions_boundary--yaml"></a>

```
PermissionSetWithAwsManagedPolicyForPermissionsBoundary:
  Type: AWS::SSO::PermissionSet
  Properties:
    InstanceArn: 'arn:aws:sso:::instance/ssoins-instanceId'
    Name: 'PermissionSetWithAmpPb'
    Description: 'This is a sample permission set.'
    SessionDuration: 'PT8H'
    ManagedPolicies:
      - 'arn:aws:iam::aws:policy/AdministratorAccess'
    CustomerManagedPolicyReferences:
      - Name: 'MyCustomPolicy'
        Path: '/myCustomPath/'
      - Name: 'AnotherCustomPolicy'
      - Name: YetAnotherCustomPolicyName
        Path: /
    PermissionsBoundary:
      ManagedPolicyArn: 'arn:aws:iam::aws:policy/ReadOnlyAccess'
```

# AWS::SSO::PermissionSet CustomerManagedPolicyReference
<a name="aws-properties-sso-permissionset-customermanagedpolicyreference"></a>

Specifies the name and path of a customer managed policy. You must have an IAM policy that matches the name and path in each AWS account where you want to deploy your permission set.

## Syntax
<a name="aws-properties-sso-permissionset-customermanagedpolicyreference-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-sso-permissionset-customermanagedpolicyreference-syntax.json"></a>

```
{
  "[Name](#cfn-sso-permissionset-customermanagedpolicyreference-name)" : String,
  "[Path](#cfn-sso-permissionset-customermanagedpolicyreference-path)" : String
}
```

### YAML
<a name="aws-properties-sso-permissionset-customermanagedpolicyreference-syntax.yaml"></a>

```
  [Name](#cfn-sso-permissionset-customermanagedpolicyreference-name): String
  [Path](#cfn-sso-permissionset-customermanagedpolicyreference-path): String
```

## Properties
<a name="aws-properties-sso-permissionset-customermanagedpolicyreference-properties"></a>

`Name`  <a name="cfn-sso-permissionset-customermanagedpolicyreference-name"></a>
The name of the IAM policy that you have configured in each account where you want to deploy your permission set.  
*Required*: Yes  
*Type*: String  
*Pattern*: `[\w+=,.@-]+`  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Path`  <a name="cfn-sso-permissionset-customermanagedpolicyreference-path"></a>
The path to the IAM policy that you have configured in each account where you want to deploy your permission set. The default is `/`. For more information, see [Friendly names and paths](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-friendly-names) in the *IAM User Guide*.  
*Required*: No  
*Type*: String  
*Pattern*: `((/[A-Za-z0-9\.,\+@=_-]+)*)/`  
*Minimum*: `1`  
*Maximum*: `512`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::SSO::PermissionSet PermissionsBoundary
<a name="aws-properties-sso-permissionset-permissionsboundary"></a>

Specifies the configuration of the AWS managed or customer managed policy that you want to set as a permissions boundary. Specify either `CustomerManagedPolicyReference` to use the name and path of a customer managed policy, or `ManagedPolicyArn` to use the ARN of an AWS managed policy. A permissions boundary represents the maximum permissions that any policy can grant your role. For more information, see [Permissions boundaries for IAM entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*.

**Important**  
Policies used as permissions boundaries don't provide permissions. You must also attach an IAM policy to the role. To learn how the effective permissions for a role are evaluated, see [IAM JSON policy evaluation logic](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html) in the *IAM User Guide*.

## Syntax
<a name="aws-properties-sso-permissionset-permissionsboundary-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-sso-permissionset-permissionsboundary-syntax.json"></a>

```
{
  "[CustomerManagedPolicyReference](#cfn-sso-permissionset-permissionsboundary-customermanagedpolicyreference)" : CustomerManagedPolicyReference,
  "[ManagedPolicyArn](#cfn-sso-permissionset-permissionsboundary-managedpolicyarn)" : String
}
```

### YAML
<a name="aws-properties-sso-permissionset-permissionsboundary-syntax.yaml"></a>

```
  [CustomerManagedPolicyReference](#cfn-sso-permissionset-permissionsboundary-customermanagedpolicyreference): 
    CustomerManagedPolicyReference
  [ManagedPolicyArn](#cfn-sso-permissionset-permissionsboundary-managedpolicyarn): String
```

## Properties
<a name="aws-properties-sso-permissionset-permissionsboundary-properties"></a>

`CustomerManagedPolicyReference`  <a name="cfn-sso-permissionset-permissionsboundary-customermanagedpolicyreference"></a>
Specifies the name and path of a customer managed policy. You must have an IAM policy that matches the name and path in each AWS account where you want to deploy your permission set.  
*Required*: No  
*Type*: [CustomerManagedPolicyReference](aws-properties-sso-permissionset-customermanagedpolicyreference.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ManagedPolicyArn`  <a name="cfn-sso-permissionset-permissionsboundary-managedpolicyarn"></a>
The AWS managed policy ARN that you want to attach to a permission set as a permissions boundary.  
*Required*: No  
*Type*: String  
*Minimum*: `20`  
*Maximum*: `2048`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
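
The constraints from the `AWS::SSO::PermissionSet`, `CustomerManagedPolicyReference` and `PermissionsBoundary` property tables above, applied as an offline check before a stack is deployed. This is an added example, not AWS code or a CloudFormation tool: it reports a `Properties` block that breaks a pattern, a length limit, a list maximum, or the either/or rule for `PermissionsBoundary`; the sample blocks are constructed, and the `Broken` one reuses the placeholder values from the examples above, which do not pass.

```python
"""Added example (not AWS code): checks an AWS::SSO::PermissionSet Properties
block against the constraints in the property tables above, before deployment."""
import json
import re

# Patterns copied from the property tables above; length limits are passed per call.
INSTANCE_ARN = re.compile(
    r"arn:aws(-[a-z]{1,5}){0,3}:sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}")
NAME = re.compile(r"[\w+=,.@-]+")
DESCRIPTION = re.compile(r"[\u0009\u000A\u000D\u0020-\u007E\u00A1-\u00FF]*")
SESSION_DURATION = re.compile(
    r"^(-?)P(?=\d|T\d)(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)([DW]))?"
    r"(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+(?:\.\d+)?)S)?)?$")
POLICY_PATH = re.compile(r"((/[A-Za-z0-9\.,\+@=_-]+)*)/")


def _check_string(findings, where, key, value, pattern, lo, hi, required):
    """Apply one String property's Required, Pattern, Minimum and Maximum rules."""
    if value is None:
        if required:
            findings.append(f"{where}: {key} is required")
        return
    if not isinstance(value, str):
        findings.append(f"{where}: {key} must be a String")
        return
    if not lo <= len(value) <= hi:
        findings.append(f"{where}: {key} length must be between {lo} and {hi}")
    if pattern.fullmatch(value) is None:
        findings.append(f"{where}: {key} does not match pattern {pattern.pattern}")


def _check_policy_reference(findings, where, ref):
    """CustomerManagedPolicyReference: Name is required, Path is optional."""
    if not isinstance(ref, dict):
        findings.append(f"{where}: policy reference must be an object")
        return
    _check_string(findings, where, "Name", ref.get("Name"), NAME, 1, 128, True)
    _check_string(findings, where, "Path", ref.get("Path"), POLICY_PATH, 1, 512, False)


def check_permission_set(logical_id, props):
    """Return a list of findings for one resource's Properties (empty when valid)."""
    f, w = [], logical_id
    _check_string(f, w, "InstanceArn", props.get("InstanceArn"), INSTANCE_ARN, 10, 1224, True)
    _check_string(f, w, "Name", props.get("Name"), NAME, 1, 32, True)
    _check_string(f, w, "Description", props.get("Description"), DESCRIPTION, 1, 700, False)
    _check_string(f, w, "SessionDuration", props.get("SessionDuration"), SESSION_DURATION, 1, 100, False)
    # InlinePolicy is typed Json; the examples above pass it as a string, so a string is
    # accepted but must parse, and a placeholder like "Inline policy json string" is reported.
    inline = props.get("InlinePolicy")
    if isinstance(inline, str):
        if not 1 <= len(inline) <= 32768:
            f.append(f"{w}: InlinePolicy length must be between 1 and 32768")
        try:
            json.loads(inline)
        except ValueError:
            f.append(f"{w}: InlinePolicy string is not valid JSON")
    for key, limit in (("ManagedPolicies", 20), ("CustomerManagedPolicyReferences", 20), ("Tags", 50)):
        items = props.get(key, [])
        if not isinstance(items, list) or len(items) > limit:
            f.append(f"{w}: {key} must be a list of at most {limit} items")
    refs = props.get("CustomerManagedPolicyReferences", [])
    for ref in refs if isinstance(refs, list) else []:
        _check_policy_reference(f, f"{w}.CustomerManagedPolicyReferences", ref)
    # PermissionsBoundary: "Specify either CustomerManagedPolicyReference ... or ManagedPolicyArn".
    boundary = props.get("PermissionsBoundary")
    if isinstance(boundary, dict):
        if len({"CustomerManagedPolicyReference", "ManagedPolicyArn"} & set(boundary)) != 1:
            f.append(f"{w}: PermissionsBoundary must specify exactly one of "
                     "CustomerManagedPolicyReference or ManagedPolicyArn")
        if "CustomerManagedPolicyReference" in boundary:
            _check_policy_reference(f, f"{w}.PermissionsBoundary", boundary["CustomerManagedPolicyReference"])
        arn = boundary.get("ManagedPolicyArn")
        if arn is not None and not (isinstance(arn, str) and 20 <= len(arn) <= 2048):
            f.append(f"{w}: ManagedPolicyArn must be a String of 20 to 2048 characters")
    return f


# Constructed sample Properties blocks (not from the page): "Good" follows the reference;
# "Broken" reuses the placeholder values from the examples above, which do not pass.
SAMPLES = {
    "Good": {
        "InstanceArn": "arn:aws:sso:::instance/ssoins-0123456789abcdef",
        "Name": "ReadOnlyAnalyst", "Description": "Read-only access bounded by ReadOnlyAccess.",
        "SessionDuration": "PT4H",
        "InlinePolicy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"}]}),
        "PermissionsBoundary": {"ManagedPolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
    "Broken": {
        "InstanceArn": "arn:aws:sso:::instance/ssoins-instanceId",  # id part is not 16 characters
        "Name": "PermissionSet", "SessionDuration": "8 hours",       # not an ISO-8601 duration
        "InlinePolicy": "Inline policy json string",                # not JSON
        "PermissionsBoundary": {                                    # both choices given at once
            "CustomerManagedPolicyReference": {"Name": "PolicyName", "Path": "myPolicyPath"},
            "ManagedPolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}}}

if __name__ == "__main__":
    for logical_id, props in SAMPLES.items():
        print(logical_id, check_permission_set(logical_id, props))
```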

# AWS::SSO::PermissionSet Tag
<a name="aws-properties-sso-permissionset-tag"></a>

A set of key-value pairs that are used to manage the resource. Tags can only be applied to permission sets and cannot be applied to corresponding roles that IAM Identity Center creates in AWS accounts.

## Syntax
<a name="aws-properties-sso-permissionset-tag-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-sso-permissionset-tag-syntax.json"></a>

```
{
  "[Key](#cfn-sso-permissionset-tag-key)" : String,
  "[Value](#cfn-sso-permissionset-tag-value)" : String
}
```

### YAML
<a name="aws-properties-sso-permissionset-tag-syntax.yaml"></a>

```
  [Key](#cfn-sso-permissionset-tag-key): String
  [Value](#cfn-sso-permissionset-tag-value): String
```

## Properties
<a name="aws-properties-sso-permissionset-tag-properties"></a>

`Key`  <a name="cfn-sso-permissionset-tag-key"></a>
The key for the tag.  
*Required*: Yes  
*Type*: String  
*Pattern*: `[\w+=,.@-]+`  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Value`  <a name="cfn-sso-permissionset-tag-value"></a>
The value of the tag.  
*Required*: Yes  
*Type*: String  
*Pattern*: `[\w+=,.@-]+`  
*Minimum*: `0`  
*Maximum*: `256`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)