This is the new *CloudFormation Template Reference Guide*. Please update your bookmarks and links. For help getting started with CloudFormation, see the [AWS CloudFormation User Guide](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html). # AWS::SSO::Assignment Assigns access to a Principal for a specified AWS account using a specified permission set. **Note** The term *principal* here refers to a user or group that is defined in IAM Identity Center. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "Type" : "AWS::SSO::Assignment", "Properties" : { "[InstanceArn](#cfn-sso-assignment-instancearn)" : String, "[PermissionSetArn](#cfn-sso-assignment-permissionsetarn)" : String, "[PrincipalId](#cfn-sso-assignment-principalid)" : String, "[PrincipalType](#cfn-sso-assignment-principaltype)" : String, "[TargetId](#cfn-sso-assignment-targetid)" : String, "[TargetType](#cfn-sso-assignment-targettype)" : String } } ``` ### YAML ``` Type: AWS::SSO::Assignment Properties: [InstanceArn](#cfn-sso-assignment-instancearn): String [PermissionSetArn](#cfn-sso-assignment-permissionsetarn): String [PrincipalId](#cfn-sso-assignment-principalid): String [PrincipalType](#cfn-sso-assignment-principaltype): String [TargetId](#cfn-sso-assignment-targetid): String [TargetType](#cfn-sso-assignment-targettype): String ``` ## Properties `InstanceArn` The ARN of the IAM Identity Center instance under which the operation will be executed. For more information about ARNs, see [Amazon Resource Names (ARNs) and AWS Service Namespaces](https://docs.aws.amazon.com//general/latest/gr/aws-arns-and-namespaces.html) in the *AWS General Reference*. *Required*: Yes *Type*: String *Pattern*: `arn:aws(-[a-z]{1,5}){0,3}:sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}` *Minimum*: `10` *Maximum*: `1224` *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `PermissionSetArn` The ARN of the permission set. *Required*: Yes *Type*: String *Pattern*: `arn:aws(-[a-z]{1,5}){0,3}:sso:::permissionSet/(sso)?ins-[a-zA-Z0-9-.]{16}/ps-[a-zA-Z0-9-./]{16}` *Minimum*: `10` *Maximum*: `1224` *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `PrincipalId` An identifier for an object in IAM Identity Center, such as a user or group. PrincipalIds are GUIDs (For example, f81d4fae-7dec-11d0-a765-00a0c91e6bf6). For more information about PrincipalIds in IAM Identity Center, see the [IAM Identity Center Identity Store API Reference](/singlesignon/latest/IdentityStoreAPIReference/welcome.html). *Required*: Yes *Type*: String *Pattern*: `^([0-9a-f]{10}-|)[A-Fa-f0-9]{8}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{12}$` *Minimum*: `1` *Maximum*: `47` *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `PrincipalType` The entity type for which the assignment will be created. *Required*: Yes *Type*: String *Allowed values*: `USER | GROUP` *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `TargetId` TargetID is an AWS account identifier, (For example, 123456789012). *Required*: Yes *Type*: String *Pattern*: `\d{12}` *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `TargetType` The entity type for which the assignment will be created. *Required*: Yes *Type*: String *Allowed values*: `AWS_ACCOUNT` *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) ## Return values ### Ref When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns a generated ID, combined by all fields with the delimiter `|`. For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html). ## Examples ### Creating a new assignment for IAM Identity Center The following example creates a custom assignment, assigning the user `"user_id"` access to account `"arn:aws:organizations::org_master_id:account/org_id/accountId"` with the permissions `"PermissionSet"`. #### JSON ``` { "Assignment": { "Type": "AWS::SSO::Assignment", "Properties": { "InstanceArn": "arn:aws:sso:::instance/ssoins-instanceId", "PermissionSetArn": { "Fn::GetAtt": [ "PermissionSet", "PermissionSetArn" ] }, "TargetId": "accountId", "TargetType": "AWS_ACCOUNT", "PrincipalType": "USER", "PrincipalId": "user_id" } } } ``` #### YAML ``` Assignment: Type: AWS::SSO::Assignment Properties: InstanceArn: 'arn:aws:sso:::instance/ssoins-instanceId' PermissionSetArn: !GetAtt PermissionSet.PermissionSetArn TargetId: 'accountId' TargetType: 'AWS_ACCOUNT' PrincipalType: 'USER' PrincipalId: 'user_id' ```