


# Actions, resources, and condition keys for AWS IAM Identity Center
<a name="list_awsiamidentitycenter"></a>

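AWS IAM Identity Center (service prefix: `sso`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/singlesignon/latest/userguide/).
+ View a [list of the API operations available for this service](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_Operations.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access.html) permission policies.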

**Topics**
+ [Actions defined by AWS IAM Identity Center](#awsiamidentitycenter-actions-as-permissions)
+ [Resource types defined by AWS IAM Identity Center](#awsiamidentitycenter-resources-for-iam-policies)
+ [Condition keys for AWS IAM Identity Center](#awsiamidentitycenter-policy-keys)

## Actions defined by AWS IAM Identity Center
<a name="awsiamidentitycenter-actions-as-permissions"></a>

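You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\*") to which the policy applies in the `Resource` element of your policy statement. Use conditions in an IAM policy to filter access and control whether specific tag keys can be used in a resource or a request. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\*). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If a resource type is optional (not indicated as required), you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in the `Condition` element of a policy statement. For more information about the condition keys associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be required in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for the action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsiamidentitycenter-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\*required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which lists the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).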




- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_AddRegion.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_AddRegion.html) **
  - **Description:** Grants permission to add a Region to an IAM Identity Center instance
  - **Access level:** Write
  - **Resource types (\*required):**  [#awsiamidentitycenter-Instance](#awsiamidentitycenter-Instance) 
  - **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion) 
  - **Dependent actions:**  identitystore:AddRegion <br /> kms:Decrypt 

- **  [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) **
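  - **Description:** Grants permission to connect a directory to be used by AWS IAM Identity Center
  - **Access level:** Write
  - **Resource types (\*required):** 
  - **Condition keys:** 
  - **Dependent actions:**  ds:AuthorizeApplication <br /> identitystore:CreateIdentityStore <br /> kms:Decrypt 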

- **  [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) **
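  - **Description:** Grants permission to create an association between a directory user or group and a profile
  - **Access level:** Write
  - **Resource types (\*required):** 
  - **Condition keys:** 
  - **Dependent actions:**  kms:Decrypt 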

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_AttachCustomerManagedPolicyReferenceToPermissionSet.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_AttachCustomerManagedPolicyReferenceToPermissionSet.html) **
  - **Description:** Grants permission to attach a customer managed policy reference to a permission set
  - **Access level:** Permissions management
  - **Resource types (\*required):**  [#awsiamidentitycenter-Instance](#awsiamidentitycenter-Instance)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:**  kms:Decrypt 
  - **Resource types (\*required):**  [#awsiamidentitycenter-PermissionSet](#awsiamidentitycenter-PermissionSet)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:** 

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_AttachManagedPolicyToPermissionSet.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_AttachManagedPolicyToPermissionSet.html) **
  - **Description:** Grants permission to attach an AWS managed policy to a permission set
  - **Access level:** Permissions management
  - **Resource types (\*required):**  [#awsiamidentitycenter-Instance](#awsiamidentitycenter-Instance)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:**  kms:Decrypt 
  - **Resource types (\*required):**  [#awsiamidentitycenter-PermissionSet](#awsiamidentitycenter-PermissionSet)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:** 

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_CreateAccountAssignment.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_CreateAccountAssignment.html) **
  - **Description:** Grants permission to assign access to a specified principal for an AWS account using a specified permission set
  - **Access level:** Write
  - **Resource types (\*required):**  [#awsiamidentitycenter-Account](#awsiamidentitycenter-Account)  / **Condition keys:**  / **Dependent actions:**  kms:Decrypt 
  - **Resource types (\*required):**  [#awsiamidentitycenter-Instance](#awsiamidentitycenter-Instance)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:** 
  - **Resource types (\*required):**  [#awsiamidentitycenter-PermissionSet](#awsiamidentitycenter-PermissionSet)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:** 

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_CreateApplication.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_CreateApplication.html) **
  - **Description:** Grants permission to create an application
  - **Access level:** Write
  - **Resource types (\*required):**  [#awsiamidentitycenter-Application](#awsiamidentitycenter-Application)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:**  kms:Decrypt 
  - **Resource types (\*required):**  [#awsiamidentitycenter-ApplicationProvider](#awsiamidentitycenter-ApplicationProvider)  / **Condition keys:**  / **Dependent actions:** 
  - **Resource types (\*required):**  [#awsiamidentitycenter-Instance](#awsiamidentitycenter-Instance)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:** 
  - **Resource types (\*required):**  / **Condition keys:**  [#awsiamidentitycenter-aws_RequestTag___TagKey_](#awsiamidentitycenter-aws_RequestTag___TagKey_) <br /> [#awsiamidentitycenter-aws_TagKeys](#awsiamidentitycenter-aws_TagKeys)  / **Dependent actions:** 

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_CreateApplicationAssignment.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_CreateApplicationAssignment.html) **
  - **Description:** Grants permission to create an application assignment
  - **Access level:** Write
  - **Resource types (\*required):**  [#awsiamidentitycenter-Application](#awsiamidentitycenter-Application)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:**  kms:Decrypt 
  - **Resource types (\*required):**  / **Condition keys:**  [#awsiamidentitycenter-sso_ApplicationAccount](#awsiamidentitycenter-sso_ApplicationAccount)  / **Dependent actions:** 

- **  [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) **
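  - **Description:** Grants permission to add an application instance to AWS IAM Identity Center
  - **Access level:** Write
  - **Resource types (\*required):** 
  - **Condition keys:** 
  - **Dependent actions:**  kms:Decrypt 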

- **  [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) **
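  - **Description:** Grants permission to add a new certificate for an application instance
  - **Access level:** Write
  - **Resource types (\*required):** 
  - **Condition keys:** 
  - **Dependent actions:**  kms:Decrypt 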

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_CreateInstance.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_CreateInstance.html) **
  - **Description:** Grants permission to create an Identity Center instance
  - **Access level:** Write
  - **Resource types (\*required):**  [#awsiamidentitycenter-Instance](#awsiamidentitycenter-Instance)  / **Condition keys:**  / **Dependent actions:**  iam:CreateServiceLinkedRole <br /> identitystore:CreateIdentityStore <br /> organizations:DescribeOrganization 
  - **Resource types (\*required):**  / **Condition keys:**  [#awsiamidentitycenter-aws_RequestTag___TagKey_](#awsiamidentitycenter-aws_RequestTag___TagKey_) <br /> [#awsiamidentitycenter-aws_TagKeys](#awsiamidentitycenter-aws_TagKeys)  / **Dependent actions:** 

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_CreateInstanceAccessControlAttributeConfiguration.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_CreateInstanceAccessControlAttributeConfiguration.html) **
  - **Description:** Grants permission to enable the instance for ABAC and specify the attributes
  - **Access level:** Write
  - **Resource types (\*required):**  [#awsiamidentitycenter-Instance](#awsiamidentitycenter-Instance) 
  - **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion) 
  - **Dependent actions:**  iam:AttachRolePolicy <br /> iam:CreateRole <br /> iam:DeleteRole <br /> iam:DeleteRolePolicy <br /> iam:DetachRolePolicy <br /> iam:GetRole <br /> iam:ListAttachedRolePolicies <br /> iam:ListRolePolicies <br /> iam:PutRolePolicy <br /> iam:UpdateAssumeRolePolicy <br /> kms:Decrypt 

- **  [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) **
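  - **Description:** Grants permission to add a managed application instance to AWS IAM Identity Center
  - **Access level:** Write
  - **Resource types (\*required):** 
  - **Condition keys:** 
  - **Dependent actions:**  kms:Decrypt 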

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_CreatePermissionSet.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_CreatePermissionSet.html) **
  - **Description:** Grants permission to create a permission set
  - **Access level:** Write
  - **Resource types (\*required):**  [#awsiamidentitycenter-Instance](#awsiamidentitycenter-Instance)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:**  kms:Decrypt 
  - **Resource types (\*required):**  [#awsiamidentitycenter-PermissionSet](#awsiamidentitycenter-PermissionSet)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:** 
  - **Resource types (\*required):**  / **Condition keys:**  [#awsiamidentitycenter-aws_RequestTag___TagKey_](#awsiamidentitycenter-aws_RequestTag___TagKey_) <br /> [#awsiamidentitycenter-aws_TagKeys](#awsiamidentitycenter-aws_TagKeys)  / **Dependent actions:** 

- **  [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) **
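  - **Description:** Grants permission to create a profile for an application instance
  - **Access level:** Write
  - **Resource types (\*required):** 
  - **Condition keys:** 
  - **Dependent actions:**  kms:Decrypt 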

- **  [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) **
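  - **Description:** Grants permission to create a federation trust in a target account
  - **Access level:** Write
  - **Resource types (\*required):** 
  - **Condition keys:** 
  - **Dependent actions:**  kms:Decrypt 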

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_CreateTrustedTokenIssuer.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_CreateTrustedTokenIssuer.html) **
  - **Description:** Grants permission to create a trusted token issuer for an instance
  - **Access level:** Write
  - **Resource types (\*required):**  [#awsiamidentitycenter-Instance](#awsiamidentitycenter-Instance)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:**  kms:Decrypt 
  - **Resource types (\*required):**  [#awsiamidentitycenter-TrustedTokenIssuer](#awsiamidentitycenter-TrustedTokenIssuer)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:** 
  - **Resource types (\*required):**  / **Condition keys:**  [#awsiamidentitycenter-aws_RequestTag___TagKey_](#awsiamidentitycenter-aws_RequestTag___TagKey_) <br /> [#awsiamidentitycenter-aws_TagKeys](#awsiamidentitycenter-aws_TagKeys)  / **Dependent actions:** 

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DeleteAccountAssignment.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DeleteAccountAssignment.html) **
  - **Description:** Grants permission to delete a principal's access from an AWS account using a specified permission set
  - **Access level:** Write
  - **Resource types (\*required):**  [#awsiamidentitycenter-Account](#awsiamidentitycenter-Account)  / **Condition keys:**  / **Dependent actions:**  kms:Decrypt 
  - **Resource types (\*required):**  [#awsiamidentitycenter-Instance](#awsiamidentitycenter-Instance)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:** 
  - **Resource types (\*required):**  [#awsiamidentitycenter-PermissionSet](#awsiamidentitycenter-PermissionSet)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:** 

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DeleteApplication.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DeleteApplication.html) **
  - **Description:** Grants permission to delete an application
  - **Access level:** Write
  - **Resource types (\*required):**  [#awsiamidentitycenter-Application](#awsiamidentitycenter-Application)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:**  kms:Decrypt 
  - **Resource types (\*required):**  / **Condition keys:**  [#awsiamidentitycenter-sso_ApplicationAccount](#awsiamidentitycenter-sso_ApplicationAccount)  / **Dependent actions:** 

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DeleteApplicationAccessScope.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DeleteApplicationAccessScope.html) **
  - **Description:** Grants permission to delete an access scope for an application
  - **Access level:** Write
  - **Resource types (\*required):**  [#awsiamidentitycenter-Application](#awsiamidentitycenter-Application)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:**  kms:Decrypt 
  - **Resource types (\*required):**  / **Condition keys:**  [#awsiamidentitycenter-sso_ApplicationAccount](#awsiamidentitycenter-sso_ApplicationAccount)  / **Dependent actions:** 

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DeleteApplicationAssignment.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DeleteApplicationAssignment.html) **
  - **Description:** Grants permission to delete an application assignment
  - **Access level:** Write
  - **Resource types (\*required):**  [#awsiamidentitycenter-Application](#awsiamidentitycenter-Application)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:**  kms:Decrypt 
  - **Resource types (\*required):**  / **Condition keys:**  [#awsiamidentitycenter-sso_ApplicationAccount](#awsiamidentitycenter-sso_ApplicationAccount)  / **Dependent actions:** 

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DeleteApplicationAuthenticationMethod.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DeleteApplicationAuthenticationMethod.html) **
  - **Description:** Grants permission to delete an authentication method for an application
  - **Access level:** Write
  - **Resource types (\*required):**  [#awsiamidentitycenter-Application](#awsiamidentitycenter-Application)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:**  kms:Decrypt 
  - **Resource types (\*required):**  / **Condition keys:**  [#awsiamidentitycenter-sso_ApplicationAccount](#awsiamidentitycenter-sso_ApplicationAccount)  / **Dependent actions:** 

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DeleteApplicationGrant.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DeleteApplicationGrant.html) **
  - **Description:** Grants permission to delete a grant from an application
  - **Access level:** Write
  - **Resource types (\*required):**  [#awsiamidentitycenter-Application](#awsiamidentitycenter-Application)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:**  kms:Decrypt 
  - **Resource types (\*required):**  / **Condition keys:**  [#awsiamidentitycenter-sso_ApplicationAccount](#awsiamidentitycenter-sso_ApplicationAccount)  / **Dependent actions:** 

- **  [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) **
  - **Description:** Grants permission to delete an application instance
  - **Access level:** Write
  - **Resource types (\*required):** 
  - **Condition keys:** 
  - **Dependent actions:**  kms:Decrypt 

- **  [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) **
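  - **Description:** Grants permission to delete an inactive or expired certificate from an application instance
  - **Access level:** Write
  - **Resource types (\*required):** 
  - **Condition keys:** 
  - **Dependent actions:**  kms:Decrypt 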

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DeleteInlinePolicyFromPermissionSet.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DeleteInlinePolicyFromPermissionSet.html) **
  - **Description:** Grants permission to delete the inline policy from a specified permission set
  - **Access level:** Write
  - **Resource types (\*required):**  [#awsiamidentitycenter-Instance](#awsiamidentitycenter-Instance)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:**  kms:Decrypt 
  - **Resource types (\*required):**  [#awsiamidentitycenter-PermissionSet](#awsiamidentitycenter-PermissionSet)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:** 

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DeleteInstance.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DeleteInstance.html) **
  - **Description:** Grants permission to delete an Identity Center instance
  - **Access level:** Write
  - **Resource types (\*required):**  [#awsiamidentitycenter-Instance](#awsiamidentitycenter-Instance) 
  - **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion) 
  - **Dependent actions:**  identitystore:DeleteIdentityStore 

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DeleteInstanceAccessControlAttributeConfiguration.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DeleteInstanceAccessControlAttributeConfiguration.html) **
  - **Description:** Grants permission to disable ABAC and remove the attributes list for the instance
  - **Access level:** Write
  - **Resource types (\*required):**  [#awsiamidentitycenter-Instance](#awsiamidentitycenter-Instance) 
  - **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion) 
  - **Dependent actions:**  kms:Decrypt 

- **  [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) **
  - **Description:** Grants permission to delete a managed application instance
  - **Access level:** Write
  - **Resource types (\*required):** 
  - **Condition keys:** 
  - **Dependent actions:**  kms:Decrypt 

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DeletePermissionSet.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DeletePermissionSet.html) **
  - **Description:** Grants permission to delete a permission set
  - **Access level:** Write
  - **Resource types (\*required):**  [#awsiamidentitycenter-Instance](#awsiamidentitycenter-Instance)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:**  kms:Decrypt 
  - **Resource types (\*required):**  [#awsiamidentitycenter-PermissionSet](#awsiamidentitycenter-PermissionSet)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:** 

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DeletePermissionsBoundaryFromPermissionSet.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DeletePermissionsBoundaryFromPermissionSet.html) **
  - **Description:** Grants permission to remove the permissions boundary from a permission set
  - **Access level:** Permissions management
  - **Resource types (\*required):**  [#awsiamidentitycenter-Instance](#awsiamidentitycenter-Instance)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:**  kms:Decrypt 
  - **Resource types (\*required):**  [#awsiamidentitycenter-PermissionSet](#awsiamidentitycenter-PermissionSet)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:** 

- **  [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) **
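  - **Description:** Grants permission to delete the profile for an application instance
  - **Access level:** Write
  - **Resource types (\*required):** 
  - **Condition keys:** 
  - **Dependent actions:**  kms:Decrypt 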

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DeleteTrustedTokenIssuer.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DeleteTrustedTokenIssuer.html) **
  - **Description:** Grants permission to delete a trusted token issuer for an instance
  - **Access level:** Write
  - **Resource types (\*required):**  [#awsiamidentitycenter-TrustedTokenIssuer](#awsiamidentitycenter-TrustedTokenIssuer) 
  - **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion) 
  - **Dependent actions:**  kms:Decrypt 

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DescribeAccountAssignmentCreationStatus.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DescribeAccountAssignmentCreationStatus.html) **
  - **Description:** Grants permission to describe the status of the assignment creation request
  - **Access level:** Read
  - **Resource types (\*required):**  [#awsiamidentitycenter-Instance](#awsiamidentitycenter-Instance) 
  - **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion) 
  - **Dependent actions:**  kms:Decrypt 

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DescribeAccountAssignmentDeletionStatus.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DescribeAccountAssignmentDeletionStatus.html) **
  - **Description:** Grants permission to describe the status of the assignment deletion request
  - **Access level:** Read
  - **Resource types (\*required):**  [#awsiamidentitycenter-Instance](#awsiamidentitycenter-Instance) 
  - **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion) 
  - **Dependent actions:**  kms:Decrypt 

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DescribeApplication.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DescribeApplication.html) **
  - **Description:** Grants permission to get information about an application
  - **Access level:** Read
  - **Resource types (\*required):**  [#awsiamidentitycenter-Application](#awsiamidentitycenter-Application)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:**  kms:Decrypt 
  - **Resource types (\*required):**  / **Condition keys:**  [#awsiamidentitycenter-sso_ApplicationAccount](#awsiamidentitycenter-sso_ApplicationAccount)  / **Dependent actions:** 

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DescribeApplicationAssignment.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DescribeApplicationAssignment.html) **
  - **Description:** Grants permission to retrieve an application assignment
  - **Access level:** Read
  - **Resource types (\*required):**  [#awsiamidentitycenter-Application](#awsiamidentitycenter-Application)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:**  kms:Decrypt 
  - **Resource types (\*required):**  / **Condition keys:**  [#awsiamidentitycenter-sso_ApplicationAccount](#awsiamidentitycenter-sso_ApplicationAccount)  / **Dependent actions:** 

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DescribeApplicationProvider.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DescribeApplicationProvider.html) **
  - **Description:** Grants permission to describe an application provider
  - **Access level:** Read
  - **Resource types (\*required):**  [#awsiamidentitycenter-ApplicationProvider](#awsiamidentitycenter-ApplicationProvider) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DescribeInstance.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DescribeInstance.html) **
  - **Description:** Grants permission to get information about an Identity Center instance
  - **Access level:** Read
  - **Resource types (\*required):**  [#awsiamidentitycenter-Instance](#awsiamidentitycenter-Instance) 
  - **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion) 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DescribeInstanceAccessControlAttributeConfiguration.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DescribeInstanceAccessControlAttributeConfiguration.html) **
  - **Description:** Grants permission to get the list of attributes used by the instance for ABAC
  - **Access level:** Read
  - **Resource types (\*required):**  [#awsiamidentitycenter-Instance](#awsiamidentitycenter-Instance) 
  - **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion) 
  - **Dependent actions:**  kms:Decrypt 

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DescribePermissionSet.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DescribePermissionSet.html) **
  - **Description:** Grants permission to describe a permission set
  - **Access level:** Read
  - **Resource types (\*required):**  [#awsiamidentitycenter-Instance](#awsiamidentitycenter-Instance)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:**  kms:Decrypt 
  - **Resource types (\*required):**  [#awsiamidentitycenter-PermissionSet](#awsiamidentitycenter-PermissionSet)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:** 

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DescribePermissionSetProvisioningStatus.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DescribePermissionSetProvisioningStatus.html) **
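  - **Description:** Grants permission to describe the status of a given permission set provisioning request
  - **Access level:** Read
  - **Resource types (\*required):**  [#awsiamidentitycenter-Instance](#awsiamidentitycenter-Instance) 
  - **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion) 
  - **Dependent actions:**  kms:Decrypt 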

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DescribeRegion.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DescribeRegion.html) **
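  - **Description:** Grants permission to retrieve the Region configuration details for a specific IAM Identity Center instance
  - **Access level:** Read
  - **Resource types (\*required):**  [#awsiamidentitycenter-Instance](#awsiamidentitycenter-Instance) 
  - **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion) 
  - **Dependent actions:**  kms:Decrypt 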

- **  [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) **
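  - **Description:** Grants permission to obtain the Regions where your organization has enabled AWS IAM Identity Center
  - **Access level:** Read
  - **Resource types (\*required):** 
  - **Condition keys:** 
  - **Dependent actions:** 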

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DescribeTrustedTokenIssuer.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DescribeTrustedTokenIssuer.html) **
  - **Description:** Grants permission to describe a trusted token issuer for an instance
  - **Access level:** Read
  - **Resource types (\*required):**  [#awsiamidentitycenter-TrustedTokenIssuer](#awsiamidentitycenter-TrustedTokenIssuer) 
  - **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion) 
  - **Dependent actions:**  kms:Decrypt 

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DetachCustomerManagedPolicyReferenceFromPermissionSet.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DetachCustomerManagedPolicyReferenceFromPermissionSet.html) **
  - **Description:** Grants permission to detach a customer managed policy reference from a permission set
  - **Access level:** Permissions management
  - **Resource types (\*required):**  [#awsiamidentitycenter-Instance](#awsiamidentitycenter-Instance)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:**  kms:Decrypt 
  - **Resource types (\*required):**  [#awsiamidentitycenter-PermissionSet](#awsiamidentitycenter-PermissionSet)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:** 

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DetachManagedPolicyFromPermissionSet.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DetachManagedPolicyFromPermissionSet.html) **
  - **Description:** Grants permission to detach the attached AWS managed policy from the specified permission set
  - **Access level:** Permissions management
  - **Resource types (\*required):**  [#awsiamidentitycenter-Instance](#awsiamidentitycenter-Instance)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:**  kms:Decrypt 
  - **Resource types (\*required):**  [#awsiamidentitycenter-PermissionSet](#awsiamidentitycenter-PermissionSet)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:** 

- **  [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) **
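  - **Description:** Grants permission to disassociate a directory used by AWS IAM Identity Center
  - **Access level:** Write
  - **Resource types (\*required):** 
  - **Condition keys:** 
  - **Dependent actions:**  ds:UnauthorizeApplication <br /> identitystore:DeleteIdentityStore <br /> kms:Decrypt 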

- **  [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) **
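  - **Description:** Grants permission to disassociate a directory user or group from a profile
  - **Access level:** Write
  - **Resource types (\*required):** 
  - **Condition keys:** 
  - **Dependent actions:**  kms:Decrypt 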

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_GetApplicationAccessScope.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_GetApplicationAccessScope.html) **
  - **Description:** Grants permission to get an access scope for an application
  - **Access level:** Read
  - **Resource types (\*required):**  [#awsiamidentitycenter-Application](#awsiamidentitycenter-Application)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:**  kms:Decrypt 
  - **Resource types (\*required):**  / **Condition keys:**  [#awsiamidentitycenter-sso_ApplicationAccount](#awsiamidentitycenter-sso_ApplicationAccount)  / **Dependent actions:** 

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_GetApplicationAssignmentConfiguration.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_GetApplicationAssignmentConfiguration.html) **
  - **Description:** Grants permission to read the assignment configuration for an application
  - **Access level:** Read
  - **Resource types (\*required):**  [#awsiamidentitycenter-Application](#awsiamidentitycenter-Application)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:**  kms:Decrypt 
  - **Resource types (\*required):**  / **Condition keys:**  [#awsiamidentitycenter-sso_ApplicationAccount](#awsiamidentitycenter-sso_ApplicationAccount)  / **Dependent actions:** 

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_GetApplicationAuthenticationMethod.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_GetApplicationAuthenticationMethod.html) **
  - **Description:** Grants permission to get an authentication method for an application
  - **Access level:** Read
  - **Resource types (\*required):**  [#awsiamidentitycenter-Application](#awsiamidentitycenter-Application)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:**  kms:Decrypt 
  - **Resource types (\*required):**  / **Condition keys:**  [#awsiamidentitycenter-sso_ApplicationAccount](#awsiamidentitycenter-sso_ApplicationAccount)  / **Dependent actions:** 

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_GetApplicationGrant.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_GetApplicationGrant.html) **
  - **Description:** Grants permission to get details about a grant belonging to an application
  - **Access level:** Read
  - **Resource types (\*required):**  [#awsiamidentitycenter-Application](#awsiamidentitycenter-Application)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:**  kms:Decrypt 
  - **Resource types (\*required):**  / **Condition keys:**  [#awsiamidentitycenter-sso_ApplicationAccount](#awsiamidentitycenter-sso_ApplicationAccount)  / **Dependent actions:** 

- **  [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) **
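  - **Description:** Grants permission to retrieve details for an application instance
  - **Access level:** Read
  - **Resource types (\*required):** 
  - **Condition keys:** 
  - **Dependent actions:**  kms:Decrypt 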

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_GetApplicationSessionConfiguration.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_GetApplicationSessionConfiguration.html) **
  - **Description:** Grants permission to get the session configuration for an application
  - **Access level:** Read
  - **Resource types (\* required):**  [#awsiamidentitycenter-Application](#awsiamidentitycenter-Application)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:**  kms:Decrypt
  - **Resource types (\* required):**  / **Condition keys:**  [#awsiamidentitycenter-sso_ApplicationAccount](#awsiamidentitycenter-sso_ApplicationAccount)  / **Dependent actions:**

- **  [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) **
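  - **Description:** Grants permission to retrieve application template details
  - **Access level:** Read
  - **Resource types (\* required):**
  - **Condition keys:**
  - **Dependent actions:**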

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_GetInlinePolicyForPermissionSet.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_GetInlinePolicyForPermissionSet.html) **
  - **Description:** Grants permission to get the inline policy assigned to a permission set
  - **Access level:** Read
  - **Resource types (\* required):**  [#awsiamidentitycenter-Instance](#awsiamidentitycenter-Instance)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:**  kms:Decrypt
  - **Resource types (\* required):**  [#awsiamidentitycenter-PermissionSet](#awsiamidentitycenter-PermissionSet)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:**

- **  [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) **
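  - **Description:** Grants permission to retrieve details for an application instance
  - **Access level:** Read
  - **Resource types (\* required):**
  - **Condition keys:**
  - **Dependent actions:**  kms:Decrypt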

- **  [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) **
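  - **Description:** Grants permission to retrieve the MFA device management settings for the directory
  - **Access level:** Read
  - **Resource types (\* required):**
  - **Condition keys:**
  - **Dependent actions:**  kms:Decrypt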

- **  [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) **
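  - **Description:** Grants permission to retrieve details of a permission set
  - **Access level:** Read
  - **Resource types (\* required):**
  - **Condition keys:**
  - **Dependent actions:**  kms:Decrypt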

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_GetPermissionsBoundaryForPermissionSet.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_GetPermissionsBoundaryForPermissionSet.html) **
  - **Description:** Grants permission to get the permissions boundary for a permission set
  - **Access level:** Read
  - **Resource types (\* required):**  [#awsiamidentitycenter-Instance](#awsiamidentitycenter-Instance)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:**  kms:Decrypt
  - **Resource types (\* required):**  [#awsiamidentitycenter-PermissionSet](#awsiamidentitycenter-PermissionSet)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:**

- **  [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) **
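  - **Description:** Grants permission to retrieve a profile for an application instance
  - **Access level:** Read
  - **Resource types (\* required):**
  - **Condition keys:**
  - **Dependent actions:**  kms:Decrypt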

- **  [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) **
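  - **Description:** Grants permission to check whether AWS IAM Identity Center is enabled
  - **Access level:** Read
  - **Resource types (\* required):**
  - **Condition keys:**
  - **Dependent actions:**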

- **  [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) **
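  - **Description:** Grants permission to retrieve the shared configuration for the current SSO instance
  - **Access level:** Read
  - **Resource types (\* required):**
  - **Condition keys:**
  - **Dependent actions:**  kms:Decrypt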

- **  [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) **
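  - **Description:** Grants permission to retrieve the configuration for the current SSO instance
  - **Access level:** Read
  - **Resource types (\* required):**
  - **Condition keys:**
  - **Dependent actions:**  kms:Decrypt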

- **  [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) **
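  - **Description:** Grants permission to retrieve the federation trust in a target account
  - **Access level:** Read
  - **Resource types (\* required):**
  - **Condition keys:**
  - **Dependent actions:**  kms:Decrypt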

- **  [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) **
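  - **Description:** Grants permission to update the application instance by uploading an application SAML metadata file provided by the service provider
  - **Access level:** Write
  - **Resource types (\* required):**
  - **Condition keys:**
  - **Dependent actions:**  kms:Decrypt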

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListAccountAssignmentCreationStatus.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListAccountAssignmentCreationStatus.html) **
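  - **Description:** Grants permission to list the status of the AWS account assignment creation requests for a specified SSO instance
  - **Access level:** List
  - **Resource types (\* required):**  [#awsiamidentitycenter-Instance](#awsiamidentitycenter-Instance)
  - **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)
  - **Dependent actions:**  kms:Decrypt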

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListAccountAssignmentDeletionStatus.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListAccountAssignmentDeletionStatus.html) **
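  - **Description:** Grants permission to list the status of the AWS account assignment deletion requests for a specified SSO instance
  - **Access level:** List
  - **Resource types (\* required):**  [#awsiamidentitycenter-Instance](#awsiamidentitycenter-Instance)
  - **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)
  - **Dependent actions:**  kms:Decrypt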

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListAccountAssignments.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListAccountAssignments.html) **
  - **Description:** Grants permission to list the assignees of the specified AWS account with the specified permission set
  - **Access level:** List
  - **Resource types (\* required):**  [#awsiamidentitycenter-Account](#awsiamidentitycenter-Account)  / **Condition keys:**  / **Dependent actions:**  kms:Decrypt
  - **Resource types (\* required):**  [#awsiamidentitycenter-Instance](#awsiamidentitycenter-Instance)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:**
  - **Resource types (\* required):**  [#awsiamidentitycenter-PermissionSet](#awsiamidentitycenter-PermissionSet)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:**

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListAccountAssignmentsForPrincipal.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListAccountAssignmentsForPrincipal.html) **
  - **Description:** Grants permission to list the accounts assigned to a user or a group
  - **Access level:** List
  - **Resource types (\* required):**  [#awsiamidentitycenter-Instance](#awsiamidentitycenter-Instance)
  - **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)
  - **Dependent actions:**  kms:Decrypt

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListAccountsForProvisionedPermissionSet.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListAccountsForProvisionedPermissionSet.html) **
  - **Description:** Grants permission to list all the AWS accounts where the specified permission set is provisioned
  - **Access level:** List
  - **Resource types (\* required):**  [#awsiamidentitycenter-Instance](#awsiamidentitycenter-Instance)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:**  kms:Decrypt
  - **Resource types (\* required):**  [#awsiamidentitycenter-PermissionSet](#awsiamidentitycenter-PermissionSet)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:**

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListApplicationAccessScopes.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListApplicationAccessScopes.html) **
  - **Description:** Grants permission to list the access scopes for an application
  - **Access level:** List
  - **Resource types (\* required):**  [#awsiamidentitycenter-Application](#awsiamidentitycenter-Application)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:**  kms:Decrypt
  - **Resource types (\* required):**  / **Condition keys:**  [#awsiamidentitycenter-sso_ApplicationAccount](#awsiamidentitycenter-sso_ApplicationAccount)  / **Dependent actions:**

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListApplicationAssignments.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListApplicationAssignments.html) **
  - **Description:** Grants permission to list application assignments
  - **Access level:** List
  - **Resource types (\* required):**  [#awsiamidentitycenter-Application](#awsiamidentitycenter-Application)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:**  kms:Decrypt
  - **Resource types (\* required):**  / **Condition keys:**  [#awsiamidentitycenter-sso_ApplicationAccount](#awsiamidentitycenter-sso_ApplicationAccount)  / **Dependent actions:**

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListApplicationAssignmentsForPrincipal.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListApplicationAssignmentsForPrincipal.html) **
  - **Description:** Grants permission to list the applications assigned to a user or a group
  - **Access level:** List
  - **Resource types (\* required):**  [#awsiamidentitycenter-Instance](#awsiamidentitycenter-Instance)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:**  kms:Decrypt
  - **Resource types (\* required):**  / **Condition keys:**  [#awsiamidentitycenter-sso_ApplicationAccount](#awsiamidentitycenter-sso_ApplicationAccount)  / **Dependent actions:**

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListApplicationAuthenticationMethods.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListApplicationAuthenticationMethods.html) **
  - **Description:** Grants permission to list the authentication methods for an application
  - **Access level:** List
  - **Resource types (\* required):**  [#awsiamidentitycenter-Application](#awsiamidentitycenter-Application)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:**  kms:Decrypt
  - **Resource types (\* required):**  / **Condition keys:**  [#awsiamidentitycenter-sso_ApplicationAccount](#awsiamidentitycenter-sso_ApplicationAccount)  / **Dependent actions:**

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListApplicationGrants.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListApplicationGrants.html) **
  - **Description:** Grants permission to list the grants from an application
  - **Access level:** List
  - **Resource types (\* required):**  [#awsiamidentitycenter-Application](#awsiamidentitycenter-Application)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:**  kms:Decrypt
  - **Resource types (\* required):**  / **Condition keys:**  [#awsiamidentitycenter-sso_ApplicationAccount](#awsiamidentitycenter-sso_ApplicationAccount)  / **Dependent actions:**

- **  [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) **
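  - **Description:** Grants permission to retrieve all of the certificates for a given application instance
  - **Access level:** Read
  - **Resource types (\* required):**
  - **Condition keys:**
  - **Dependent actions:**  kms:Decrypt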

- **  [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) **
  - **Description:** Grants permission to retrieve all application instances
  - **Access level:** List
  - **Resource types (\* required):**
  - **Condition keys:**
  - **Dependent actions:**  kms:Decrypt <br /> sso:GetApplicationInstance

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListApplicationProviders.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListApplicationProviders.html) **
  - **Description:** Grants permission to list application providers
  - **Access level:** List
  - **Resource types (\* required):**  [#awsiamidentitycenter-ApplicationProvider](#awsiamidentitycenter-ApplicationProvider)
  - **Condition keys:**
  - **Dependent actions:**

- **  [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) **
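  - **Description:** Grants permission to retrieve all supported application templates
  - **Access level:** List
  - **Resource types (\* required):**
  - **Condition keys:**
  - **Dependent actions:**  sso:GetApplicationTemplate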

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListApplications.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListApplications.html) **
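  - **Description:** Grants permission to retrieve all applications associated with the IAM Identity Center instance
  - **Access level:** List
  - **Resource types (\* required):**
  - **Condition keys:**
  - **Dependent actions:**  kms:Decrypt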

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListCustomerManagedPolicyReferencesInPermissionSet.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListCustomerManagedPolicyReferencesInPermissionSet.html) **
  - **Description:** Grants permission to list the customer managed policy references attached to a permission set
  - **Access level:** List
  - **Resource types (\* required):**  [#awsiamidentitycenter-Instance](#awsiamidentitycenter-Instance)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:**  kms:Decrypt
  - **Resource types (\* required):**  [#awsiamidentitycenter-PermissionSet](#awsiamidentitycenter-PermissionSet)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:**

- **  [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) **
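  - **Description:** Grants permission to retrieve details about the directory connected to AWS IAM Identity Center
  - **Access level:** Read
  - **Resource types (\* required):**
  - **Condition keys:**
  - **Dependent actions:**  kms:Decrypt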

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListInstances.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListInstances.html) **
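  - **Description:** Grants permission to list the SSO instances that the caller has access to
  - **Access level:** List
  - **Resource types (\* required):**
  - **Condition keys:**
  - **Dependent actions:**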

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListManagedPoliciesInPermissionSet.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListManagedPoliciesInPermissionSet.html) **
  - **Description:** Grants permission to list the AWS managed policies attached to a specified permission set
  - **Access level:** List
  - **Resource types (\* required):**  [#awsiamidentitycenter-Instance](#awsiamidentitycenter-Instance)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:**  kms:Decrypt
  - **Resource types (\* required):**  [#awsiamidentitycenter-PermissionSet](#awsiamidentitycenter-PermissionSet)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:**

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListPermissionSetProvisioningStatus.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListPermissionSetProvisioningStatus.html) **
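  - **Description:** Grants permission to list the status of the permission set provisioning requests for a specified SSO instance
  - **Access level:** List
  - **Resource types (\* required):**  [#awsiamidentitycenter-Instance](#awsiamidentitycenter-Instance)
  - **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)
  - **Dependent actions:**  kms:Decrypt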

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListPermissionSets.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListPermissionSets.html) **
  - **Description:** Grants permission to retrieve all permission sets
  - **Access level:** List
  - **Resource types (\* required):**  [#awsiamidentitycenter-Instance](#awsiamidentitycenter-Instance)
  - **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)
  - **Dependent actions:**  kms:Decrypt

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListPermissionSetsProvisionedToAccount.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListPermissionSetsProvisionedToAccount.html) **
  - **Description:** Grants permission to list all the permission sets that are provisioned to a specified AWS account
  - **Access level:** List
  - **Resource types (\* required):**  [#awsiamidentitycenter-Account](#awsiamidentitycenter-Account)  / **Condition keys:**  / **Dependent actions:**  kms:Decrypt
  - **Resource types (\* required):**  [#awsiamidentitycenter-Instance](#awsiamidentitycenter-Instance)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:**

- **  [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) **
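  - **Description:** Grants permission to retrieve the directory user or group associated with the profile
  - **Access level:** Read
  - **Resource types (\* required):**
  - **Condition keys:**
  - **Dependent actions:**  kms:Decrypt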

- **  [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) **
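  - **Description:** Grants permission to retrieve all profiles for an application instance
  - **Access level:** List
  - **Resource types (\* required):**
  - **Condition keys:**
  - **Dependent actions:**  kms:Decrypt <br /> sso:GetProfile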

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListRegions.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListRegions.html) **
  - **Description:** Grants permission to list all Regions configured for an IAM Identity Center instance
  - **Access level:** List
  - **Resource types (\* required):**  [#awsiamidentitycenter-Instance](#awsiamidentitycenter-Instance)
  - **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)
  - **Dependent actions:**  kms:Decrypt

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListTagsForResource.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListTagsForResource.html) **
  - **Description:** Grants permission to list the tags attached to a specified resource
  - **Access level:** Read
  - **Resource types (\* required):**  [#awsiamidentitycenter-Application](#awsiamidentitycenter-Application)  / **Condition keys:**  / **Dependent actions:**  kms:Decrypt
  - **Resource types (\* required):**  [#awsiamidentitycenter-Instance](#awsiamidentitycenter-Instance)  / **Condition keys:**  / **Dependent actions:**
  - **Resource types (\* required):**  [#awsiamidentitycenter-PermissionSet](#awsiamidentitycenter-PermissionSet)  / **Condition keys:**  / **Dependent actions:**
  - **Resource types (\* required):**  [#awsiamidentitycenter-TrustedTokenIssuer](#awsiamidentitycenter-TrustedTokenIssuer)  / **Condition keys:**  / **Dependent actions:**

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListTrustedTokenIssuers.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListTrustedTokenIssuers.html) **
  - **Description:** Grants permission to list the trusted token issuers for an instance
  - **Access level:** List
  - **Resource types (\* required):**  [#awsiamidentitycenter-Instance](#awsiamidentitycenter-Instance)
  - **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)
  - **Dependent actions:**  kms:Decrypt

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ProvisionPermissionSet.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ProvisionPermissionSet.html) **
  - **Description:** Grants permission to provision a specified permission set to a specified target
  - **Access level:** Write
  - **Resource types (\* required):**  [#awsiamidentitycenter-Account](#awsiamidentitycenter-Account)  / **Condition keys:**  / **Dependent actions:**  kms:Decrypt
  - **Resource types (\* required):**  [#awsiamidentitycenter-Instance](#awsiamidentitycenter-Instance)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:**
  - **Resource types (\* required):**  [#awsiamidentitycenter-PermissionSet](#awsiamidentitycenter-PermissionSet)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:**

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_PutApplicationAccessScope.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_PutApplicationAccessScope.html) **
  - **Description:** Grants permission to create/update an access scope for an application
  - **Access level:** Write
  - **Resource types (\* required):**  [#awsiamidentitycenter-Application](#awsiamidentitycenter-Application)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:**  kms:Decrypt
  - **Resource types (\* required):**  / **Condition keys:**  [#awsiamidentitycenter-sso_ApplicationAccount](#awsiamidentitycenter-sso_ApplicationAccount)  / **Dependent actions:**

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_PutApplicationAssignmentConfiguration.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_PutApplicationAssignmentConfiguration.html) **
  - **Description:** Grants permission to add an assignment configuration to an application
  - **Access level:** Write
  - **Resource types (\* required):**  [#awsiamidentitycenter-Application](#awsiamidentitycenter-Application)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:**  kms:Decrypt
  - **Resource types (\* required):**  / **Condition keys:**  [#awsiamidentitycenter-sso_ApplicationAccount](#awsiamidentitycenter-sso_ApplicationAccount)  / **Dependent actions:**

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_PutApplicationAuthenticationMethod.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_PutApplicationAuthenticationMethod.html) **
  - **Description:** Grants permission to create/update an authentication method for an application
  - **Access level:** Write
  - **Resource types (\* required):**  [#awsiamidentitycenter-Application](#awsiamidentitycenter-Application)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:**  kms:Decrypt
  - **Resource types (\* required):**  / **Condition keys:**  [#awsiamidentitycenter-sso_ApplicationAccount](#awsiamidentitycenter-sso_ApplicationAccount)  / **Dependent actions:**

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_PutApplicationGrant.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_PutApplicationGrant.html) **
  - **Description:** Grants permission to create/update a grant for an application
  - **Access level:** Write
  - **Resource types (\* required):**  [#awsiamidentitycenter-Application](#awsiamidentitycenter-Application)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:**  kms:Decrypt
  - **Resource types (\* required):**  / **Condition keys:**  [#awsiamidentitycenter-sso_ApplicationAccount](#awsiamidentitycenter-sso_ApplicationAccount)  / **Dependent actions:**

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_PutApplicationSessionConfiguration.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_PutApplicationSessionConfiguration.html) **
  - **Description:** Grants permission to put the session configuration for an application
  - **Access level:** Write
  - **Resource types (\* required):**  [#awsiamidentitycenter-Application](#awsiamidentitycenter-Application)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:**  kms:Decrypt
  - **Resource types (\* required):**  / **Condition keys:**  [#awsiamidentitycenter-sso_ApplicationAccount](#awsiamidentitycenter-sso_ApplicationAccount)  / **Dependent actions:**

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_PutInlinePolicyToPermissionSet.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_PutInlinePolicyToPermissionSet.html) **
  - **Description:** Grants permission to attach an IAM inline policy to a permission set
  - **Access level:** Write
  - **Resource types (\* required):**  [#awsiamidentitycenter-Instance](#awsiamidentitycenter-Instance)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:**  kms:Decrypt
  - **Resource types (\* required):**  [#awsiamidentitycenter-PermissionSet](#awsiamidentitycenter-PermissionSet)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:**

- **  [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) **
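  - **Description:** Grants permission to attach MFA device management settings for the directory
  - **Access level:** Write
  - **Resource types (\* required):**
  - **Condition keys:**
  - **Dependent actions:**  kms:Decrypt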

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_PutPermissionsBoundaryToPermissionSet.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_PutPermissionsBoundaryToPermissionSet.html) **
  - **Description:** Grants permission to add a permissions boundary to a permission set
  - **Access level:** Permissions management
  - **Resource types (\* required):**  [#awsiamidentitycenter-Instance](#awsiamidentitycenter-Instance)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:**  kms:Decrypt
  - **Resource types (\* required):**  [#awsiamidentitycenter-PermissionSet](#awsiamidentitycenter-PermissionSet)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:**

- **  [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) **
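  - **Description:** Grants permission to add a policy to a permission set
  - **Access level:** Permissions management
  - **Resource types (\* required):**
  - **Condition keys:**
  - **Dependent actions:**  kms:Decrypt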

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_RemoveRegion.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_RemoveRegion.html) **
  - **Description:** Grants permission to remove a Region from an IAM Identity Center instance
  - **Access level:** Write
  - **Resource types (\* required):**  [#awsiamidentitycenter-Instance](#awsiamidentitycenter-Instance)
  - **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)
  - **Dependent actions:**  identitystore:RemoveRegion <br /> kms:Decrypt

- **  [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) **
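  - **Description:** Grants permission to search for groups within the associated directory
  - **Access level:** Read
  - **Resource types (\* required):**
  - **Condition keys:**
  - **Dependent actions:**  ds:DescribeDirectories <br /> kms:Decrypt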

- **  [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) **
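  - **Description:** Grants permission to search for users within the associated directory
  - **Access level:** Read
  - **Resource types (\* required):**
  - **Condition keys:**
  - **Dependent actions:**  ds:DescribeDirectories <br /> kms:Decrypt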

- **  [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) **
  - **Description:** Grants permission to initialize AWS IAM Identity Center
  - **Access level:** Write
  - **Resource types (\* required):**
  - **Condition keys:**
  - **Dependent actions:**  kms:Decrypt <br /> kms:DescribeKey <br /> kms:Encrypt <br /> kms:GenerateDataKeyWithoutPlaintext <br /> organizations:DescribeOrganization <br /> organizations:EnableAWSServiceAccess

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_TagResource.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_TagResource.html) **
  - **Description:** Grants permission to associate a set of tags with a specified resource
  - **Access level:** Tagging
  - **Resource types (\* required):**  [#awsiamidentitycenter-Application](#awsiamidentitycenter-Application)  / **Condition keys:**  / **Dependent actions:**  kms:Decrypt
  - **Resource types (\* required):**  [#awsiamidentitycenter-Instance](#awsiamidentitycenter-Instance)  / **Condition keys:**  / **Dependent actions:**
  - **Resource types (\* required):**  [#awsiamidentitycenter-PermissionSet](#awsiamidentitycenter-PermissionSet)  / **Condition keys:**  / **Dependent actions:**
  - **Resource types (\* required):**  [#awsiamidentitycenter-TrustedTokenIssuer](#awsiamidentitycenter-TrustedTokenIssuer)  / **Condition keys:**  / **Dependent actions:**
  - **Resource types (\* required):**  / **Condition keys:**  [#awsiamidentitycenter-aws_RequestTag___TagKey_](#awsiamidentitycenter-aws_RequestTag___TagKey_) <br /> [#awsiamidentitycenter-aws_TagKeys](#awsiamidentitycenter-aws_TagKeys)  / **Dependent actions:**

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_UntagResource.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_UntagResource.html) **
  - **Description:** Grants permission to disassociate a set of tags from a specified resource
  - **Access level:** Tagging
  - **Resource types (\* required):**  [#awsiamidentitycenter-Application](#awsiamidentitycenter-Application)  / **Condition keys:**  / **Dependent actions:**  kms:Decrypt
  - **Resource types (\* required):**  [#awsiamidentitycenter-Instance](#awsiamidentitycenter-Instance)  / **Condition keys:**  / **Dependent actions:**
  - **Resource types (\* required):**  [#awsiamidentitycenter-PermissionSet](#awsiamidentitycenter-PermissionSet)  / **Condition keys:**  / **Dependent actions:**
  - **Resource types (\* required):**  [#awsiamidentitycenter-TrustedTokenIssuer](#awsiamidentitycenter-TrustedTokenIssuer)  / **Condition keys:**  / **Dependent actions:**
  - **Resource types (\* required):**  / **Condition keys:**  [#awsiamidentitycenter-aws_TagKeys](#awsiamidentitycenter-aws_TagKeys)  / **Dependent actions:**

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_UpdateApplication.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_UpdateApplication.html) **
  - **Description:** Grants permission to update an application
  - **Access level:** Write
  - **Resource types (\* required):**  [#awsiamidentitycenter-Application](#awsiamidentitycenter-Application)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:**  kms:Decrypt
  - **Resource types (\* required):**  / **Condition keys:**  [#awsiamidentitycenter-sso_ApplicationAccount](#awsiamidentitycenter-sso_ApplicationAccount)  / **Dependent actions:**

- **  [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) **
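  - **Description:** Grants permission to set a certificate as the active certificate for this application instance
  - **Access level:** Write
  - **Resource types (\* required):**
  - **Condition keys:**
  - **Dependent actions:**  kms:Decrypt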

- **  [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) **
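  - **Description:** Grants permission to update the display data of an application instance
  - **Access level:** Write
  - **Resource types (\* required):**
  - **Condition keys:**
  - **Dependent actions:**  kms:Decrypt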

- **  [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) **
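  - **Description:** Grants permission to update the federation response configuration for an application instance
  - **Access level:** Write
  - **Resource types (\* required):**
  - **Condition keys:**
  - **Dependent actions:**  kms:Decrypt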

- **  [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) **
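  - **Description:** Grants permission to update the federation response schema configuration for an application instance
  - **Access level:** Write
  - **Resource types (\* required):**
  - **Condition keys:**
  - **Dependent actions:**  kms:Decrypt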

- **  [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) **
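  - **Description:** Grants permission to update the security details of an application instance
  - **Access level:** Write
  - **Resource types (\* required):**
  - **Condition keys:**
  - **Dependent actions:**  kms:Decrypt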

- **  [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) **
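  - **Description:** Grants permission to update the service provider related configuration of an application instance
  - **Access level:** Write
  - **Resource types (\* required):**
  - **Condition keys:**
  - **Dependent actions:**  kms:Decrypt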

- **  [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) **
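  - **Description:** Grants permission to update the status of an application instance
  - **Access level:** Write
  - **Resource types (\* required):**
  - **Condition keys:**
  - **Dependent actions:**  kms:Decrypt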

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_UpdateInstance.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_UpdateInstance.html) **
  - **Description:** Grants permission to update an Identity Center instance
  - **Access level:** Write
  - **Resource types (\* required):**  [#awsiamidentitycenter-Instance](#awsiamidentitycenter-Instance)
  - **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)
  - **Dependent actions:**  identitystore:UpdateIdentityStore <br /> kms:Decrypt <br /> kms:DescribeKey <br /> kms:Encrypt <br /> kms:GenerateDataKeyWithoutPlaintext

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_UpdateInstanceAccessControlAttributeConfiguration.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_UpdateInstanceAccessControlAttributeConfiguration.html) **
  - **Description:** Grants permission to update the attributes used with the instance for ABAC
  - **Access level:** Write
  - **Resource types (\*required):**  [#awsiamidentitycenter-Instance](#awsiamidentitycenter-Instance) 
  - **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion) 
  - **Dependent actions:**  kms:Decrypt 

- **  [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) **
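  - **Description:** Grants permission to update the instance status of a managed application
  - **Access level:** Write
  - **Resource types (\*required):** 
  - **Condition keys:** 
  - **Dependent actions:**  kms:Decrypt 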

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_UpdatePermissionSet.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_UpdatePermissionSet.html) **
  - **Description:** Grants permission to update the permission set
  - **Access level:** Permissions management
  - **Resource types (\*required):**  [#awsiamidentitycenter-Instance](#awsiamidentitycenter-Instance)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:**  kms:Decrypt 
  - **Resource types (\*required):**  [#awsiamidentitycenter-PermissionSet](#awsiamidentitycenter-PermissionSet)  / **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  / **Dependent actions:** 

- **  [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) **
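  - **Description:** Grants permission to update the profile for the application instance
  - **Access level:** Write
  - **Resource types (\*required):** 
  - **Condition keys:** 
  - **Dependent actions:**  kms:Decrypt 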

- **  [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) **
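  - **Description:** Grants permission to update the configuration for the current SSO instance
  - **Access level:** Write
  - **Resource types (\*required):** 
  - **Condition keys:** 
  - **Dependent actions:**  kms:Decrypt 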

- **  [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) **
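  - **Description:** Grants permission to update the federation trust in a target account
  - **Access level:** Write
  - **Resource types (\*required):** 
  - **Condition keys:** 
  - **Dependent actions:**  kms:Decrypt 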

- **  [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_UpdateTrustedTokenIssuer.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_UpdateTrustedTokenIssuer.html) **
  - **Description:** Grants permission to update the trusted token issuer for an instance
  - **Access level:** Write
  - **Resource types (\*required):**  [#awsiamidentitycenter-TrustedTokenIssuer](#awsiamidentitycenter-TrustedTokenIssuer) 
  - **Condition keys:**  [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion) 
  - **Dependent actions:**  kms:Decrypt 



## Resource types defined by AWS IAM Identity Center
<a name="awsiamidentitycenter-resources-for-iam-policies"></a>

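The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsiamidentitycenter-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).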



| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsetsconcept.html](https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsetsconcept.html)  |  arn:${Partition}:sso:::permissionSet/${InstanceId}/${PermissionSetId}  |  [#awsiamidentitycenter-aws_ResourceTag___TagKey_](#awsiamidentitycenter-aws_ResourceTag___TagKey_) <br /> [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-accounts.html](https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-accounts.html)  |  arn:${Partition}:sso:::account/${AccountId}  |  | 
|   [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_InstanceMetadata.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_InstanceMetadata.html)  |  arn:${Partition}:sso:::instance/${InstanceId}  |  [#awsiamidentitycenter-aws_ResourceTag___TagKey_](#awsiamidentitycenter-aws_ResourceTag___TagKey_) <br /> [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  | 
|   [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_Application.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_Application.html)  |  arn:${Partition}:sso::${AccountId}:application/${InstanceId}/${ApplicationId}  |  [#awsiamidentitycenter-aws_ResourceTag___TagKey_](#awsiamidentitycenter-aws_ResourceTag___TagKey_) <br /> [#awsiamidentitycenter-sso_ApplicationAccount](#awsiamidentitycenter-sso_ApplicationAccount) <br /> [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  | 
|   [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_TrustedTokenIssuerMetadata.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_TrustedTokenIssuerMetadata.html)  |  arn:${Partition}:sso::${AccountId}:trustedTokenIssuer/${InstanceId}/${TrustedTokenIssuerId}  |  [#awsiamidentitycenter-aws_ResourceTag___TagKey_](#awsiamidentitycenter-aws_ResourceTag___TagKey_) <br /> [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)  | 
|   [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ApplicationProvider.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ApplicationProvider.html)  |  arn:${Partition}:sso::aws:applicationProvider/${ApplicationProviderId}  |  | 

## Condition keys for AWS IAM Identity Center
<a name="awsiamidentitycenter-policy-keys"></a>

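AWS IAM Identity Center defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).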



| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/tagging.html](https://docs.aws.amazon.com/singlesignon/latest/userguide/tagging.html)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/tagging.html](https://docs.aws.amazon.com/singlesignon/latest/userguide/tagging.html)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/tagging.html](https://docs.aws.amazon.com/singlesignon/latest/userguide/tagging.html)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/API_Application.html](https://docs.aws.amazon.com/singlesignon/latest/userguide/API_Application.html)  | Filters access by the ARN of the IAM Identity Center application | ARN | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/API_InstanceMetadata.html](https://docs.aws.amazon.com/singlesignon/latest/userguide/API_InstanceMetadata.html)  | Filters access by the ARN of the IAM Identity Center instance | ARN | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/API_Application.html](https://docs.aws.amazon.com/singlesignon/latest/userguide/API_Application.html)  | Filters access by the account that created the application. This condition key is not supported for customer managed SAML applications | String | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/API_InstanceMetadata.html](https://docs.aws.amazon.com/singlesignon/latest/userguide/API_InstanceMetadata.html)  | Filters access by the primary region of the IAM Identity Center instance | String | 