AWS SSO Account Assignment
This page shows how to write the AWS SSO Account Assignment resource in Terraform and CloudFormation, and what to check so that an assignment grants no more access than intended.
aws_ssoadmin_account_assignment (Terraform)
The Account Assignment in AWS SSO can be configured in Terraform with the resource name aws_ssoadmin_account_assignment. The following sections describe 5 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "aws_ssoadmin_account_assignment" "Admin_DevEnv" {
  instance_arn       = data.aws_ssoadmin_permission_set.AWSAdministratorAccess.instance_arn
  permission_set_arn = data.aws_ssoadmin_permission_set.AWSAdministratorAccess.arn
  principal_id       = data.aws_identitystore_group.DevOps.group_id
  principal_type     = "GROUP"
  target_id          = var.dev_account_id # required; cut from the excerpt, variable name assumed
  target_type        = "AWS_ACCOUNT"
}

resource "aws_ssoadmin_account_assignment" "dali_readonly" {
  for_each           = toset([local.accounts.preproduction, local.accounts.production, local.accounts.builder, local.accounts.sandbox])
  instance_arn       = data.aws_ssoadmin_permission_set.control_tower_readonly.instance_arn
  permission_set_arn = data.aws_ssoadmin_permission_set.control_tower_readonly.arn
  principal_id       = data.aws_identitystore_group.dali.group_id
  principal_type     = "GROUP"    # cut from the excerpt; a group_id implies GROUP
  target_id          = each.value # cut from the excerpt; one assignment per account in the set
  target_type        = "AWS_ACCOUNT"
}

resource "aws_ssoadmin_account_assignment" "admin" {
  for_each           = var.admin_groups
  instance_arn       = aws_ssoadmin_permission_set.admin.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.admin.arn
  principal_id       = data.aws_identitystore_group.admin[each.key].id
  principal_type     = "GROUP"
  target_id          = each.value # required; cut from the excerpt. Assumes var.admin_groups maps group name to account ID
  target_type        = "AWS_ACCOUNT"
}

resource "aws_ssoadmin_account_assignment" "dev_to_dev" {
  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.dev.arn
  principal_id       = data.aws_identitystore_group.dev.group_id
  principal_type     = "GROUP"
  target_id          = local.dev_account_id # required; cut from the excerpt, local name assumed
  target_type        = "AWS_ACCOUNT"
}

resource "aws_ssoadmin_account_assignment" "creosAssignPowerUser" {
  instance_arn       = data.aws_ssoadmin_permission_set.ssoPowerUser.instance_arn
  permission_set_arn = data.aws_ssoadmin_permission_set.ssoPowerUser.arn
  principal_id       = data.aws_identitystore_group.CREOS.group_id
  principal_type     = "GROUP"
  target_id          = var.target_account_id # required; cut from the excerpt, variable name assumed
  target_type        = "AWS_ACCOUNT"
}
Parameters
- id: optional, computed; string. Composite identifier of the assignment, set by the provider.
- instance_arn: required; string. ARN of the SSO instance under which the operation will be executed.
- permission_set_arn: required; string. ARN of the permission set the assignment grants.
- principal_id: required; string. Identity store identifier of the user or group that receives access.
- principal_type: required; string. Either USER or GROUP.
- target_id: required; string. The 12-digit ID of the AWS account the principal gets access to.
- target_type: optional; string. Entity type of the target; the only valid value is AWS_ACCOUNT.
Explanation in Terraform Registry
Provides a Single Sign-On (SSO) Account Assignment resource
AWS::SSO::Assignment (CloudFormation)
The Assignment in SSO can be configured in CloudFormation with the resource name AWS::SSO::Assignment. The following sections describe examples of how to use the resource and its parameters.
Example Usage from GitHub
  Assignment:   # logical ID not present in the excerpt; name assumed
    Type: AWS::SSO::Assignment
    Condition: includeMaster
    Properties:
      InstanceArn: !Ref instanceArn
      PermissionSetArn: !If [ includePermissionSet, !GetAtt PermissionSet.PermissionSetArn, !Ref permissionSetArn ]
      PrincipalId: !Ref principalId
      # PrincipalType, TargetId and TargetType are required but cut from the excerpt; parameter names assumed
      PrincipalType: !Ref principalType
      TargetId: !Ref targetId
      TargetType: AWS_ACCOUNT
  rAssignmentOrgAdministratorAccess:   # logical ID not present in the excerpt; name assumed
    Type: AWS::SSO::Assignment
    Properties:
      InstanceArn: !Ref pAwsSsoInsanceArn
      PermissionSetArn: !GetAtt rPermissionSetOrgAdministratorAccess.PermissionSetArn
      PrincipalId: !FindInMap [ mGroups, AWSAllAdmin, Id ]
      PrincipalType: 'GROUP'
      TargetId: !Ref pTargetAccountId   # required; cut from the excerpt, parameter name assumed
      TargetType: 'AWS_ACCOUNT'

  Assignment:   # logical ID not present in the excerpt; name assumed
    Type: AWS::SSO::Assignment
    Properties:
      InstanceArn: !Ref SSOInstance
      PermissionSetArn: !Ref PermissionSetArn
      PrincipalId: !Ref PrincipalId     # required; cut from the excerpt, parameter name assumed
      PrincipalType: GROUP
      TargetId: !Ref TargetAccount
      TargetType: 'AWS_ACCOUNT'

  AdministratorsAssignment:   # logical ID not present in the excerpt; name assumed
    Type: AWS::SSO::Assignment
    Properties:
      InstanceArn: !Ref SSOInstanceArn
      PermissionSetArn: !GetAtt AdministratorAccessPermissionSet.PermissionSetArn
      PrincipalId: !Ref SSOAdministratorsGroupId
      PrincipalType: GROUP
      TargetId: !Ref TargetAccountId    # required; cut from the excerpt, parameter name assumed
      TargetType: AWS_ACCOUNT
Parameters
- InstanceArn: required; String. ARN of the SSO instance under which the operation will be executed.
- TargetId: required; String. The 12-digit ID of the AWS account the principal gets access to.
- TargetType: required; String. Entity type of the target; the only valid value is AWS_ACCOUNT.
- PermissionSetArn: required; String. ARN of the permission set the assignment grants.
- PrincipalType: required; String. Either USER or GROUP.
- PrincipalId: required; String. Identity store identifier of the user or group that receives access.
Explanation in CloudFormation Registry
Assigns access to a Principal for a specified AWS account using a specified permission set.
Note: the term principal here refers to a user or group that is defined in AWS SSO.
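The checks a reviewer usually wants to run on these assignments before they are applied, whether they come from the Terraform resource or from the CloudFormation resource described above, as an added example in Python (not code from the original page or from any of the repositories it cites): it reads the assignments out of a Terraform plan (terraform show -json tfplan) or a CloudFormation template in JSON form and flags a target that is not an AWS account, a permission set assigned to an individual USER instead of a GROUP, and an admin-level permission set landing on an account outside an allow-list. Every ARN, account number and identifier in the sample input is constructed, and which permission sets count as admin-level and which account may receive them are assumptions supplied by the caller.

```python
"""Static policy check for AWS SSO account assignments taken from a Terraform plan
(JSON) or a CloudFormation template (JSON form) before they are applied."""

ACCOUNT = "AWS_ACCOUNT"


def _cfn_value(value, allow_logical_ref=False):
    """Literal strings pass through. With allow_logical_ref, !Ref X / !GetAtt X.Attr
    collapse to the logical ID X (e.g. a permission set built in the same template).
    Anything else (Fn::If, Fn::FindInMap, a parameter used as an ID) -> None."""
    if isinstance(value, str):
        return value
    if allow_logical_ref and isinstance(value, dict) and len(value) == 1:
        fn, arg = next(iter(value.items()))
        if fn == "Ref":
            return arg
        if fn == "Fn::GetAtt":
            return arg[0] if isinstance(arg, list) else str(arg).split(".", 1)[0]
    return None


def from_cloudformation(template):
    """AWS::SSO::Assignment resources of a parsed (JSON) template, normalised."""
    out = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") == "AWS::SSO::Assignment":
            p = res.get("Properties", {})
            out.append({"source": "cfn:" + name,
                        "principal_type": _cfn_value(p.get("PrincipalType")),
                        "principal_id": _cfn_value(p.get("PrincipalId")),
                        "permission_set": _cfn_value(p.get("PermissionSetArn"), True),
                        "target_id": _cfn_value(p.get("TargetId")),
                        "target_type": _cfn_value(p.get("TargetType"))})
    return out


def from_terraform_plan(plan):
    """aws_ssoadmin_account_assignment resources a plan creates or updates. Values
    known only after apply are absent from `after` (see `after_unknown`) -> None."""
    out = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if (rc.get("type") != "aws_ssoadmin_account_assignment"
                or not {"create", "update"} & set(change.get("actions", []))):
            continue
        after = change.get("after") or {}
        out.append({"source": "tf:" + rc["address"],
                    "principal_type": after.get("principal_type"),
                    "principal_id": after.get("principal_id"),
                    "permission_set": after.get("permission_set_arn"),
                    "target_id": after.get("target_id"),
                    "target_type": after.get("target_type")})
    return out


def audit(assignments, admin_permission_sets, admin_accounts):
    """Return (severity, source, message) findings in input order."""
    findings = []
    for a in assignments:
        src, is_admin = a["source"], a["permission_set"] in admin_permission_sets
        if a["target_type"] not in (None, ACCOUNT):
            findings.append(("high", src, f"unexpected target_type {a['target_type']!r}"))
        if a["principal_type"] == "USER":  # groups keep revocation tied to membership
            findings.append(("high" if is_admin else "medium", src, "assigned to a USER, not a group"))
        if is_admin and a["target_id"] is not None and a["target_id"] not in admin_accounts:
            findings.append(("high", src, f"admin permission set on non-allow-listed account {a['target_id']}"))
        unresolved = [k for k in ("principal_type", "principal_id", "permission_set", "target_id") if a[k] is None]
        if unresolved:
            findings.append(("info", src, "not statically resolvable, review after apply: " + ", ".join(unresolved)))
    return findings


# --- constructed sample input; every ARN, ID and account number below is made up ---
_INSTANCE = "arn:aws:sso:::instance/ssoins-0123456789abcdef"
ADMIN_PS_ARN = "arn:aws:sso:::permissionSet/ssoins-0123456789abcdef/ps-admin00000000001"
READONLY_PS_ARN = "arn:aws:sso:::permissionSet/ssoins-0123456789abcdef/ps-readonly0000001"


def _tf_change(address, ps_arn, ptype, pid, account):
    return {"address": address, "type": "aws_ssoadmin_account_assignment",
            "change": {"actions": ["create"], "after": {
                "instance_arn": _INSTANCE, "permission_set_arn": ps_arn, "principal_type": ptype,
                "principal_id": pid, "target_id": account, "target_type": ACCOUNT}}}


SAMPLE_PLAN = {"format_version": "1.2", "resource_changes": [
    _tf_change("aws_ssoadmin_account_assignment.readonly_prod", READONLY_PS_ARN, "GROUP", "grp-readonly", "111111111111"),
    _tf_change("aws_ssoadmin_account_assignment.admin_alice", ADMIN_PS_ARN, "USER", "usr-alice", "111111111111")]}

SAMPLE_TEMPLATE = {"Resources": {
    "AdminAssignment": {"Type": "AWS::SSO::Assignment", "Properties": {
        "InstanceArn": _INSTANCE, "PrincipalId": "grp-admins", "PrincipalType": "GROUP",
        "PermissionSetArn": {"Fn::GetAtt": ["AdministratorAccessPermissionSet", "PermissionSetArn"]},
        "TargetId": "222222222222", "TargetType": ACCOUNT}},
    "ParamDrivenAssignment": {"Type": "AWS::SSO::Assignment", "Properties": {
        "InstanceArn": {"Ref": "instanceArn"}, "PrincipalId": {"Ref": "principalId"},
        "PrincipalType": {"Ref": "principalType"}, "TargetId": {"Ref": "targetId"}, "TargetType": ACCOUNT,
        "PermissionSetArn": {"Fn::If": ["includePermissionSet",
                                        {"Fn::GetAtt": ["AdministratorAccessPermissionSet", "PermissionSetArn"]},
                                        {"Ref": "permissionSetArn"}]}}}}}

# assumed: admin-level permission sets by ARN (Terraform) or logical ID (CloudFormation),
# and the single account allowed to receive them
ADMIN_PERMISSION_SETS = {ADMIN_PS_ARN, "AdministratorAccessPermissionSet"}
ADMIN_ACCOUNTS = {"222222222222"}


def run_example():
    assignments = from_terraform_plan(SAMPLE_PLAN) + from_cloudformation(SAMPLE_TEMPLATE)
    return audit(assignments, ADMIN_PERMISSION_SETS, ADMIN_ACCOUNTS)


if __name__ == "__main__":
    for severity, source, message in run_example():
        print(f"[{severity}] {source}: {message}")
```

On the sample input the script reports two high findings for the Terraform resource that hands the admin permission set to a single user in a non-allow-listed account, nothing for the read-only group assignment or the CloudFormation group assignment to the allow-listed account, and one info finding for the assignment whose principal and permission set are only known through template parameters. Values a Terraform plan knows only after apply are absent from change.after (they are listed under after_unknown), and intrinsic functions such as Fn::If cannot be evaluated statically; both are reported rather than silently passed, so an assignment that references a permission set created in the same change still gets a second look once it exists.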
Frequently asked questions
What is AWS SSO Account Assignment?
AWS SSO Account Assignment is a resource of the AWS Single Sign-On (SSO) service that grants a user or group access to an AWS account through a permission set. Its settings can be written in Terraform and CloudFormation.
Where can I find the example code for the AWS SSO Account Assignment?
For Terraform, the glyhood/AWSSSO, tintulip/cla-organisation and and-digital-cloud/terraform-aws-sso source code examples are useful. See the Terraform Example section for further details.
For CloudFormation, the org-formation/org-formation-us-gov-cloud-reference and pozeus/aws-sso-management source code examples are useful. See the CloudFormation Example section for further details.