AWS SSO Account Assignment

This page shows how to write Terraform and CloudFormation for AWS SSO Account Assignment, and how to write them securely.

aws_ssoadmin_account_assignment (Terraform)

The Account Assignment in AWS SSO can be configured in Terraform with the resource name aws_ssoadmin_account_assignment. The following sections describe 5 examples of how to use the resource and its parameters.

Example Usage from GitHub

sso_DevOps.tf#L17

resource "aws_ssoadmin_account_assignment" "Admin_DevEnv" {
  instance_arn       = data.aws_ssoadmin_permission_set.AWSAdministratorAccess.instance_arn
  permission_set_arn = data.aws_ssoadmin_permission_set.AWSAdministratorAccess.arn

  principal_id   = data.aws_identitystore_group.DevOps.group_id
  principal_type = "GROUP"
  # excerpt truncated here (target_id / target_type not shown)
}

main.tf#L60

resource "aws_ssoadmin_account_assignment" "dali_readonly" {
  for_each           = toset([local.accounts.preproduction, local.accounts.production, local.accounts.builder, local.accounts.sandbox])
  instance_arn       = data.aws_ssoadmin_permission_set.control_tower_readonly.instance_arn
  permission_set_arn = data.aws_ssoadmin_permission_set.control_tower_readonly.arn

  principal_id   = data.aws_identitystore_group.dali.group_id
  # excerpt truncated here (principal_type, target_id / target_type not shown)
}

sso-account-assignment.tf#L1

resource "aws_ssoadmin_account_assignment" "admin" {
  for_each           = var.admin_groups
  instance_arn       = aws_ssoadmin_permission_set.admin.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.admin.arn
  principal_id       = data.aws_identitystore_group.admin[each.key].id
  principal_type     = "GROUP"
  # excerpt truncated here (target_id / target_type not shown)
}

account_assignment_dev.tf#L10

resource "aws_ssoadmin_account_assignment" "dev_to_dev" {
  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.dev.arn

  principal_id   = data.aws_identitystore_group.dev.group_id
  principal_type = "GROUP"
  # excerpt truncated here (target_id / target_type not shown)
}

sso-creos.tf#L17

resource "aws_ssoadmin_account_assignment" "creosAssignPowerUser" {
  instance_arn       = data.aws_ssoadmin_permission_set.ssoPowerUser.instance_arn
  permission_set_arn = data.aws_ssoadmin_permission_set.ssoPowerUser.arn

  principal_id   = data.aws_identitystore_group.CREOS.group_id
  principal_type = "GROUP"
  # excerpt truncated here (target_id / target_type not shown)
}

Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

Explanation in Terraform Registry

Provides a Single Sign-On (SSO) Account Assignment resource
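A complete configuration that the excerpts above only partially show, added here as an example (it is not code from this page or from any of the listed repositories): it looks up the Identity Center instance, creates a read-only permission set with a short session, and assigns it to a group rather than to individual users across a map of accounts, including the target_id and target_type arguments the excerpts cut off. The account IDs and the "auditors" group name are assumed placeholders.

```hcl
# Look up the single Identity Center (AWS SSO) instance in the organisation.
data "aws_ssoadmin_instances" "this" {}

locals {
  instance_arn      = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]

  # Accounts the read-only group may access (placeholder IDs, assumed).
  readonly_accounts = {
    sandbox = "111111111111"
    dev     = "222222222222"
  }
}

# Least-privilege permission set: AWS-managed ReadOnlyAccess, 4-hour sessions.
resource "aws_ssoadmin_permission_set" "readonly" {
  name             = "ReadOnly"
  instance_arn     = local.instance_arn
  session_duration = "PT4H"
}

resource "aws_ssoadmin_managed_policy_attachment" "readonly" {
  instance_arn       = local.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.readonly.arn
  managed_policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}

# Resolve the group by display name ("auditors" is an assumed placeholder).
# Assign groups, not individual users, so access is reviewed via membership.
data "aws_identitystore_group" "auditors" {
  identity_store_id = local.identity_store_id
  alternate_identifier {
    unique_attribute {
      attribute_path  = "DisplayName"
      attribute_value = "auditors"
    }
  }
}

# One assignment per target account; target_id / target_type are required.
resource "aws_ssoadmin_account_assignment" "auditors_readonly" {
  for_each           = local.readonly_accounts
  instance_arn       = local.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.readonly.arn
  principal_id       = data.aws_identitystore_group.auditors.group_id
  principal_type     = "GROUP"
  target_id          = each.value
  target_type        = "AWS_ACCOUNT"
}
```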

AWS::SSO::Assignment (CloudFormation)

The Assignment in SSO can be configured in CloudFormation with the resource name AWS::SSO::Assignment. The following sections describe 7 examples of how to use the resource and its parameters.

Example Usage from GitHub

aws-sso.yml#L49

    Type: AWS::SSO::Assignment
    Condition: includeMaster
    Properties:
      InstanceArn: !Ref instanceArn
      PermissionSetArn: !If [ includePermissionSet, !GetAtt PermissionSet.PermissionSetArn, !Ref permissionSetArn ]
      PrincipalId: !Ref principalId

aws-sso.yml#L49

    Type: AWS::SSO::Assignment
    Condition: includeMaster
    Properties:
      InstanceArn: !Ref instanceArn
      PermissionSetArn: !If [ includePermissionSet, !GetAtt PermissionSet.PermissionSetArn, !Ref permissionSetArn ]
      PrincipalId: !Ref principalId

template.yml#L169

    Type: AWS::SSO::Assignment
    Properties:
      InstanceArn: !Ref pAwsSsoInsanceArn
      PermissionSetArn: !GetAtt rPermissionSetOrgAdministratorAccess.PermissionSetArn
      PrincipalId: !FindInMap [ mGroups, AWSAllAdmin, Id ]
      PrincipalType: 'GROUP'

example-assignment.yml#L15

    Type: AWS::SSO::Assignment
    Properties:
      InstanceArn: !Ref SSOInstance
      PermissionSetArn: !Ref PermissionSetArn
      TargetId: !Ref TargetAccount
      TargetType: 'AWS_ACCOUNT'

sso-stack.yml#L138

    Type: AWS::SSO::Assignment
    Properties:
      InstanceArn: !Ref SSOInstanceArn
      PermissionSetArn: !GetAtt AdministratorAccessPermissionSet.PermissionSetArn
      PrincipalId: !Ref SSOAdministratorsGroupId
      PrincipalType: GROUP

awsResouceIconMatches.json#L3088

        "resourceType": "AWS::SSO::Assignment",
        "filePath": null
      },
      {
        "resourceType": "AWS::SSO::PermissionSet",
        "filePath": null

template.json#L1759

    "AWS::SSO::Assignment": {
      "Type": "AWS::SSO::Assignment",
      "Properties": {}
    },
    "AWS::GameLift::Alias": {
      "Type": "AWS::GameLift::Alias",


Parameters

Explanation in CloudFormation Registry

Assigns access to a Principal for a specified AWS account using a specified permission set.

Note: The term principal here refers to a user or group that is defined in AWS SSO.

Frequently asked questions

What is AWS SSO Account Assignment?

AWS SSO Account Assignment is a resource for SSO of Amazon Web Services. Settings can be written in Terraform and CloudFormation.

Where can I find the example code for the AWS SSO Account Assignment?

For Terraform, the glyhood/AWSSSO, tintulip/cla-organisation and and-digital-cloud/terraform-aws-sso source code examples are useful. See the Terraform Example section for further details.

For CloudFormation, the org-formation/org-formation-us-gov-cloud-reference, org-formation/org-formation-us-gov-cloud-reference and pozeus/aws-sso-management source code examples are useful. See the CloudFormation Example section for further details.