AWS SSO Permission Set Inline Policy
This page shows how to write Terraform and CloudFormation for AWS SSO Permission Set Inline Policy and write them securely.
aws_ssoadmin_permission_set_inline_policy (Terraform)
The Permission Set Inline Policy in AWS SSO can be configured in Terraform with the resource name aws_ssoadmin_permission_set_inline_policy. The following sections describe 5 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "aws_ssoadmin_permission_set_inline_policy" "DevOps_DevEnv_Custom_Policy" {
  # Policy JSON rendered from an aws_iam_policy_document data source
  inline_policy      = data.aws_iam_policy_document.DevOps_DevEnv_Custom_Policy.json
  instance_arn       = aws_ssoadmin_permission_set.DevOps_DevEnv.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.DevOps_DevEnv.arn
}

resource "aws_ssoadmin_permission_set_inline_policy" "this" {
  # One resource per policy document; an empty list creates nothing.
  # AWS SSO supports only one inline policy per permission set, so the
  # variable should hold at most one document for a given permission set.
  for_each           = length(var.inline_policy_documents) > 0 ? toset(var.inline_policy_documents) : []
  inline_policy      = each.value
  instance_arn       = var.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.this.arn
}

resource "aws_ssoadmin_permission_set_inline_policy" "main" {
  # Only attach a policy when at least one policy JSON was supplied
  count              = length(var.inline_policy_jsons) > 0 ? 1 : 0
  inline_policy      = data.aws_iam_policy_document.main.json
  instance_arn       = aws_ssoadmin_permission_set.main.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.main.arn
}

resource "aws_ssoadmin_permission_set_inline_policy" "ssoadmin_permission_set_inline_policy" {
  count         = var.enable_ssoadmin_permission_set_inline_policy ? length(var.ssoadmin_permission_set_inline_policy_inline_policies) : 0
  inline_policy = var.ssoadmin_permission_set_inline_policy_inline_policies[count.index]
  # Use the explicitly supplied ARNs, otherwise fall back to the permission set created in this module
  instance_arn       = var.ssoadmin_permission_set_inline_policy_instance_arn != "" ? var.ssoadmin_permission_set_inline_policy_instance_arn : (var.enable_ssoadmin_permission_set ? aws_ssoadmin_permission_set.ssoadmin_permission_set[0].instance_arn : null)
  permission_set_arn = var.ssoadmin_permission_set_inline_policy_permission_set_arn != "" ? var.ssoadmin_permission_set_inline_policy_permission_set_arn : (var.enable_ssoadmin_permission_set ? aws_ssoadmin_permission_set.ssoadmin_permission_set[0].arn : null)
}

resource "aws_ssoadmin_permission_set_inline_policy" "this" {
  count              = length(var.inline_policy) > 0 ? 1 : 0
  inline_policy      = var.inline_policy
  instance_arn       = aws_ssoadmin_permission_set.this.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.this.arn
}
Parameters
id: optional, computed - string
inline_policy: required - string
instance_arn: required - string
permission_set_arn: required - string
Explanation in Terraform Registry
Provides an IAM inline policy for a Single Sign-On (SSO) Permission Set resource.
NOTE: AWS Single Sign-On (SSO) only supports one IAM inline policy per aws_ssoadmin_permission_set resource. Creating or updating this resource will automatically provision the Permission Set to apply the corresponding updates to all assigned accounts.
AWS::SSO::PermissionSet (CloudFormation)
The PermissionSet in SSO can be configured in CloudFormation with the resource name AWS::SSO::PermissionSet. The following sections describe 8 examples of how to use the resource and its parameters.
Example Usage from GitHub
Type: AWS::SSO::PermissionSet
Properties:
  Name: ExampleSet
  InstanceArn: !Ref SSOInstance
  # The documented property for an inline policy on this resource is InlinePolicy (see Parameters below)
  PolicyDocument:
    Version: 2012-10-17

Type: AWS::SSO::PermissionSet
Properties:
  Name: TestPS1
  Description: Readonly Access
  InstanceArn: arn:aws:sso:::instance/ssoins-6804ad5dfea0d87e
  ManagedPolicies:

Type: AWS::SSO::PermissionSet
Properties:
  Name: TestPS2
  Description: Readonly Access
  InstanceArn: arn:aws:sso:::instance/ssoins-6804ad5dfea0d87e
  ManagedPolicies:

Type: AWS::SSO::PermissionSet
Properties:
  Description: 'Permission set being used for AdministratorAccess that bypasses X SCPs'
  SessionDuration: 'PT12H' # The length of time that the application user sessions are valid for in the ISO-8601 standard.
  InstanceArn: !Ref pAwsSsoInsanceArn
  Name: 'FullAdministratorAccess'

Type: AWS::SSO::PermissionSet
Properties:
  Name: TestPSABC
  Description: Readonly Access
  InstanceArn: !Ref instanceArn
  ManagedPolicies:

"Type": "AWS::SSO::PermissionSet",
"Properties": {
  "InstanceArn": "arn:aws:sso:::instance/ssoins-111222333444",
  "Name": "MyPermissionSet",
  "ManagedPolicies": [

{
  "resourceType": "AWS::SSO::PermissionSet",
  "filePath": null
},
{
  "resourceType": "AWS::SSO::InstanceAccessControlAttributeConfiguration",
  "filePath": null

"AWS::SSO::PermissionSet": {
  "Type": "AWS::SSO::PermissionSet",
  "Properties": {}
},
"AWS::Pinpoint::PushTemplate": {
  "Type": "AWS::Pinpoint::PushTemplate",
Parameters
Name: required - String
Description: optional - String
InstanceArn: required - String
SessionDuration: optional - String
RelayStateType: optional - String
ManagedPolicies: optional - List
InlinePolicy: optional - Json
Tags: optional - List of Tag
Explanation in CloudFormation Registry
Specifies a permission set within a specified SSO instance.
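The Terraform registry note above says the inline policy is provisioned to every account the permission set is assigned to, so a wildcard in it has multi-account blast radius. The following Python is an added example, not code from this page or from either provider: it lints the policy JSON that Terraform's inline_policy argument or CloudFormation's InlinePolicy property carries before it is applied. The sample policy document and the set of escalation-prone actions are constructed for illustration.

```python
import json

# Constructed sample of the JSON string that Terraform's inline_policy argument or
# CloudFormation's InlinePolicy property would carry; not taken from the page.
SAMPLE_INLINE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DevEnvLogs", "Effect": "Allow",
         "Action": ["logs:DescribeLogGroups", "logs:GetLogEvents"],
         "Resource": "arn:aws:logs:*:111111111111:log-group:/dev/*"},
        {"Sid": "TooBroad", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "PassRoleAnywhere", "Effect": "Allow",
         "Action": ["s3:GetObject", "iam:PassRole"], "Resource": "*"},
        {"Sid": "RegionScoped", "Effect": "Allow", "Action": "ec2:Describe*",
         "Resource": "*",
         "Condition": {"StringEquals": {"aws:RequestedRegion": "eu-west-1"}}},
    ],
})

# Actions that let a session grant itself more access; paired with a wildcard
# Resource they undo whatever scoping the rest of the policy does (illustrative list).
ESCALATION_ACTIONS = {"iam:PassRole", "iam:PutRolePolicy", "iam:AttachRolePolicy",
                      "iam:CreatePolicyVersion", "sts:AssumeRole"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_inline_policy(policy_json):
    """Return (Sid, message) findings for Allow statements broader than a
    permission set that is provisioned to every assigned account should be."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((sid, "NotAction/NotResource allows everything not listed"))
            continue
        actions = _as_list(stmt.get("Action", []))
        wildcard_action = any(a == "*" or a.endswith(":*") for a in actions)
        wildcard_resource = "*" in _as_list(stmt.get("Resource", []))
        if wildcard_action and wildcard_resource:
            findings.append((sid, "Action and Resource are both wildcards"))
        elif wildcard_resource and "Condition" not in stmt:
            findings.append((sid, "Resource is * with no Condition"))
        if wildcard_resource:
            for action in sorted(ESCALATION_ACTIONS & set(actions)):
                findings.append((sid, f"{action} on every resource permits privilege escalation"))
    return findings
```

Run it as a pre-apply check in CI against the rendered aws_iam_policy_document JSON or the template's InlinePolicy value and fail the pipeline on any finding.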
Frequently asked questions
What is AWS SSO Permission Set Inline Policy?
AWS SSO Permission Set Inline Policy is a resource for SSO of Amazon Web Services. Settings can be written in Terraform and CloudFormation.
Where can I find the example code for the AWS SSO Permission Set Inline Policy?
For Terraform, the glyhood/AWSSSO, cloud-security-labs/terraform-aws-ssoadmin-permission-set and gadgetry-io/terraform-aws-sso-permission-set source code examples are useful. See the Terraform Example section for further details.
For CloudFormation, the ArjenSchwarz/cloudformation-macros and org-formation/org-formation-cli source code examples are useful. See the CloudFormation Example section for further details.