AWS SSO Permission Set
This page shows how to write Terraform and CloudFormation for AWS SSO Permission Set and write them securely.
aws_ssoadmin_permission_set (Terraform)
The Permission Set in AWS SSO can be configured in Terraform with the resource name aws_ssoadmin_permission_set. The following sections describe 5 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "aws_ssoadmin_permission_set" "DevOps_DevEnv" {
  instance_arn = tolist(data.aws_ssoadmin_instances.okta.arns)[0]
  name         = "DevOps_DevEnv"
  description  = "Provides access for members of the DevOps team to the development env"
  tags = {
    Environment = "Development"
  }
}

resource "aws_ssoadmin_permission_set" "admin" {
  name             = "admin"
  instance_arn     = local.instance_arn
  session_duration = "PT1H"
}

resource "aws_ssoadmin_permission_set" "delivery_pipelines_readonly" {
  instance_arn = tolist(data.aws_ssoadmin_instances.control_tower.arns)[0]
  name         = "DeliveryPipelinesReadOnly"
  description  = "For delivery teams needing to see what fails and how in delivery pipelines."
}

resource "aws_ssoadmin_permission_set" "permissionset" {
  name         = var.name
  description  = var.name
  instance_arn = tolist(data.aws_ssoadmin_instances.ssos.arns)[0]
}

resource "aws_ssoadmin_permission_set" "this" {
  name             = var.name
  description      = var.description
  instance_arn     = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  relay_state      = var.relay_state
  session_duration = var.session_duration
}
Parameters
- arn (optional, computed): string
- created_date (optional, computed): string
- description (optional): string
- id (optional, computed): string
- instance_arn (required): string
- name (required): string
- relay_state (optional): string
- session_duration (optional): string
- tags (optional): map from string to string
Explanation in Terraform Registry
Provides a Single Sign-On (SSO) Permission Set resource
NOTE: Updating this resource will automatically Provision the Permission Set to apply the corresponding updates to all assigned accounts.
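The snippets above are fragments, so the following is an added, complete configuration (not code from the page or from any of the repositories it cites) that pairs the permission set with a managed policy attachment and an inline explicit-deny policy; the resource names, the "ReadOnlyAudit" set, the relay state URL and the tag values are assumptions.

```hcl
# Added example, not from the original page: a read-only permission set with a
# short session and an explicit deny on secret-value reads. Names are assumed.
data "aws_ssoadmin_instances" "this" {}

locals {
  # Accounts normally have exactly one SSO instance.
  instance_arn = tolist(data.aws_ssoadmin_instances.this.arns)[0]
}

resource "aws_ssoadmin_permission_set" "readonly" {
  name             = "ReadOnlyAudit"
  description      = "Read-only access for auditors"
  instance_arn     = local.instance_arn
  session_duration = "PT1H" # ISO-8601 duration; keep sessions short
  relay_state      = "https://console.aws.amazon.com/cloudtrail/home"

  tags = {
    Owner = "security" # assumed tag value
  }
}

# Attach an AWS managed policy rather than hand-writing a broad inline policy.
resource "aws_ssoadmin_managed_policy_attachment" "readonly" {
  instance_arn       = local.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.readonly.arn
  managed_policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}

# Explicit deny so that principals using this set cannot fetch secret values,
# regardless of what the attached managed policy allows.
data "aws_iam_policy_document" "deny_secrets" {
  statement {
    effect    = "Deny"
    actions   = ["secretsmanager:GetSecretValue", "ssm:GetParameter*"]
    resources = ["*"]
  }
}

resource "aws_ssoadmin_permission_set_inline_policy" "deny_secrets" {
  instance_arn       = local.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.readonly.arn
  inline_policy      = data.aws_iam_policy_document.deny_secrets.json
}
```

Per the registry note above, changing any of these resources re-provisions the permission set to every account it is assigned to, so review the plan output before applying.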
AWS::SSO::PermissionSet (CloudFormation)
The PermissionSet in SSO can be configured in CloudFormation with the resource name AWS::SSO::PermissionSet. The following sections describe 8 examples of how to use the resource and its parameters.
Example Usage from GitHub
Type: AWS::SSO::PermissionSet
Properties:
  Name: ExampleSet
  InstanceArn: !Ref SSOInstance
  PolicyDocument:
    Version: 2012-10-17

Type: AWS::SSO::PermissionSet
Properties:
  Name: TestPS1
  Description: Readonly Access
  InstanceArn: arn:aws:sso:::instance/ssoins-6804ad5dfea0d87e
  ManagedPolicies:

Type: AWS::SSO::PermissionSet
Properties:
  Name: TestPS2
  Description: Readonly Access
  InstanceArn: arn:aws:sso:::instance/ssoins-6804ad5dfea0d87e
  ManagedPolicies:

Type: AWS::SSO::PermissionSet
Properties:
  Description: 'Permission set being used for AdministratorAccess that bypasses X SCPs'
  SessionDuration: 'PT12H' # The length of time that the application user sessions are valid for in the ISO-8601 standard.
  InstanceArn: !Ref pAwsSsoInsanceArn
  Name: 'FullAdministratorAccess'

Type: AWS::SSO::PermissionSet
Properties:
  Name: TestPSABC
  Description: Readonly Access
  InstanceArn: !Ref instanceArn
  ManagedPolicies:

"Type": "AWS::SSO::PermissionSet",
"Properties": {
  "InstanceArn": "arn:aws:sso:::instance/ssoins-111222333444",
  "Name": "MyPermissionSet",
  "ManagedPolicies": [

{
  "resourceType": "AWS::SSO::PermissionSet",
  "filePath": null
},
{
  "resourceType": "AWS::SSO::InstanceAccessControlAttributeConfiguration",
  "filePath": null

"AWS::SSO::PermissionSet": {
  "Type": "AWS::SSO::PermissionSet",
  "Properties": {}
},
"AWS::Pinpoint::PushTemplate": {
  "Type": "AWS::Pinpoint::PushTemplate",
Parameters
- Name (required): String
- Description (optional): String
- InstanceArn (required): String
- SessionDuration (optional): String
- RelayStateType (optional): String
- ManagedPolicies (optional): List
- InlinePolicy (optional): Json
- Tags (optional): List of Tag
Explanation in CloudFormation Registry
Specifies a permission set within a specified SSO instance.
Frequently asked questions
What is AWS SSO Permission Set?
AWS SSO Permission Set is a resource of the SSO (Single Sign-On) service of Amazon Web Services. Its settings can be written in Terraform and CloudFormation.
Where can I find the example code for the AWS SSO Permission Set?
For Terraform, the glyhood/AWSSSO, dharada1/aws-sso-sample and tintulip/cla-organisation source code examples are useful. See the Terraform Example section for further details.
For CloudFormation, the ArjenSchwarz/cloudformation-macros and org-formation/org-formation-cli source code examples are useful. See the CloudFormation Example section for further details.