permission_sets
Creates, updates, deletes or gets a permission_set resource or lists permission_sets in a region
Overview
| Name | permission_sets |
| Type | Resource |
| Description | Resource Type definition for SSO PermissionSet |
| Id | awscc.sso.permission_sets |
Fields
- get (all properties)
- list (identifiers only)
| Name | Datatype | Description |
|---|---|---|
name | string | The name you want to assign to this permission set. |
permission_set_arn | string | The permission set that the policy will be attached to |
description | string | The permission set description. |
instance_arn | string | The sso instance arn that the permission set is owned. |
session_duration | string | The length of time that a user can be signed in to an AWS account. |
relay_state_type | string | The relay state URL that redirect links to any service in the AWS Management Console. |
managed_policies | array | |
inline_policy | object | The inline policy to put in permission set. |
tags | array | |
customer_managed_policy_references | array | |
permissions_boundary | object | |
region | string | AWS region. |
| Name | Datatype | Description |
|---|---|---|
permission_set_arn | string | The permission set that the policy will be attached to |
instance_arn | string | The sso instance arn that the permission set is owned. |
region | string | AWS region. |
For more information, see AWS::SSO::PermissionSet.
Methods
| Name | Resource | Accessible by | Required Params |
|---|---|---|---|
create_resource | permission_sets | INSERT | Name, InstanceArn, region |
delete_resource | permission_sets | DELETE | Identifier, region |
update_resource | permission_sets | UPDATE | Identifier, PatchDocument, region |
list_resources | permission_sets_list_only | SELECT | region |
get_resource | permission_sets | SELECT | Identifier, region |
SELECT examples
- get (all properties)
- list (identifiers only)
Gets all properties from an individual permission_set.
SELECT
region,
name,
permission_set_arn,
description,
instance_arn,
session_duration,
relay_state_type,
managed_policies,
inline_policy,
tags,
customer_managed_policy_references,
permissions_boundary
FROM awscc.sso.permission_sets
WHERE
region = 'us-east-1' AND
Identifier = '{{ instance_arn }}|{{ permission_set_arn }}';
Lists all permission_sets in a region.
SELECT
region,
instance_arn,
permission_set_arn
FROM awscc.sso.permission_sets_list_only
WHERE
region = 'us-east-1';
INSERT example
Use the following StackQL query and manifest file to create a new permission_set resource, using stack-deploy.
- Required Properties
- All Properties
- Manifest
/*+ create */
INSERT INTO awscc.sso.permission_sets (
Name,
InstanceArn,
region
)
SELECT
'{{ name }}',
'{{ instance_arn }}',
'{{ region }}';
/*+ create */
INSERT INTO awscc.sso.permission_sets (
Name,
Description,
InstanceArn,
SessionDuration,
RelayStateType,
ManagedPolicies,
InlinePolicy,
Tags,
CustomerManagedPolicyReferences,
PermissionsBoundary,
region
)
SELECT
'{{ name }}',
'{{ description }}',
'{{ instance_arn }}',
'{{ session_duration }}',
'{{ relay_state_type }}',
'{{ managed_policies }}',
'{{ inline_policy }}',
'{{ tags }}',
'{{ customer_managed_policy_references }}',
'{{ permissions_boundary }}',
'{{ region }}';
version: 1
name: stack name
description: stack description
providers:
- aws
globals:
- name: region
value: '{{ vars.AWS_REGION }}'
resources:
- name: permission_set
props:
- name: name
value: '{{ name }}'
- name: description
value: '{{ description }}'
- name: instance_arn
value: '{{ instance_arn }}'
- name: session_duration
value: '{{ session_duration }}'
- name: relay_state_type
value: '{{ relay_state_type }}'
- name: managed_policies
value:
- '{{ managed_policies[0] }}'
- name: inline_policy
value: {}
- name: tags
value:
- key: '{{ key }}'
value: '{{ value }}'
- name: customer_managed_policy_references
value:
- name: '{{ name }}'
path: '{{ path }}'
- name: permissions_boundary
value:
customer_managed_policy_reference: null
managed_policy_arn: null
UPDATE example
Use the following StackQL query and manifest file to update a permission_set resource, using stack-deploy.
/*+ update */
UPDATE awscc.sso.permission_sets
SET PatchDocument = string('{{ {
"Description": description,
"SessionDuration": session_duration,
"RelayStateType": relay_state_type,
"ManagedPolicies": managed_policies,
"InlinePolicy": inline_policy,
"Tags": tags,
"CustomerManagedPolicyReferences": customer_managed_policy_references,
"PermissionsBoundary": permissions_boundary
} | generate_patch_document }}')
WHERE
region = '{{ region }}' AND
Identifier = '{{ instance_arn }}|{{ permission_set_arn }}';
DELETE example
/*+ delete */
DELETE FROM awscc.sso.permission_sets
WHERE
Identifier = '{{ instance_arn }}|{{ permission_set_arn }}' AND
region = 'us-east-1';
Permissions
To operate on the permission_sets resource, the following permissions are required:
- Create
- Read
- Update
- Delete
- List
sso:CreatePermissionSet,
sso:PutInlinePolicyToPermissionSet,
sso:AttachManagedPolicyToPermissionSet,
sso:AttachCustomerManagedPolicyReferenceToPermissionSet,
sso:PutPermissionsBoundaryToPermissionSet,
sso:TagResource,
sso:DescribePermissionSet,
sso:ListTagsForResource,
sso:ListManagedPoliciesInPermissionSet,
sso:ListCustomerManagedPolicyReferencesInPermissionSet,
sso:GetInlinePolicyForPermissionSet,
sso:GetPermissionsBoundaryForPermissionSet
sso:DescribePermissionSet,
sso:ListTagsForResource,
sso:ListManagedPoliciesInPermissionSet,
sso:ListCustomerManagedPolicyReferencesInPermissionSet,
sso:GetInlinePolicyForPermissionSet,
sso:GetPermissionsBoundaryForPermissionSet
sso:UpdatePermissionSet,
sso:TagResource,
sso:UntagResource,
sso:ListTagsForResource,
sso:AttachManagedPolicyToPermissionSet,
sso:AttachCustomerManagedPolicyReferenceToPermissionSet,
sso:DetachManagedPolicyFromPermissionSet,
sso:DetachCustomerManagedPolicyReferenceFromPermissionSet,
sso:ListManagedPoliciesInPermissionSet,
sso:ListCustomerManagedPolicyReferencesInPermissionSet,
sso:PutInlinePolicyToPermissionSet,
sso:GetPermissionsBoundaryForPermissionSet,
sso:DeletePermissionsBoundaryFromPermissionSet,
sso:PutPermissionsBoundaryToPermissionSet,
sso:DeleteInlinePolicyFromPermissionSet,
sso:ProvisionPermissionSet,
sso:DescribePermissionSet,
sso:GetInlinePolicyForPermissionSet,
sso:DescribePermissionSetProvisioningStatus
sso:DeletePermissionSet
sso:DescribePermissionSet