permission_sets

Creates, updates, deletes or gets a permission_set resource or lists permission_sets in a region

Overview

Name	permission_sets
Type	Resource
Description	Resource Type definition for SSO PermissionSet
Id	awscc.sso.permission_sets

Fields

get (all properties)

Name	Datatype	Description
name	string	The name you want to assign to this permission set.
permission_set_arn	string	The permission set that the policy will be attached to
description	string	The permission set description.
instance_arn	string	The sso instance arn that the permission set is owned.
session_duration	string	The length of time that a user can be signed in to an AWS account.
relay_state_type	string	The relay state URL that redirect links to any service in the AWS Management Console.
managed_policies	array
inline_policy	object	The inline policy to put in permission set.
▶tags	array
▶customer_managed_policy_references	array
permissions_boundary	object
region	string	AWS region.

list (identifiers only)

Name	Datatype	Description
permission_set_arn	string	The permission set that the policy will be attached to
instance_arn	string	The sso instance arn that the permission set is owned.
region	string	AWS region.

For more information, see AWS::SSO::PermissionSet.

Methods

Name	Resource	Accessible by	Required Params
create_resource	permission_sets	INSERT	Name, InstanceArn, region
delete_resource	permission_sets	DELETE	Identifier, region
update_resource	permission_sets	UPDATE	Identifier, PatchDocument, region
list_resources	permission_sets_list_only	SELECT	region
get_resource	permission_sets	SELECT	Identifier, region

SELECT examples

get (all properties)

Gets all properties from an individual permission_set.

SELECT
  region,
  name,
  permission_set_arn,
  description,
  instance_arn,
  session_duration,
  relay_state_type,
  managed_policies,
  inline_policy,
  tags,
  customer_managed_policy_references,
  permissions_boundary
FROM awscc.sso.permission_sets
WHERE
  region = '{{ region }}' AND
  Identifier = '{{ instance_arn }}|{{ permission_set_arn }}';

list (identifiers only)

Lists all permission_sets in a region.

SELECT
  region,
  instance_arn,
  permission_set_arn
FROM awscc.sso.permission_sets_list_only
WHERE
  region = '{{ region }}';

INSERT example

Use the following StackQL query and manifest file to create a new permission_set resource, using stack-deploy.

Required Properties

/*+ create */
INSERT INTO awscc.sso.permission_sets (
  Name,
  InstanceArn,
  region
)
SELECT
  '{{ name }}',
  '{{ instance_arn }}',
  '{{ region }}'
RETURNING
  ErrorCode,
  EventTime,
  Identifier,
  Operation,
  OperationStatus,
  RequestToken,
  ResourceModel,
  RetryAfter,
  StatusMessage,
  TypeName
;

All Properties

/*+ create */
INSERT INTO awscc.sso.permission_sets (
  Name,
  Description,
  InstanceArn,
  SessionDuration,
  RelayStateType,
  ManagedPolicies,
  InlinePolicy,
  Tags,
  CustomerManagedPolicyReferences,
  PermissionsBoundary,
  region
)
SELECT
  '{{ name }}',
  '{{ description }}',
  '{{ instance_arn }}',
  '{{ session_duration }}',
  '{{ relay_state_type }}',
  '{{ managed_policies }}',
  '{{ inline_policy }}',
  '{{ tags }}',
  '{{ customer_managed_policy_references }}',
  '{{ permissions_boundary }}',
  '{{ region }}'
RETURNING
  ErrorCode,
  EventTime,
  Identifier,
  Operation,
  OperationStatus,
  RequestToken,
  ResourceModel,
  RetryAfter,
  StatusMessage,
  TypeName
;

Manifest

version: 1
name: stack name
description: stack description
providers:
- aws
globals:
- name: region
  value: '{{ vars.AWS_REGION }}'
resources:
- name: permission_set
  props:
    - name: name
      value: '{{ name }}'
    - name: description
      value: '{{ description }}'
    - name: instance_arn
      value: '{{ instance_arn }}'
    - name: session_duration
      value: '{{ session_duration }}'
    - name: relay_state_type
      value: '{{ relay_state_type }}'
    - name: managed_policies
      value:
        - '{{ managed_policies[0] }}'
    - name: inline_policy
      value: {}
    - name: tags
      value:
        - key: '{{ key }}'
          value: '{{ value }}'
    - name: customer_managed_policy_references
      value:
        - name: '{{ name }}'
          path: '{{ path }}'
    - name: permissions_boundary
      value:
        customer_managed_policy_reference: null
        managed_policy_arn: null

UPDATE example

Use the following StackQL query and manifest file to update a permission_set resource, using stack-deploy.

/*+ update */
UPDATE awscc.sso.permission_sets
SET PatchDocument = string('{{ {
    "Description": description,
    "SessionDuration": session_duration,
    "RelayStateType": relay_state_type,
    "ManagedPolicies": managed_policies,
    "InlinePolicy": inline_policy,
    "Tags": tags,
    "CustomerManagedPolicyReferences": customer_managed_policy_references,
    "PermissionsBoundary": permissions_boundary
} | generate_patch_document }}')
WHERE
  region = '{{ region }}' AND
  Identifier = '{{ instance_arn }}|{{ permission_set_arn }}'
RETURNING
  ErrorCode,
  EventTime,
  Identifier,
  Operation,
  OperationStatus,
  RequestToken,
  ResourceModel,
  RetryAfter,
  StatusMessage,
  TypeName
;

DELETE example

/*+ delete */
DELETE FROM awscc.sso.permission_sets
WHERE
  Identifier = '{{ instance_arn }}|{{ permission_set_arn }}' AND
  region = '{{ region }}'
RETURNING
  ErrorCode,
  EventTime,
  Identifier,
  Operation,
  OperationStatus,
  RequestToken,
  ResourceModel,
  RetryAfter,
  StatusMessage,
  TypeName
;

Additional Parameters

Mutable resources in the Cloud Control provider support additional optional parameters which can be supplied with INSERT, UPDATE, or DELETE operations. These include:

Parameter	Description
ClientToken	A unique identifier to ensure the idempotency of the resource request. This allows the provider to accurately distinguish between retries and new requests. A client token is valid for 36 hours once used. After that, a resource request with the same client token is treated as a new request. If you do not specify a client token, one is generated for inclusion in the request.
RoleArn	The ARN of the IAM role used to perform this resource operation. The role specified must have the permissions required for this operation. If you do not specify a role, a temporary session is created using your AWS user credentials.
TypeVersionId	For private resource types, the type version to use in this resource operation. If you do not specify a resource version, the default version is used.

Permissions

To operate on the permission_sets resource, the following permissions are required:

Create

sso:CreatePermissionSet,
sso:PutInlinePolicyToPermissionSet,
sso:AttachManagedPolicyToPermissionSet,
sso:AttachCustomerManagedPolicyReferenceToPermissionSet,
sso:PutPermissionsBoundaryToPermissionSet,
sso:TagResource,
sso:DescribePermissionSet,
sso:ListTagsForResource,
sso:ListManagedPoliciesInPermissionSet,
sso:ListCustomerManagedPolicyReferencesInPermissionSet,
sso:GetInlinePolicyForPermissionSet,
sso:GetPermissionsBoundaryForPermissionSet

Read

sso:DescribePermissionSet,
sso:ListTagsForResource,
sso:ListManagedPoliciesInPermissionSet,
sso:ListCustomerManagedPolicyReferencesInPermissionSet,
sso:GetInlinePolicyForPermissionSet,
sso:GetPermissionsBoundaryForPermissionSet

Update

sso:UpdatePermissionSet,
sso:TagResource,
sso:UntagResource,
sso:ListTagsForResource,
sso:AttachManagedPolicyToPermissionSet,
sso:AttachCustomerManagedPolicyReferenceToPermissionSet,
sso:DetachManagedPolicyFromPermissionSet,
sso:DetachCustomerManagedPolicyReferenceFromPermissionSet,
sso:ListManagedPoliciesInPermissionSet,
sso:ListCustomerManagedPolicyReferencesInPermissionSet,
sso:PutInlinePolicyToPermissionSet,
sso:GetPermissionsBoundaryForPermissionSet,
sso:DeletePermissionsBoundaryFromPermissionSet,
sso:PutPermissionsBoundaryToPermissionSet,
sso:DeleteInlinePolicyFromPermissionSet,
sso:ProvisionPermissionSet,
sso:DescribePermissionSet,
sso:GetInlinePolicyForPermissionSet,
sso:DescribePermissionSetProvisioningStatus

Delete

sso:DeletePermissionSet

List

sso:DescribePermissionSet