Actions, Resources, and Condition Keys for AWS SSO

AWS SSO (service prefix: sso) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions Defined by AWS SSO

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If a resource type is optional (not indicated as required), then you can choose to use one resource type but not the other.

For details about the columns in the following table, see The Actions Table.

| Actions | Description | Access Level | Resource Types (*required) | Condition Keys | Dependent Actions |
|---|---|---|---|---|---|
| AssociateDirectory | Connect a directory to be used by AWS Single Sign-On | Write | | | |
| AssociateProfile | Create an association between a directory user or group and a profile | Write | | | |
| CreateApplicationInstance | Add an application instance to AWS Single Sign-On | Write | | | |
| CreateApplicationInstanceCertificate | Add a new certificate for an application instance | Write | | | |
| CreateManagedApplicationInstance | Add a managed application instance to AWS Single Sign-On | Write | | | |
| CreatePermissionSet | Create a permission set | Write | | | |
| CreateProfile | Create a profile for an application instance | Write | | | |
| CreateTrust | Create a federation trust in a target account | Write | | | |
| DeleteApplicationInstance | Delete the application instance | Write | | | |
| DeleteApplicationInstanceCertificate | Delete an inactive or expired certificate from the application instance | Write | | | |
| DeleteManagedApplicationInstance | Delete the managed application instance | Write | | | |
| DeletePermissionSet | Delete a permission set | Write | | | |
| DeletePermissionsPolicy | Delete the permission policy associated with a permission set | Write | | | |
| DeleteProfile | Delete the profile for an application instance | Write | | | |
| DescribePermissionsPolicies | Retrieve all the permissions policies associated with a permission set | Read | | | |
| DisassociateDirectory | Disassociate a directory that was connected to AWS Single Sign-On | Write | | | |
| DisassociateProfile | Disassociate a directory user or group from a profile | Write | | | |
| GetApplicationInstance | Retrieve details for an application instance | Read | | | |
| GetApplicationTemplate | Retrieve application template details | Read | | | |
| GetManagedApplicationInstance | Retrieve details for an application instance | Read | | | |
| GetMfaDeviceManagementForDirectory | Retrieve Mfa Device Management settings for the directory | Read | | | |
| GetPermissionSet | Retrieve details of a permission set | Read | | | |
| GetPermissionsPolicy | Retrieve all permission policies associated with a permission set | Read | | | sso:DescribePermissionsPolicies |
| GetProfile | Retrieve a profile for an application instance | Read | | | |
| GetSSOStatus | Check if AWS Single Sign-On is enabled | Read | | | |
| GetSharedSsoConfiguration | Retrieve shared configuration for the current SSO instance | Read | | | |
| GetSsoConfiguration | Retrieve configuration for the current SSO instance | Read | | | |
| GetTrust | Retrieve the federation trust in a target account | Read | | | |
| ImportApplicationInstanceServiceProviderMetadata | Update the application instance by uploading an application SAML metadata file provided by the service provider | Write | | | |
| ListApplicationInstanceCertificates | Retrieve all of the certificates for a given application instance | Read | | | |
| ListApplicationInstances | Retrieve all application instances | List | | | sso:GetApplicationInstance |
| ListApplicationTemplates | Retrieve all supported application templates | Read | | | sso:GetApplicationTemplate |
| ListApplications | Retrieve all supported applications | Read | | | |
| ListDirectoryAssociations | Retrieve details about the directory connected to AWS Single Sign-On | Read | | | |
| ListPermissionSets | Retrieve all permission sets | Read | | | |
| ListProfileAssociations | Retrieve the directory user or group associated with the profile | Read | | | |
| ListProfiles | Retrieve all profiles for an application instance | Read | | | sso:GetProfile |
| PutMfaDeviceManagementForDirectory | Put Mfa Device Management settings for the directory | Write | | | |
| PutPermissionsPolicy | Add a policy to a permission set | Write | | | |
| StartSSO | Initialize AWS Single Sign-On | Write | | | |
| UpdateApplicationInstanceActiveCertificate | Set a certificate as the active one for this application instance | Write | | | |
| UpdateApplicationInstanceDisplayData | Update display data of an application instance | Write | | | |
| UpdateApplicationInstanceResponseConfiguration | Update federation response configuration for the application instance | Write | | | |
| UpdateApplicationInstanceResponseSchemaConfiguration | Update federation response schema configuration for the application instance | Write | | | |
| UpdateApplicationInstanceSecurityConfiguration | Update security details for the application instance | Write | | | |
| UpdateApplicationInstanceServiceProviderConfiguration | Update service provider related configuration for the application instance | Write | | | |
| UpdateApplicationInstanceStatus | Update the status of an application instance | Write | | | |
| UpdateDirectoryAssociation | Update the user attribute mappings for your connected directory | Write | | | |
| UpdateManagedApplicationInstanceStatus | Update the status of a managed application instance | Write | | | |
| UpdatePermissionSet | Update the permission set | Write | | | |
| UpdateProfile | Update the profile for an application instance | Write | | | |
| UpdateSSOConfiguration | Update the configuration for the current SSO instance | Write | | | |
| UpdateTrust | Update the federation trust in a target account | Write | | | |

Resources Defined by AWS SSO

AWS SSO does not support specifying a resource ARN in the Resource element of an IAM policy statement. To allow access to AWS SSO, specify "Resource": "*" in your policy.
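Two facts on this page are easy to get wrong when writing an IAM policy for the sso prefix: a statement that scopes an sso action to a specific ARN grants (or denies) nothing, because the service only accepts "Resource": "*", and four actions in the table only work if their dependent action is also allowed. The following linter encodes exactly those two rules. It is an added example written for this page, not AWS code; the policy document it checks is a constructed sample, and the instance ARN in it is a placeholder.

```python
"""Lint IAM policy statements that grant AWS SSO (service prefix "sso") actions.

Added example, not AWS code. Two rules are checked, both taken from the
AWS SSO actions table and the Resources section above:
  1. AWS SSO does not support resource ARNs, so every statement that names an
     sso action must use "Resource": "*"; any other value never matches.
  2. GetPermissionsPolicy, ListApplicationInstances, ListApplicationTemplates
     and ListProfiles each have a dependent action that must also be allowed
     somewhere in the policy, or the call is denied at run time.
"""
import fnmatch
import json

# Dependent actions exactly as listed in the actions table on this page.
DEPENDENT_ACTIONS = {
    "sso:GetPermissionsPolicy": ["sso:DescribePermissionsPolicies"],
    "sso:ListApplicationInstances": ["sso:GetApplicationInstance"],
    "sso:ListApplicationTemplates": ["sso:GetApplicationTemplate"],
    "sso:ListProfiles": ["sso:GetProfile"],
}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allowed_actions(policy):
    """Every action pattern granted by any Allow statement in the policy."""
    patterns = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Allow":
            patterns.extend(_as_list(stmt.get("Action")))
    return patterns


def _is_granted(action, patterns):
    """True if some pattern matches the action. IAM action names are
    case-insensitive and allow '*' wildcards (for example sso:Get* or sso:*)."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def lint_sso_policy(policy):
    """Return a list of (statement_index, finding) tuples for an IAM policy dict."""
    findings = []
    granted = _allowed_actions(policy)
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        sso_actions = [a for a in _as_list(stmt.get("Action"))
                       if a.lower().startswith("sso:")]
        if not sso_actions:
            continue
        # Rule 1: any Resource other than "*" silently makes the statement inert,
        # whether its Effect is Allow or Deny.
        resources = _as_list(stmt.get("Resource"))
        if resources != ["*"]:
            findings.append(
                (idx, f'sso actions require "Resource": "*", got {resources}'))
        # Rule 2: for each dependent action, check the dependency is allowed
        # anywhere in the policy (wildcards in either place count).
        if stmt.get("Effect") != "Allow":
            continue
        for action, deps in DEPENDENT_ACTIONS.items():
            if _is_granted(action, sso_actions):
                for dep in deps:
                    if not _is_granted(dep, granted):
                        findings.append((idx, f"{action} also needs {dep}"))
    return findings


# Constructed sample policy (not from the page); the instance ARN is a placeholder.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadPermissionSets",
      "Effect": "Allow",
      "Action": ["sso:ListPermissionSets", "sso:GetPermissionsPolicy"],
      "Resource": "*"
    },
    {
      "Sid": "BrokenScopedStatement",
      "Effect": "Allow",
      "Action": "sso:ListProfiles",
      "Resource": "arn:aws:sso:::instance/EXAMPLE-PLACEHOLDER"
    }
  ]
}
""")

if __name__ == "__main__":
    for index, finding in lint_sso_policy(SAMPLE_POLICY):
        print(f"statement {index}: {finding}")
```

Running it on the sample reports three findings: the first statement allows sso:GetPermissionsPolicy without sso:DescribePermissionsPolicies, and the second statement both scopes an sso action to an ARN (which the service never matches) and allows sso:ListProfiles without sso:GetProfile. Replacing the ARN with "*" and adding the two dependent actions (or a wildcard such as sso:Get* that covers them) brings the finding count to zero.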

Condition Keys for AWS SSO

AWS SSO has no service-specific context keys that can be used in the Condition element of policy statements. For the list of the global context keys that are available to all services, see Available Keys for Conditions in the IAM Policy Reference.