assignments

Creates, updates, deletes or gets an assignment resource or lists assignments in a region

Overview

Name	`assignments`
Type	Resource
Description	Resource Type definition for SSO assignmet
Id	`aws.sso.assignments`

Fields

Name	Datatype	Description
`instance_arn`	`string`	The sso instance that the permission set is owned.
`target_id`	`string`	The account id to be provisioned.
`target_type`	`string`	The type of resource to be provsioned to, only aws account now
`permission_set_arn`	`string`	The permission set that the assignemt will be assigned
`principal_type`	`string`	The assignee's type, user/group
`principal_id`	`string`	The assignee's identifier, user id/group id
`region`	`string`	AWS region.

Methods

Name	Accessible by	Required Params
`create_resource`	`INSERT`	`InstanceArn, TargetId, TargetType, PermissionSetArn, PrincipalType, PrincipalId, region`
`delete_resource`	`DELETE`	`data__Identifier, region`
`list_resources`	`SELECT`	`region`
`get_resource`	`SELECT`	`data__Identifier, region`

`SELECT` examples

Gets all assignments in a region.

SELECT
region,
instance_arn,
target_id,
target_type,
permission_set_arn,
principal_type,
principal_id
FROM aws.sso.assignments
WHERE region = 'us-east-1';

Gets all properties from an individual assignment.

SELECT
region,
instance_arn,
target_id,
target_type,
permission_set_arn,
principal_type,
principal_id
FROM aws.sso.assignments
WHERE region = 'us-east-1' AND data__Identifier = '<InstanceArn>|<TargetId>|<TargetType>|<PermissionSetArn>|<PrincipalType>|<PrincipalId>';

`INSERT` example

Use the following StackQL query and manifest file to create a new assignment resource, using stack-deploy.

Required Properties
All Properties
Manifest

/*+ create */
INSERT INTO aws.sso.assignments (
 InstanceArn,
 TargetId,
 TargetType,
 PermissionSetArn,
 PrincipalType,
 PrincipalId,
 region
)
SELECT 
'{{ InstanceArn }}',
 '{{ TargetId }}',
 '{{ TargetType }}',
 '{{ PermissionSetArn }}',
 '{{ PrincipalType }}',
 '{{ PrincipalId }}',
'{{ region }}';

/*+ create */
INSERT INTO aws.sso.assignments (
 InstanceArn,
 TargetId,
 TargetType,
 PermissionSetArn,
 PrincipalType,
 PrincipalId,
 region
)
SELECT 
 '{{ InstanceArn }}',
 '{{ TargetId }}',
 '{{ TargetType }}',
 '{{ PermissionSetArn }}',
 '{{ PrincipalType }}',
 '{{ PrincipalId }}',
 '{{ region }}';

version: 1
name: stack name
description: stack description
providers:
  - aws
globals:
  - name: region
    value: '{{ vars.AWS_REGION }}'
resources:
  - name: assignment
    props:
      - name: InstanceArn
        value: '{{ InstanceArn }}'
      - name: TargetId
        value: '{{ TargetId }}'
      - name: TargetType
        value: '{{ TargetType }}'
      - name: PermissionSetArn
        value: '{{ PermissionSetArn }}'
      - name: PrincipalType
        value: '{{ PrincipalType }}'
      - name: PrincipalId
        value: '{{ PrincipalId }}'

`DELETE` example

/*+ delete */
DELETE FROM aws.sso.assignments
WHERE data__Identifier = '<InstanceArn|TargetId|TargetType|PermissionSetArn|PrincipalType|PrincipalId>'
AND region = 'us-east-1';

Permissions

To operate on the assignments resource, the following permissions are required:

Create

sso:CreateAccountAssignment,
sso:DescribeAccountAssignmentCreationStatus,
sso:ListAccountAssignments,
iam:GetSAMLProvider,
iam:CreateSAMLProvider,
iam:AttachRolePolicy,
iam:PutRolePolicy,
iam:CreateRole,
iam:ListRolePolicies

Read

sso:ListAccountAssignments,
iam:GetSAMLProvider,
iam:ListRolePolicies

Delete

sso:ListAccountAssignments,
sso:DeleteAccountAssignment,
sso:DescribeAccountAssignmentDeletionStatus,
iam:GetSAMLProvider,
iam:ListRolePolicies

List

sso:ListAccountAssignments,
iam:ListRolePolicies

Overview​

Fields​

Methods​

SELECT examples​

INSERT example​

DELETE example​

Permissions​

Create​

Read​

Delete​

List​