AWS Single Sign-On Admin

2020/09/10 - AWS Single Sign-On Admin - 27 new api methods

Changes: This is an initial release of AWS Single Sign-On (SSO) Access Management APIs. This release adds support for SSO operations which could be used for managing access to AWS accounts.

ListAccountAssignmentCreationStatus (new)

Lists the status of the AWS account assignment creation requests for a specified SSO instance.

See also: AWS API Documentation

Request Syntax

client.list_account_assignment_creation_status(
    InstanceArn='string',
    MaxResults=123,
    NextToken='string',
    Filter={
        'Status': 'IN_PROGRESS'|'FAILED'|'SUCCEEDED'
    }
)
type InstanceArn

string

param InstanceArn

[REQUIRED]

The ARN of the SSO instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

type MaxResults

integer

param MaxResults

The maximum number of results to display for the assignment.

type NextToken

string

param NextToken

The pagination token for the list API. Initially the value is null. Use the output of previous API calls to make subsequent calls.

type Filter

dict

param Filter

Filters results based on the passed attribute value.

  • Status (string) --

    Filters the list operations result based on the status attribute.

rtype

dict

returns

Response Syntax

{
    'AccountAssignmentsCreationStatus': [
        {
            'Status': 'IN_PROGRESS'|'FAILED'|'SUCCEEDED',
            'RequestId': 'string',
            'CreatedDate': datetime(2015, 1, 1)
        },
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • AccountAssignmentsCreationStatus (list) --

      The status object for the account assignment creation operation.

      • (dict) --

        Provides information about the AccountAssignment creation request.

        • Status (string) --

          The status of the permission set provisioning process.

        • RequestId (string) --

          The identifier for tracking the request operation that is generated by the universally unique identifier (UUID) workflow.

        • CreatedDate (datetime) --

          The date that the permission set was created.

    • NextToken (string) --

      The pagination token for the list API. Initially the value is null. Use the output of previous API calls to make subsequent calls.

ListPermissionSetsProvisionedToAccount (new)

Lists all the permission sets that are provisioned to a specified AWS account.

See also: AWS API Documentation

Request Syntax

client.list_permission_sets_provisioned_to_account(
    InstanceArn='string',
    AccountId='string',
    ProvisioningStatus='LATEST_PERMISSION_SET_PROVISIONED'|'LATEST_PERMISSION_SET_NOT_PROVISIONED',
    MaxResults=123,
    NextToken='string'
)
type InstanceArn

string

param InstanceArn

[REQUIRED]

The ARN of the SSO instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

type AccountId

string

param AccountId

[REQUIRED]

The identifier of the AWS account from which to list the assignments.

type ProvisioningStatus

string

param ProvisioningStatus

The status object for the permission set provisioning operation.

type MaxResults

integer

param MaxResults

The maximum number of results to display for the assignment.

type NextToken

string

param NextToken

The pagination token for the list API. Initially the value is null. Use the output of previous API calls to make subsequent calls.

rtype

dict

returns

Response Syntax

{
    'NextToken': 'string',
    'PermissionSets': [
        'string',
    ]
}

Response Structure

  • (dict) --

    • NextToken (string) --

      The pagination token for the list API. Initially the value is null. Use the output of previous API calls to make subsequent calls.

    • PermissionSets (list) --

      Defines the level of access that an AWS account has.

      • (string) --

DeletePermissionSet (new)

Deletes the specified permission set.

See also: AWS API Documentation

Request Syntax

client.delete_permission_set(
    InstanceArn='string',
    PermissionSetArn='string'
)
type InstanceArn

string

param InstanceArn

[REQUIRED]

The ARN of the SSO instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

type PermissionSetArn

string

param PermissionSetArn

[REQUIRED]

The ARN of the permission set that should be deleted.

rtype

dict

returns

Response Syntax

{}

Response Structure

  • (dict) --

ListAccountsForProvisionedPermissionSet (new)

Lists all the AWS accounts where the specified permission set is provisioned.

See also: AWS API Documentation

Request Syntax

client.list_accounts_for_provisioned_permission_set(
    InstanceArn='string',
    PermissionSetArn='string',
    ProvisioningStatus='LATEST_PERMISSION_SET_PROVISIONED'|'LATEST_PERMISSION_SET_NOT_PROVISIONED',
    MaxResults=123,
    NextToken='string'
)
type InstanceArn

string

param InstanceArn

[REQUIRED]

The ARN of the SSO instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

type PermissionSetArn

string

param PermissionSetArn

[REQUIRED]

The ARN of the PermissionSet from which the associated AWS accounts will be listed.

type ProvisioningStatus

string

param ProvisioningStatus

The permission set provisioning status for an AWS account.

type MaxResults

integer

param MaxResults

The maximum number of results to display for the PermissionSet.

type NextToken

string

param NextToken

The pagination token for the list API. Initially the value is null. Use the output of previous API calls to make subsequent calls.

rtype

dict

returns

Response Syntax

{
    'AccountIds': [
        'string',
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • AccountIds (list) --

      The list of AWS AccountIds.

      • (string) --

    • NextToken (string) --

      The pagination token for the list API. Initially the value is null. Use the output of previous API calls to make subsequent calls.

DetachManagedPolicyFromPermissionSet (new)

Detaches the attached IAM managed policy ARN from the specified permission set.

See also: AWS API Documentation

Request Syntax

client.detach_managed_policy_from_permission_set(
    InstanceArn='string',
    PermissionSetArn='string',
    ManagedPolicyArn='string'
)
type InstanceArn

string

param InstanceArn

[REQUIRED]

The ARN of the SSO instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

type PermissionSetArn

string

param PermissionSetArn

[REQUIRED]

The ARN of the PermissionSet from which the policy should be detached.

type ManagedPolicyArn

string

param ManagedPolicyArn

[REQUIRED]

The IAM managed policy ARN to be detached from a permission set.

rtype

dict

returns

Response Syntax

{}

Response Structure

  • (dict) --

UntagResource (new)

Disassociates a set of tags from a specified resource.

See also: AWS API Documentation

Request Syntax

client.untag_resource(
    InstanceArn='string',
    ResourceArn='string',
    TagKeys=[
        'string',
    ]
)
type InstanceArn

string

param InstanceArn

[REQUIRED]

The ARN of the SSO instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

type ResourceArn

string

param ResourceArn

[REQUIRED]

The ARN of the resource with the tags to be listed.

type TagKeys

list

param TagKeys

[REQUIRED]

The keys of tags that are attached to the resource.

  • (string) --

rtype

dict

returns

Response Syntax

{}

Response Structure

  • (dict) --

AttachManagedPolicyToPermissionSet (new)

Attaches an IAM managed policy ARN to a permission set.

See also: AWS API Documentation

Request Syntax

client.attach_managed_policy_to_permission_set(
    InstanceArn='string',
    PermissionSetArn='string',
    ManagedPolicyArn='string'
)
type InstanceArn

string

param InstanceArn

[REQUIRED]

The ARN of the SSO instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

type PermissionSetArn

string

param PermissionSetArn

[REQUIRED]

The ARN of the PermissionSet that the managed policy should be attached to.

type ManagedPolicyArn

string

param ManagedPolicyArn

[REQUIRED]

The IAM managed policy ARN to be attached to a permission set.

rtype

dict

returns

Response Syntax

{}

Response Structure

  • (dict) --

DeleteAccountAssignment (new)

Deletes a principal's access from a specified AWS account using a specified permission set.

See also: AWS API Documentation

Request Syntax

client.delete_account_assignment(
    InstanceArn='string',
    TargetId='string',
    TargetType='AWS_ACCOUNT',
    PermissionSetArn='string',
    PrincipalType='USER'|'GROUP',
    PrincipalId='string'
)
type InstanceArn

string

param InstanceArn

[REQUIRED]

The ARN of the SSO instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

type TargetId

string

param TargetId

[REQUIRED]

The identifier for the chosen target.

type TargetType

string

param TargetType

[REQUIRED]

The entity type for which the assignment will be deleted.

type PermissionSetArn

string

param PermissionSetArn

[REQUIRED]

The ARN of the permission set that will be used to remove access.

type PrincipalType

string

param PrincipalType

[REQUIRED]

The entity type for which the assignment will be deleted.

type PrincipalId

string

param PrincipalId

[REQUIRED]

The identifier of the principal.

rtype

dict

returns

Response Syntax

{
    'AccountAssignmentDeletionStatus': {
        'Status': 'IN_PROGRESS'|'FAILED'|'SUCCEEDED',
        'RequestId': 'string',
        'FailureReason': 'string',
        'TargetId': 'string',
        'TargetType': 'AWS_ACCOUNT',
        'PermissionSetArn': 'string',
        'PrincipalType': 'USER'|'GROUP',
        'PrincipalId': 'string',
        'CreatedDate': datetime(2015, 1, 1)
    }
}

Response Structure

  • (dict) --

    • AccountAssignmentDeletionStatus (dict) --

      The status object for the account assignment deletion operation.

      • Status (string) --

        The status of the permission set provisioning process.

      • RequestId (string) --

        The identifier for tracking the request operation that is generated by the universally unique identifier (UUID) workflow.

      • FailureReason (string) --

        The message that contains an error or exception in case of an operation failure.

      • TargetId (string) --

        The identifier for the chosen target.

      • TargetType (string) --

        The entity type for which the assignment will be created.

      • PermissionSetArn (string) --

        The ARN of the permission set. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

      • PrincipalType (string) --

        The entity type for which the assignment will be created.

      • PrincipalId (string) --

        The identifier of the principal.

      • CreatedDate (datetime) --

        The date that the permission set was created.

ListPermissionSets (new)

Lists the PermissionSets in an SSO instance.

See also: AWS API Documentation

Request Syntax

client.list_permission_sets(
    InstanceArn='string',
    NextToken='string',
    MaxResults=123
)
type InstanceArn

string

param InstanceArn

[REQUIRED]

The ARN of the SSO instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

type NextToken

string

param NextToken

The pagination token for the list API. Initially the value is null. Use the output of previous API calls to make subsequent calls.

type MaxResults

integer

param MaxResults

The maximum number of results to display for the assignment.

rtype

dict

returns

Response Syntax

{
    'PermissionSets': [
        'string',
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • PermissionSets (list) --

      Defines the level of access on an AWS account.

      • (string) --

    • NextToken (string) --

      The pagination token for the list API. Initially the value is null. Use the output of previous API calls to make subsequent calls.

DescribePermissionSet (new)

Gets the details of the permission set.

See also: AWS API Documentation

Request Syntax

client.describe_permission_set(
    InstanceArn='string',
    PermissionSetArn='string'
)
type InstanceArn

string

param InstanceArn

[REQUIRED]

The ARN of the SSO instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

type PermissionSetArn

string

param PermissionSetArn

[REQUIRED]

The ARN of the permission set.

rtype

dict

returns

Response Syntax

{
    'PermissionSet': {
        'Name': 'string',
        'PermissionSetArn': 'string',
        'Description': 'string',
        'CreatedDate': datetime(2015, 1, 1),
        'SessionDuration': 'string',
        'RelayState': 'string'
    }
}

Response Structure

  • (dict) --

    • PermissionSet (dict) --

      Describes the level of access on an AWS account.

      • Name (string) --

        The name of the permission set.

      • PermissionSetArn (string) --

        The ARN of the permission set. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

      • Description (string) --

        The description of the PermissionSet.

      • CreatedDate (datetime) --

        The date that the permission set was created.

      • SessionDuration (string) --

        The length of time that the application user sessions are valid for in the ISO-8601 standard.

      • RelayState (string) --

        Used to redirect users within the application during the federation authentication process.

ProvisionPermissionSet (new)

The process by which a specified permission set is provisioned to the specified target.

See also: AWS API Documentation

Request Syntax

client.provision_permission_set(
    InstanceArn='string',
    PermissionSetArn='string',
    TargetId='string',
    TargetType='AWS_ACCOUNT'|'ALL_PROVISIONED_ACCOUNTS'
)
type InstanceArn

string

param InstanceArn

[REQUIRED]

The ARN of the SSO instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

type PermissionSetArn

string

param PermissionSetArn

[REQUIRED]

The ARN of the permission set.

type TargetId

string

param TargetId

The identifier for the chosen target.

type TargetType

string

param TargetType

[REQUIRED]

The entity type for which the assignment will be created.

rtype

dict

returns

Response Syntax

{
    'PermissionSetProvisioningStatus': {
        'Status': 'IN_PROGRESS'|'FAILED'|'SUCCEEDED',
        'RequestId': 'string',
        'AccountId': 'string',
        'PermissionSetArn': 'string',
        'FailureReason': 'string',
        'CreatedDate': datetime(2015, 1, 1)
    }
}

Response Structure

  • (dict) --

    • PermissionSetProvisioningStatus (dict) --

      The status object for the permission set provisioning operation.

      • Status (string) --

        The status of the permission set provisioning process.

      • RequestId (string) --

        The identifier for tracking the request operation that is generated by the universally unique identifier (UUID) workflow.

      • AccountId (string) --

        The identifier of the AWS account from which to list the assignments.

      • PermissionSetArn (string) --

        The ARN of the permission set that is being provisioned. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

      • FailureReason (string) --

        The message that contains an error or exception in case of an operation failure.

      • CreatedDate (datetime) --

        The date that the permission set was created.

CreatePermissionSet (new)

Creates a permission set within a specified SSO instance.

See also: AWS API Documentation

Request Syntax

client.create_permission_set(
    Name='string',
    Description='string',
    InstanceArn='string',
    SessionDuration='string',
    RelayState='string',
    Tags=[
        {
            'Key': 'string',
            'Value': 'string'
        },
    ]
)
type Name

string

param Name

[REQUIRED]

The name of the PermissionSet.

type Description

string

param Description

The description of the PermissionSet.

type InstanceArn

string

param InstanceArn

[REQUIRED]

The ARN of the SSO instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

type SessionDuration

string

param SessionDuration

The length of time that the application user sessions are valid in the ISO-8601 standard.

type RelayState

string

param RelayState

Used to redirect users within the application during the federation authentication process.

type Tags

list

param Tags

The tags to attach to the new PermissionSet.

  • (dict) --

    A set of key-value pairs that are used to manage the resource. Tags can only be applied to permission sets and cannot be applied to corresponding roles that AWS SSO creates in AWS accounts.

    • Key (string) --

      The key for the tag.

    • Value (string) --

      The value of the tag.

rtype

dict

returns

Response Syntax

{
    'PermissionSet': {
        'Name': 'string',
        'PermissionSetArn': 'string',
        'Description': 'string',
        'CreatedDate': datetime(2015, 1, 1),
        'SessionDuration': 'string',
        'RelayState': 'string'
    }
}

Response Structure

  • (dict) --

    • PermissionSet (dict) --

      Defines the level of access on an AWS account.

      • Name (string) --

        The name of the permission set.

      • PermissionSetArn (string) --

        The ARN of the permission set. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

      • Description (string) --

        The description of the PermissionSet.

      • CreatedDate (datetime) --

        The date that the permission set was created.

      • SessionDuration (string) --

        The length of time that the application user sessions are valid for in the ISO-8601 standard.

      • RelayState (string) --

        Used to redirect users within the application during the federation authentication process.

CreateAccountAssignment (new)

Assigns access to a principal for a specified AWS account using a specified permission set.

Note

The term principal here refers to a user or group that is defined in AWS SSO.

See also: AWS API Documentation

Request Syntax

client.create_account_assignment(
    InstanceArn='string',
    TargetId='string',
    TargetType='AWS_ACCOUNT',
    PermissionSetArn='string',
    PrincipalType='USER'|'GROUP',
    PrincipalId='string'
)
type InstanceArn

string

param InstanceArn

[REQUIRED]

The ARN of the SSO instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

type TargetId

string

param TargetId

[REQUIRED]

The identifier for the chosen target.

type TargetType

string

param TargetType

[REQUIRED]

The entity type for which the assignment will be created.

type PermissionSetArn

string

param PermissionSetArn

[REQUIRED]

The ARN of the permission set that the admin wants to grant the principal access to.

type PrincipalType

string

param PrincipalType

[REQUIRED]

The entity type for which the assignment will be created.

type PrincipalId

string

param PrincipalId

[REQUIRED]

The identifier of the principal.

rtype

dict

returns

Response Syntax

{
    'AccountAssignmentCreationStatus': {
        'Status': 'IN_PROGRESS'|'FAILED'|'SUCCEEDED',
        'RequestId': 'string',
        'FailureReason': 'string',
        'TargetId': 'string',
        'TargetType': 'AWS_ACCOUNT',
        'PermissionSetArn': 'string',
        'PrincipalType': 'USER'|'GROUP',
        'PrincipalId': 'string',
        'CreatedDate': datetime(2015, 1, 1)
    }
}

Response Structure

  • (dict) --

    • AccountAssignmentCreationStatus (dict) --

      The status object for the account assignment creation operation.

      • Status (string) --

        The status of the permission set provisioning process.

      • RequestId (string) --

        The identifier for tracking the request operation that is generated by the universally unique identifier (UUID) workflow.

      • FailureReason (string) --

        The message that contains an error or exception in case of an operation failure.

      • TargetId (string) --

        The identifier for the chosen target.

      • TargetType (string) --

        The entity type for which the assignment will be created.

      • PermissionSetArn (string) --

        The ARN of the permission set. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

      • PrincipalType (string) --

        The entity type for which the assignment will be created.

      • PrincipalId (string) --

        The identifier of the principal.

      • CreatedDate (datetime) --

        The date that the permission set was created.

ListAccountAssignmentDeletionStatus (new)

Lists the status of the AWS account assignment deletion requests for a specified SSO instance.

See also: AWS API Documentation

Request Syntax

client.list_account_assignment_deletion_status(
    InstanceArn='string',
    MaxResults=123,
    NextToken='string',
    Filter={
        'Status': 'IN_PROGRESS'|'FAILED'|'SUCCEEDED'
    }
)
type InstanceArn

string

param InstanceArn

[REQUIRED]

The ARN of the SSO instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

type MaxResults

integer

param MaxResults

The maximum number of results to display for the assignment.

type NextToken

string

param NextToken

The pagination token for the list API. Initially the value is null. Use the output of previous API calls to make subsequent calls.

type Filter

dict

param Filter

Filters results based on the passed attribute value.

  • Status (string) --

    Filters the list operations result based on the status attribute.

rtype

dict

returns

Response Syntax

{
    'AccountAssignmentsDeletionStatus': [
        {
            'Status': 'IN_PROGRESS'|'FAILED'|'SUCCEEDED',
            'RequestId': 'string',
            'CreatedDate': datetime(2015, 1, 1)
        },
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • AccountAssignmentsDeletionStatus (list) --

      The status object for the account assignment deletion operation.

      • (dict) --

        Provides information about the AccountAssignment creation request.

        • Status (string) --

          The status of the permission set provisioning process.

        • RequestId (string) --

          The identifier for tracking the request operation that is generated by the universally unique identifier (UUID) workflow.

        • CreatedDate (datetime) --

          The date that the permission set was created.

    • NextToken (string) --

      The pagination token for the list API. Initially the value is null. Use the output of previous API calls to make subsequent calls.

DescribePermissionSetProvisioningStatus (new)

Describes the status for the given permission set provisioning request.

See also: AWS API Documentation

Request Syntax

client.describe_permission_set_provisioning_status(
    InstanceArn='string',
    ProvisionPermissionSetRequestId='string'
)
type InstanceArn

string

param InstanceArn

[REQUIRED]

The ARN of the SSO instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

type ProvisionPermissionSetRequestId

string

param ProvisionPermissionSetRequestId

[REQUIRED]

The identifier that is provided by the ProvisionPermissionSet call to retrieve the current status of the provisioning workflow.

rtype

dict

returns

Response Syntax

{
    'PermissionSetProvisioningStatus': {
        'Status': 'IN_PROGRESS'|'FAILED'|'SUCCEEDED',
        'RequestId': 'string',
        'AccountId': 'string',
        'PermissionSetArn': 'string',
        'FailureReason': 'string',
        'CreatedDate': datetime(2015, 1, 1)
    }
}

Response Structure

  • (dict) --

    • PermissionSetProvisioningStatus (dict) --

      The status object for the permission set provisioning operation.

      • Status (string) --

        The status of the permission set provisioning process.

      • RequestId (string) --

        The identifier for tracking the request operation that is generated by the universally unique identifier (UUID) workflow.

      • AccountId (string) --

        The identifier of the AWS account from which to list the assignments.

      • PermissionSetArn (string) --

        The ARN of the permission set that is being provisioned. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

      • FailureReason (string) --

        The message that contains an error or exception in case of an operation failure.

      • CreatedDate (datetime) --

        The date that the permission set was created.
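ProvisionPermissionSet returns a RequestId with a Status that may still be IN_PROGRESS, so a caller has to poll DescribePermissionSetProvisioningStatus to learn the outcome. The following is an added example, not part of the original API documentation: the helper, the exception class and the FakeProvisioner stand-in (with its constructed RequestId) are hypothetical names; only the two client methods and the response fields come from this page.

```python
import time


class ProvisioningFailed(Exception):
    """Raised when the provisioning request ends with Status == 'FAILED'."""


def provision_and_wait(client, instance_arn, permission_set_arn,
                       target_type="ALL_PROVISIONED_ACCOUNTS", target_id=None,
                       poll_seconds=2.0, timeout_seconds=300.0,
                       sleep=time.sleep, clock=time.monotonic):
    """Start provisioning and block until the request leaves IN_PROGRESS.

    `client` is anything exposing the two methods documented on this page,
    for example boto3.client("sso-admin"). Returns the final status dict.
    """
    params = {
        "InstanceArn": instance_arn,
        "PermissionSetArn": permission_set_arn,
        "TargetType": target_type,
    }
    if target_id is not None:
        params["TargetId"] = target_id

    status = client.provision_permission_set(**params)["PermissionSetProvisioningStatus"]
    deadline = clock() + timeout_seconds

    while status["Status"] == "IN_PROGRESS":
        if clock() >= deadline:
            raise TimeoutError("request %s still IN_PROGRESS" % status["RequestId"])
        sleep(poll_seconds)
        status = client.describe_permission_set_provisioning_status(
            InstanceArn=instance_arn,
            ProvisionPermissionSetRequestId=status["RequestId"],
        )["PermissionSetProvisioningStatus"]

    if status["Status"] == "FAILED":
        # FailureReason carries the error message for a failed operation.
        raise ProvisioningFailed(status.get("FailureReason", "no FailureReason returned"))
    return status


class FakeProvisioner:
    """Offline stand-in (constructed data) that replays a list of statuses."""

    def __init__(self, outcomes, failure_reason="constructed failure"):
        self.outcomes = list(outcomes)   # statuses returned by successive describe calls
        self.failure_reason = failure_reason
        self.describe_calls = 0
        self.request = None

    def provision_permission_set(self, **kwargs):
        self.request = kwargs
        return {"PermissionSetProvisioningStatus": {
            "Status": "IN_PROGRESS", "RequestId": "req-constructed-1"}}

    def describe_permission_set_provisioning_status(self, InstanceArn,
                                                    ProvisionPermissionSetRequestId):
        index = min(self.describe_calls, len(self.outcomes) - 1)
        self.describe_calls += 1
        body = {"Status": self.outcomes[index],
                "RequestId": ProvisionPermissionSetRequestId}
        if body["Status"] == "FAILED":
            body["FailureReason"] = self.failure_reason
        return {"PermissionSetProvisioningStatus": body}


if __name__ == "__main__":
    fake = FakeProvisioner(["IN_PROGRESS", "SUCCEEDED"])
    final = provision_and_wait(fake, "arn:aws:sso:::instance/ssoins-EXAMPLE",
                               "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-EXAMPLE",
                               sleep=lambda _s: None)
    print(final["Status"], "after", fake.describe_calls, "status checks")
```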

PutInlinePolicyToPermissionSet (new)

Attaches an IAM inline policy to a permission set.

See also: AWS API Documentation

Request Syntax

client.put_inline_policy_to_permission_set(
    InstanceArn='string',
    PermissionSetArn='string',
    InlinePolicy='string'
)
type InstanceArn

string

param InstanceArn

[REQUIRED]

The ARN of the SSO instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

type PermissionSetArn

string

param PermissionSetArn

[REQUIRED]

The ARN of the permission set.

type InlinePolicy

string

param InlinePolicy

[REQUIRED]

The IAM inline policy to attach to a PermissionSet.

rtype

dict

returns

Response Syntax

{}

Response Structure

  • (dict) --

ListAccountAssignments (new)

Lists the assignee of the specified AWS account with the specified permission set.

See also: AWS API Documentation

Request Syntax

client.list_account_assignments(
    InstanceArn='string',
    AccountId='string',
    PermissionSetArn='string',
    MaxResults=123,
    NextToken='string'
)
type InstanceArn

string

param InstanceArn

[REQUIRED]

The ARN of the SSO instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

type AccountId

string

param AccountId

[REQUIRED]

The identifier of the AWS account from which to list the assignments.

type PermissionSetArn

string

param PermissionSetArn

[REQUIRED]

The ARN of the permission set from which to list assignments.

type MaxResults

integer

param MaxResults

The maximum number of results to display for the assignment.

type NextToken

string

param NextToken

The pagination token for the list API. Initially the value is null. Use the output of previous API calls to make subsequent calls.

rtype

dict

returns

Response Syntax

{
    'AccountAssignments': [
        {
            'AccountId': 'string',
            'PermissionSetArn': 'string',
            'PrincipalType': 'USER'|'GROUP',
            'PrincipalId': 'string'
        },
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • AccountAssignments (list) --

      The list of assignments that match the input AWS account and permission set.

      • (dict) --

        The assignment that indicates a principal's limited access to a specified AWS account with a specified permission set.

        Note

        The term principal here refers to a user or group that is defined in AWS SSO.

        • AccountId (string) --

          The identifier of the AWS account.

        • PermissionSetArn (string) --

          The ARN of the permission set. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

        • PrincipalType (string) --

          The entity type for which the assignment will be created.

        • PrincipalId (string) --

          The identifier of the principal.

    • NextToken (string) --

      The pagination token for the list API. Initially the value is null. Use the output of previous API calls to make subsequent calls.
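ListAccountAssignments needs both an account and a permission set, so a full "who can reach which account" inventory means chaining ListPermissionSets, ListAccountsForProvisionedPermissionSet and ListAccountAssignments, following NextToken on each. The following is an added example, not part of the original API documentation: the helper names, the Grant tuple and the FakeSSOAdmin stand-in with its constructed ARNs, account IDs and principals are hypothetical; the client methods and response keys are the ones documented on this page.

```python
from collections import namedtuple

Grant = namedtuple("Grant", "account_id permission_set principal_type principal_id")


def paginate(method, result_key, **kwargs):
    """Yield every item under result_key, following NextToken until it is absent."""
    token = None
    while True:
        if token:
            kwargs["NextToken"] = token
        page = method(**kwargs)
        yield from page.get(result_key, [])
        token = page.get("NextToken")
        if not token:
            return


def inventory(client, instance_arn):
    """Return one Grant per (account, permission set, principal) assignment.

    `client` is anything exposing the documented methods, for example
    boto3.client("sso-admin").
    """
    grants = []
    for ps_arn in paginate(client.list_permission_sets, "PermissionSets",
                           InstanceArn=instance_arn):
        name = client.describe_permission_set(
            InstanceArn=instance_arn, PermissionSetArn=ps_arn)["PermissionSet"]["Name"]
        for account_id in paginate(client.list_accounts_for_provisioned_permission_set,
                                   "AccountIds", InstanceArn=instance_arn,
                                   PermissionSetArn=ps_arn):
            for a in paginate(client.list_account_assignments, "AccountAssignments",
                              InstanceArn=instance_arn, AccountId=account_id,
                              PermissionSetArn=ps_arn):
                grants.append(Grant(a["AccountId"], name,
                                    a["PrincipalType"], a["PrincipalId"]))
    return grants


def direct_user_grants(grants):
    """Grants made to an individual USER rather than a GROUP (a review item chosen for this example)."""
    return [g for g in grants if g.principal_type == "USER"]


class FakeSSOAdmin:
    """Offline stand-in returning constructed data, one item per page."""

    def __init__(self, names, accounts, assignments):
        self.names, self.accounts, self.assignments = names, accounts, assignments

    @staticmethod
    def _page(items, key, token):
        start = int(token or 0)
        page = {key: items[start:start + 1]}
        if start + 1 < len(items):
            page["NextToken"] = str(start + 1)
        return page

    def list_permission_sets(self, InstanceArn, NextToken=None):
        return self._page(sorted(self.names), "PermissionSets", NextToken)

    def describe_permission_set(self, InstanceArn, PermissionSetArn):
        return {"PermissionSet": {"Name": self.names[PermissionSetArn],
                                  "PermissionSetArn": PermissionSetArn}}

    def list_accounts_for_provisioned_permission_set(self, InstanceArn,
                                                     PermissionSetArn, NextToken=None):
        return self._page(self.accounts[PermissionSetArn], "AccountIds", NextToken)

    def list_account_assignments(self, InstanceArn, AccountId,
                                 PermissionSetArn, NextToken=None):
        items = [a for a in self.assignments
                 if a["AccountId"] == AccountId and a["PermissionSetArn"] == PermissionSetArn]
        return self._page(items, "AccountAssignments", NextToken)


def demo():
    """Run the inventory against constructed sample data."""
    admin = "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-admin"
    ro = "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-readonly"

    def row(acct, ps, ptype, pid):
        return {"AccountId": acct, "PermissionSetArn": ps,
                "PrincipalType": ptype, "PrincipalId": pid}

    client = FakeSSOAdmin(
        names={admin: "AdminAccess", ro: "ReadOnly"},
        accounts={admin: ["111111111111"], ro: ["111111111111", "222222222222"]},
        assignments=[row("111111111111", admin, "USER", "user-0001"),
                     row("111111111111", admin, "GROUP", "group-ops"),
                     row("111111111111", ro, "GROUP", "group-dev"),
                     row("222222222222", ro, "GROUP", "group-dev")])
    return inventory(client, "arn:aws:sso:::instance/ssoins-EXAMPLE")


if __name__ == "__main__":
    for grant in demo():
        print(*grant, sep="\t")
```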

ListPermissionSetProvisioningStatus (new)

Lists the status of the permission set provisioning requests for a specified SSO instance.

See also: AWS API Documentation

Request Syntax

client.list_permission_set_provisioning_status(
    InstanceArn='string',
    MaxResults=123,
    NextToken='string',
    Filter={
        'Status': 'IN_PROGRESS'|'FAILED'|'SUCCEEDED'
    }
)
type InstanceArn

string

param InstanceArn

[REQUIRED]

The ARN of the SSO instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

type MaxResults

integer

param MaxResults

The maximum number of results to display for the assignment.

type NextToken

string

param NextToken

The pagination token for the list API. Initially the value is null. Use the output of previous API calls to make subsequent calls.

type Filter

dict

param Filter

Filters results based on the passed attribute value.

  • Status (string) --

    Filters the list operations result based on the status attribute.

rtype

dict

returns

Response Syntax

{
    'PermissionSetsProvisioningStatus': [
        {
            'Status': 'IN_PROGRESS'|'FAILED'|'SUCCEEDED',
            'RequestId': 'string',
            'CreatedDate': datetime(2015, 1, 1)
        },
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • PermissionSetsProvisioningStatus (list) --

      The status object for the permission set provisioning operation.

      • (dict) --

        Provides information about the permission set provisioning status.

        • Status (string) --

          The status of the permission set provisioning process.

        • RequestId (string) --

          The identifier for tracking the request operation that is generated by the universally unique identifier (UUID) workflow.

        • CreatedDate (datetime) --

          The date that the permission set was created.

    • NextToken (string) --

      The pagination token for the list API. Initially the value is null. Use the output of previous API calls to make subsequent calls.

DescribeAccountAssignmentDeletionStatus (new)

Describes the status of the assignment deletion request.

See also: AWS API Documentation

Request Syntax

client.describe_account_assignment_deletion_status(
    InstanceArn='string',
    AccountAssignmentDeletionRequestId='string'
)
type InstanceArn

string

param InstanceArn

[REQUIRED]

The ARN of the SSO instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

type AccountAssignmentDeletionRequestId

string

param AccountAssignmentDeletionRequestId

[REQUIRED]

The identifier that is used to track the request operation progress.

rtype

dict

returns

Response Syntax

{
    'AccountAssignmentDeletionStatus': {
        'Status': 'IN_PROGRESS'|'FAILED'|'SUCCEEDED',
        'RequestId': 'string',
        'FailureReason': 'string',
        'TargetId': 'string',
        'TargetType': 'AWS_ACCOUNT',
        'PermissionSetArn': 'string',
        'PrincipalType': 'USER'|'GROUP',
        'PrincipalId': 'string',
        'CreatedDate': datetime(2015, 1, 1)
    }
}

Response Structure

  • (dict) --

    • AccountAssignmentDeletionStatus (dict) --

      The status object for the account assignment deletion operation.

      • Status (string) --

        The status of the permission set provisioning process.

      • RequestId (string) --

        The identifier for tracking the request operation that is generated by the universally unique identifier (UUID) workflow.

      • FailureReason (string) --

        The message that contains an error or exception in case of an operation failure.

      • TargetId (string) --

        The identifier for the chosen target.

      • TargetType (string) --

        The entity type for which the assignment will be created.

      • PermissionSetArn (string) --

        The ARN of the permission set. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

      • PrincipalType (string) --

        The entity type for which the assignment will be created.

      • PrincipalId (string) --

        The identifier of the principal.

      • CreatedDate (datetime) --

        The date that the permission set was created.
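
Because deletion is asynchronous, a revocation workflow should not treat access as removed until the request reports SUCCEEDED. The sketch below is an added example, not AWS's code: confirm_revocation, RevocationNotConfirmed and ScriptedClient are hypothetical names, and the ARN and identifiers are constructed so that it runs offline in place of boto3.client('sso-admin').

```python
import time

class RevocationNotConfirmed(Exception):
    """Raised when an assignment deletion did not reach SUCCEEDED."""

def confirm_revocation(client, instance_arn, request_id,
                       attempts=10, delay=2.0, sleep=time.sleep):
    """Poll until the deletion request is terminal; return it on SUCCEEDED.

    Raises RevocationNotConfirmed on FAILED, or if the request is still
    IN_PROGRESS after `attempts` polls, so callers never assume removal.
    """
    for _ in range(attempts):
        resp = client.describe_account_assignment_deletion_status(
            InstanceArn=instance_arn,
            AccountAssignmentDeletionRequestId=request_id)
        status = resp["AccountAssignmentDeletionStatus"]
        if status["Status"] == "SUCCEEDED":
            return status
        if status["Status"] == "FAILED":
            raise RevocationNotConfirmed(
                f"deletion FAILED for {status.get('PrincipalType')} "
                f"{status.get('PrincipalId')} on {status.get('TargetId')}: "
                f"{status.get('FailureReason', 'no reason given')}")
        sleep(delay)
    raise RevocationNotConfirmed(f"request {request_id} still IN_PROGRESS")

class ScriptedClient:
    """Constructed stand-in for boto3.client('sso-admin'); replays statuses."""
    def __init__(self, statuses):
        self._statuses = iter(statuses)

    def describe_account_assignment_deletion_status(self, **_):
        return {"AccountAssignmentDeletionStatus": next(self._statuses)}

# Constructed sample values, not real identifiers.
INSTANCE = "arn:aws:sso:::instance/ssoins-EXAMPLE"
BASE = {"RequestId": "req-example", "TargetId": "111122223333",
        "TargetType": "AWS_ACCOUNT", "PrincipalType": "USER",
        "PrincipalId": "user-example"}

def demo():
    """IN_PROGRESS on the first poll, SUCCEEDED on the second."""
    client = ScriptedClient([{**BASE, "Status": "IN_PROGRESS"},
                             {**BASE, "Status": "SUCCEEDED"}])
    return confirm_revocation(client, INSTANCE, "req-example",
                              sleep=lambda _s: None)
```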

GetInlinePolicyForPermissionSet (new)

Obtains the inline policy assigned to the permission set.

See also: AWS API Documentation

Request Syntax

client.get_inline_policy_for_permission_set(
    InstanceArn='string',
    PermissionSetArn='string'
)
type InstanceArn

string

param InstanceArn

[REQUIRED]

The ARN of the SSO instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

type PermissionSetArn

string

param PermissionSetArn

[REQUIRED]

The ARN of the permission set.

rtype

dict

returns

Response Syntax

{
    'InlinePolicy': 'string'
}

Response Structure

  • (dict) --

    • InlinePolicy (string) --

      The IAM inline policy that is attached to the permission set.

DeleteInlinePolicyFromPermissionSet (new)

Deletes the inline policy from a specified permission set.

See also: AWS API Documentation

Request Syntax

client.delete_inline_policy_from_permission_set(
    InstanceArn='string',
    PermissionSetArn='string'
)
type InstanceArn

string

param InstanceArn

[REQUIRED]

The ARN of the SSO instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

type PermissionSetArn

string

param PermissionSetArn

[REQUIRED]

The ARN of the permission set that will be used to remove access.

rtype

dict

returns

Response Syntax

{}

Response Structure

  • (dict) --

ListManagedPoliciesInPermissionSet (new)

Lists the IAM managed policy that is attached to a specified permission set.

See also: AWS API Documentation

Request Syntax

client.list_managed_policies_in_permission_set(
    InstanceArn='string',
    PermissionSetArn='string',
    MaxResults=123,
    NextToken='string'
)
type InstanceArn

string

param InstanceArn

[REQUIRED]

The ARN of the SSO instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

type PermissionSetArn

string

param PermissionSetArn

[REQUIRED]

The ARN of the PermissionSet whose managed policies will be listed.

type MaxResults

integer

param MaxResults

The maximum number of results to display for the PermissionSet.

type NextToken

string

param NextToken

The pagination token for the list API. Initially the value is null. Use the output of previous API calls to make subsequent calls.

rtype

dict

returns

Response Syntax

{
    'AttachedManagedPolicies': [
        {
            'Name': 'string',
            'Arn': 'string'
        },
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • AttachedManagedPolicies (list) --

      The array of the AttachedManagedPolicy data type object.

      • (dict) --

        A structure that stores the details of the IAM managed policy.

    • NextToken (string) --

      The pagination token for the list API. Initially the value is null. Use the output of previous API calls to make subsequent calls.
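
GetInlinePolicyForPermissionSet and ListManagedPoliciesInPermissionSet together show everything a permission set grants, provided the listing follows NextToken to the end; a reviewer who reads only the first page can miss an attached policy. The audit below is an added example, not AWS's code: the function names and FakeSsoAdmin (a constructed stand-in for boto3.client('sso-admin') with constructed data) are hypothetical, and the wildcard check is deliberately narrow, matching only an Allow of Action "*" on Resource "*".

```python
import json

def _as_list(value):
    return value if isinstance(value, list) else [value]

def wildcard_statements(policy_json):
    """Return Allow statements that grant Action "*" on Resource "*"."""
    if not policy_json:  # empty string: no inline policy attached
        return []
    doc = json.loads(policy_json)
    return [s for s in _as_list(doc.get("Statement", []))
            if s.get("Effect") == "Allow"
            and "*" in _as_list(s.get("Action", []))
            and "*" in _as_list(s.get("Resource", []))]

def managed_policies(client, instance_arn, ps_arn):
    """Follow NextToken until every attached managed policy is collected."""
    found, kwargs = [], {}
    while True:
        page = client.list_managed_policies_in_permission_set(
            InstanceArn=instance_arn, PermissionSetArn=ps_arn, **kwargs)
        found.extend(page.get("AttachedManagedPolicies", []))
        if not page.get("NextToken"):
            return found
        kwargs = {"NextToken": page["NextToken"]}

def audit_permission_set(client, instance_arn, ps_arn):
    """Summarise what one permission set grants, for review."""
    inline = client.get_inline_policy_for_permission_set(
        InstanceArn=instance_arn, PermissionSetArn=ps_arn)
    managed = managed_policies(client, instance_arn, ps_arn)
    return {"managed": sorted(p["Name"] for p in managed),
            "wildcard_inline": wildcard_statements(inline.get("InlinePolicy"))}

class FakeSsoAdmin:
    """Constructed stand-in for boto3.client('sso-admin'), two result pages."""
    IAM = "arn:aws:iam::aws:policy/"
    PAGES = {None: {"AttachedManagedPolicies": [
                 {"Name": "ReadOnlyAccess", "Arn": IAM + "ReadOnlyAccess"}],
                 "NextToken": "t1"},
             "t1": {"AttachedManagedPolicies": [
                 {"Name": "AdministratorAccess", "Arn": IAM + "AdministratorAccess"}]}}
    INLINE = json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"},
        {"Effect": "Allow", "Action": ["*"], "Resource": "*"}]})
    def list_managed_policies_in_permission_set(self, NextToken=None, **_):
        return self.PAGES[NextToken]
    def get_inline_policy_for_permission_set(self, **_):
        return {"InlinePolicy": self.INLINE}
```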

DescribeAccountAssignmentCreationStatus (new)

Describes the status of the assignment creation request.

See also: AWS API Documentation

Request Syntax

client.describe_account_assignment_creation_status(
    InstanceArn='string',
    AccountAssignmentCreationRequestId='string'
)
type InstanceArn

string

param InstanceArn

[REQUIRED]

The ARN of the SSO instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

type AccountAssignmentCreationRequestId

string

param AccountAssignmentCreationRequestId

[REQUIRED]

The identifier that is used to track the request operation progress.

rtype

dict

returns

Response Syntax

{
    'AccountAssignmentCreationStatus': {
        'Status': 'IN_PROGRESS'|'FAILED'|'SUCCEEDED',
        'RequestId': 'string',
        'FailureReason': 'string',
        'TargetId': 'string',
        'TargetType': 'AWS_ACCOUNT',
        'PermissionSetArn': 'string',
        'PrincipalType': 'USER'|'GROUP',
        'PrincipalId': 'string',
        'CreatedDate': datetime(2015, 1, 1)
    }
}

Response Structure

  • (dict) --

    • AccountAssignmentCreationStatus (dict) --

      The status object for the account assignment creation operation.

      • Status (string) --

        The status of the permission set provisioning process.

      • RequestId (string) --

        The identifier for tracking the request operation that is generated by the universally unique identifier (UUID) workflow.

      • FailureReason (string) --

        The message that contains an error or exception in case of an operation failure.

      • TargetId (string) --

        The identifier for the chosen target.

      • TargetType (string) --

        The entity type for which the assignment will be created.

      • PermissionSetArn (string) --

        The ARN of the permission set. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

      • PrincipalType (string) --

        The entity type for which the assignment will be created.

      • PrincipalId (string) --

        The identifier of the principal.

      • CreatedDate (datetime) --

        The date that the permission set was created.

TagResource (new)

Associates a set of tags with a specified resource.

See also: AWS API Documentation

Request Syntax

client.tag_resource(
    InstanceArn='string',
    ResourceArn='string',
    Tags=[
        {
            'Key': 'string',
            'Value': 'string'
        },
    ]
)
type InstanceArn

string

param InstanceArn

[REQUIRED]

The ARN of the SSO instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

type ResourceArn

string

param ResourceArn

[REQUIRED]

The ARN of the resource with the tags to be listed.

type Tags

list

param Tags

[REQUIRED]

A set of key-value pairs that are used to manage the resource.

  • (dict) --

    A set of key-value pairs that are used to manage the resource. Tags can only be applied to permission sets and cannot be applied to corresponding roles that AWS SSO creates in AWS accounts.

    • Key (string) --

      The key for the tag.

    • Value (string) --

      The value of the tag.

rtype

dict

returns

Response Syntax

{}

Response Structure

  • (dict) --

UpdatePermissionSet (new)

Updates an existing permission set.

See also: AWS API Documentation

Request Syntax

client.update_permission_set(
    InstanceArn='string',
    PermissionSetArn='string',
    Description='string',
    SessionDuration='string',
    RelayState='string'
)
type InstanceArn

string

param InstanceArn

[REQUIRED]

The ARN of the SSO instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

type PermissionSetArn

string

param PermissionSetArn

[REQUIRED]

The ARN of the permission set.

type Description

string

param Description

The description of the PermissionSet.

type SessionDuration

string

param SessionDuration

The length of time that the application user sessions are valid, expressed in the ISO-8601 standard.

type RelayState

string

param RelayState

Used to redirect users within the application during the federation authentication process.

rtype

dict

returns

Response Syntax

{}

Response Structure

  • (dict) --

ListTagsForResource (new)

Lists the tags that are attached to a specified resource.

See also: AWS API Documentation

Request Syntax

client.list_tags_for_resource(
    InstanceArn='string',
    ResourceArn='string',
    NextToken='string'
)
type InstanceArn

string

param InstanceArn

[REQUIRED]

The ARN of the SSO instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

type ResourceArn

string

param ResourceArn

[REQUIRED]

The ARN of the resource with the tags to be listed.

type NextToken

string

param NextToken

The pagination token for the list API. Initially the value is null. Use the output of previous API calls to make subsequent calls.

rtype

dict

returns

Response Syntax

{
    'Tags': [
        {
            'Key': 'string',
            'Value': 'string'
        },
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • Tags (list) --

      A set of key-value pairs that are used to manage the resource.

      • (dict) --

        A set of key-value pairs that are used to manage the resource. Tags can only be applied to permission sets and cannot be applied to corresponding roles that AWS SSO creates in AWS accounts.

        • Key (string) --

          The key for the tag.

        • Value (string) --

          The value of the tag.

    • NextToken (string) --

      The pagination token for the list API. Initially the value is null. Use the output of previous API calls to make subsequent calls.

ListInstances (new)

Lists the SSO instances that the caller has access to.

See also: AWS API Documentation

Request Syntax

client.list_instances(
    MaxResults=123,
    NextToken='string'
)
type MaxResults

integer

param MaxResults

The maximum number of results to display for the instance.

type NextToken

string

param NextToken

The pagination token for the list API. Initially the value is null. Use the output of previous API calls to make subsequent calls.

rtype

dict

returns

Response Syntax

{
    'Instances': [
        {
            'InstanceArn': 'string',
            'IdentityStoreId': 'string'
        },
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • Instances (list) --

      Lists the SSO instances that the caller has access to.

      • (dict) --

        Provides information about the SSO instance.

        • InstanceArn (string) --

          The ARN of the SSO instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

        • IdentityStoreId (string) --

          The identifier of the identity store that is connected to the SSO instance.

    • NextToken (string) --

      The pagination token for the list API. Initially the value is null. Use the output of previous API calls to make subsequent calls.