AWS Single Sign-On Admin

2020/11/23 - AWS Single Sign-On Admin - 4 new api methods

Changes: AWS Single Sign-On now enables attribute-based access control (ABAC) for workforce identities to simplify permissions in AWS.

UpdateInstanceAccessControlAttributeConfiguration (new)

Updates the AWS SSO identity store attributes used with the AWS SSO instance for attribute-based access control (ABAC). When using an external identity provider as an identity source, you can pass attributes through the SAML assertion as an alternative to configuring attributes from the AWS SSO identity store. If a SAML assertion passes any of these attributes, AWS SSO will replace the attribute value with the value from the AWS SSO identity store. For more information about ABAC, see Attribute-Based Access Control in the AWS SSO User Guide.

See also: AWS API Documentation

Request Syntax

client.update_instance_access_control_attribute_configuration(
    InstanceArn='string',
    InstanceAccessControlAttributeConfiguration={
        'AccessControlAttributes': [
            {
                'Key': 'string',
                'Value': {
                    'Source': [
                        'string',
                    ]
                }
            },
        ]
    }
)
InstanceArn (string) -- [REQUIRED]

  The ARN of the SSO instance under which the operation will be executed.

InstanceAccessControlAttributeConfiguration (dict) -- [REQUIRED]

  Updates the attributes for your ABAC configuration.

  • AccessControlAttributes (list) -- [REQUIRED]

    Lists the attributes that are configured for ABAC in the specified AWS SSO instance.

    • (dict) --

      These are AWS SSO identity store attributes that you can configure for use in attribute-based access control (ABAC). You can create permission policies that determine who can access your AWS resources based upon the configured attribute values. When you enable ABAC and specify AccessControlAttributes, AWS SSO passes the attribute values of the authenticated user into IAM for use in policy evaluation.

      • Key (string) -- [REQUIRED]

        The name of the attribute associated with your identities in your identity source. This is used to map a specified attribute in your identity source with an attribute in AWS SSO.

      • Value (dict) -- [REQUIRED]

        The value used for mapping a specified attribute to an identity source.

        • Source (list) -- [REQUIRED]

          The identity source to use when mapping a specified attribute to AWS SSO.

          • (string) --

Return type: dict

Returns

Response Syntax

{}

Response Structure

  • (dict) --

DescribeInstanceAccessControlAttributeConfiguration (new)

Returns the list of AWS SSO identity store attributes that have been configured to work with attribute-based access control (ABAC) for the specified AWS SSO instance. This will not return attributes configured and sent by an external identity provider. For more information about ABAC, see Attribute-Based Access Control in the AWS SSO User Guide.

See also: AWS API Documentation

Request Syntax

client.describe_instance_access_control_attribute_configuration(
    InstanceArn='string'
)
InstanceArn (string) -- [REQUIRED]

  The ARN of the SSO instance under which the operation will be executed.

Return type: dict

Returns

Response Syntax

{
    'Status': 'ENABLED'|'CREATION_IN_PROGRESS'|'CREATION_FAILED',
    'StatusReason': 'string',
    'InstanceAccessControlAttributeConfiguration': {
        'AccessControlAttributes': [
            {
                'Key': 'string',
                'Value': {
                    'Source': [
                        'string',
                    ]
                }
            },
        ]
    }
}

Response Structure

  • (dict) --

    • Status (string) --

      The status of the attribute configuration process.

    • StatusReason (string) --

      Provides more details about the current status of the specified attribute.

    • InstanceAccessControlAttributeConfiguration (dict) --

      Gets the list of AWS SSO identity store attributes added to your ABAC configuration.

      • AccessControlAttributes (list) --

        Lists the attributes that are configured for ABAC in the specified AWS SSO instance.

        • (dict) --

          These are AWS SSO identity store attributes that you can configure for use in attribute-based access control (ABAC). You can create permission policies that determine who can access your AWS resources based upon the configured attribute values. When you enable ABAC and specify AccessControlAttributes, AWS SSO passes the attribute values of the authenticated user into IAM for use in policy evaluation.

          • Key (string) --

            The name of the attribute associated with your identities in your identity source. This is used to map a specified attribute in your identity source with an attribute in AWS SSO.

          • Value (dict) --

            The value used for mapping a specified attribute to an identity source.

            • Source (list) --

              The identity source to use when mapping a specified attribute to AWS SSO.

              • (string) --

CreateInstanceAccessControlAttributeConfiguration (new)

Enables the attribute-based access control (ABAC) feature for the specified AWS SSO instance. You can also specify new attributes to add to your ABAC configuration during the enabling process. For more information about ABAC, see Attribute-Based Access Control in the AWS SSO User Guide.

See also: AWS API Documentation

Request Syntax

client.create_instance_access_control_attribute_configuration(
    InstanceArn='string',
    InstanceAccessControlAttributeConfiguration={
        'AccessControlAttributes': [
            {
                'Key': 'string',
                'Value': {
                    'Source': [
                        'string',
                    ]
                }
            },
        ]
    }
)
InstanceArn (string) -- [REQUIRED]

  The ARN of the SSO instance under which the operation will be executed.

InstanceAccessControlAttributeConfiguration (dict) -- [REQUIRED]

  Specifies the AWS SSO identity store attributes to add to your ABAC configuration. When using an external identity provider as an identity source, you can pass attributes through the SAML assertion as an alternative to configuring attributes from the AWS SSO identity store. If a SAML assertion passes any of these attributes, AWS SSO will replace the attribute value with the value from the AWS SSO identity store.

  • AccessControlAttributes (list) -- [REQUIRED]

    Lists the attributes that are configured for ABAC in the specified AWS SSO instance.

    • (dict) --

      These are AWS SSO identity store attributes that you can configure for use in attribute-based access control (ABAC). You can create permission policies that determine who can access your AWS resources based upon the configured attribute values. When you enable ABAC and specify AccessControlAttributes, AWS SSO passes the attribute values of the authenticated user into IAM for use in policy evaluation.

      • Key (string) -- [REQUIRED]

        The name of the attribute associated with your identities in your identity source. This is used to map a specified attribute in your identity source with an attribute in AWS SSO.

      • Value (dict) -- [REQUIRED]

        The value used for mapping a specified attribute to an identity source.

        • Source (list) -- [REQUIRED]

          The identity source to use when mapping a specified attribute to AWS SSO.

          • (string) --

Return type: dict

Returns

Response Syntax

{}

Response Structure

  • (dict) --
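An added example, not from the boto3 documentation or the AWS SDK, that works with the Describe response shape and the Create/Update request shape documented above: it builds a request body from a key-to-source mapping and checks a permission-set policy against the attributes actually configured, flagging any aws:PrincipalTag key the policy relies on but SSO will never supply (such a condition can never match, so the statement silently grants nothing). It assumes the documented convention that SSO surfaces these attributes to IAM as session tags referenced as aws:PrincipalTag/<key> and the `${path:enterprise.<attribute>}` source syntax from the AWS SSO User Guide; the instance ARN, attribute names and policy are constructed.

```python
import json
import re

# Constructed sample, in the documented shape of the
# describe_instance_access_control_attribute_configuration response.
SAMPLE_DESCRIBE_RESPONSE = {
    "Status": "ENABLED",
    "StatusReason": "",
    "InstanceAccessControlAttributeConfiguration": {"AccessControlAttributes": [
        {"Key": "department", "Value": {"Source": ["${path:enterprise.department}"]}},
        {"Key": "costCenter", "Value": {"Source": ["${path:enterprise.costCenter}"]}},
    ]},
}

# Constructed permission-set policy that conditions on session tags.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "s3:*", "Resource": "*",
    "Condition": {"StringEquals": {
        "aws:ResourceTag/department": "${aws:PrincipalTag/department}",
        "aws:PrincipalTag/team": "platform",
    }},
}]})

# ABAC attributes reach policy evaluation as session tags: aws:PrincipalTag/<key>.
TAG_REF = re.compile(r"aws:PrincipalTag/([A-Za-z0-9_.:/=+@-]+)")

def configured_attribute_keys(describe_response):
    """ABAC keys from a Describe response; empty unless Status is ENABLED,
    since nothing is passed into IAM while creation is pending or failed."""
    if describe_response.get("Status") != "ENABLED":
        return set()
    cfg = describe_response["InstanceAccessControlAttributeConfiguration"]
    return {a["Key"] for a in cfg.get("AccessControlAttributes", [])}

def referenced_principal_tags(policy_json):
    """Every aws:PrincipalTag/<key> the policy document refers to."""
    return set(TAG_REF.findall(policy_json))

def unmapped_tags(describe_response, policy_json):
    """Tag keys the policy depends on that are not configured as ABAC attributes."""
    return referenced_principal_tags(policy_json) - configured_attribute_keys(describe_response)

def build_update_request(instance_arn, mappings):
    """Request body for create_/update_instance_access_control_attribute_configuration
    from a {key: [source, ...]} dict (instance_arn is a caller-supplied placeholder)."""
    attrs = [{"Key": k, "Value": {"Source": list(v)}} for k, v in sorted(mappings.items())]
    return {"InstanceArn": instance_arn,
            "InstanceAccessControlAttributeConfiguration": {"AccessControlAttributes": attrs}}
```

Pass the dict returned by `build_update_request` to the boto3 method with `**`, and run `unmapped_tags` over each permission set's inline policy whenever the attribute configuration changes.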

DeleteInstanceAccessControlAttributeConfiguration (new)

Disables the attribute-based access control (ABAC) feature for the specified AWS SSO instance and deletes all of the attribute mappings that have been configured. Once deleted, any attributes that are received from an identity source and any custom attributes you have previously configured will not be passed. For more information about ABAC, see Attribute-Based Access Control in the AWS SSO User Guide.

See also: AWS API Documentation

Request Syntax

client.delete_instance_access_control_attribute_configuration(
    InstanceArn='string'
)
InstanceArn (string) -- [REQUIRED]

  The ARN of the SSO instance under which the operation will be executed.

Return type: dict

Returns

Response Syntax

{}

Response Structure

  • (dict) --