AWS Single Sign-On · 9/10/2020  · automatically be provisioned to the account in the form of an...

AWS Single Sign-On API Reference


Page 1: AWS Single Sign-On · 9/10/2020  · automatically be provisioned to the account in the form of an IAM policy attached to the SSO-created IAM role. If the permission set is subsequently


AWS Single Sign-On: API Reference

Copyright © Amazon Web Services, Inc. and/or its affiliates. All rights reserved.

Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon.


Table of Contents

Welcome
Actions

  AttachManagedPolicyToPermissionSet
    Request Syntax
    Request Parameters
    Response Elements
    Errors
    See Also

  CreateAccountAssignment
    Request Syntax
    Request Parameters
    Response Syntax
    Response Elements
    Errors
    See Also

  CreateInstanceAccessControlAttributeConfiguration
    Request Syntax
    Request Parameters
    Response Elements
    Errors
    See Also

  CreatePermissionSet
    Request Syntax
    Request Parameters
    Response Syntax
    Response Elements
    Errors
    See Also

  DeleteAccountAssignment
    Request Syntax
    Request Parameters
    Response Syntax
    Response Elements
    Errors
    See Also

  DeleteInlinePolicyFromPermissionSet
    Request Syntax
    Request Parameters
    Response Elements
    Errors
    See Also

  DeleteInstanceAccessControlAttributeConfiguration
    Request Syntax
    Request Parameters
    Response Elements
    Errors
    See Also

  DeletePermissionSet
    Request Syntax
    Request Parameters
    Response Elements
    Errors
    See Also

  DescribeAccountAssignmentCreationStatus
    Request Syntax
    Request Parameters
    Response Syntax
    Response Elements
    Errors
    See Also

  DescribeAccountAssignmentDeletionStatus
    Request Syntax
    Request Parameters
    Response Syntax
    Response Elements
    Errors
    See Also

  DescribeInstanceAccessControlAttributeConfiguration
    Request Syntax
    Request Parameters
    Response Syntax
    Response Elements
    Errors
    See Also

  DescribePermissionSet
    Request Syntax
    Request Parameters
    Response Syntax
    Response Elements
    Errors
    See Also

  DescribePermissionSetProvisioningStatus
    Request Syntax
    Request Parameters
    Response Syntax
    Response Elements
    Errors
    See Also

  DetachManagedPolicyFromPermissionSet
    Request Syntax
    Request Parameters
    Response Elements
    Errors
    See Also

  GetInlinePolicyForPermissionSet
    Request Syntax
    Request Parameters
    Response Syntax
    Response Elements
    Errors
    See Also

  ListAccountAssignmentCreationStatus
    Request Syntax
    Request Parameters
    Response Syntax
    Response Elements
    Errors
    See Also

  ListAccountAssignmentDeletionStatus
    Request Syntax
    Request Parameters
    Response Syntax
    Response Elements
    Errors
    See Also

  ListAccountAssignments
    Request Syntax
    Request Parameters
    Response Syntax
    Response Elements
    Errors
    See Also

  ListAccountsForProvisionedPermissionSet
    Request Syntax
    Request Parameters
    Response Syntax
    Response Elements
    Errors
    See Also

ListInstances .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58Response Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

ListManagedPoliciesInPermissionSet .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61Response Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

ListPermissionSetProvisioningStatus .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64Response Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

ListPermissionSets .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67Response Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

ListPermissionSetsProvisionedToAccount .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70Response Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

ListTagsForResource .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73Response Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

v

Page 6: AWS Single Sign-On · 9/10/2020  · automatically be provisioned to the account in the form of an IAM policy attached to the SSO-created IAM role. If the permission set is subsequently

AWS Single Sign-On API Reference

Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

ProvisionPermissionSet .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76Response Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

PutInlinePolicyToPermissionSet .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

TagResource .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

UntagResource .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

UpdateInstanceAccessControlAttributeConfiguration .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

UpdatePermissionSet .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

Data Types .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93AccessControlAttribute .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

Contents .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

AccessControlAttributeValue .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95Contents .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95

AccountAssignment .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96Contents .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96

AccountAssignmentOperationStatus .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98Contents .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

AccountAssignmentOperationStatusMetadata .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100Contents .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

AttachedManagedPolicy .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

vi

Page 7: AWS Single Sign-On · 9/10/2020  · automatically be provisioned to the account in the form of an IAM policy attached to the SSO-created IAM role. If the permission set is subsequently

AWS Single Sign-On API Reference

Contents .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

InstanceAccessControlAttributeConfiguration .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102Contents .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

InstanceMetadata .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103Contents .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

OperationStatusFilter ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104Contents .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104

PermissionSet .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105Contents .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

PermissionSetProvisioningStatus .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107Contents .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

PermissionSetProvisioningStatusMetadata .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109Contents .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

Tag .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110Contents .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110

Common Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111Common Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113Document History .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

vii

Welcome to the AWS Single Sign-On API Reference Guide

AWS Single Sign-On (SSO) is a cloud SSO service that makes it easy to centrally manage SSO access to multiple AWS accounts and business applications. This guide provides information on SSO operations which could be used for access management of AWS accounts. For information about AWS SSO features, see the AWS Single Sign-On User Guide.

Many operations in the AWS SSO APIs rely on identifiers for users and groups, known as principals. For more information about how to work with principals and principal IDs in AWS SSO, see the AWS SSO Identity Store API Reference.

Note: AWS provides SDKs that consist of libraries and sample code for various programming languages and platforms (Java, Ruby, .Net, iOS, Android, and more). The SDKs provide a convenient way to create programmatic access to AWS SSO and other AWS services. For more information about the AWS SDKs, including how to download and install them, see Tools for Amazon Web Services.

Actions

The following actions are supported:

• AttachManagedPolicyToPermissionSet
• CreateAccountAssignment
• CreateInstanceAccessControlAttributeConfiguration
• CreatePermissionSet
• DeleteAccountAssignment
• DeleteInlinePolicyFromPermissionSet
• DeleteInstanceAccessControlAttributeConfiguration
• DeletePermissionSet
• DescribeAccountAssignmentCreationStatus
• DescribeAccountAssignmentDeletionStatus
• DescribeInstanceAccessControlAttributeConfiguration
• DescribePermissionSet
• DescribePermissionSetProvisioningStatus
• DetachManagedPolicyFromPermissionSet
• GetInlinePolicyForPermissionSet
• ListAccountAssignmentCreationStatus
• ListAccountAssignmentDeletionStatus
• ListAccountAssignments
• ListAccountsForProvisionedPermissionSet
• ListInstances
• ListManagedPoliciesInPermissionSet
• ListPermissionSetProvisioningStatus
• ListPermissionSets
• ListPermissionSetsProvisionedToAccount
• ListTagsForResource
• ProvisionPermissionSet
• PutInlinePolicyToPermissionSet
• TagResource
• UntagResource
• UpdateInstanceAccessControlAttributeConfiguration
• UpdatePermissionSet

AttachManagedPolicyToPermissionSet

Attaches an IAM managed policy ARN to a permission set.

Note
If the permission set is already referenced by one or more account assignments, you will need to call ProvisionPermissionSet (p. 76) after this operation. Calling ProvisionPermissionSet applies the corresponding IAM policy updates to all assigned accounts.

Request Syntax

{
   "InstanceArn": "string",
   "ManagedPolicyArn": "string",
   "PermissionSetArn": "string"
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters (p. 111).

The request accepts the following data in JSON format.

InstanceArn (p. 3)

The ARN of the SSO instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

Type: String

Length Constraints: Minimum length of 10. Maximum length of 1224.

Pattern: arn:aws:sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}

Required: Yes

ManagedPolicyArn (p. 3)

The IAM managed policy ARN to be attached to a permission set.

Type: String

Length Constraints: Minimum length of 20. Maximum length of 2048.

Required: Yes

PermissionSetArn (p. 3)

The ARN of the PermissionSet (p. 105) that the managed policy should be attached to.

Type: String

Length Constraints: Minimum length of 10. Maximum length of 1224.

Pattern: arn:aws:sso:::permissionSet/(sso)?ins-[a-zA-Z0-9-.]{16}/ps-[a-zA-Z0-9-./]{16}

Required: Yes

Response Elements

If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

Errors

For information about the errors that are common to all actions, see Common Errors (p. 113).

AccessDeniedException

You do not have sufficient access to perform this action.

HTTP Status Code: 400

ConflictException

Occurs when a conflict with a previous successful write is detected. This generally occurs when the previous write did not have time to propagate to the host serving the current request. A retry (with appropriate backoff logic) is the recommended response to this exception.

HTTP Status Code: 400

InternalServerException

The request processing has failed because of an unknown error, exception, or failure with an internal server.

HTTP Status Code: 400

ResourceNotFoundException

Indicates that a requested resource is not found.

HTTP Status Code: 400

ServiceQuotaExceededException

Indicates that the principal has crossed the permitted number of resources that can be created.

HTTP Status Code: 400

ThrottlingException

Indicates that the principal has crossed the throttling limits of the API operations.

HTTP Status Code: 400

ValidationException

The request failed because it contains a syntax error.

HTTP Status Code: 400

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface
• AWS SDK for .NET
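The sequence this action calls for (attach the managed policy, then call ProvisionPermissionSet when the permission set is already in use), with backoff on ConflictException, shown as an added example that is not part of the AWS reference. It assumes a boto3-style `sso-admin` client whose errors carry `response["Error"]["Code"]`, the `AccountIds` member of the ListAccountsForProvisionedPermissionSet response and the `ALL_PROVISIONED_ACCOUNTS` target type from ProvisionPermissionSet's own section; `ApiError`, `FakeSsoAdmin`, the set of retried error codes and all ARNs are constructed so the block runs offline.

```python
import random
import time

# Which documented errors to retry is a choice made for this example; the
# reference recommends retry with backoff for ConflictException.
RETRYABLE = {"ConflictException", "ThrottlingException"}

# Constructed sample identifiers (not real resources).
INSTANCE_ARN = "arn:aws:sso:::instance/ssoins-0123456789abcdef"
PERMISSION_SET_ARN = ("arn:aws:sso:::permissionSet/"
                      "ssoins-0123456789abcdef/ps-0123456789abcdef")
POLICY_ARN = "arn:aws:iam::aws:policy/ReadOnlyAccess"


class ApiError(Exception):
    """Stand-in for botocore's ClientError (same .response shape)."""
    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


def call_with_backoff(fn, *, attempts=5, base=0.2, cap=5.0,
                      sleep=time.sleep, **kwargs):
    """Call fn(**kwargs). On a retryable error, wait with capped exponential
    backoff and full jitter, then retry. Other errors propagate immediately."""
    for attempt in range(attempts):
        try:
            return fn(**kwargs)
        except Exception as exc:
            code = getattr(exc, "response", {}).get("Error", {}).get("Code")
            if code not in RETRYABLE or attempt == attempts - 1:
                raise
            sleep(random.uniform(0, min(cap, base * 2 ** attempt)))


def attach_and_provision(client, instance_arn, permission_set_arn, policy_arn,
                         sleep=time.sleep):
    """Attach a managed policy, then re-provision the permission set if any
    account already has it. Returns True if provisioning was requested."""
    call_with_backoff(client.attach_managed_policy_to_permission_set,
                      sleep=sleep, InstanceArn=instance_arn,
                      PermissionSetArn=permission_set_arn,
                      ManagedPolicyArn=policy_arn)
    page = call_with_backoff(client.list_accounts_for_provisioned_permission_set,
                             sleep=sleep, InstanceArn=instance_arn,
                             PermissionSetArn=permission_set_arn)
    if not page.get("AccountIds"):
        return False  # not provisioned anywhere yet: no IAM roles to update
    call_with_backoff(client.provision_permission_set,
                      sleep=sleep, InstanceArn=instance_arn,
                      PermissionSetArn=permission_set_arn,
                      TargetType="ALL_PROVISIONED_ACCOUNTS")
    return True


class FakeSsoAdmin:
    """Constructed stub: the first attach call raises ConflictException."""
    def __init__(self, account_ids):
        self.account_ids = account_ids
        self.calls = []

    def attach_managed_policy_to_permission_set(self, **kwargs):
        self.calls.append("attach")
        if self.calls.count("attach") == 1:
            raise ApiError("ConflictException")
        return {}

    def list_accounts_for_provisioned_permission_set(self, **kwargs):
        self.calls.append("list")
        return {"AccountIds": self.account_ids}

    def provision_permission_set(self, **kwargs):
        self.calls.append("provision")
        return {}


if __name__ == "__main__":
    client = FakeSsoAdmin(["123456789012"])
    done = attach_and_provision(client, INSTANCE_ARN, PERMISSION_SET_ARN,
                                POLICY_ARN, sleep=lambda s: None)
    print(done, client.calls)
```

Skipping the provisioning call leaves the IAM roles in assigned accounts on the old policy set, so a removed or tightened policy would not take effect there until ProvisionPermissionSet runs.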

CreateAccountAssignment

Assigns access to a principal for a specified AWS account using a specified permission set.

Note
The term principal here refers to a user or group that is defined in AWS SSO.

Note
As part of a successful CreateAccountAssignment call, the specified permission set will automatically be provisioned to the account in the form of an IAM policy. That policy is attached to the SSO-created IAM role. If the permission set is subsequently updated, the corresponding IAM policies attached to roles in your accounts will not be updated automatically. In this case, you must call ProvisionPermissionSet (p. 76) to make these updates.

Request Syntax

{
   "InstanceArn": "string",
   "PermissionSetArn": "string",
   "PrincipalId": "string",
   "PrincipalType": "string",
   "TargetId": "string",
   "TargetType": "string"
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters (p. 111).

The request accepts the following data in JSON format.

InstanceArn (p. 6)

The ARN of the SSO instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

Type: String

Length Constraints: Minimum length of 10. Maximum length of 1224.

Pattern: arn:aws:sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}

Required: Yes

PermissionSetArn (p. 6)

The ARN of the permission set that the admin wants to grant the principal access to.

Type: String

Length Constraints: Minimum length of 10. Maximum length of 1224.

Pattern: arn:aws:sso:::permissionSet/(sso)?ins-[a-zA-Z0-9-.]{16}/ps-[a-zA-Z0-9-./]{16}

Required: Yes

PrincipalId (p. 6)

An identifier for an object in AWS SSO, such as a user or group. PrincipalIds are GUIDs (for example, f81d4fae-7dec-11d0-a765-00a0c91e6bf6). For more information about PrincipalIds in AWS SSO, see the AWS SSO Identity Store API Reference.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 47.

Pattern: ^([0-9a-f]{10}-|)[A-Fa-f0-9]{8}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{12}$

Required: Yes

PrincipalType (p. 6)

The entity type for which the assignment will be created.

Type: String

Valid Values: USER | GROUP

Required: Yes

TargetId (p. 6)

TargetID is an AWS account identifier, typically a 10-12 digit string (For example, 123456789012).

Type: String

Pattern: \d{12}

Required: Yes

TargetType (p. 6)

The entity type for which the assignment will be created.

Type: String

Valid Values: AWS_ACCOUNT

Required: Yes

Response Syntax

{
   "AccountAssignmentCreationStatus": {
      "CreatedDate": number,
      "FailureReason": "string",
      "PermissionSetArn": "string",
      "PrincipalId": "string",
      "PrincipalType": "string",
      "RequestId": "string",
      "Status": "string",
      "TargetId": "string",
      "TargetType": "string"
   }
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

AccountAssignmentCreationStatus (p. 7)

The status object for the account assignment creation operation.

Type: AccountAssignmentOperationStatus (p. 98) object

Errors

For information about the errors that are common to all actions, see Common Errors (p. 113).

AccessDeniedException

You do not have sufficient access to perform this action.

HTTP Status Code: 400

ConflictException

Occurs when a conflict with a previous successful write is detected. This generally occurs when the previous write did not have time to propagate to the host serving the current request. A retry (with appropriate backoff logic) is the recommended response to this exception.

HTTP Status Code: 400

InternalServerException

The request processing has failed because of an unknown error, exception, or failure with an internal server.

HTTP Status Code: 400

ResourceNotFoundException

Indicates that a requested resource is not found.

HTTP Status Code: 400

ServiceQuotaExceededException

Indicates that the principal has crossed the permitted number of resources that can be created.

HTTP Status Code: 400

ThrottlingException

Indicates that the principal has crossed the throttling limits of the API operations.

HTTP Status Code: 400

ValidationException

The request failed because it contains a syntax error.

HTTP Status Code: 400
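A pre-flight check for a CreateAccountAssignment request, added here as an example and not part of the AWS reference: it applies the Length Constraints, Pattern and Valid Values listed for each request parameter before the request is sent. The function name, error strings and sample ARNs are constructed; treating each Pattern as a whole-string, ASCII-only match is an assumption about how the service applies it.

```python
import re

# Constraints transcribed from the CreateAccountAssignment request parameters.
# Each rule is (pattern, min_len, max_len, valid_values); None = not stated.
RULES = {
    "InstanceArn": (
        r"arn:aws:sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}",
        10, 1224, None),
    "PermissionSetArn": (
        r"arn:aws:sso:::permissionSet/(sso)?ins-[a-zA-Z0-9-.]{16}"
        r"/ps-[a-zA-Z0-9-./]{16}",
        10, 1224, None),
    "PrincipalId": (
        r"^([0-9a-f]{10}-|)[A-Fa-f0-9]{8}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}"
        r"-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{12}$",
        1, 47, None),
    "PrincipalType": (None, None, None, ("USER", "GROUP")),
    "TargetId": (r"\d{12}", None, None, None),
    "TargetType": (None, None, None, ("AWS_ACCOUNT",)),
}


def validate_create_account_assignment(request):
    """Return a list of constraint violations for the request dict.
    An empty list means every documented constraint is satisfied."""
    errors = []
    for field, (pattern, min_len, max_len, valid) in RULES.items():
        if field not in request:
            errors.append(f"{field}: required")  # all six are Required: Yes
            continue
        value = request[field]
        if not isinstance(value, str):
            errors.append(f"{field}: must be a string")
            continue
        if min_len is not None and not (min_len <= len(value) <= max_len):
            errors.append(f"{field}: length must be {min_len}-{max_len}")
        # fullmatch + re.ASCII: no partial matches, no trailing newline,
        # and \d accepts only 0-9 rather than any Unicode digit.
        if pattern and not re.fullmatch(pattern, value, re.ASCII):
            errors.append(f"{field}: does not match pattern")
        if valid and value not in valid:
            errors.append(f"{field}: must be one of {', '.join(valid)}")
    for name in sorted(set(request) - set(RULES)):
        errors.append(f"{name}: not a member of this request")
    return errors


# Constructed sample request. The ARNs are made up; the PrincipalId and
# TargetId are the example values given in the parameter descriptions.
SAMPLE = {
    "InstanceArn": "arn:aws:sso:::instance/ssoins-0123456789abcdef",
    "PermissionSetArn": ("arn:aws:sso:::permissionSet/"
                         "ssoins-0123456789abcdef/ps-0123456789abcdef"),
    "PrincipalId": "f81d4fae-7dec-11d0-a765-00a0c91e6bf6",
    "PrincipalType": "USER",
    "TargetId": "123456789012",
    "TargetType": "AWS_ACCOUNT",
}

if __name__ == "__main__":
    print(validate_create_account_assignment(SAMPLE))
    # A 10-digit account id fits the prose description of TargetId but not
    # its Pattern, which requires exactly 12 digits.
    print(validate_create_account_assignment({**SAMPLE, "TargetId": "1234567890"}))
```

Running the check in the pipeline that generates assignments catches malformed identifiers before they reach the API, and keeps the target account and principal type explicit in review.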

CreateInstanceAccessControlAttributeConfiguration

Enables the attributes-based access control (ABAC) feature for the specified AWS SSO instance. You can also specify new attributes to add to your ABAC configuration during the enabling process. For more information about ABAC, see Attribute-Based Access Control in the AWS SSO User Guide.

Request Syntax

{
   "InstanceAccessControlAttributeConfiguration": {
      "AccessControlAttributes": [
         {
            "Key": "string",
            "Value": {
               "Source": [ "string" ]
            }
         }
      ]
   },
   "InstanceArn": "string"
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters (p. 111).

The request accepts the following data in JSON format.

InstanceAccessControlAttributeConfiguration (p. 10)

Specifies the AWS SSO identity store attributes to add to your ABAC configuration. When using an external identity provider as an identity source, you can pass attributes through the SAML assertion. Doing so provides an alternative to configuring attributes from the AWS SSO identity store. If a SAML assertion passes any of these attributes, AWS SSO will replace the attribute value with the value from the AWS SSO identity store.

Type: InstanceAccessControlAttributeConfiguration (p. 102) object

Required: Yes

InstanceArn (p. 10)

The ARN of the SSO instance under which the operation will be executed.

Type: String

Length Constraints: Minimum length of 10. Maximum length of 1224.

Pattern: arn:aws:sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}

Required: Yes

Response Elements

If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

Errors

For information about the errors that are common to all actions, see Common Errors (p. 113).

AccessDeniedException

You do not have sufficient access to perform this action.

HTTP Status Code: 400

ConflictException

Occurs when a conflict with a previous successful write is detected. This generally occurs when the previous write did not have time to propagate to the host serving the current request. A retry (with appropriate backoff logic) is the recommended response to this exception.

HTTP Status Code: 400

InternalServerException

The request processing has failed because of an unknown error, exception, or failure with an internal server.

HTTP Status Code: 400

ResourceNotFoundException

Indicates that a requested resource is not found.

HTTP Status Code: 400

ThrottlingException

Indicates that the principal has crossed the throttling limits of the API operations.

HTTP Status Code: 400

ValidationException

The request failed because it contains a syntax error.

HTTP Status Code: 400

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for JavaScript
• AWS SDK for PHP V3
• AWS SDK for Python
• AWS SDK for Ruby V3

CreatePermissionSet

Creates a permission set within a specified SSO instance.

Note
To grant users and groups access to AWS account resources, use CreateAccountAssignment (p. 6).

Request Syntax

{
   "Description": "string",
   "InstanceArn": "string",
   "Name": "string",
   "RelayState": "string",
   "SessionDuration": "string",
   "Tags": [
      {
         "Key": "string",
         "Value": "string"
      }
   ]
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters (p. 111).

The request accepts the following data in JSON format.

Description (p. 12)

The description of the PermissionSet (p. 105).

Type: String

Length Constraints: Minimum length of 1. Maximum length of 700.

Pattern: [\p{L}\p{M}\p{Z}\p{S}\p{N}\p{P}]*

Required: No

InstanceArn (p. 12)

The ARN of the SSO instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

Type: String

Length Constraints: Minimum length of 10. Maximum length of 1224.

Pattern: arn:aws:sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}

Required: Yes

Name (p. 12)

The name of the PermissionSet (p. 105).

Type: String

Length Constraints: Minimum length of 1. Maximum length of 32.

Pattern: [\w+=,.@-]+

Required: Yes

RelayState (p. 12)

Used to redirect users within the application during the federation authentication process.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 240.

Pattern: [a-zA-Z0-9&$@#\\\/%?=~\-_'"|!:,.;*+\[\]\ \(\)\{\}]+

Required: No

SessionDuration (p. 12)

The length of time that the application user sessions are valid in the ISO-8601 standard.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 100.

Pattern: ^(-?)P(?=\d|T\d)(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)([DW]))?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+(?:\.\d+)?)S)?)?$

Required: No

Tags (p. 12)

The tags to attach to the new PermissionSet (p. 105).

Type: Array of Tag (p. 110) objects

Array Members: Minimum number of 0 items. Maximum number of 50 items.

Required: No

Response Syntax

{
   "PermissionSet": {
      "CreatedDate": number,
      "Description": "string",
      "Name": "string",
      "PermissionSetArn": "string",
      "RelayState": "string",
      "SessionDuration": "string"
   }
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

PermissionSet (p. 13)

Defines the level of access on an AWS account.

Type: PermissionSet (p. 105) object

Errors

For information about the errors that are common to all actions, see Common Errors (p. 113).

AccessDeniedException

You do not have sufficient access to perform this action.

HTTP Status Code: 400

ConflictException

Occurs when a conflict with a previous successful write is detected. This generally occurs when the previous write did not have time to propagate to the host serving the current request. A retry (with appropriate backoff logic) is the recommended response to this exception.

HTTP Status Code: 400

InternalServerException

The request processing has failed because of an unknown error, exception, or failure with an internal server.

HTTP Status Code: 400

ResourceNotFoundException

Indicates that a requested resource is not found.

HTTP Status Code: 400

ServiceQuotaExceededException

Indicates that the principal has crossed the permitted number of resources that can be created.

HTTP Status Code: 400

ThrottlingException

Indicates that the principal has crossed the throttling limits of the API operations.

HTTP Status Code: 400

ValidationException

The request failed because it contains a syntax error.

HTTP Status Code: 400

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++

DeleteAccountAssignment

Deletes a principal's access from a specified AWS account using a specified permission set.

Request Syntax

{
   "InstanceArn": "string",
   "PermissionSetArn": "string",
   "PrincipalId": "string",
   "PrincipalType": "string",
   "TargetId": "string",
   "TargetType": "string"
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters (p. 111).

The request accepts the following data in JSON format.

InstanceArn (p. 16)

The ARN of the SSO instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

Type: String

Length Constraints: Minimum length of 10. Maximum length of 1224.

Pattern: arn:aws:sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}

Required: Yes

PermissionSetArn (p. 16)

The ARN of the permission set that will be used to remove access.

Type: String

Length Constraints: Minimum length of 10. Maximum length of 1224.

Pattern: arn:aws:sso:::permissionSet/(sso)?ins-[a-zA-Z0-9-.]{16}/ps-[a-zA-Z0-9-./]{16}

Required: Yes

PrincipalId (p. 16)

An identifier for an object in AWS SSO, such as a user or group. PrincipalIds are GUIDs (for example, f81d4fae-7dec-11d0-a765-00a0c91e6bf6). For more information about PrincipalIds in AWS SSO, see the AWS SSO Identity Store API Reference.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 47.

Pattern: ^([0-9a-f]{10}-|)[A-Fa-f0-9]{8}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{12}$

Required: Yes

PrincipalType (p. 16)

The entity type for which the assignment will be deleted.

Type: String

Valid Values: USER | GROUP

Required: Yes

TargetId (p. 16)

TargetID is an AWS account identifier, typically a 10-12 digit string (For example, 123456789012).

Type: String

Pattern: \d{12}

Required: Yes

TargetType (p. 16)

The entity type for which the assignment will be deleted.

Type: String

Valid Values: AWS_ACCOUNT

Required: Yes

Response Syntax

{
   "AccountAssignmentDeletionStatus": {
      "CreatedDate": number,
      "FailureReason": "string",
      "PermissionSetArn": "string",
      "PrincipalId": "string",
      "PrincipalType": "string",
      "RequestId": "string",
      "Status": "string",
      "TargetId": "string",
      "TargetType": "string"
   }
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

AccountAssignmentDeletionStatus (p. 17)

The status object for the account assignment deletion operation.

Type: AccountAssignmentOperationStatus (p. 98) object

Errors

For information about the errors that are common to all actions, see Common Errors (p. 113).

AccessDeniedException

You do not have sufficient access to perform this action.

HTTP Status Code: 400

ConflictException

Occurs when a conflict with a previous successful write is detected. This generally occurs when the previous write did not have time to propagate to the host serving the current request. A retry (with appropriate backoff logic) is the recommended response to this exception.

HTTP Status Code: 400

InternalServerException

The request processing has failed because of an unknown error, exception, or failure with an internal server.

HTTP Status Code: 400

ResourceNotFoundException

Indicates that a requested resource is not found.

HTTP Status Code: 400

ThrottlingException

Indicates that the principal has crossed the throttling limits of the API operations.

HTTP Status Code: 400

ValidationException

The request failed because it contains a syntax error.

HTTP Status Code: 400

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for JavaScript
• AWS SDK for PHP V3
• AWS SDK for Python
• AWS SDK for Ruby V3

DeleteInlinePolicyFromPermissionSet

Deletes the inline policy from a specified permission set.

Request Syntax

{
   "InstanceArn": "string",
   "PermissionSetArn": "string"
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters (p. 111).

The request accepts the following data in JSON format.

InstanceArn (p. 20)

The ARN of the SSO instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

Type: String

Length Constraints: Minimum length of 10. Maximum length of 1224.

Pattern: arn:aws:sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}

Required: Yes

PermissionSetArn (p. 20)

The ARN of the permission set that will be used to remove access.

Type: String

Length Constraints: Minimum length of 10. Maximum length of 1224.

Pattern: arn:aws:sso:::permissionSet/(sso)?ins-[a-zA-Z0-9-.]{16}/ps-[a-zA-Z0-9-./]{16}

Required: Yes

Response Elements

If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

Errors

For information about the errors that are common to all actions, see Common Errors (p. 113).

AccessDeniedException

You do not have sufficient access to perform this action.

HTTP Status Code: 400

ConflictException

Occurs when a conflict with a previous successful write is detected. This generally occurs when the previous write did not have time to propagate to the host serving the current request. A retry (with appropriate backoff logic) is the recommended response to this exception.

HTTP Status Code: 400

InternalServerException

The request processing has failed because of an unknown error, exception, or failure with an internal server.

HTTP Status Code: 400

ResourceNotFoundException

Indicates that a requested resource is not found.

HTTP Status Code: 400

ThrottlingException

Indicates that the principal has crossed the throttling limits of the API operations.

HTTP Status Code: 400

ValidationException

The request failed because it contains a syntax error.

HTTP Status Code: 400

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for JavaScript
• AWS SDK for PHP V3
• AWS SDK for Python
• AWS SDK for Ruby V3

DeleteInstanceAccessControlAttributeConfiguration

Disables the attributes-based access control (ABAC) feature for the specified AWS SSO instance and deletes all of the attribute mappings that have been configured. Once deleted, any attributes that are received from an identity source and any custom attributes you have previously configured will not be passed. For more information about ABAC, see Attribute-Based Access Control in the AWS SSO User Guide.

Request Syntax

{
   "InstanceArn": "string"
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters (p. 111).

The request accepts the following data in JSON format.

InstanceArn (p. 22)

The ARN of the SSO instance under which the operation will be executed.

Type: String

Length Constraints: Minimum length of 10. Maximum length of 1224.

Pattern: arn:aws:sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}

Required: Yes

Response Elements

If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

Errors

For information about the errors that are common to all actions, see Common Errors (p. 113).

AccessDeniedException

You do not have sufficient access to perform this action.

HTTP Status Code: 400

ConflictException

Occurs when a conflict with a previous successful write is detected. This generally occurs when the previous write did not have time to propagate to the host serving the current request. A retry (with appropriate backoff logic) is the recommended response to this exception.

HTTP Status Code: 400

InternalServerException

The request processing has failed because of an unknown error, exception, or failure with an internal server.

HTTP Status Code: 400

ResourceNotFoundException

Indicates that a requested resource is not found.

HTTP Status Code: 400

ThrottlingException

Indicates that the principal has crossed the throttling limits of the API operations.

HTTP Status Code: 400

ValidationException

The request failed because it contains a syntax error.

HTTP Status Code: 400

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for JavaScript
• AWS SDK for PHP V3
• AWS SDK for Python
• AWS SDK for Ruby V3

DeletePermissionSet

Deletes the specified permission set.

Request Syntax

{
   "InstanceArn": "string",
   "PermissionSetArn": "string"
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters (p. 111).

The request accepts the following data in JSON format.

InstanceArn (p. 24)

The ARN of the SSO instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

Type: String

Length Constraints: Minimum length of 10. Maximum length of 1224.

Pattern: arn:aws:sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}

Required: Yes

PermissionSetArn (p. 24)

The ARN of the permission set that should be deleted.

Type: String

Length Constraints: Minimum length of 10. Maximum length of 1224.

Pattern: arn:aws:sso:::permissionSet/(sso)?ins-[a-zA-Z0-9-.]{16}/ps-[a-zA-Z0-9-./]{16}

Required: Yes

Response Elements

If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

Errors

For information about the errors that are common to all actions, see Common Errors (p. 113).

AccessDeniedException

You do not have sufficient access to perform this action.

HTTP Status Code: 400

ConflictException

Occurs when a conflict with a previous successful write is detected. This generally occurs when the previous write did not have time to propagate to the host serving the current request. A retry (with appropriate backoff logic) is the recommended response to this exception.

HTTP Status Code: 400

InternalServerException

The request processing has failed because of an unknown error, exception, or failure with an internal server.

HTTP Status Code: 400

ResourceNotFoundException

Indicates that a requested resource is not found.

HTTP Status Code: 400

ThrottlingException

Indicates that the principal has crossed the throttling limits of the API operations.

HTTP Status Code: 400

ValidationException

The request failed because it contains a syntax error.

HTTP Status Code: 400

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for JavaScript
• AWS SDK for PHP V3
• AWS SDK for Python
• AWS SDK for Ruby V3

DescribeAccountAssignmentCreationStatus

Describes the status of the assignment creation request.

Request Syntax

{
   "AccountAssignmentCreationRequestId": "string",
   "InstanceArn": "string"
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters (p. 111).

The request accepts the following data in JSON format.

AccountAssignmentCreationRequestId (p. 26)

The identifier that is used to track the request operation progress.

Type: String

Pattern: \b[0-9a-f]{8}\b-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-\b[0-9a-f]{12}\b

Required: Yes

InstanceArn (p. 26)

The ARN of the SSO instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

Type: String

Length Constraints: Minimum length of 10. Maximum length of 1224.

Pattern: arn:aws:sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}

Required: Yes

Response Syntax

{
   "AccountAssignmentCreationStatus": {
      "CreatedDate": number,
      "FailureReason": "string",
      "PermissionSetArn": "string",
      "PrincipalId": "string",
      "PrincipalType": "string",
      "RequestId": "string",
      "Status": "string",
      "TargetId": "string",
      "TargetType": "string"
   }
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

AccountAssignmentCreationStatus (p. 26)

The status object for the account assignment creation operation.

Type: AccountAssignmentOperationStatus (p. 98) object

Errors

For information about the errors that are common to all actions, see Common Errors (p. 113).

AccessDeniedException

You do not have sufficient access to perform this action.

HTTP Status Code: 400

InternalServerException

The request processing has failed because of an unknown error, exception, or failure with an internal server.

HTTP Status Code: 400

ResourceNotFoundException

Indicates that a requested resource is not found.

HTTP Status Code: 400

ThrottlingException

Indicates that the principal has crossed the throttling limits of the API operations.

HTTP Status Code: 400

ValidationException

The request failed because it contains a syntax error.

HTTP Status Code: 400

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2


DescribeAccountAssignmentDeletionStatus

Describes the status of the assignment deletion request.

Request Syntax

{
   "AccountAssignmentDeletionRequestId": "string",
   "InstanceArn": "string"
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters (p. 111).

The request accepts the following data in JSON format.

AccountAssignmentDeletionRequestId (p. 29)

The identifier that is used to track the request operation progress.

Type: String

Pattern: \b[0-9a-f]{8}\b-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-\b[0-9a-f]{12}\b

Required: Yes

InstanceArn (p. 29)

The ARN of the SSO instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

Type: String

Length Constraints: Minimum length of 10. Maximum length of 1224.

Pattern: arn:aws:sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}

Required: Yes

Response Syntax

{
   "AccountAssignmentDeletionStatus": {
      "CreatedDate": number,
      "FailureReason": "string",
      "PermissionSetArn": "string",
      "PrincipalId": "string",
      "PrincipalType": "string",
      "RequestId": "string",
      "Status": "string",
      "TargetId": "string",
      "TargetType": "string"
   }
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

AccountAssignmentDeletionStatus (p. 29)

The status object for the account assignment deletion operation.

Type: AccountAssignmentOperationStatus (p. 98) object

Errors

For information about the errors that are common to all actions, see Common Errors (p. 113).

AccessDeniedException

You do not have sufficient access to perform this action.

HTTP Status Code: 400

InternalServerException

The request processing has failed because of an unknown error, exception, or failure with an internal server.

HTTP Status Code: 400

ResourceNotFoundException

Indicates that a requested resource is not found.

HTTP Status Code: 400

ThrottlingException

Indicates that the principal has crossed the throttling limits of the API operations.

HTTP Status Code: 400

ValidationException

The request failed because it contains a syntax error.

HTTP Status Code: 400

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2


DescribeInstanceAccessControlAttributeConfiguration

Returns the list of AWS SSO identity store attributes that have been configured to work with attributes-based access control (ABAC) for the specified AWS SSO instance. This will not return attributes configured and sent by an external identity provider. For more information about ABAC, see Attribute-Based Access Control in the AWS SSO User Guide.

Request Syntax

{
   "InstanceArn": "string"
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters (p. 111).

The request accepts the following data in JSON format.

InstanceArn (p. 32)

The ARN of the SSO instance under which the operation will be executed.

Type: String

Length Constraints: Minimum length of 10. Maximum length of 1224.

Pattern: arn:aws:sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}

Required: Yes

Response Syntax

{
   "InstanceAccessControlAttributeConfiguration": {
      "AccessControlAttributes": [
         {
            "Key": "string",
            "Value": {
               "Source": [ "string" ]
            }
         }
      ]
   },
   "Status": "string",
   "StatusReason": "string"
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.


InstanceAccessControlAttributeConfiguration (p. 32)

Gets the list of AWS SSO identity store attributes that have been added to your ABAC configuration.

Type: InstanceAccessControlAttributeConfiguration (p. 102) object

Status (p. 32)

The status of the attribute configuration process.

Type: String

Valid Values: ENABLED | CREATION_IN_PROGRESS | CREATION_FAILED

StatusReason (p. 32)

Provides more details about the current status of the specified attribute.

Type: String

Errors

For information about the errors that are common to all actions, see Common Errors (p. 113).

AccessDeniedException

You do not have sufficient access to perform this action.

HTTP Status Code: 400

InternalServerException

The request processing has failed because of an unknown error, exception, or failure with an internal server.

HTTP Status Code: 400

ResourceNotFoundException

Indicates that a requested resource is not found.

HTTP Status Code: 400

ThrottlingException

Indicates that the principal has crossed the throttling limits of the API operations.

HTTP Status Code: 400

ValidationException

The request failed because it contains a syntax error.

HTTP Status Code: 400

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++


DescribePermissionSet

Gets the details of the permission set.

Request Syntax

{
   "InstanceArn": "string",
   "PermissionSetArn": "string"
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters (p. 111).

The request accepts the following data in JSON format.

InstanceArn (p. 35)

The ARN of the SSO instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

Type: String

Length Constraints: Minimum length of 10. Maximum length of 1224.

Pattern: arn:aws:sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}

Required: Yes

PermissionSetArn (p. 35)

The ARN of the permission set.

Type: String

Length Constraints: Minimum length of 10. Maximum length of 1224.

Pattern: arn:aws:sso:::permissionSet/(sso)?ins-[a-zA-Z0-9-.]{16}/ps-[a-zA-Z0-9-./]{16}

Required: Yes

Response Syntax

{
   "PermissionSet": {
      "CreatedDate": number,
      "Description": "string",
      "Name": "string",
      "PermissionSetArn": "string",
      "RelayState": "string",
      "SessionDuration": "string"
   }
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

PermissionSet (p. 35)

Describes the level of access on an AWS account.

Type: PermissionSet (p. 105) object

Errors

For information about the errors that are common to all actions, see Common Errors (p. 113).

AccessDeniedException

You do not have sufficient access to perform this action.

HTTP Status Code: 400

InternalServerException

The request processing has failed because of an unknown error, exception, or failure with an internal server.

HTTP Status Code: 400

ResourceNotFoundException

Indicates that a requested resource is not found.

HTTP Status Code: 400

ThrottlingException

Indicates that the principal has crossed the throttling limits of the API operations.

HTTP Status Code: 400

ValidationException

The request failed because it contains a syntax error.

HTTP Status Code: 400

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2


DescribePermissionSetProvisioningStatus

Describes the status for the given permission set provisioning request.

Request Syntax

{
   "InstanceArn": "string",
   "ProvisionPermissionSetRequestId": "string"
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters (p. 111).

The request accepts the following data in JSON format.

InstanceArn (p. 38)

The ARN of the SSO instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

Type: String

Length Constraints: Minimum length of 10. Maximum length of 1224.

Pattern: arn:aws:sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}

Required: Yes

ProvisionPermissionSetRequestId (p. 38)

The identifier that is provided by the ProvisionPermissionSet (p. 76) call to retrieve the current status of the provisioning workflow.

Type: String

Pattern: \b[0-9a-f]{8}\b-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-\b[0-9a-f]{12}\b

Required: Yes

Response Syntax

{
   "PermissionSetProvisioningStatus": {
      "AccountId": "string",
      "CreatedDate": number,
      "FailureReason": "string",
      "PermissionSetArn": "string",
      "RequestId": "string",
      "Status": "string"
   }
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

PermissionSetProvisioningStatus (p. 38)

The status object for the permission set provisioning operation.

Type: PermissionSetProvisioningStatus (p. 107) object

Errors

For information about the errors that are common to all actions, see Common Errors (p. 113).

AccessDeniedException

You do not have sufficient access to perform this action.

HTTP Status Code: 400

InternalServerException

The request processing has failed because of an unknown error, exception, or failure with an internal server.

HTTP Status Code: 400

ResourceNotFoundException

Indicates that a requested resource is not found.

HTTP Status Code: 400

ThrottlingException

Indicates that the principal has crossed the throttling limits of the API operations.

HTTP Status Code: 400

ValidationException

The request failed because it contains a syntax error.

HTTP Status Code: 400

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for JavaScript
• AWS SDK for PHP V3


DetachManagedPolicyFromPermissionSet

Detaches the attached IAM managed policy ARN from the specified permission set.

Request Syntax

{
   "InstanceArn": "string",
   "ManagedPolicyArn": "string",
   "PermissionSetArn": "string"
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters (p. 111).

The request accepts the following data in JSON format.

InstanceArn (p. 41)

The ARN of the SSO instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

Type: String

Length Constraints: Minimum length of 10. Maximum length of 1224.

Pattern: arn:aws:sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}

Required: Yes

ManagedPolicyArn (p. 41)

The IAM managed policy ARN to be attached to a permission set.

Type: String

Length Constraints: Minimum length of 20. Maximum length of 2048.

Required: Yes

PermissionSetArn (p. 41)

The ARN of the PermissionSet (p. 105) from which the policy should be detached.

Type: String

Length Constraints: Minimum length of 10. Maximum length of 1224.

Pattern: arn:aws:sso:::permissionSet/(sso)?ins-[a-zA-Z0-9-.]{16}/ps-[a-zA-Z0-9-./]{16}

Required: Yes

Response Elements

If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.


Errors

For information about the errors that are common to all actions, see Common Errors (p. 113).

AccessDeniedException

You do not have sufficient access to perform this action.

HTTP Status Code: 400

ConflictException

Occurs when a conflict with a previous successful write is detected. This generally occurs when the previous write did not have time to propagate to the host serving the current request. A retry (with appropriate backoff logic) is the recommended response to this exception.

HTTP Status Code: 400

InternalServerException

The request processing has failed because of an unknown error, exception, or failure with an internal server.

HTTP Status Code: 400

ResourceNotFoundException

Indicates that a requested resource is not found.

HTTP Status Code: 400

ThrottlingException

Indicates that the principal has crossed the throttling limits of the API operations.

HTTP Status Code: 400

ValidationException

The request failed because it contains a syntax error.

HTTP Status Code: 400

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for JavaScript
• AWS SDK for PHP V3
• AWS SDK for Python
• AWS SDK for Ruby V3
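
One way to apply the retry advice given for ConflictException, as an added example that is not AWS code. It assumes the raised exception carries its error code the way botocore's ClientError does (`exc.response["Error"]["Code"]`); `FakeClientError`, `call_with_backoff` and the flaky stand-in for DetachManagedPolicyFromPermissionSet are names made up for this example.

```python
import random
import time


class FakeClientError(Exception):
    """Stand-in for botocore.exceptions.ClientError (assumed shape)."""

    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


def error_code(exc):
    """Extract the service error code, or None if the exception has none."""
    response = getattr(exc, "response", None)
    if isinstance(response, dict):
        return response.get("Error", {}).get("Code")
    return None


def call_with_backoff(operation, *, retry_on=("ConflictException",),
                      max_attempts=5, base_delay=0.2, max_delay=5.0,
                      sleep=time.sleep, rng=random.random):
    """Call operation(); retry only the listed error codes, with capped
    exponential backoff and full jitter. Every other error propagates at once,
    so AccessDeniedException or ValidationException is never retried."""
    for attempt in range(1, max_attempts + 1):
        try:
            return operation()
        except Exception as exc:
            if error_code(exc) not in retry_on or attempt == max_attempts:
                raise
            ceiling = min(max_delay, base_delay * 2 ** (attempt - 1))
            sleep(rng() * ceiling)


def make_flaky_detach(failures, code="ConflictException"):
    """Constructed stand-in for DetachManagedPolicyFromPermissionSet: raises
    `code` for the first `failures` calls, then returns an empty body."""
    state = {"calls": 0}

    def detach():
        state["calls"] += 1
        if state["calls"] <= failures:
            raise FakeClientError(code)
        return {}

    detach.state = state
    return detach


def demo():
    """Two conflicts, then success; returns (result, calls, recorded delays)."""
    delays = []
    detach = make_flaky_detach(2)
    # sleep and rng are injected so the run is instant and deterministic.
    result = call_with_backoff(detach, sleep=delays.append, rng=lambda: 1.0)
    return result, detach.state["calls"], delays


if __name__ == "__main__":
    print(demo())
```

With a real client, `operation` would be a zero-argument callable wrapping the detach call with its InstanceArn, ManagedPolicyArn and PermissionSetArn.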


GetInlinePolicyForPermissionSet

Obtains the inline policy assigned to the permission set.

Request Syntax

{
   "InstanceArn": "string",
   "PermissionSetArn": "string"
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters (p. 111).

The request accepts the following data in JSON format.

InstanceArn (p. 43)

The ARN of the SSO instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

Type: String

Length Constraints: Minimum length of 10. Maximum length of 1224.

Pattern: arn:aws:sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}

Required: Yes

PermissionSetArn (p. 43)

The ARN of the permission set.

Type: String

Length Constraints: Minimum length of 10. Maximum length of 1224.

Pattern: arn:aws:sso:::permissionSet/(sso)?ins-[a-zA-Z0-9-.]{16}/ps-[a-zA-Z0-9-./]{16}

Required: Yes

Response Syntax

{
   "InlinePolicy": "string"
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.


The following data is returned in JSON format by the service.

InlinePolicy (p. 43)

The IAM inline policy that is attached to the permission set.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 10240.

Pattern: [\u0009\u000A\u000D\u0020-\u00FF]+

Errors

For information about the errors that are common to all actions, see Common Errors (p. 113).

AccessDeniedException

You do not have sufficient access to perform this action.

HTTP Status Code: 400

InternalServerException

The request processing has failed because of an unknown error, exception, or failure with an internal server.

HTTP Status Code: 400

ResourceNotFoundException

Indicates that a requested resource is not found.

HTTP Status Code: 400

ThrottlingException

Indicates that the principal has crossed the throttling limits of the API operations.

HTTP Status Code: 400

ValidationException

The request failed because it contains a syntax error.

HTTP Status Code: 400

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for JavaScript
• AWS SDK for PHP V3
• AWS SDK for Python
• AWS SDK for Ruby V3


ListAccountAssignmentCreationStatus

Lists the status of the AWS account assignment creation requests for a specified SSO instance.

Request Syntax

{
   "Filter": {
      "Status": "string"
   },
   "InstanceArn": "string",
   "MaxResults": number,
   "NextToken": "string"
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters (p. 111).

The request accepts the following data in JSON format.

Filter (p. 46)

Filters results based on the passed attribute value.

Type: OperationStatusFilter (p. 104) object

Required: No

InstanceArn (p. 46)

The ARN of the SSO instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

Type: String

Length Constraints: Minimum length of 10. Maximum length of 1224.

Pattern: arn:aws:sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}

Required: Yes

MaxResults (p. 46)

The maximum number of results to display for the assignment.

Type: Integer

Valid Range: Minimum value of 1. Maximum value of 100.

Required: No

NextToken (p. 46)

The pagination token for the list API. Initially the value is null. Use the output of previous API calls to make subsequent calls.

Type: String


Length Constraints: Maximum length of 2048.

Pattern: ^[-a-zA-Z0-9+=/]*

Required: No

Response Syntax

{
   "AccountAssignmentsCreationStatus": [
      {
         "CreatedDate": number,
         "RequestId": "string",
         "Status": "string"
      }
   ],
   "NextToken": "string"
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

AccountAssignmentsCreationStatus (p. 47)

The status object for the account assignment creation operation.

Type: Array of AccountAssignmentOperationStatusMetadata (p. 100) objects

NextToken (p. 47)

The pagination token for the list API. Initially the value is null. Use the output of previous API calls to make subsequent calls.

Type: String

Length Constraints: Maximum length of 2048.

Pattern: ^[-a-zA-Z0-9+=/]*

Errors

For information about the errors that are common to all actions, see Common Errors (p. 113).

AccessDeniedException

You do not have sufficient access to perform this action.

HTTP Status Code: 400

InternalServerException

The request processing has failed because of an unknown error, exception, or failure with an internal server.

HTTP Status Code: 400

ResourceNotFoundException

Indicates that a requested resource is not found.

HTTP Status Code: 400

ThrottlingException

Indicates that the principal has crossed the throttling limits of the API operations.

HTTP Status Code: 400

ValidationException

The request failed because it contains a syntax error.

HTTP Status Code: 400

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for JavaScript
• AWS SDK for PHP V3
• AWS SDK for Python
• AWS SDK for Ruby V3


ListAccountAssignmentDeletionStatus

Lists the status of the AWS account assignment deletion requests for a specified SSO instance.

Request Syntax

{
   "Filter": {
      "Status": "string"
   },
   "InstanceArn": "string",
   "MaxResults": number,
   "NextToken": "string"
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters (p. 111).

The request accepts the following data in JSON format.

Filter (p. 49)

Filters results based on the passed attribute value.

Type: OperationStatusFilter (p. 104) object

Required: No

InstanceArn (p. 49)

The ARN of the SSO instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

Type: String

Length Constraints: Minimum length of 10. Maximum length of 1224.

Pattern: arn:aws:sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}

Required: Yes

MaxResults (p. 49)

The maximum number of results to display for the assignment.

Type: Integer

Valid Range: Minimum value of 1. Maximum value of 100.

Required: No

NextToken (p. 49)

The pagination token for the list API. Initially the value is null. Use the output of previous API calls to make subsequent calls.

Type: String


Length Constraints: Maximum length of 2048.

Pattern: ^[-a-zA-Z0-9+=/]*

Required: No

Response Syntax

{
   "AccountAssignmentsDeletionStatus": [
      {
         "CreatedDate": number,
         "RequestId": "string",
         "Status": "string"
      }
   ],
   "NextToken": "string"
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

AccountAssignmentsDeletionStatus (p. 50)

The status object for the account assignment deletion operation.

Type: Array of AccountAssignmentOperationStatusMetadata (p. 100) objects

NextToken (p. 50)

The pagination token for the list API. Initially the value is null. Use the output of previous API calls to make subsequent calls.

Type: String

Length Constraints: Maximum length of 2048.

Pattern: ^[-a-zA-Z0-9+=/]*

Errors

For information about the errors that are common to all actions, see Common Errors (p. 113).

AccessDeniedException

You do not have sufficient access to perform this action.

HTTP Status Code: 400

InternalServerException

The request processing has failed because of an unknown error, exception, or failure with an internal server.

HTTP Status Code: 400

ResourceNotFoundException

Indicates that a requested resource is not found.

HTTP Status Code: 400

ThrottlingException

Indicates that the principal has crossed the throttling limits of the API operations.

HTTP Status Code: 400

ValidationException

The request failed because it contains a syntax error.

HTTP Status Code: 400

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for JavaScript
• AWS SDK for PHP V3
• AWS SDK for Python
• AWS SDK for Ruby V3


ListAccountAssignments

Lists the assignee of the specified AWS account with the specified permission set.

Request Syntax

{
   "AccountId": "string",
   "InstanceArn": "string",
   "MaxResults": number,
   "NextToken": "string",
   "PermissionSetArn": "string"
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters (p. 111).

The request accepts the following data in JSON format.

AccountId (p. 52)

The identifier of the AWS account from which to list the assignments.

Type: String

Pattern: \d{12}

Required: Yes

InstanceArn (p. 52)

The ARN of the SSO instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

Type: String

Length Constraints: Minimum length of 10. Maximum length of 1224.

Pattern: arn:aws:sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}

Required: Yes

MaxResults (p. 52)

The maximum number of results to display for the assignment.

Type: Integer

Valid Range: Minimum value of 1. Maximum value of 100.

Required: No

NextToken (p. 52)

The pagination token for the list API. Initially the value is null. Use the output of previous API calls to make subsequent calls.

Type: String


Length Constraints: Maximum length of 2048.

Pattern: ^[-a-zA-Z0-9+=/]*

Required: No

PermissionSetArn (p. 52)

The ARN of the permission set from which to list assignments.

Type: String

Length Constraints: Minimum length of 10. Maximum length of 1224.

Pattern: arn:aws:sso:::permissionSet/(sso)?ins-[a-zA-Z0-9-.]{16}/ps-[a-zA-Z0-9-./]{16}

Required: Yes
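
A client-side check of a ListAccountAssignments request against the constraints listed above, as an added example that is not part of the AWS reference. The documented patterns carry no end anchors, so the check applies them as full matches; the function and constant names are this example's own, and the sample values are constructed.

```python
import re

# Patterns copied from the parameter descriptions above. As documented they
# have no end anchor, so they are applied with fullmatch(): search() would
# accept any string that merely contains a valid value.
INSTANCE_ARN = re.compile(r"arn:aws:sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}")
PERMISSION_SET_ARN = re.compile(
    r"arn:aws:sso:::permissionSet/(sso)?ins-[a-zA-Z0-9-.]{16}/ps-[a-zA-Z0-9-./]{16}"
)
# re.ASCII keeps \d to 0-9; without it Python also accepts other Unicode digits.
ACCOUNT_ID = re.compile(r"\d{12}", re.ASCII)
NEXT_TOKEN = re.compile(r"^[-a-zA-Z0-9+=/]*")

# name -> (pattern, min length, max length, required); None means "not stated".
RULES = {
    "AccountId": (ACCOUNT_ID, None, None, True),
    "InstanceArn": (INSTANCE_ARN, 10, 1224, True),
    "PermissionSetArn": (PERMISSION_SET_ARN, 10, 1224, True),
    "NextToken": (NEXT_TOKEN, None, 2048, False),
}


def validate_list_account_assignments(params):
    """Return a list of problems; an empty list means the request is well formed."""
    problems = []
    for name in params:
        if name not in RULES and name != "MaxResults":
            problems.append(f"{name}: unknown parameter")
    for name, (pattern, lo, hi, required) in RULES.items():
        value = params.get(name)
        if value is None:
            if required:
                problems.append(f"{name}: required")
            continue
        if not isinstance(value, str):
            problems.append(f"{name}: must be a string")
            continue
        if lo is not None and len(value) < lo:
            problems.append(f"{name}: shorter than {lo}")
        if hi is not None and len(value) > hi:
            problems.append(f"{name}: longer than {hi}")
        # fullmatch rather than a hand-added "$": in Python "$" also matches
        # just before a trailing newline.
        if not pattern.fullmatch(value):
            problems.append(f"{name}: does not match documented pattern")
    max_results = params.get("MaxResults")
    if max_results is not None:
        # bool is a subclass of int in Python; reject it explicitly.
        if isinstance(max_results, bool) or not isinstance(max_results, int):
            problems.append("MaxResults: must be an integer")
        elif not 1 <= max_results <= 100:
            problems.append("MaxResults: outside 1..100")
    return problems


# Constructed sample values (placeholders, not real identifiers).
GOOD = {
    "AccountId": "123456789012",
    "InstanceArn": "arn:aws:sso:::instance/ssoins-0123456789abcdef",
    "PermissionSetArn": "arn:aws:sso:::permissionSet/ssoins-0123456789abcdef/ps-0123456789abcdef",
    "MaxResults": 50,
}
# Same request with extra text appended to the instance ARN and an
# out-of-range page size.
BAD = dict(GOOD, InstanceArn=GOOD["InstanceArn"] + "/../other", MaxResults=500)

if __name__ == "__main__":
    print(validate_list_account_assignments(GOOD))
    print(validate_list_account_assignments(BAD))
```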

Response Syntax

{
   "AccountAssignments": [
      {
         "AccountId": "string",
         "PermissionSetArn": "string",
         "PrincipalId": "string",
         "PrincipalType": "string"
      }
   ],
   "NextToken": "string"
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

AccountAssignments (p. 53)

The list of assignments that match the input AWS account and permission set.

Type: Array of AccountAssignment (p. 96) objects

NextToken (p. 53)

The pagination token for the list API. Initially the value is null. Use the output of previous API calls to make subsequent calls.

Type: String

Length Constraints: Maximum length of 2048.

Pattern: ^[-a-zA-Z0-9+=/]*

Errors

For information about the errors that are common to all actions, see Common Errors (p. 113).

AccessDeniedException

You do not have sufficient access to perform this action.

HTTP Status Code: 400

InternalServerException

The request processing has failed because of an unknown error, exception, or failure with an internal server.

HTTP Status Code: 400

ResourceNotFoundException

Indicates that a requested resource is not found.

HTTP Status Code: 400

ThrottlingException

Indicates that the principal has crossed the throttling limits of the API operations.

HTTP Status Code: 400

ValidationException

The request failed because it contains a syntax error.

HTTP Status Code: 400

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for JavaScript
• AWS SDK for PHP V3
• AWS SDK for Python
• AWS SDK for Ruby V3


ListAccountsForProvisionedPermissionSet

Lists all the AWS accounts where the specified permission set is provisioned.

Request Syntax

{
   "InstanceArn": "string",
   "MaxResults": number,
   "NextToken": "string",
   "PermissionSetArn": "string",
   "ProvisioningStatus": "string"
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters (p. 111).

The request accepts the following data in JSON format.

InstanceArn (p. 55)

The ARN of the SSO instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

Type: String

Length Constraints: Minimum length of 10. Maximum length of 1224.

Pattern: arn:aws:sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}

Required: Yes

MaxResults (p. 55)

The maximum number of results to display for the PermissionSet (p. 105).

Type: Integer

Valid Range: Minimum value of 1. Maximum value of 100.

Required: No

NextToken (p. 55)

The pagination token for the list API. Initially the value is null. Use the output of previous API calls to make subsequent calls.

Type: String

Length Constraints: Maximum length of 2048.

Pattern: ^[-a-zA-Z0-9+=/]*

Required: No

PermissionSetArn (p. 55)

The ARN of the PermissionSet (p. 105) from which the associated AWS accounts will be listed.


Type: String

Length Constraints: Minimum length of 10. Maximum length of 1224.

Pattern: arn:aws:sso:::permissionSet/(sso)?ins-[a-zA-Z0-9-.]{16}/ps-[a-zA-Z0-9-./]{16}

Required: Yes

ProvisioningStatus (p. 55)

The permission set provisioning status for an AWS account.

Type: String

Valid Values: LATEST_PERMISSION_SET_PROVISIONED | LATEST_PERMISSION_SET_NOT_PROVISIONED

Required: No

Response Syntax

{
   "AccountIds": [ "string" ],
   "NextToken": "string"
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

AccountIds (p. 56)

The list of AWS AccountIds.

Type: Array of strings

Pattern: \d{12}

NextToken (p. 56)

The pagination token for the list API. Initially the value is null. Use the output of previous API calls to make subsequent calls.

Type: String

Length Constraints: Maximum length of 2048.

Pattern: ^[-a-zA-Z0-9+=/]*

Errors

For information about the errors that are common to all actions, see Common Errors (p. 113).

AccessDeniedException

You do not have sufficient access to perform this action.


HTTP Status Code: 400

InternalServerException

The request processing has failed because of an unknown error, exception, or failure with an internal server.

HTTP Status Code: 400

ResourceNotFoundException

Indicates that a requested resource is not found.

HTTP Status Code: 400

ThrottlingException

Indicates that the principal has crossed the throttling limits of the API operations.

HTTP Status Code: 400

ValidationException

The request failed because it contains a syntax error.

HTTP Status Code: 400

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for JavaScript
• AWS SDK for PHP V3
• AWS SDK for Python
• AWS SDK for Ruby V3


ListInstances

Lists the SSO instances that the caller has access to.

Request Syntax

{
   "MaxResults": number,
   "NextToken": "string"
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters (p. 111).

The request accepts the following data in JSON format.

MaxResults (p. 58)

The maximum number of results to display for the instance.

Type: Integer

Valid Range: Minimum value of 1. Maximum value of 100.

Required: No

NextToken (p. 58)

The pagination token for the list API. Initially the value is null. Use the output of previous API calls to make subsequent calls.

Type: String

Length Constraints: Maximum length of 2048.

Pattern: ^[-a-zA-Z0-9+=/]*

Required: No

Response Syntax

{
   "Instances": [
      {
         "IdentityStoreId": "string",
         "InstanceArn": "string"
      }
   ],
   "NextToken": "string"
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.


The following data is returned in JSON format by the service.

Instances (p. 58)

Lists the SSO instances that the caller has access to.

Type: Array of InstanceMetadata (p. 103) objects

NextToken (p. 58)

The pagination token for the list API. Initially the value is null. Use the output of previous API calls to make subsequent calls.

Type: String

Length Constraints: Maximum length of 2048.

Pattern: ^[-a-zA-Z0-9+=/]*

Errors

For information about the errors that are common to all actions, see Common Errors (p. 113).

AccessDeniedException

You do not have sufficient access to perform this action.

HTTP Status Code: 400

InternalServerException

The request processing has failed because of an unknown error, exception, or failure with an internal server.

HTTP Status Code: 400

ThrottlingException

Indicates that the principal has crossed the throttling limits of the API operations.

HTTP Status Code: 400

ValidationException

The request failed because it contains a syntax error.

HTTP Status Code: 400

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for JavaScript
• AWS SDK for PHP V3


ListManagedPoliciesInPermissionSet

Lists the IAM managed policy that is attached to a specified permission set.

Request Syntax

{
   "InstanceArn": "string",
   "MaxResults": number,
   "NextToken": "string",
   "PermissionSetArn": "string"
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters (p. 111).

The request accepts the following data in JSON format.

InstanceArn (p. 61)

The ARN of the SSO instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

Type: String

Length Constraints: Minimum length of 10. Maximum length of 1224.

Pattern: arn:aws:sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}

Required: Yes

MaxResults (p. 61)

The maximum number of results to display for the PermissionSet (p. 105).

Type: Integer

Valid Range: Minimum value of 1. Maximum value of 100.

Required: No

NextToken (p. 61)

The pagination token for the list API. Initially the value is null. Use the output of previous API calls to make subsequent calls.

Type: String

Length Constraints: Maximum length of 2048.

Pattern: ^[-a-zA-Z0-9+=/]*

Required: No

PermissionSetArn (p. 61)

The ARN of the PermissionSet (p. 105) whose managed policies will be listed.


Type: String

Length Constraints: Minimum length of 10. Maximum length of 1224.

Pattern: arn:aws:sso:::permissionSet/(sso)?ins-[a-zA-Z0-9-.]{16}/ps-[a-zA-Z0-9-./]{16}

Required: Yes

Response Syntax

{
   "AttachedManagedPolicies": [
      {
         "Arn": "string",
         "Name": "string"
      }
   ],
   "NextToken": "string"
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

AttachedManagedPolicies (p. 62)

The array of the AttachedManagedPolicy (p. 101) data type object.

Type: Array of AttachedManagedPolicy (p. 101) objects

NextToken (p. 62)

The pagination token for the list API. Initially the value is null. Use the output of previous API calls to make subsequent calls.

Type: String

Length Constraints: Maximum length of 2048.

Pattern: ^[-a-zA-Z0-9+=/]*

Errors

For information about the errors that are common to all actions, see Common Errors (p. 113).

AccessDeniedException

You do not have sufficient access to perform this action.

HTTP Status Code: 400

InternalServerException

The request processing has failed because of an unknown error, exception, or failure with an internal server.


HTTP Status Code: 400

ResourceNotFoundException

Indicates that a requested resource is not found.

HTTP Status Code: 400

ThrottlingException

Indicates that the principal has crossed the throttling limits of the API operations.

HTTP Status Code: 400

ValidationException

The request failed because it contains a syntax error.

HTTP Status Code: 400

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for JavaScript
• AWS SDK for PHP V3
• AWS SDK for Python
• AWS SDK for Ruby V3


ListPermissionSetProvisioningStatus

Lists the status of the permission set provisioning requests for a specified SSO instance.

Request Syntax

{
   "Filter": {
      "Status": "string"
   },
   "InstanceArn": "string",
   "MaxResults": number,
   "NextToken": "string"
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters (p. 111).

The request accepts the following data in JSON format.

Filter (p. 64)

Filters results based on the passed attribute value.

Type: OperationStatusFilter (p. 104) object

Required: No

InstanceArn (p. 64)

The ARN of the SSO instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

Type: String

Length Constraints: Minimum length of 10. Maximum length of 1224.

Pattern: arn:aws:sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}

Required: Yes

MaxResults (p. 64)

The maximum number of results to display for the assignment.

Type: Integer

Valid Range: Minimum value of 1. Maximum value of 100.

Required: No

NextToken (p. 64)

The pagination token for the list API. Initially the value is null. Use the output of previous API calls to make subsequent calls.

Type: String


Length Constraints: Maximum length of 2048.

Pattern: ^[-a-zA-Z0-9+=/]*

Required: No

Response Syntax

{
   "NextToken": "string",
   "PermissionSetsProvisioningStatus": [
      {
         "CreatedDate": number,
         "RequestId": "string",
         "Status": "string"
      }
   ]
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

NextToken (p. 65)

The pagination token for the list API. Initially the value is null. Use the output of previous API calls to make subsequent calls.

Type: String

Length Constraints: Maximum length of 2048.

Pattern: ^[-a-zA-Z0-9+=/]*

PermissionSetsProvisioningStatus (p. 65)

The status object for the permission set provisioning operation.

Type: Array of PermissionSetProvisioningStatusMetadata (p. 109) objects

Errors

For information about the errors that are common to all actions, see Common Errors (p. 113).

AccessDeniedException

You do not have sufficient access to perform this action.

HTTP Status Code: 400

InternalServerException

The request processing has failed because of an unknown error, exception, or failure with an internal server.

HTTP Status Code: 400


ResourceNotFoundException

Indicates that a requested resource is not found.

HTTP Status Code: 400

ThrottlingException

Indicates that the principal has crossed the throttling limits of the API operations.

HTTP Status Code: 400

ValidationException

The request failed because it contains a syntax error.

HTTP Status Code: 400

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for JavaScript
• AWS SDK for PHP V3
• AWS SDK for Python
• AWS SDK for Ruby V3


ListPermissionSets

Lists the PermissionSets (p. 105) in an SSO instance.

Request Syntax

{
   "InstanceArn": "string",
   "MaxResults": number,
   "NextToken": "string"
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters (p. 111).

The request accepts the following data in JSON format.

InstanceArn (p. 67)

The ARN of the SSO instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

Type: String

Length Constraints: Minimum length of 10. Maximum length of 1224.

Pattern: arn:aws:sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}

Required: Yes

MaxResults (p. 67)

The maximum number of results to display for the assignment.

Type: Integer

Valid Range: Minimum value of 1. Maximum value of 100.

Required: No

NextToken (p. 67)

The pagination token for the list API. Initially the value is null. Use the output of previous API calls to make subsequent calls.

Type: String

Length Constraints: Maximum length of 2048.

Pattern: ^[-a-zA-Z0-9+=/]*

Required: No

Response Syntax

{
   "NextToken": "string",
   "PermissionSets": [ "string" ]
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

NextToken (p. 67)

The pagination token for the list API. Initially the value is null. Use the output of previous API calls to make subsequent calls.

Type: String

Length Constraints: Maximum length of 2048.

Pattern: ^[-a-zA-Z0-9+=/]*

PermissionSets (p. 67)

Defines the level of access on an AWS account.

Type: Array of strings

Length Constraints: Minimum length of 10. Maximum length of 1224.

Pattern: arn:aws:sso:::permissionSet/(sso)?ins-[a-zA-Z0-9-.]{16}/ps-[a-zA-Z0-9-./]{16}

Errors

For information about the errors that are common to all actions, see Common Errors (p. 113).

AccessDeniedException

You do not have sufficient access to perform this action.

HTTP Status Code: 400

InternalServerException

The request processing has failed because of an unknown error, exception, or failure with an internal server.

HTTP Status Code: 400

ResourceNotFoundException

Indicates that a requested resource is not found.

HTTP Status Code: 400

ThrottlingException

Indicates that the principal has crossed the throttling limits of the API operations.

HTTP Status Code: 400
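One audit built from ListPermissionSets and ListAccountsForProvisionedPermissionSet, as an added example that is not part of the AWS reference: it follows NextToken to the last page and reports accounts where the latest permission set has not been provisioned. The snake_case method names are those of the AWS SDK for Python `sso-admin` client; `FakeSsoAdmin`, the ARNs and the account IDs are constructed stand-ins so the code runs offline.

```python
"""Added example (not AWS code): report accounts where a permission set's
latest version has not been provisioned, following NextToken pagination."""
from typing import Any, Callable, Dict, Iterator, List


def paginate(call: Callable[..., Dict[str, Any]], result_key: str,
             **params: Any) -> Iterator[Any]:
    """Yield every item under result_key, following NextToken to the end."""
    token = None
    seen = set()
    while True:
        kwargs = dict(params)
        if token is not None:          # first call: NextToken is omitted
            kwargs["NextToken"] = token
        page = call(**kwargs)
        yield from page.get(result_key, [])
        token = page.get("NextToken")
        if not token:                  # absent or empty token: last page
            return
        if token in seen:              # defensive: never loop on a repeat
            raise RuntimeError("NextToken repeated; aborting pagination")
        seen.add(token)


def stale_provisioning(client: Any, instance_arn: str) -> Dict[str, List[str]]:
    """Map permission set ARN -> account IDs not on the latest version."""
    report: Dict[str, List[str]] = {}
    for ps_arn in paginate(client.list_permission_sets, "PermissionSets",
                           InstanceArn=instance_arn, MaxResults=100):
        accounts = sorted(paginate(
            client.list_accounts_for_provisioned_permission_set, "AccountIds",
            InstanceArn=instance_arn, PermissionSetArn=ps_arn,
            ProvisioningStatus="LATEST_PERMISSION_SET_NOT_PROVISIONED",
            MaxResults=100))
        if accounts:
            report[ps_arn] = accounts
    return report


# --- Constructed stand-in for the SDK client so the example runs offline ---
INSTANCE = "arn:aws:sso:::instance/ssoins-0123456789abcdef"
PS_ADMIN = ("arn:aws:sso:::permissionSet/ssoins-0123456789abcdef"
            "/ps-0123456789abcdef")
PS_READ = ("arn:aws:sso:::permissionSet/ssoins-0123456789abcdef"
           "/ps-fedcba9876543210")


class FakeSsoAdmin:
    """Serves constructed data one item per page to exercise NextToken.
    Real tokens are opaque; the integer offsets here are only for the fake."""

    def __init__(self) -> None:
        self.permission_sets = [PS_ADMIN, PS_READ]
        self.stale = {PS_ADMIN: ["222222222222", "111111111111"], PS_READ: []}
        self.calls = 0

    def _page(self, items: List[str], key: str, token: Any) -> Dict[str, Any]:
        self.calls += 1
        start = int(token) if token else 0
        out: Dict[str, Any] = {key: items[start:start + 1]}
        if start + 1 < len(items):
            out["NextToken"] = str(start + 1)
        return out

    def list_permission_sets(self, InstanceArn, MaxResults=None,
                             NextToken=None):
        return self._page(self.permission_sets, "PermissionSets", NextToken)

    def list_accounts_for_provisioned_permission_set(
            self, InstanceArn, PermissionSetArn, ProvisioningStatus=None,
            MaxResults=None, NextToken=None):
        return self._page(self.stale[PermissionSetArn], "AccountIds",
                          NextToken)


if __name__ == "__main__":
    for ps, accts in stale_provisioning(FakeSsoAdmin(), INSTANCE).items():
        print(ps, accts)
```

Against a real environment, pass an SDK `sso-admin` client in place of `FakeSsoAdmin`; a non-empty report means those accounts still carry an older version of the permission set's policy.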


ListPermissionSetsProvisionedToAccount

Lists all the permission sets that are provisioned to a specified AWS account.

Request Syntax

{
   "AccountId": "string",
   "InstanceArn": "string",
   "MaxResults": number,
   "NextToken": "string",
   "ProvisioningStatus": "string"
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters (p. 111).

The request accepts the following data in JSON format.

AccountId (p. 70)

The identifier of the AWS account from which to list the assignments.

Type: String

Pattern: \d{12}

Required: Yes

InstanceArn (p. 70)

The ARN of the SSO instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

Type: String

Length Constraints: Minimum length of 10. Maximum length of 1224.

Pattern: arn:aws:sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}

Required: Yes

MaxResults (p. 70)

The maximum number of results to display for the assignment.

Type: Integer

Valid Range: Minimum value of 1. Maximum value of 100.

Required: No

NextToken (p. 70)

The pagination token for the list API. Initially the value is null. Use the output of previous API calls to make subsequent calls.


Type: String

Length Constraints: Maximum length of 2048.

Pattern: ^[-a-zA-Z0-9+=/]*

Required: No

ProvisioningStatus (p. 70)

The status object for the permission set provisioning operation.

Type: String

Valid Values: LATEST_PERMISSION_SET_PROVISIONED | LATEST_PERMISSION_SET_NOT_PROVISIONED

Required: No

Response Syntax

{
   "NextToken": "string",
   "PermissionSets": [ "string" ]
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

NextToken (p. 71)

The pagination token for the list API. Initially the value is null. Use the output of previous API calls to make subsequent calls.

Type: String

Length Constraints: Maximum length of 2048.

Pattern: ^[-a-zA-Z0-9+=/]*

PermissionSets (p. 71)

Defines the level of access that an AWS account has.

Type: Array of strings

Length Constraints: Minimum length of 10. Maximum length of 1224.

Pattern: arn:aws:sso:::permissionSet/(sso)?ins-[a-zA-Z0-9-.]{16}/ps-[a-zA-Z0-9-./]{16}

Errors

For information about the errors that are common to all actions, see Common Errors (p. 113).


AccessDeniedException

You do not have sufficient access to perform this action.

HTTP Status Code: 400

InternalServerException

The request processing has failed because of an unknown error, exception, or failure with an internal server.

HTTP Status Code: 400

ResourceNotFoundException

Indicates that a requested resource is not found.

HTTP Status Code: 400

ThrottlingException

Indicates that the principal has crossed the throttling limits of the API operations.

HTTP Status Code: 400

ValidationException

The request failed because it contains a syntax error.

HTTP Status Code: 400

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for JavaScript
• AWS SDK for PHP V3
• AWS SDK for Python
• AWS SDK for Ruby V3


ListTagsForResource

Lists the tags that are attached to a specified resource.

Request Syntax

{
   "InstanceArn": "string",
   "NextToken": "string",
   "ResourceArn": "string"
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters (p. 111).

The request accepts the following data in JSON format.

InstanceArn (p. 73)

The ARN of the SSO instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

Type: String

Length Constraints: Minimum length of 10. Maximum length of 1224.

Pattern: arn:aws:sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}

Required: Yes

NextToken (p. 73)

The pagination token for the list API. Initially the value is null. Use the output of previous API calls to make subsequent calls.

Type: String

Length Constraints: Maximum length of 2048.

Pattern: ^[-a-zA-Z0-9+=/]*

Required: No

ResourceArn (p. 73)

The ARN of the resource with the tags to be listed.

Type: String

Length Constraints: Minimum length of 10. Maximum length of 2048.

Pattern: arn:aws:sso:([a-zA-Z0-9-]+)?:(\d{12})?:[a-zA-Z0-9-]+/[a-zA-Z0-9-/.]+

Required: Yes


Response Syntax

{
   "NextToken": "string",
   "Tags": [
      {
         "Key": "string",
         "Value": "string"
      }
   ]
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

NextToken (p. 74)

The pagination token for the list API. Initially the value is null. Use the output of previous API calls to make subsequent calls.

Type: String

Length Constraints: Maximum length of 2048.

Pattern: ^[-a-zA-Z0-9+=/]*

Tags (p. 74)

A set of key-value pairs that are used to manage the resource.

Type: Array of Tag (p. 110) objects

Array Members: Minimum number of 0 items. Maximum number of 50 items.

Errors

For information about the errors that are common to all actions, see Common Errors (p. 113).

AccessDeniedException

You do not have sufficient access to perform this action.

HTTP Status Code: 400

InternalServerException

The request processing has failed because of an unknown error, exception, or failure with an internal server.

HTTP Status Code: 400

ResourceNotFoundException

Indicates that a requested resource is not found.

HTTP Status Code: 400


ThrottlingException

Indicates that the principal has crossed the throttling limits of the API operations.

HTTP Status Code: 400

ValidationException

The request failed because it contains a syntax error.

HTTP Status Code: 400

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for JavaScript
• AWS SDK for PHP V3
• AWS SDK for Python
• AWS SDK for Ruby V3


ProvisionPermissionSet

The process by which a specified permission set is provisioned to the specified target.

Request Syntax

{
   "InstanceArn": "string",
   "PermissionSetArn": "string",
   "TargetId": "string",
   "TargetType": "string"
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters (p. 111).

The request accepts the following data in JSON format.

InstanceArn (p. 76)

The ARN of the SSO instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

Type: String

Length Constraints: Minimum length of 10. Maximum length of 1224.

Pattern: arn:aws:sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}

Required: Yes

PermissionSetArn (p. 76)

The ARN of the permission set.

Type: String

Length Constraints: Minimum length of 10. Maximum length of 1224.

Pattern: arn:aws:sso:::permissionSet/(sso)?ins-[a-zA-Z0-9-.]{16}/ps-[a-zA-Z0-9-./]{16}

Required: Yes

TargetId (p. 76)

TargetID is an AWS account identifier, typically a 10-12 digit string (for example, 123456789012).

Type: String

Pattern: \d{12}

Required: No

TargetType (p. 76)

The entity type for which the assignment will be created.


Type: String

Valid Values: AWS_ACCOUNT | ALL_PROVISIONED_ACCOUNTS

Required: Yes

Response Syntax

{
   "PermissionSetProvisioningStatus": {
      "AccountId": "string",
      "CreatedDate": number,
      "FailureReason": "string",
      "PermissionSetArn": "string",
      "RequestId": "string",
      "Status": "string"
   }
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

PermissionSetProvisioningStatus (p. 77)

The status object for the permission set provisioning operation.

Type: PermissionSetProvisioningStatus (p. 107) object

Errors

For information about the errors that are common to all actions, see Common Errors (p. 113).

AccessDeniedException

You do not have sufficient access to perform this action.

HTTP Status Code: 400

ConflictException

Occurs when a conflict with a previous successful write is detected. This generally occurs when the previous write did not have time to propagate to the host serving the current request. A retry (with appropriate backoff logic) is the recommended response to this exception.

HTTP Status Code: 400

InternalServerException

The request processing has failed because of an unknown error, exception, or failure with an internal server.

HTTP Status Code: 400

ResourceNotFoundException

Indicates that a requested resource is not found.


HTTP Status Code: 400

ThrottlingException

Indicates that the principal has crossed the throttling limits of the API operations.

HTTP Status Code: 400

ValidationException

The request failed because it contains a syntax error.

HTTP Status Code: 400

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for JavaScript
• AWS SDK for PHP V3
• AWS SDK for Python
• AWS SDK for Ruby V3


PutInlinePolicyToPermissionSet

Attaches an IAM inline policy to a permission set.

Note

If the permission set is already referenced by one or more account assignments, you will need to call ProvisionPermissionSet (p. 76) after this action to apply the corresponding IAM policy updates to all assigned accounts.

Request Syntax

{
   "InlinePolicy": "string",
   "InstanceArn": "string",
   "PermissionSetArn": "string"
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters (p. 111).

The request accepts the following data in JSON format.

InlinePolicy (p. 79)

The IAM inline policy to attach to a PermissionSet (p. 105).

Type: String

Length Constraints: Minimum length of 1. Maximum length of 10240.

Pattern: [\u0009\u000A\u000D\u0020-\u00FF]+

Required: Yes

InstanceArn (p. 79)

The ARN of the SSO instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

Type: String

Length Constraints: Minimum length of 10. Maximum length of 1224.

Pattern: arn:aws:sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}

Required: Yes

PermissionSetArn (p. 79)

The ARN of the permission set.

Type: String

Length Constraints: Minimum length of 10. Maximum length of 1224.

Pattern: arn:aws:sso:::permissionSet/(sso)?ins-[a-zA-Z0-9-.]{16}/ps-[a-zA-Z0-9-./]{16}


Required: Yes

Response Elements

If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

Errors

For information about the errors that are common to all actions, see Common Errors (p. 113).

AccessDeniedException

You do not have sufficient access to perform this action.

HTTP Status Code: 400

ConflictException

Occurs when a conflict with a previous successful write is detected. This generally occurs when the previous write did not have time to propagate to the host serving the current request. A retry (with appropriate backoff logic) is the recommended response to this exception.

HTTP Status Code: 400

InternalServerException

The request processing has failed because of an unknown error, exception, or failure with an internal server.

HTTP Status Code: 400

ResourceNotFoundException

Indicates that a requested resource is not found.

HTTP Status Code: 400

ServiceQuotaExceededException

Indicates that the principal has crossed the permitted number of resources that can be created.

HTTP Status Code: 400

ThrottlingException

Indicates that the principal has crossed the throttling limits of the API operations.

HTTP Status Code: 400

ValidationException

The request failed because it contains a syntax error.

HTTP Status Code: 400

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface
• AWS SDK for .NET
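The sequence in the Note for PutInlinePolicyToPermissionSet, with the retry that ConflictException recommends, as an added example that is not part of the AWS reference. The snake_case method names are those of the AWS SDK for Python `sso-admin` client; `FakeSsoAdmin`, `FakeConflict`, the ARNs, the policy and the returned status are constructed, and using ListAccountsForProvisionedPermissionSet to decide whether re-provisioning is needed is an assumption of this example.

```python
"""Added example (not AWS code): put an inline policy on a permission set,
then re-provision it, retrying ConflictException with exponential backoff."""
import json
import re
import time
from typing import Any, Callable, Dict, List, Optional

# Documented InlinePolicy constraints: 1..10240 characters from this class.
INLINE_POLICY_RE = re.compile(r"[\u0009\u000A\u000D\u0020-\u00FF]+")
MAX_POLICY_LEN = 10240


def error_code(exc: Exception) -> Optional[str]:
    """Service error code, read the way botocore's ClientError exposes it."""
    return getattr(exc, "response", {}).get("Error", {}).get("Code")


def with_conflict_retry(call: Callable[[], Any], attempts: int = 5,
                        base_delay: float = 0.5,
                        sleep: Callable[[float], None] = time.sleep) -> Any:
    """Run call(); on ConflictException sleep base_delay * 2**n, then retry."""
    if attempts < 1:
        raise ValueError("attempts must be at least 1")
    for n in range(attempts):
        try:
            return call()
        except Exception as exc:
            # Any other error, or the final attempt, propagates unchanged.
            if error_code(exc) != "ConflictException" or n == attempts - 1:
                raise
            sleep(base_delay * 2 ** n)


def put_policy_and_provision(client: Any, instance_arn: str,
                             permission_set_arn: str, policy: Dict[str, Any],
                             **retry: Any) -> Optional[Dict[str, Any]]:
    """Return the provisioning status, or None if no account needed it."""
    text = json.dumps(policy, separators=(",", ":"))
    if len(text) > MAX_POLICY_LEN or not INLINE_POLICY_RE.fullmatch(text):
        raise ValueError("policy violates the documented InlinePolicy limits")
    ids = {"InstanceArn": instance_arn, "PermissionSetArn": permission_set_arn}
    with_conflict_retry(
        lambda: client.put_inline_policy_to_permission_set(
            InlinePolicy=text, **ids), **retry)
    # Assumption: "provisioned to at least one account" stands in for
    # "referenced by one or more account assignments" in the Note.
    page = client.list_accounts_for_provisioned_permission_set(
        MaxResults=1, **ids)
    if not page.get("AccountIds"):
        return None
    resp = with_conflict_retry(
        lambda: client.provision_permission_set(
            TargetType="ALL_PROVISIONED_ACCOUNTS", **ids), **retry)
    return resp["PermissionSetProvisioningStatus"]


# --- Constructed inputs and a stand-in client so the example runs offline ---
INSTANCE = "arn:aws:sso:::instance/ssoins-0123456789abcdef"
PS = "arn:aws:sso:::permissionSet/ssoins-0123456789abcdef/ps-0123456789abcdef"
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]}


class FakeConflict(Exception):
    """Constructed exception shaped like botocore's ClientError."""
    response = {"Error": {"Code": "ConflictException"}}


class FakeSsoAdmin:
    """Fails the first `conflicts` provisioning calls with a conflict."""

    def __init__(self, conflicts: int, accounts: List[str]) -> None:
        self.conflicts = conflicts
        self.accounts = accounts
        self.log: List[str] = []

    def put_inline_policy_to_permission_set(self, **kw: Any) -> Dict:
        self.log.append("put")
        return {}

    def list_accounts_for_provisioned_permission_set(self, **kw: Any) -> Dict:
        self.log.append("list")
        return {"AccountIds": self.accounts[:kw.get("MaxResults")]}

    def provision_permission_set(self, **kw: Any) -> Dict:
        self.log.append("provision")
        if self.conflicts > 0:
            self.conflicts -= 1
            raise FakeConflict()
        return {"PermissionSetProvisioningStatus": {
            "Status": "IN_PROGRESS", "PermissionSetArn": kw["PermissionSetArn"]}}


if __name__ == "__main__":
    fake = FakeSsoAdmin(conflicts=2, accounts=["111111111111"])
    print(put_policy_and_provision(fake, INSTANCE, PS, POLICY,
                                   sleep=lambda s: None), fake.log)
```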


TagResource

Associates a set of tags with a specified resource.

Request Syntax

{
   "InstanceArn": "string",
   "ResourceArn": "string",
   "Tags": [
      {
         "Key": "string",
         "Value": "string"
      }
   ]
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters (p. 111).

The request accepts the following data in JSON format.

InstanceArn (p. 82)

The ARN of the SSO instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

Type: String

Length Constraints: Minimum length of 10. Maximum length of 1224.

Pattern: arn:aws:sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}

Required: Yes

ResourceArn (p. 82)

The ARN of the resource with the tags to be listed.

Type: String

Length Constraints: Minimum length of 10. Maximum length of 2048.

Pattern: arn:aws:sso:([a-zA-Z0-9-]+)?:(\d{12})?:[a-zA-Z0-9-]+/[a-zA-Z0-9-/.]+

Required: Yes

Tags (p. 82)

A set of key-value pairs that are used to manage the resource.

Type: Array of Tag (p. 110) objects

Array Members: Minimum number of 0 items. Maximum number of 50 items.

Required: Yes


Response Elements

If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

Errors

For information about the errors that are common to all actions, see Common Errors (p. 113).

AccessDeniedException

You do not have sufficient access to perform this action.

HTTP Status Code: 400

ConflictException

Occurs when a conflict with a previous successful write is detected. This generally occurs when the previous write did not have time to propagate to the host serving the current request. A retry (with appropriate backoff logic) is the recommended response to this exception.

HTTP Status Code: 400

InternalServerException

The request processing has failed because of an unknown error, exception, or failure with an internal server.

HTTP Status Code: 400

ResourceNotFoundException

Indicates that a requested resource is not found.

HTTP Status Code: 400

ServiceQuotaExceededException

Indicates that the principal has crossed the permitted number of resources that can be created.

HTTP Status Code: 400

ThrottlingException

Indicates that the principal has crossed the throttling limits of the API operations.

HTTP Status Code: 400

ValidationException

The request failed because it contains a syntax error.

HTTP Status Code: 400
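
Every error in this list is documented with the same HTTP status code, so a caller cannot use the status to decide whether to retry; the decision has to key on the error name. The following is an added example, not part of the AWS reference: a retry wrapper with capped exponential backoff and jitter that retries ConflictException as the text recommends. ApiError is a hypothetical stand-in for an SDK exception, flaky_tag_resource is a constructed operation, and treating ThrottlingException as retryable is this example's assumption.

```python
import random
import time

# Error names from the Errors list above. All of them are documented with
# HTTP status 400, so the status code cannot drive the retry decision.
RETRYABLE = {
    "ConflictException",    # the reference recommends a retry with backoff
    "ThrottlingException",  # assumption of this example: back off and retry
}


class ApiError(Exception):
    """Hypothetical stand-in for an SDK error. boto3's ClientError exposes the
    same response["Error"]["Code"] layout."""

    def __init__(self, code, message=""):
        super().__init__(f"{code}: {message}")
        self.response = {
            "Error": {"Code": code, "Message": message},
            "ResponseMetadata": {"HTTPStatusCode": 400},
        }


def error_code(exc):
    """Return the service error name, or None if the exception carries none."""
    response = getattr(exc, "response", None) or {}
    return response.get("Error", {}).get("Code")


def backoff_delay(attempt, base=0.2, cap=5.0, rng=random.random):
    """Full-jitter delay for a 0-based attempt: rng() * min(cap, base * 2**attempt)."""
    return rng() * min(cap, base * (2 ** attempt))


def call_with_backoff(operation, max_attempts=5, base=0.2, cap=5.0,
                      sleep=time.sleep, rng=random.random):
    """Run operation() and retry only on RETRYABLE error names.

    Returns (result, delays). Any other error, including unknown names,
    AccessDeniedException and ValidationException, is re-raised at once,
    because repeating the same request cannot change the outcome.
    """
    if max_attempts < 1:
        raise ValueError("max_attempts must be at least 1")
    delays = []
    for attempt in range(max_attempts):
        try:
            return operation(), delays
        except Exception as exc:
            out_of_attempts = attempt == max_attempts - 1
            if error_code(exc) not in RETRYABLE or out_of_attempts:
                raise
            delay = backoff_delay(attempt, base, cap, rng)
            delays.append(delay)
            sleep(delay)
    raise RuntimeError("unreachable: the loop returns or raises")


def flaky_tag_resource(failures):
    """Constructed operation: raises the queued error names, then succeeds
    with the empty HTTP 200 response that TagResource documents."""
    queue = list(failures)
    calls = {"n": 0}

    def operation():
        calls["n"] += 1
        if queue:
            raise ApiError(queue.pop(0), "constructed failure")
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}

    return operation, calls


if __name__ == "__main__":
    op, calls = flaky_tag_resource(["ConflictException", "ThrottlingException"])
    result, delays = call_with_backoff(op, sleep=lambda s: None)
    print("calls:", calls["n"], "delays:", [round(d, 3) for d in delays])
```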

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++
• AWS SDK for Go


UntagResource

Disassociates a set of tags from a specified resource.

Request Syntax

{
    "InstanceArn": "string",
    "ResourceArn": "string",
    "TagKeys": [ "string" ]
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters (p. 111).

The request accepts the following data in JSON format.

InstanceArn (p. 85)

The ARN of the SSO instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

Type: String

Length Constraints: Minimum length of 10. Maximum length of 1224.

Pattern: arn:aws:sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}

Required: Yes

ResourceArn (p. 85)

The ARN of the resource with the tags to be listed.

Type: String

Length Constraints: Minimum length of 10. Maximum length of 2048.

Pattern: arn:aws:sso:([a-zA-Z0-9-]+)?:(\d{12})?:[a-zA-Z0-9-]+/[a-zA-Z0-9-/.]+

Required: Yes

TagKeys (p. 85)

The keys of tags that are attached to the resource.

Type: Array of strings

Array Members: Minimum number of 1 item. Maximum number of 50 items.

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: ^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$

Required: Yes


Response Elements

If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

Errors

For information about the errors that are common to all actions, see Common Errors (p. 113).

AccessDeniedException

You do not have sufficient access to perform this action.

HTTP Status Code: 400

ConflictException

Occurs when a conflict with a previous successful write is detected. This generally occurs when the previous write did not have time to propagate to the host serving the current request. A retry (with appropriate backoff logic) is the recommended response to this exception.

HTTP Status Code: 400

InternalServerException

The request processing has failed because of an unknown error, exception, or failure with an internal server.

HTTP Status Code: 400

ResourceNotFoundException

Indicates that a requested resource is not found.

HTTP Status Code: 400

ThrottlingException

Indicates that the principal has crossed the throttling limits of the API operations.

HTTP Status Code: 400

ValidationException

The request failed because it contains a syntax error.

HTTP Status Code: 400

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for JavaScript
• AWS SDK for PHP V3
• AWS SDK for Python
• AWS SDK for Ruby V3


UpdateInstanceAccessControlAttributeConfiguration

Updates the AWS SSO identity store attributes that you can use with the AWS SSO instance for attributes-based access control (ABAC). When using an external identity provider as an identity source, you can pass attributes through the SAML assertion as an alternative to configuring attributes from the AWS SSO identity store. If a SAML assertion passes any of these attributes, AWS SSO replaces the attribute value with the value from the AWS SSO identity store. For more information about ABAC, see Attribute-Based Access Control in the AWS SSO User Guide.

Request Syntax

{
    "InstanceAccessControlAttributeConfiguration": {
        "AccessControlAttributes": [
            {
                "Key": "string",
                "Value": {
                    "Source": [ "string" ]
                }
            }
        ]
    },
    "InstanceArn": "string"
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters (p. 111).

The request accepts the following data in JSON format.

InstanceAccessControlAttributeConfiguration (p. 88)

Updates the attributes for your ABAC configuration.

Type: InstanceAccessControlAttributeConfiguration (p. 102) object

Required: Yes

InstanceArn (p. 88)

The ARN of the SSO instance under which the operation will be executed.

Type: String

Length Constraints: Minimum length of 10. Maximum length of 1224.

Pattern: arn:aws:sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}

Required: Yes

Response Elements

If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.


Errors

For information about the errors that are common to all actions, see Common Errors (p. 113).

AccessDeniedException

You do not have sufficient access to perform this action.

HTTP Status Code: 400

ConflictException

Occurs when a conflict with a previous successful write is detected. This generally occurs when the previous write did not have time to propagate to the host serving the current request. A retry (with appropriate backoff logic) is the recommended response to this exception.

HTTP Status Code: 400

InternalServerException

The request processing has failed because of an unknown error, exception, or failure with an internal server.

HTTP Status Code: 400

ResourceNotFoundException

Indicates that a requested resource is not found.

HTTP Status Code: 400

ThrottlingException

Indicates that the principal has crossed the throttling limits of the API operations.

HTTP Status Code: 400

ValidationException

The request failed because it contains a syntax error.

HTTP Status Code: 400

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for JavaScript
• AWS SDK for PHP V3
• AWS SDK for Python
• AWS SDK for Ruby V3


UpdatePermissionSet

Updates an existing permission set.

Request Syntax

{
    "Description": "string",
    "InstanceArn": "string",
    "PermissionSetArn": "string",
    "RelayState": "string",
    "SessionDuration": "string"
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters (p. 111).

The request accepts the following data in JSON format.

Description (p. 90)

The description of the PermissionSet (p. 105).

Type: String

Length Constraints: Minimum length of 1. Maximum length of 700.

Pattern: [\p{L}\p{M}\p{Z}\p{S}\p{N}\p{P}]*

Required: No

InstanceArn (p. 90)

The ARN of the SSO instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

Type: String

Length Constraints: Minimum length of 10. Maximum length of 1224.

Pattern: arn:aws:sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}

Required: Yes

PermissionSetArn (p. 90)

The ARN of the permission set.

Type: String

Length Constraints: Minimum length of 10. Maximum length of 1224.

Pattern: arn:aws:sso:::permissionSet/(sso)?ins-[a-zA-Z0-9-.]{16}/ps-[a-zA-Z0-9-./]{16}

Required: Yes


RelayState (p. 90)

Used to redirect users within the application during the federation authentication process.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 240.

Pattern: [a-zA-Z0-9&$@#\\\/%?=~\-_'"|!:,.;*+\[\]\ \(\)\{\}]+

Required: No

SessionDuration (p. 90)

The length of time that the application user sessions are valid for in the ISO-8601 standard.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 100.

Pattern: ^(-?)P(?=\d|T\d)(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)([DW]))?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+(?:\.\d+)?)S)?)?$

Required: No
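
A pre-flight check of an UpdatePermissionSet request against the constraints documented above, as an added example that is not part of the AWS reference. It applies the ARN patterns as full matches, converts SessionDuration to seconds, and shows that the documented pattern also accepts negative and calendar-based (year or month) durations. Flagging those, and requiring PermissionSetArn to name the same instance as InstanceArn, are this example's own policy; the sample ARNs in the test data are constructed.

```python
import re

# Patterns copied from the parameter descriptions above. The ARN patterns are
# printed without anchors, so fullmatch() is used to reject trailing text.
INSTANCE_ARN = re.compile(r"arn:aws:sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}")
PERMISSION_SET_ARN = re.compile(
    r"arn:aws:sso:::permissionSet/(sso)?ins-[a-zA-Z0-9-.]{16}/ps-[a-zA-Z0-9-./]{16}")
SESSION_DURATION = re.compile(
    r"^(-?)P(?=\d|T\d)(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)([DW]))?"
    r"(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+(?:\.\d+)?)S)?)?$")

DOCUMENTED = {"Description", "InstanceArn", "PermissionSetArn",
              "RelayState", "SessionDuration"}


def duration_seconds(value):
    """Return (seconds, issue). seconds is None when no fixed length exists;
    issue is None when the duration is unremarkable."""
    m = SESSION_DURATION.fullmatch(value)
    if not m:
        return None, "does not match the documented ISO-8601 pattern"
    sign, years, months, dw_count, dw_unit, hours, minutes, seconds = m.groups()
    if years or months:
        return None, "year/month units have no fixed length in seconds"
    total = int(dw_count or 0) * (604800 if dw_unit == "W" else 86400)
    total += int(hours or 0) * 3600 + int(minutes or 0) * 60 + float(seconds or 0)
    if sign:
        return -total, "negative duration is accepted by the documented pattern"
    if total == 0:
        return 0, "zero-length session"
    return total, None


def _check_str(req, name, lo, hi, required, problems, pattern=None):
    """Validate presence, type, length and (optionally) pattern of one field."""
    value = req.get(name)
    if value is None:
        if required:
            problems.append(f"{name}: required")
        return None
    if not isinstance(value, str) or not lo <= len(value) <= hi:
        problems.append(f"{name}: must be a string of length {lo}..{hi}")
        return None
    if pattern is not None and not pattern.fullmatch(value):
        problems.append(f"{name}: does not match the documented pattern")
        return None
    return value


def validate_update_permission_set(req):
    """Return a list of problems; an empty list means the request passes."""
    problems = [f"{name}: not a documented parameter"
                for name in sorted(set(req) - DOCUMENTED)]
    inst = _check_str(req, "InstanceArn", 10, 1224, True, problems, INSTANCE_ARN)
    ps = _check_str(req, "PermissionSetArn", 10, 1224, True, problems,
                    PERMISSION_SET_ARN)
    # Example policy: the instance id embedded in both ARNs must agree.
    if inst and ps and inst.split("/")[1] != ps.split("/")[1]:
        problems.append("PermissionSetArn: names a different instance than InstanceArn")
    # Description and RelayState are checked for length only; the Description
    # pattern uses \p{...} classes that Python's re module does not support.
    _check_str(req, "Description", 1, 700, False, problems)
    _check_str(req, "RelayState", 1, 240, False, problems)
    duration = _check_str(req, "SessionDuration", 1, 100, False, problems)
    if duration is not None:
        _, issue = duration_seconds(duration)
        if issue:
            problems.append(f"SessionDuration: {issue}")
    return problems


# Constructed sample request (the ARNs do not refer to a real instance).
SAMPLE_REQUEST = {
    "InstanceArn": "arn:aws:sso:::instance/ssoins-1234567890abcdef",
    "PermissionSetArn":
        "arn:aws:sso:::permissionSet/ssoins-1234567890abcdef/ps-abcdef0123456789",
    "Description": "Read-only access for auditors",
    "SessionDuration": "PT8H",
}

if __name__ == "__main__":
    print(validate_update_permission_set(SAMPLE_REQUEST))
    for text in ("PT12H", "P1DT30M", "-PT1H", "P1Y", "PT"):
        print(text, duration_seconds(text))
```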

Response Elements

If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

Errors

For information about the errors that are common to all actions, see Common Errors (p. 113).

AccessDeniedException

You do not have sufficient access to perform this action.

HTTP Status Code: 400

ConflictException

Occurs when a conflict with a previous successful write is detected. This generally occurs when the previous write did not have time to propagate to the host serving the current request. A retry (with appropriate backoff logic) is the recommended response to this exception.

HTTP Status Code: 400

InternalServerException

The request processing has failed because of an unknown error, exception, or failure with an internal server.

HTTP Status Code: 400

ResourceNotFoundException

Indicates that a requested resource is not found.

HTTP Status Code: 400

ThrottlingException

Indicates that the principal has crossed the throttling limits of the API operations.


Data Types

The AWS Single Sign-On Admin API contains several data types that various actions use. This section describes each data type in detail.

Note: The order of each element in a data type structure is not guaranteed. Applications should not assume a particular order.

The following data types are supported:

• AccessControlAttribute (p. 94)
• AccessControlAttributeValue (p. 95)
• AccountAssignment (p. 96)
• AccountAssignmentOperationStatus (p. 98)
• AccountAssignmentOperationStatusMetadata (p. 100)
• AttachedManagedPolicy (p. 101)
• InstanceAccessControlAttributeConfiguration (p. 102)
• InstanceMetadata (p. 103)
• OperationStatusFilter (p. 104)
• PermissionSet (p. 105)
• PermissionSetProvisioningStatus (p. 107)
• PermissionSetProvisioningStatusMetadata (p. 109)
• Tag (p. 110)


AccessControlAttribute

These are AWS SSO identity store attributes that you can configure for use in attributes-based access control (ABAC). You can create permissions policies that determine who can access your AWS resources based upon the configured attribute values. When you enable ABAC and specify AccessControlAttributes, AWS SSO passes the attribute values of the authenticated user into IAM for use in policy evaluation.

Contents

Key

The name of the attribute associated with your identities in your identity source. This is used to map a specified attribute in your identity source with an attribute in AWS SSO.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: [\p{L}\p{Z}\p{N}_.:\/=+\-@]+

Required: Yes

Value

The value used for mapping a specified attribute to an identity source.

Type: AccessControlAttributeValue (p. 95) object

Required: Yes

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for Ruby V3


AccessControlAttributeValue

The value used for mapping a specified attribute to an identity source.

Contents

Source

The identity source to use when mapping a specified attribute to AWS SSO.

Type: Array of strings

Array Members: Fixed number of 1 item.

Length Constraints: Minimum length of 0. Maximum length of 256.

Pattern: [\p{L}\p{Z}\p{N}_.:\/=+\-@\[\]\{\}\$\\"]*

Required: Yes

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for Ruby V3


AccountAssignment

The assignment that indicates a principal's limited access to a specified AWS account with a specified permission set.

Note: The term principal here refers to a user or group that is defined in AWS SSO.

Contents

AccountId

The identifier of the AWS account.

Type: String

Pattern: \d{12}

Required: No

PermissionSetArn

The ARN of the permission set. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

Type: String

Length Constraints: Minimum length of 10. Maximum length of 1224.

Pattern: arn:aws:sso:::permissionSet/(sso)?ins-[a-zA-Z0-9-.]{16}/ps-[a-zA-Z0-9-./]{16}

Required: No

PrincipalId

An identifier for an object in AWS SSO, such as a user or group. PrincipalIds are GUIDs (For example, f81d4fae-7dec-11d0-a765-00a0c91e6bf6). For more information about PrincipalIds in AWS SSO, see the AWS SSO Identity Store API Reference.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 47.

Pattern: ^([0-9a-f]{10}-|)[A-Fa-f0-9]{8}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{12}$

Required: No

PrincipalType

The entity type for which the assignment will be created.

Type: String

Valid Values: USER | GROUP

Required: No

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:


AccountAssignmentOperationStatus

The status of the creation or deletion operation of an assignment that a principal needs to access an account.

Contents

CreatedDate

The date that the permission set was created.

Type: Timestamp

Required: No

FailureReason

The message that contains an error or exception in case of an operation failure.

Type: String

Pattern: [\p{L}\p{M}\p{Z}\p{S}\p{N}\p{P}]*

Required: No

PermissionSetArn

The ARN of the permission set. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

Type: String

Length Constraints: Minimum length of 10. Maximum length of 1224.

Pattern: arn:aws:sso:::permissionSet/(sso)?ins-[a-zA-Z0-9-.]{16}/ps-[a-zA-Z0-9-./]{16}

Required: No

PrincipalId

An identifier for an object in AWS SSO, such as a user or group. PrincipalIds are GUIDs (For example, f81d4fae-7dec-11d0-a765-00a0c91e6bf6). For more information about PrincipalIds in AWS SSO, see the AWS SSO Identity Store API Reference.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 47.

Pattern: ^([0-9a-f]{10}-|)[A-Fa-f0-9]{8}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{12}$

Required: No

PrincipalType

The entity type for which the assignment will be created.

Type: String

Valid Values: USER | GROUP

Required: No


RequestId

The identifier for tracking the request operation that is generated by the universally unique identifier (UUID) workflow.

Type: String

Pattern: \b[0-9a-f]{8}\b-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-\b[0-9a-f]{12}\b

Required: No

Status

The status of the permission set provisioning process.

Type: String

Valid Values: IN_PROGRESS | FAILED | SUCCEEDED

Required: No

TargetId

TargetID is an AWS account identifier, typically a 10-12 digit string (For example, 123456789012).

Type: String

Pattern: \d{12}

Required: No

TargetType

The entity type for which the assignment will be created.

Type: String

Valid Values: AWS_ACCOUNT

Required: No

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for Ruby V3


AccountAssignmentOperationStatusMetadata

Provides information about the AccountAssignment (p. 96) creation request.

Contents

CreatedDate

The date that the permission set was created.

Type: Timestamp

Required: No

RequestId

The identifier for tracking the request operation that is generated by the universally unique identifier (UUID) workflow.

Type: String

Pattern: \b[0-9a-f]{8}\b-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-\b[0-9a-f]{12}\b

Required: No

Status

The status of the permission set provisioning process.

Type: String

Valid Values: IN_PROGRESS | FAILED | SUCCEEDED

Required: No

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for Ruby V3


AttachedManagedPolicy

A structure that stores the details of the IAM managed policy.

Contents

Arn

The ARN of the IAM managed policy. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

Type: String

Length Constraints: Minimum length of 20. Maximum length of 2048.

Required: No

Name

The name of the IAM managed policy.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 100.

Required: No

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for Ruby V3


InstanceAccessControlAttributeConfiguration

Specifies the attributes to add to your attribute-based access control (ABAC) configuration.

Contents

AccessControlAttributes

Lists the attributes that are configured for ABAC in the specified AWS SSO instance.

Type: Array of AccessControlAttribute (p. 94) objects

Array Members: Minimum number of 0 items. Maximum number of 50 items.

Required: Yes

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for Ruby V3


InstanceMetadata

Provides information about the SSO instance.

Contents

IdentityStoreId

The identifier of the identity store that is connected to the SSO instance.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 64.

Pattern: ^[a-zA-Z0-9-]*

Required: No

InstanceArn

The ARN of the SSO instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

Type: String

Length Constraints: Minimum length of 10. Maximum length of 1224.

Pattern: arn:aws:sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}

Required: No

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for Ruby V3


OperationStatusFilter

Filters the operation status list based on the passed attribute value.

Contents

Status

Filters the list operations result based on the status attribute.

Type: String

Valid Values: IN_PROGRESS | FAILED | SUCCEEDED

Required: No

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for Ruby V3


PermissionSet

An entity that contains IAM policies.

Contents

CreatedDate

The date that the permission set was created.

Type: Timestamp

Required: No

Description

The description of the PermissionSet (p. 105).

Type: String

Length Constraints: Minimum length of 1. Maximum length of 700.

Pattern: [\p{L}\p{M}\p{Z}\p{S}\p{N}\p{P}]*

Required: No

Name

The name of the permission set.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 32.

Pattern: [\w+=,.@-]+

Required: No

PermissionSetArn

The ARN of the permission set. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

Type: String

Length Constraints: Minimum length of 10. Maximum length of 1224.

Pattern: arn:aws:sso:::permissionSet/(sso)?ins-[a-zA-Z0-9-.]{16}/ps-[a-zA-Z0-9-./]{16}

Required: No

RelayState

Used to redirect users within the application during the federation authentication process.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 240.

Pattern: [a-zA-Z0-9&$@#\\\/%?=~\-_'"|!:,.;*+\[\]\ \(\)\{\}]+

Required: No


SessionDuration

The length of time that the application user sessions are valid for in the ISO-8601 standard.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 100.

Pattern: ^(-?)P(?=\d|T\d)(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)([DW]))?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+(?:\.\d+)?)S)?)?$

Required: No

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for Ruby V3


PermissionSetProvisioningStatus

A structure that is used to provide the status of the provisioning operation for a specified permission set.

Contents

AccountId

The identifier of the AWS account from which to list the assignments.

Type: String

Pattern: \d{12}

Required: No

CreatedDate

The date that the permission set was created.

Type: Timestamp

Required: No

FailureReason

The message that contains an error or exception in case of an operation failure.

Type: String

Pattern: [\p{L}\p{M}\p{Z}\p{S}\p{N}\p{P}]*

Required: No

PermissionSetArn

The ARN of the permission set that is being provisioned. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

Type: String

Length Constraints: Minimum length of 10. Maximum length of 1224.

Pattern: arn:aws:sso:::permissionSet/(sso)?ins-[a-zA-Z0-9-.]{16}/ps-[a-zA-Z0-9-./]{16}

Required: No

RequestId

The identifier for tracking the request operation that is generated by the universally unique identifier (UUID) workflow.

Type: String

Pattern: \b[0-9a-f]{8}\b-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-\b[0-9a-f]{12}\b

Required: No

Status

The status of the permission set provisioning process.


Type: String

Valid Values: IN_PROGRESS | FAILED | SUCCEEDED

Required: No

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for Ruby V3


PermissionSetProvisioningStatusMetadata

Provides information about the permission set provisioning status.

Contents

CreatedDate

The date that the permission set was created.

Type: Timestamp

Required: No

RequestId

The identifier for tracking the request operation that is generated by the universally unique identifier (UUID) workflow.

Type: String

Pattern: \b[0-9a-f]{8}\b-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-\b[0-9a-f]{12}\b

Required: No

Status

The status of the permission set provisioning process.

Type: String

Valid Values: IN_PROGRESS | FAILED | SUCCEEDED

Required: No

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for Ruby V3


Tag

A set of key-value pairs that are used to manage the resource. Tags can only be applied to permission sets and cannot be applied to corresponding roles that AWS SSO creates in AWS accounts.

Contents

Key

The key for the tag.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: ^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$

Required: No

Value

The value of the tag.

Type: String

Length Constraints: Minimum length of 0. Maximum length of 256.

Pattern: ^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$

Required: No

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for Ruby V3


Common Parameters

The following list contains the parameters that all actions use for signing Signature Version 4 requests with a query string. Any action-specific parameters are listed in the topic for that action. For more information about Signature Version 4, see Signature Version 4 Signing Process in the Amazon Web Services General Reference.

Action

The action to be performed.

Type: string

Required: Yes

Version

The API version that the request is written for, expressed in the format YYYY-MM-DD.

Type: string

Required: Yes

X-Amz-Algorithm

The hash algorithm that you used to create the request signature.

Condition: Specify this parameter when you include authentication information in a query string instead of in the HTTP authorization header.

Type: string

Valid Values: AWS4-HMAC-SHA256

Required: Conditional

X-Amz-Credential

The credential scope value, which is a string that includes your access key, the date, the region you are targeting, the service you are requesting, and a termination string ("aws4_request"). The value is expressed in the following format: access_key/YYYYMMDD/region/service/aws4_request.

For more information, see Task 2: Create a String to Sign for Signature Version 4 in the Amazon Web Services General Reference.

Condition: Specify this parameter when you include authentication information in a query string instead of in the HTTP authorization header.

Type: string

Required: Conditional

X-Amz-Date

The date that is used to create the signature. The format must be ISO 8601 basic format (YYYYMMDD'T'HHMMSS'Z'). For example, the following date time is a valid X-Amz-Date value: 20120325T120000Z.

Condition: X-Amz-Date is optional for all requests; it can be used to override the date used for signing requests. If the Date header is specified in the ISO 8601 basic format, X-Amz-Date is not required. When X-Amz-Date is used, it always overrides the value of the Date header. For more information, see Handling Dates in Signature Version 4 in the Amazon Web Services General Reference.

Type: string

Required: Conditional

X-Amz-Security-Token

The temporary security token that was obtained through a call to AWS Security Token Service (AWS STS). For a list of services that support temporary security credentials from AWS Security Token Service, go to AWS Services That Work with IAM in the IAM User Guide.

Condition: If you're using temporary security credentials from the AWS Security Token Service, you must include the security token.

Type: string

Required: Conditional

X-Amz-Signature

Specifies the hex-encoded signature that was calculated from the string to sign and the derived signing key.

Condition: Specify this parameter when you include authentication information in a query string instead of in the HTTP authorization header.

Type: string

Required: Conditional

X-Amz-SignedHeaders

Specifies all the HTTP headers that were included as part of the canonical request. For more information about specifying signed headers, see Task 1: Create a Canonical Request For Signature Version 4 in the Amazon Web Services General Reference.

Condition: Specify this parameter when you include authentication information in a query string instead of in the HTTP authorization header.

Type: string

Required: Conditional


Common Errors

This section lists the errors common to the API actions of all AWS services. For errors specific to an API action for this service, see the topic for that API action.

AccessDeniedException

You do not have sufficient access to perform this action.

HTTP Status Code: 400

IncompleteSignature

The request signature does not conform to AWS standards.

HTTP Status Code: 400

InternalFailure

The request processing has failed because of an unknown error, exception or failure.

HTTP Status Code: 500

InvalidAction

The action or operation requested is invalid. Verify that the action is typed correctly.

HTTP Status Code: 400

InvalidClientTokenId

The X.509 certificate or AWS access key ID provided does not exist in our records.

HTTP Status Code: 403

InvalidParameterCombination

Parameters that must not be used together were used together.

HTTP Status Code: 400

InvalidParameterValue

An invalid or out-of-range value was supplied for the input parameter.

HTTP Status Code: 400

InvalidQueryParameter

The AWS query string is malformed or does not adhere to AWS standards.

HTTP Status Code: 400

MalformedQueryString

The query string contains a syntax error.

HTTP Status Code: 404

MissingAction

The request is missing an action or a required parameter.

HTTP Status Code: 400


MissingAuthenticationToken

The request must contain either a valid (registered) AWS access key ID or X.509 certificate.

HTTP Status Code: 403

MissingParameter

A required parameter for the specified action is not supplied.

HTTP Status Code: 400

NotAuthorized

You do not have permission to perform this action.

HTTP Status Code: 400

OptInRequired

The AWS access key ID needs a subscription for the service.

HTTP Status Code: 403

RequestExpired

The request reached the service more than 15 minutes after the date stamp on the request or more than 15 minutes after the request expiration date (such as for pre-signed URLs), or the date stamp on the request is more than 15 minutes in the future.

HTTP Status Code: 400

ServiceUnavailable

The request has failed due to a temporary failure of the server.

HTTP Status Code: 503

ThrottlingException

The request was denied due to request throttling.

HTTP Status Code: 400

ValidationError

The input fails to satisfy the constraints specified by an AWS service.

HTTP Status Code: 400
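The following Python sketch is an added example, not code from the AWS documentation. It computes X-Amz-Signature from the query-string parameters listed under Common Parameters, then checks a received request for required parameters, the credential scope format, and the 15-minute window described under RequestExpired. The host, access key, secret, action name, version, the empty-body GET, and signing only the host header are assumptions constructed for illustration.

```python
import hashlib, hmac, re
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

def _mac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def signature(p, secret, host, method="GET", path="/"):
    """Hex X-Amz-Signature for query parameters p (assumes an empty body)."""
    scope = p["X-Amz-Credential"].split("/", 1)[1]  # YYYYMMDD/region/service/aws4_request
    enc = lambda s: quote(s, safe="-_.~")
    query = "&".join(f"{enc(k)}={enc(v)}" for k, v in sorted(p.items())
                     if k != "X-Amz-Signature")  # the signature is not signed
    canonical = "\n".join([method, path, query, f"host:{host}\n",
                           p["X-Amz-SignedHeaders"], hashlib.sha256(b"").hexdigest()])
    to_sign = "\n".join([p["X-Amz-Algorithm"], p["X-Amz-Date"], scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    key = ("AWS4" + secret).encode()
    for part in scope.split("/"):  # date, region, service, aws4_request
        key = _mac(key, part)
    return _mac(key, to_sign).hex()

def check(p, secret, host, now):
    """Return the list of problems found; empty means the request verifies."""
    need = ("Action", "Version", "X-Amz-Algorithm", "X-Amz-Credential",
            "X-Amz-Date", "X-Amz-SignedHeaders", "X-Amz-Signature")
    problems = [f"missing {n}" for n in need if n not in p]
    if problems:
        return problems
    cred = re.fullmatch(r"[^/]+/(\d{8})/[^/]+/[^/]+/aws4_request", p["X-Amz-Credential"])
    try:
        ts = datetime.strptime(p["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        ts = None
    if p["X-Amz-Algorithm"] != "AWS4-HMAC-SHA256" or not cred or ts is None:
        return ["malformed signing parameter"]
    if cred.group(1) != p["X-Amz-Date"][:8]:
        problems.append("credential scope date differs from X-Amz-Date")
    if abs(now - ts) > timedelta(minutes=15):
        problems.append("outside the 15-minute window")
    if not hmac.compare_digest(signature(p, secret, host).encode(),
                               p["X-Amz-Signature"].encode()):
        problems.append("signature mismatch")
    return problems

SECRET, HOST = "constructed-secret", "sso.example.com"  # constructed placeholders
SAMPLE = {"Action": "ExampleAction", "Version": "2020-01-01", "X-Amz-SignedHeaders": "host",
          "X-Amz-Algorithm": "AWS4-HMAC-SHA256", "X-Amz-Date": "20200910T120000Z",
          "X-Amz-Credential": "AKIDEXAMPLE/20200910/us-east-1/sso/aws4_request"}
SAMPLE["X-Amz-Signature"] = signature(SAMPLE, SECRET, HOST)
```

Because every parameter except X-Amz-Signature feeds the canonical query string, changing Action or the credential scope after signing makes check() report a signature mismatch.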


Document History

The following table describes the important changes to the documentation in this release of the AWS SSO API Reference Guide.

• Latest documentation update: September 10, 2020

Change | Description | Date Changed
New guide | This is the first release of the AWS Single Sign-On API Reference Guide. | September 10, 2020
