
I have created AWS SSO permission sets through CloudFormation, and users are successfully assuming roles in downstream accounts. The issue I am seeing is that when a new change gets added to the code, let's say an IAM inline policy gets edited with some extra permissions, I need to log in to the account and manually provision the changes from the main account to the downstream accounts.

I found the provision-permission-set AWS CLI call, but it doesn't look like there is a CloudFormation option.

I am considering having this step as part of my deployment pipeline, and if I don't have to create a custom script that uses the AWS CLI to do that job, that would be awesome.

Thanks y'all

  • Unfortunately AWS SSO doesn't have full API coverage as of today, so a fully automated SSO setup isn't possible. They released some improved coverage late last year, but we're still waiting for the full API. I'm guessing that's a precursor to CloudFormation support. If you've got a TAM, then +1 it on the team's roadmap to hopefully speed it up. – rowanu Jun 09 '21 at 03:24

1 Answer


You can use AWS::SSO::Assignment to join the permission set, principal and account.

Daniel Scott
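As an added illustration of the answer above (this template is not from the answerer or from AWS documentation), here is a CloudFormation template that declares a permission set with an inline policy and then uses AWS::SSO::Assignment to bind that permission set to a group in one downstream account. The SSO instance ARN, the identity-store group ID and the target account ID are assumed to be supplied as stack parameters; the policy actions are placeholders chosen for the example. The stack must be deployed in the account that owns the AWS SSO instance (normally the management account), since that is where the sso-admin APIs are called.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example: permission set plus account assignment.
  Parameter values are placeholders, not real identifiers.

Parameters:
  InstanceArn:
    Type: String
    Description: ARN of the AWS SSO instance (arn:aws:sso:::instance/ssoins-...)
  GroupId:
    Type: String
    Description: Identity-store ID of the group that should get the permission set
  TargetAccountId:
    Type: String
    AllowedPattern: "^[0-9]{12}$"
    Description: 12-digit ID of the downstream account to assign into

Resources:
  # The permission set. Editing InlinePolicy here and redeploying the stack
  # is the change the question describes as needing manual re-provisioning.
  ReadOnlyPlusLogsPermissionSet:
    Type: AWS::SSO::PermissionSet
    Properties:
      InstanceArn: !Ref InstanceArn
      Name: ReadOnlyPlusLogs
      Description: Read-only access plus CloudWatch Logs Insights queries
      SessionDuration: PT1H            # ISO 8601 duration; keep sessions short
      ManagedPolicies:
        - arn:aws:iam::aws:policy/ReadOnlyAccess
      InlinePolicy:
        Version: "2012-10-17"
        Statement:
          - Sid: LogsInsightsQueries      # placeholder extra permissions
            Effect: Allow
            Action:
              - logs:StartQuery
              - logs:GetQueryResults
              - logs:StopQuery
            Resource: "*"

  # The assignment joins permission set, principal and account, so the
  # binding to the downstream account is part of the same stack update.
  ReadOnlyPlusLogsAssignment:
    Type: AWS::SSO::Assignment
    Properties:
      InstanceArn: !Ref InstanceArn
      PermissionSetArn: !GetAtt ReadOnlyPlusLogsPermissionSet.PermissionSetArn
      PrincipalType: GROUP              # USER is also valid, but prefer groups
      PrincipalId: !Ref GroupId
      TargetType: AWS_ACCOUNT
      TargetId: !Ref TargetAccountId

Outputs:
  PermissionSetArn:
    Value: !GetAtt ReadOnlyPlusLogsPermissionSet.PermissionSetArn
```

One assignment resource covers one (principal, permission set, account) triple, so a permission set used in several accounts needs one AWS::SSO::Assignment per account; the TargetAccountId parameter can be replaced with a list and a Mappings or nested-stack pattern if the number of accounts grows. Assigning to a group rather than individual users keeps the template stable when people join or leave, and the short SessionDuration limits how long a leaked session token remains useful.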