
Enable provisioning of permission set to orgMain / delegated admin account #80

@leelalagudu

Description

  • There's been a recent change in the SSO admin API, wherein using specific IAM permissions, you could now programmatically create/delete account assignments for the org main/delegated admin account.
  • The solution currently excludes provisioning to the org main/delegated admin account, as the earlier version of the SSO admin API did not allow this.
  • However, using the following permissions policy, the provisioning Lambda can now successfully assign/remove account assignments to the org main / delegated admin account:
  # Terraform aws_iam_policy_document statements; the opening "statement {" of the
  # first block was missing from the issue text and is restored here.
  statement {
    effect = "Allow"
    actions = [
      "iam:CreateRole",
      "iam:ListRolePolicies",
      "iam:AttachRolePolicy",
      "iam:PutRolePolicy"
    ]
    resources = [
      "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO*",
    ]
  }

  statement {
    effect = "Allow"
    actions = [
      "iam:GetSAMLProvider",
      "iam:CreateSAMLProvider"
    ]
    resources = [
      "arn:aws:iam::*:saml-provider/AWSSSO*",
    ]
  }

AC:

  • The solution should now programmatically switch the permissions it uses to provision based on the target account it's provisioning the account assignment to
  • Update docs to remove this limitation
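One way to implement the "switch permissions based on the target account" acceptance criterion, as an added example that is not code from this issue or from the project it refers to. It assumes the Lambda can be told the org management account ID and the set of delegated administrator IDs (in practice from Organizations DescribeOrganization and ListDelegatedAdministrators; here they are passed in so the example runs offline), assumes a baseline statement of sso:CreateAccountAssignment / sso:DeleteAccountAssignment for every target, and adds the two IAM statements from the issue only when the target is the management or a delegated admin account. It also includes a least-privilege check that the iam:* grants stay confined to the two SSO-reserved ARN patterns, because iam:CreateRole and iam:AttachRolePolicy on anything broader would let the provisioning Lambda create or modify arbitrary roles. Function and constant names are hypothetical.

```python
"""Select the IAM permissions a provisioning Lambda needs for a target account
and check that the extra grants stay scoped to the SSO-reserved paths.

Added example, not the issue's or the project's code. Account IDs are passed
in (assumption) so that no AWS API call is required to run it.
"""
import fnmatch
import json

# Assumed baseline used for every target account (the real solution's
# baseline may differ).
BASE_STATEMENTS = [
    {
        "Effect": "Allow",
        "Action": ["sso:CreateAccountAssignment", "sso:DeleteAccountAssignment"],
        "Resource": "*",
    }
]

# The two statements from the issue, as an IAM policy document instead of
# Terraform HCL. Needed only for management / delegated admin targets.
ORG_ADMIN_STATEMENTS = [
    {
        "Effect": "Allow",
        "Action": ["iam:CreateRole", "iam:ListRolePolicies",
                   "iam:AttachRolePolicy", "iam:PutRolePolicy"],
        "Resource": ["arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO*"],
    },
    {
        "Effect": "Allow",
        "Action": ["iam:GetSAMLProvider", "iam:CreateSAMLProvider"],
        "Resource": ["arn:aws:iam::*:saml-provider/AWSSSO*"],
    },
]

# Resource patterns that iam:* actions may touch. Anything broader ("*", or
# role paths outside aws-reserved/sso.amazonaws.com/) is flagged as overbroad.
ALLOWED_IAM_RESOURCE_PATTERNS = [
    "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO*",
    "arn:aws:iam::*:saml-provider/AWSSSO*",
]


def needs_org_admin_permissions(target_account, management_account, delegated_admins):
    """True when the assignment targets the org management account or one of
    the delegated administrator accounts."""
    return target_account == management_account or target_account in set(delegated_admins)


def build_policy(target_account, management_account, delegated_admins):
    """Return the IAM policy document to use when provisioning this target."""
    statements = list(BASE_STATEMENTS)
    if needs_org_admin_permissions(target_account, management_account, delegated_admins):
        statements += ORG_ADMIN_STATEMENTS
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    # IAM allows Action/Resource to be a single string or a list.
    return value if isinstance(value, list) else [value]


def overbroad_iam_statements(policy):
    """Return the Allow statements that grant an iam: action (or "*") on a
    resource that matches none of ALLOWED_IAM_RESOURCE_PATTERNS."""
    offending = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a == "*" or a.startswith("iam:") for a in actions):
            continue
        for res in _as_list(stmt.get("Resource", [])):
            if not any(fnmatch.fnmatchcase(res, p) for p in ALLOWED_IAM_RESOURCE_PATTERNS):
                offending.append(stmt)
                break
    return offending


if __name__ == "__main__":
    # Constructed sample account IDs, not real accounts.
    mgmt, delegated = "111111111111", ["222222222222"]
    for target in ("111111111111", "222222222222", "333333333333"):
        policy = build_policy(target, mgmt, delegated)
        print(target, len(policy["Statement"]), "statements,",
              "overbroad:", bool(overbroad_iam_statements(policy)))
    print(json.dumps(build_policy(mgmt, mgmt, delegated), indent=2))
```

The decision and the policy are kept as pure functions so the check can run in CI against the policy the deployment actually attaches; how the Lambda then acquires the broader permissions (a second execution role, or a single role carrying both statement sets) is a deployment choice the issue leaves open.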

Metadata

Labels: p2 (Priority 2 tasks), refactor (Refactor existing code to a better version)