@cloud-copilot/iam-data
{
"addregion": {
"name": "AddRegion",
"description": "Grants permission to add a region to an IAM Identity Center instance",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "Instance",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": [
"identitystore:AddRegion",
"kms:Decrypt"
]
},
"associatedirectory": {
"name": "AssociateDirectory",
"description": "Grants permission to connect a directory to be used by AWS IAM Identity Center",
"accessLevel": "Write",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": [
"ds:AuthorizeApplication",
"identitystore:CreateIdentityStore",
"kms:Decrypt"
]
},
"associateprofile": {
"name": "AssociateProfile",
"description": "Grants permission to create an association between a directory user or group and a profile",
"accessLevel": "Write",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": [
"kms:Decrypt"
]
},
"attachcustomermanagedpolicyreferencetopermissionset": {
"name": "AttachCustomerManagedPolicyReferenceToPermissionSet",
"description": "Grants permission to attach a customer managed policy reference to a permission set",
"accessLevel": "Permissions management",
"resourceTypes": [
{
"name": "Instance",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": [
"kms:Decrypt"
]
},
{
"name": "PermissionSet",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"attachmanagedpolicytopermissionset": {
"name": "AttachManagedPolicyToPermissionSet",
"description": "Grants permission to attach an AWS managed policy to a permission set",
"accessLevel": "Permissions management",
"resourceTypes": [
{
"name": "Instance",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": [
"kms:Decrypt"
]
},
{
"name": "PermissionSet",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"createaccountassignment": {
"name": "CreateAccountAssignment",
"description": "Grants permission to assign access to a Principal for a specified AWS account using a specified permission set",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "Account",
"required": true,
"conditionKeys": [],
"dependentActions": [
"kms:Decrypt"
]
},
{
"name": "Instance",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": []
},
{
"name": "PermissionSet",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"createapplication": {
"name": "CreateApplication",
"description": "Grants permission to create an application",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "Application",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": [
"kms:Decrypt"
]
},
{
"name": "ApplicationProvider",
"required": true,
"conditionKeys": [],
"dependentActions": []
},
{
"name": "Instance",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": []
}
],
"conditionKeys": [
"aws:RequestTag/${TagKey}",
"aws:TagKeys"
],
"dependentActions": []
},
"createapplicationassignment": {
"name": "CreateApplicationAssignment",
"description": "Grants permission to create an application assignment",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "Application",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": [
"kms:Decrypt"
]
}
],
"conditionKeys": [
"sso:ApplicationAccount"
],
"dependentActions": []
},
"createapplicationinstance": {
"name": "CreateApplicationInstance",
"description": "Grants permission to add an application instance to AWS IAM Identity Center",
"accessLevel": "Write",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": [
"kms:Decrypt"
]
},
"createapplicationinstancecertificate": {
"name": "CreateApplicationInstanceCertificate",
"description": "Grants permission to add a new certificate for an application instance",
"accessLevel": "Write",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": [
"kms:Decrypt"
]
},
"createinstance": {
"name": "CreateInstance",
"description": "Grants permission to create an identity center instance",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "Instance",
"required": true,
"conditionKeys": [],
"dependentActions": [
"iam:CreateServiceLinkedRole",
"identitystore:CreateIdentityStore",
"organizations:DescribeOrganization"
]
}
],
"conditionKeys": [
"aws:RequestTag/${TagKey}",
"aws:TagKeys"
],
"dependentActions": []
},
"createinstanceaccesscontrolattributeconfiguration": {
"name": "CreateInstanceAccessControlAttributeConfiguration",
"description": "Grants permission to enable the instance for ABAC and specify the attributes",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "Instance",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": [
"iam:AttachRolePolicy",
"iam:CreateRole",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:DetachRolePolicy",
"iam:GetRole",
"iam:ListAttachedRolePolicies",
"iam:ListRolePolicies",
"iam:PutRolePolicy",
"iam:UpdateAssumeRolePolicy",
"kms:Decrypt"
]
},
"createmanagedapplicationinstance": {
"name": "CreateManagedApplicationInstance",
"description": "Grants permission to add a managed application instance to AWS IAM Identity Center",
"accessLevel": "Write",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": [
"kms:Decrypt"
]
},
"createpermissionset": {
"name": "CreatePermissionSet",
"description": "Grants permission to create a permission set",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "Instance",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": [
"kms:Decrypt"
]
},
{
"name": "PermissionSet",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": []
}
],
"conditionKeys": [
"aws:RequestTag/${TagKey}",
"aws:TagKeys"
],
"dependentActions": []
},
"createprofile": {
"name": "CreateProfile",
"description": "Grants permission to create a profile for an application instance",
"accessLevel": "Write",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": [
"kms:Decrypt"
]
},
"createtrust": {
"name": "CreateTrust",
"description": "Grants permission to create a federation trust in a target account",
"accessLevel": "Write",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": [
"kms:Decrypt"
]
},
"createtrustedtokenissuer": {
"name": "CreateTrustedTokenIssuer",
"description": "Grants permission to create a trusted token issuer for an instance",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "Instance",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": [
"kms:Decrypt"
]
},
{
"name": "TrustedTokenIssuer",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": []
}
],
"conditionKeys": [
"aws:RequestTag/${TagKey}",
"aws:TagKeys"
],
"dependentActions": []
},
"deleteaccountassignment": {
"name": "DeleteAccountAssignment",
"description": "Grants permission to delete a Principal's access from a specified AWS account using a specified permission set",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "Account",
"required": true,
"conditionKeys": [],
"dependentActions": [
"kms:Decrypt"
]
},
{
"name": "Instance",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": []
},
{
"name": "PermissionSet",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"deleteapplication": {
"name": "DeleteApplication",
"description": "Grants permission to delete an application",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "Application",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": [
"kms:Decrypt"
]
}
],
"conditionKeys": [
"sso:ApplicationAccount"
],
"dependentActions": []
},
"deleteapplicationaccessscope": {
"name": "DeleteApplicationAccessScope",
"description": "Grants permission to delete an access scope to an application",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "Application",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": [
"kms:Decrypt"
]
}
],
"conditionKeys": [
"sso:ApplicationAccount"
],
"dependentActions": []
},
"deleteapplicationassignment": {
"name": "DeleteApplicationAssignment",
"description": "Grants permission to delete an application assignment",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "Application",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": [
"kms:Decrypt"
]
}
],
"conditionKeys": [
"sso:ApplicationAccount"
],
"dependentActions": []
},
"deleteapplicationauthenticationmethod": {
"name": "DeleteApplicationAuthenticationMethod",
"description": "Grants permission to delete an authentication method to an application",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "Application",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": [
"kms:Decrypt"
]
}
],
"conditionKeys": [
"sso:ApplicationAccount"
],
"dependentActions": []
},
"deleteapplicationgrant": {
"name": "DeleteApplicationGrant",
"description": "Grants permission to delete a grant from an application",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "Application",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": [
"kms:Decrypt"
]
}
],
"conditionKeys": [
"sso:ApplicationAccount"
],
"dependentActions": []
},
"deleteapplicationinstance": {
"name": "DeleteApplicationInstance",
"description": "Grants permission to delete the application instance",
"accessLevel": "Write",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": [
"kms:Decrypt"
]
},
"deleteapplicationinstancecertificate": {
"name": "DeleteApplicationInstanceCertificate",
"description": "Grants permission to delete an inactive or expired certificate from the application instance",
"accessLevel": "Write",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": [
"kms:Decrypt"
]
},
"deleteinlinepolicyfrompermissionset": {
"name": "DeleteInlinePolicyFromPermissionSet",
"description": "Grants permission to delete the inline policy from a specified permission set",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "Instance",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": [
"kms:Decrypt"
]
},
{
"name": "PermissionSet",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"deleteinstance": {
"name": "DeleteInstance",
"description": "Grants permission to delete an identity center instance",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "Instance",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": [
"identitystore:DeleteIdentityStore"
]
},
"deleteinstanceaccesscontrolattributeconfiguration": {
"name": "DeleteInstanceAccessControlAttributeConfiguration",
"description": "Grants permission to disable ABAC and remove the attributes list for the instance",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "Instance",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": [
"kms:Decrypt"
]
},
"deletemanagedapplicationinstance": {
"name": "DeleteManagedApplicationInstance",
"description": "Grants permission to delete the managed application instance",
"accessLevel": "Write",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": [
"kms:Decrypt"
]
},
"deletepermissionset": {
"name": "DeletePermissionSet",
"description": "Grants permission to delete a permission set",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "Instance",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": [
"kms:Decrypt"
]
},
{
"name": "PermissionSet",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"deletepermissionsboundaryfrompermissionset": {
"name": "DeletePermissionsBoundaryFromPermissionSet",
"description": "Grants permission to remove the permissions boundary from a permission set",
"accessLevel": "Permissions management",
"resourceTypes": [
{
"name": "Instance",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": [
"kms:Decrypt"
]
},
{
"name": "PermissionSet",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"deleteprofile": {
"name": "DeleteProfile",
"description": "Grants permission to delete the profile for an application instance",
"accessLevel": "Write",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": [
"kms:Decrypt"
]
},
"deletetrustedtokenissuer": {
"name": "DeleteTrustedTokenIssuer",
"description": "Grants permission to delete a trusted token issuer for an instance",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "TrustedTokenIssuer",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": [
"kms:Decrypt"
]
},
"describeaccountassignmentcreationstatus": {
"name": "DescribeAccountAssignmentCreationStatus",
"description": "Grants permission to describe the status of the assignment creation request",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "Instance",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": [
"kms:Decrypt"
]
},
"describeaccountassignmentdeletionstatus": {
"name": "DescribeAccountAssignmentDeletionStatus",
"description": "Grants permission to describe the status of an assignment deletion request",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "Instance",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": [
"kms:Decrypt"
]
},
"describeapplication": {
"name": "DescribeApplication",
"description": "Grants permission to obtain information about an application",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "Application",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": [
"kms:Decrypt"
]
}
],
"conditionKeys": [
"sso:ApplicationAccount"
],
"dependentActions": []
},
"describeapplicationassignment": {
"name": "DescribeApplicationAssignment",
"description": "Grants permission to retrieve an application assignment",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "Application",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": [
"kms:Decrypt"
]
}
],
"conditionKeys": [
"sso:ApplicationAccount"
],
"dependentActions": []
},
"describeapplicationprovider": {
"name": "DescribeApplicationProvider",
"description": "Grants permission to describe an application provider",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "ApplicationProvider",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"describeinstance": {
"name": "DescribeInstance",
"description": "Grants permission to obtain information about an identity center instance",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "Instance",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": []
},
"describeinstanceaccesscontrolattributeconfiguration": {
"name": "DescribeInstanceAccessControlAttributeConfiguration",
"description": "Grants permission to get the list of attributes used by the instance for ABAC",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "Instance",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": [
"kms:Decrypt"
]
},
"describepermissionset": {
"name": "DescribePermissionSet",
"description": "Grants permission to describe a permission set",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "Instance",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": [
"kms:Decrypt"
]
},
{
"name": "PermissionSet",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"describepermissionsetprovisioningstatus": {
"name": "DescribePermissionSetProvisioningStatus",
"description": "Grants permission to describe the status for the given Permission Set Provisioning request",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "Instance",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": [
"kms:Decrypt"
]
},
"describeregion": {
"name": "DescribeRegion",
"description": "Grants permission to retrieve configuration details for a specific IAM Identity Center instance region",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "Instance",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": [
"kms:Decrypt"
]
},
"describeregisteredregions": {
"name": "DescribeRegisteredRegions",
"description": "Grants permission to obtain the regions where your organization has enabled AWS IAM Identity Center",
"accessLevel": "Read",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"describetrustedtokenissuer": {
"name": "DescribeTrustedTokenIssuer",
"description": "Grants permission to describe a trusted token issuer for an instance",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "TrustedTokenIssuer",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": [
"kms:Decrypt"
]
},
"detachcustomermanagedpolicyreferencefrompermissionset": {
"name": "DetachCustomerManagedPolicyReferenceFromPermissionSet",
"description": "Grants permission to detach a customer managed policy reference from a permission set",
"accessLevel": "Permissions management",
"resourceTypes": [
{
"name": "Instance",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": [
"kms:Decrypt"
]
},
{
"name": "PermissionSet",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"detachmanagedpolicyfrompermissionset": {
"name": "DetachManagedPolicyFromPermissionSet",
"description": "Grants permission to detach the attached AWS managed policy from the specified permission set",
"accessLevel": "Permissions management",
"resourceTypes": [
{
"name": "Instance",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": [
"kms:Decrypt"
]
},
{
"name": "PermissionSet",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"disassociatedirectory": {
"name": "DisassociateDirectory",
"description": "Grants permission to disassociate a directory that is used by AWS IAM Identity Center",
"accessLevel": "Write",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": [
"ds:UnauthorizeApplication",
"identitystore:DeleteIdentityStore",
"kms:Decrypt"
]
},
"disassociateprofile": {
"name": "DisassociateProfile",
"description": "Grants permission to disassociate a directory user or group from a profile",
"accessLevel": "Write",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": [
"kms:Decrypt"
]
},
"getapplicationaccessscope": {
"name": "GetApplicationAccessScope",
"description": "Grants permission to get an access scope to an application",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "Application",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": [
"kms:Decrypt"
]
}
],
"conditionKeys": [
"sso:ApplicationAccount"
],
"dependentActions": []
},
"getapplicationassignmentconfiguration": {
"name": "GetApplicationAssignmentConfiguration",
"description": "Grants permission to read assignment configurations for an application",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "Application",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": [
"kms:Decrypt"
]
}
],
"conditionKeys": [
"sso:ApplicationAccount"
],
"dependentActions": []
},
"getapplicationauthenticationmethod": {
"name": "GetApplicationAuthenticationMethod",
"description": "Grants permission to get an authentication method to an application",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "Application",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": [
"kms:Decrypt"
]
}
],
"conditionKeys": [
"sso:ApplicationAccount"
],
"dependentActions": []
},
"getapplicationgrant": {
"name": "GetApplicationGrant",
"description": "Grants permission to obtain details about a grant belonging to an application",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "Application",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": [
"kms:Decrypt"
]
}
],
"conditionKeys": [
"sso:ApplicationAccount"
],
"dependentActions": []
},
"getapplicationinstance": {
"name": "GetApplicationInstance",
"description": "Grants permission to retrieve details for an application instance",
"accessLevel": "Read",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": [
"kms:Decrypt"
]
},
"getapplicationsessionconfiguration": {
"name": "GetApplicationSessionConfiguration",
"description": "Grants permission to get session configuration for an application",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "Application",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": [
"kms:Decrypt"
]
}
],
"conditionKeys": [
"sso:ApplicationAccount"
],
"dependentActions": []
},
"getapplicationtemplate": {
"name": "GetApplicationTemplate",
"description": "Grants permission to retrieve application template details",
"accessLevel": "Read",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"getinlinepolicyforpermissionset": {
"name": "GetInlinePolicyForPermissionSet",
"description": "Grants permission to obtain the inline policy assigned to the permission set",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "Instance",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": [
"kms:Decrypt"
]
},
{
"name": "PermissionSet",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"getmanagedapplicationinstance": {
"name": "GetManagedApplicationInstance",
"description": "Grants permission to retrieve details for an application instance",
"accessLevel": "Read",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": [
"kms:Decrypt"
]
},
"getmfadevicemanagementfordirectory": {
"name": "GetMfaDeviceManagementForDirectory",
"description": "Grants permission to retrieve MFA device management settings for the directory",
"accessLevel": "Read",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": [
"kms:Decrypt"
]
},
"getpermissionset": {
"name": "GetPermissionSet",
"description": "Grants permission to retrieve details of a permission set",
"accessLevel": "Read",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": [
"kms:Decrypt"
]
},
"getpermissionsboundaryforpermissionset": {
"name": "GetPermissionsBoundaryForPermissionSet",
"description": "Grants permission to get the permissions boundary for a permission set",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "Instance",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": [
"kms:Decrypt"
]
},
{
"name": "PermissionSet",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"getprofile": {
"name": "GetProfile",
"description": "Grants permission to retrieve a profile for an application instance",
"accessLevel": "Read",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": [
"kms:Decrypt"
]
},
"getssostatus": {
"name": "GetSSOStatus",
"description": "Grants permission to check if AWS IAM Identity Center is enabled",
"accessLevel": "Read",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"getsharedssoconfiguration": {
"name": "GetSharedSsoConfiguration",
"description": "Grants permission to retrieve shared configuration for the current SSO instance",
"accessLevel": "Read",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": [
"kms:Decrypt"
]
},
"getssoconfiguration": {
"name": "GetSsoConfiguration",
"description": "Grants permission to retrieve configuration for the current SSO instance",
"accessLevel": "Read",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": [
"kms:Decrypt"
]
},
"gettrust": {
"name": "GetTrust",
"description": "Grants permission to retrieve the federation trust in a target account",
"accessLevel": "Read",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": [
"kms:Decrypt"
]
},
"importapplicationinstanceserviceprovidermetadata": {
"name": "ImportApplicationInstanceServiceProviderMetadata",
"description": "Grants permission to update the application instance by uploading an application SAML metadata file provided by the service provider",
"accessLevel": "Write",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": [
"kms:Decrypt"
]
},
"listaccountassignmentcreationstatus": {
"name": "ListAccountAssignmentCreationStatus",
"description": "Grants permission to list the status of the AWS account assignment creation requests for a specified SSO instance",
"accessLevel": "List",
"resourceTypes": [
{
"name": "Instance",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": [
"kms:Decrypt"
]
},
"listaccountassignmentdeletionstatus": {
"name": "ListAccountAssignmentDeletionStatus",
"description": "Grants permission to list the status of the AWS account assignment deletion requests for a specified SSO instance",
"accessLevel": "List",
"resourceTypes": [
{
"name": "Instance",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": [
"kms:Decrypt"
]
},
"listaccountassignments": {
"name": "ListAccountAssignments",
"description": "Grants permission to list the assignee of the specified AWS account with the specified permission set",
"accessLevel": "List",
"resourceTypes": [
{
"name": "Account",
"required": true,
"conditionKeys": [],
"dependentActions": [
"kms:Decrypt"
]
},
{
"name": "Instance",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": []
},
{
"name": "PermissionSet",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"listaccountassignmentsforprincipal": {
"name": "ListAccountAssignmentsForPrincipal",
"description": "Grants permission to list accounts assigned to a user or group",
"accessLevel": "List",
"resourceTypes": [
{
"name": "Instance",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": [
"kms:Decrypt"
]
},
"listaccountsforprovisionedpermissionset": {
"name": "ListAccountsForProvisionedPermissionSet",
"description": "Grants permission to list all the AWS accounts where the specified permission set is provisioned",
"accessLevel": "List",
"resourceTypes": [
{
"name": "Instance",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": [
"kms:Decrypt"
]
},
{
"name": "PermissionSet",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"listapplicationaccessscopes": {
"name": "ListApplicationAccessScopes",
"description": "Grants permission to list access scopes to an application",
"accessLevel": "List",
"resourceTypes": [
{
"name": "Application",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": [
"kms:Decrypt"
]
}
],
"conditionKeys": [
"sso:ApplicationAccount"
],
"dependentActions": []
},
"listapplicationassignments": {
"name": "ListApplicationAssignments",
"description": "Grants permission to list application assignments",
"accessLevel": "List",
"resourceTypes": [
{
"name": "Application",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": [
"kms:Decrypt"
]
}
],
"conditionKeys": [
"sso:ApplicationAccount"
],
"dependentActions": []
},
"listapplicationassignmentsforprincipal": {
"name": "ListApplicationAssignmentsForPrincipal",
"description": "Grants permission to list applications assigned to a user or group",
"accessLevel": "List",
"resourceTypes": [
{
"name": "Instance",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": [
"kms:Decrypt"
]
}
],
"conditionKeys": [
"sso:ApplicationAccount"
],
"dependentActions": []
},
"listapplicationauthenticationmethods": {
"name": "ListApplicationAuthenticationMethods",
"description": "Grants permission to list authentication methods to an application",
"accessLevel": "List",
"resourceTypes": [
{
"name": "Application",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": [
"kms:Decrypt"
]
}
],
"conditionKeys": [
"sso:ApplicationAccount"
],
"dependentActions": []
},
"listapplicationgrants": {
"name": "ListApplicationGrants",
"description": "Grants permission to list grants from an application",
"accessLevel": "List",
"resourceTypes": [
{
"name": "Application",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": [
"kms:Decrypt"
]
}
],
"conditionKeys": [
"sso:ApplicationAccount"
],
"dependentActions": []
},
"listapplicationinstancecertificates": {
"name": "ListApplicationInstanceCertificates",
"description": "Grants permission to retrieve all of the certificates for a given application instance",
"accessLevel": "Read",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": [
"kms:Decrypt"
]
},
"listapplicationinstances": {
"name": "ListApplicationInstances",
"description": "Grants permission to retrieve all application instances",
"accessLevel": "List",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": [
"kms:Decrypt",
"sso:GetApplicationInstance"
]
},
"listapplicationproviders": {
"name": "ListApplicationProviders",
"description": "Grants permission to list application providers",
"accessLevel": "List",
"resourceTypes": [
{
"name": "ApplicationProvider",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"listapplicationtemplates": {
"name": "ListApplicationTemplates",
"description": "Grants permission to retrieve all supported application templates",
"accessLevel": "List",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": [
"sso:GetApplicationTemplate"
]
},
"listapplications": {
"name": "ListApplications",
"description": "Grants permission to retrieve all applications associated with the instance of IAM Identity Center",
"accessLevel": "List",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": [
"kms:Decrypt"
]
},
"listcustomermanagedpolicyreferencesinpermissionset": {
"name": "ListCustomerManagedPolicyReferencesInPermissionSet",
"description": "Grants permission to list the customer managed policy references that are attached to a permission set",
"accessLevel": "List",
"resourceTypes": [
{
"name": "Instance",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": [
"kms:Decrypt"
]
},
{
"name": "PermissionSet",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"listdirectoryassociations": {
"name": "ListDirectoryAssociations",
"description": "Grants permission to retrieve details about the directory connected to AWS IAM Identity Center",
"accessLevel": "Read",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": [
"kms:Decrypt"
]
},
"listinstances": {
"name": "ListInstances",
"description": "Grants permission to list the SSO Instances that the caller has access to",
"accessLevel": "List",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"listmanagedpoliciesinpermissionset": {
"name": "ListManagedPoliciesInPermissionSet",
"description": "Grants permission to list the AWS managed policies that are attached to a specified permission set",
"accessLevel": "List",
"resourceTypes": [
{
"name": "Instance",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": [
"kms:Decrypt"
]
},
{
"name": "PermissionSet",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"listpermissionsetprovisioningstatus": {
"name": "ListPermissionSetProvisioningStatus",
"description": "Grants permission to list the status of the Permission Set Provisioning requests for a specified SSO instance",
"accessLevel": "List",
"resourceTypes": [
{
"name": "Instance",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": [
"kms:Decrypt"
]
},
"listpermissionsets": {
"name": "ListPermissionSets",
"description": "Grants permission to retrieve all permission sets",
"accessLevel": "List",
"resourceTypes": [
{
"name": "Instance",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": [
"kms:Decrypt"
]
},
"listpermissionsetsprovisionedtoaccount": {
"name": "ListPermissionSetsProvisionedToAccount",
"description": "Grants permission to list all the permission sets that are provisioned to a specified AWS account",
"accessLevel": "List",
"resourceTypes": [
{
"name": "Account",
"required": true,
"conditionKeys": [],
"dependentActions": [
"kms:Decrypt"
]
},
{
"name": "Instance",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"listprofileassociations": {
"name": "ListProfileAssociations",
"description": "Grants permission to retrieve the directory user or group associated with the profile",
"accessLevel": "Read",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": [
"kms:Decrypt"
]
},
"listprofiles": {
"name": "ListProfiles",
"description": "Grants permission to retrieve all profiles for an application instance",
"accessLevel": "List",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": [
"kms:Decrypt",
"sso:GetProfile"
]
},
"listregions": {
"name": "ListRegions",
"description": "Grants permission to list all regions configured for an IAM Identity Center instance",
"accessLevel": "List",
"resourceTypes": [
{
"name": "Instance",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": [
"kms:Decrypt"
]
},
"listtagsforresource": {
"name": "ListTagsForResource",
"description": "Grants permission to list the tags that are attached to a specified resource",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "Application",
"required": false,
"conditionKeys": [],
"dependentActions": [
"kms:Decrypt"
]
},
{
"name": "Instance",
"required": false,
"conditionKeys": [],
"dependentActions": []
},
{
"name": "PermissionSet",
"required": false,
"conditionKeys": [],
"dependentActions": []
},
{
"name": "TrustedTokenIssuer",
"required": false,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"listtrustedtokenissuers": {
"name": "ListTrustedTokenIssuers",
"description": "Grants permission to list trusted token issuers for an instance",
"accessLevel": "List",
"resourceTypes": [
{
"name": "Instance",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": [
"kms:Decrypt"
]
},
"provisionpermissionset": {
"name": "ProvisionPermissionSet",
"description": "Grants permission to provision a specified permission set to the specified target",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "Account",
"required": true,
"conditionKeys": [],
"dependentActions": [
"kms:Decrypt"
]
},
{
"name": "Instance",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": []
},
{
"name": "PermissionSet",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"putapplicationaccessscope": {
"name": "PutApplicationAccessScope",
"description": "Grants permission to create or update an access scope for an application",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "Application",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": [
"kms:Decrypt"
]
}
],
"conditionKeys": [
"sso:ApplicationAccount"
],
"dependentActions": []
},
"putapplicationassignmentconfiguration": {
"name": "PutApplicationAssignmentConfiguration",
"description": "Grants permission to add assignment configurations to an application",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "Application",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": [
"kms:Decrypt"
]
}
],
"conditionKeys": [
"sso:ApplicationAccount"
],
"dependentActions": []
},
"putapplicationauthenticationmethod": {
"name": "PutApplicationAuthenticationMethod",
"description": "Grants permission to create or update an authentication method for an application",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "Application",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": [
"kms:Decrypt"
]
}
],
"conditionKeys": [
"sso:ApplicationAccount"
],
"dependentActions": []
},
"putapplicationgrant": {
"name": "PutApplicationGrant",
"description": "Grants permission to create or update a grant for an application",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "Application",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": [
"kms:Decrypt"
]
}
],
"conditionKeys": [
"sso:ApplicationAccount"
],
"dependentActions": []
},
"putapplicationsessionconfiguration": {
"name": "PutApplicationSessionConfiguration",
"description": "Grants permission to put session configuration for an application",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "Application",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": [
"kms:Decrypt"
]
}
],
"conditionKeys": [
"sso:ApplicationAccount"
],
"dependentActions": []
},
"putinlinepolicytopermissionset": {
"name": "PutInlinePolicyToPermissionSet",
"description": "Grants permission to attach an IAM inline policy to a permission set",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "Instance",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": [
"kms:Decrypt"
]
},
{
"name": "PermissionSet",
"required": true,
"conditionKeys": [
"sso:PrimaryRegion"
],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"putmfadevicemanagementfordirectory": {
"name": "PutMfaDeviceManagementForDirectory",
"description": "Grants permission to put MFA device management settings for the directory",
"accessLevel": "Write",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": [
"