Assignment
The Assignment resource lets you manage AWS SSO Assignments that link users or groups to permission sets for specific AWS accounts. This simplifies access management in AWS Single Sign-On.
Minimal Example
Create a basic SSO assignment for a user linking them to a permission set in an AWS account.
```ts
import AWS from "alchemy/aws/control";

const ssoAssignment = await AWS.SSO.Assignment("user-assignment", {
  PrincipalId: "user-123456", // placeholder; use the principal's ID from the identity store
  InstanceArn: "arn:aws:sso:us-west-2:123456789012:instance/ssoins-12345678",
  TargetType: "AWS_ACCOUNT",
  PermissionSetArn: "arn:aws:sso:::permissionSet/ssoins-12345678/ps-12345678",
  PrincipalType: "USER",
  TargetId: "account-123456" // placeholder; for AWS_ACCOUNT targets this is the 12-digit AWS account ID
});
```
Advanced Configuration
Create an assignment for a user and set `adopt: true` so that the assignment is adopted if it already exists.
```ts
import AWS from "alchemy/aws/control";

const advancedAssignment = await AWS.SSO.Assignment("advanced-user-assignment", {
  PrincipalId: "user-987654",
  InstanceArn: "arn:aws:sso:us-west-2:123456789012:instance/ssoins-87654321",
  TargetType: "AWS_ACCOUNT",
  PermissionSetArn: "arn:aws:sso:::permissionSet/ssoins-87654321/ps-87654321",
  PrincipalType: "USER",
  TargetId: "account-987654",
  adopt: true // Adopt existing resource if it already exists
});
```
Assigning a Group to a Permission Set
Assign a group to a specific permission set, allowing multiple users to gain access through their group association.
```ts
import AWS from "alchemy/aws/control";

const groupAssignment = await AWS.SSO.Assignment("group-assignment", {
  PrincipalId: "group-123456",
  InstanceArn: "arn:aws:sso:us-west-2:123456789012:instance/ssoins-12345678",
  TargetType: "AWS_ACCOUNT",
  PermissionSetArn: "arn:aws:sso:::permissionSet/ssoins-12345678/ps-12345678",
  PrincipalType: "GROUP", // the principal is a group, so PrincipalId is a group ID
  TargetId: "account-123456"
});
```
Updating an Existing Assignment
To update an existing assignment, modify its properties. The example below changes the permission set the user is assigned to.
```ts
import AWS from "alchemy/aws/control";

const updateAssignment = await AWS.SSO.Assignment("update-user-assignment", {
  PrincipalId: "user-123456",
  InstanceArn: "arn:aws:sso:us-west-2:123456789012:instance/ssoins-12345678",
  TargetType: "AWS_ACCOUNT",
  PermissionSetArn: "arn:aws:sso:::permissionSet/ssoins-12345678/ps-87654321", // Updated permission set
  PrincipalType: "USER",
  TargetId: "account-123456"
});
```
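A pre-deployment check for the assignment properties used in the examples on this page, added here as an illustration and not part of Alchemy or AWS: it verifies that `PermissionSetArn` and `InstanceArn` name the same instance, that `TargetId` is a 12-digit account ID, and flags direct `USER` assignments for review. The names `lintAssignment` and `instanceIdOf`, the finding codes and the review-direct-users policy are assumptions; the sample inputs are constructed.

```typescript
// Added example: offline lint for Assignment props; not part of Alchemy or AWS.
interface AssignmentProps {
  PrincipalId: string;
  InstanceArn: string;
  TargetType: string;
  PermissionSetArn: string;
  PrincipalType: string;
  TargetId: string;
}

// Extract the "ssoins-..." id from an instance ARN or a permission set ARN.
function instanceIdOf(arn: string): string | null {
  const m = /^arn:aws[\w-]*:sso:[\w-]*:\d*:(?:instance|permissionSet)\/(ssoins-[0-9A-Za-z]+)(?:\/|$)/.exec(arn);
  return m?.[1] ?? null;
}

// Returns finding codes (hypothetical names); an empty array means nothing was flagged.
function lintAssignment(p: AssignmentProps): string[] {
  const findings: string[] = [];
  if (p.TargetType !== "AWS_ACCOUNT") findings.push("TARGET_TYPE");
  if (p.PrincipalType !== "USER" && p.PrincipalType !== "GROUP") findings.push("PRINCIPAL_TYPE");
  // AWS account IDs are exactly 12 digits.
  if (!/^\d{12}$/.test(p.TargetId)) findings.push("TARGET_ID_FORMAT");
  const inst = instanceIdOf(p.InstanceArn);
  const ps = instanceIdOf(p.PermissionSetArn);
  if (inst === null || ps === null) {
    findings.push("ARN_FORMAT");
  } else if (inst !== ps) {
    // The permission set belongs to a different instance than the one named.
    findings.push("INSTANCE_MISMATCH");
  }
  // Assumed local policy: grant access through groups, review direct user grants.
  if (p.PrincipalType === "USER") findings.push("DIRECT_USER_REVIEW");
  return findings;
}

// Constructed sample inputs based on the values shown on this page.
const groupOk: AssignmentProps = {
  PrincipalId: "group-123456",
  InstanceArn: "arn:aws:sso:us-west-2:123456789012:instance/ssoins-12345678",
  TargetType: "AWS_ACCOUNT",
  PermissionSetArn: "arn:aws:sso:::permissionSet/ssoins-12345678/ps-12345678",
  PrincipalType: "GROUP",
  TargetId: "123456789012", // constructed 12-digit account ID
};
const pageMinimal: AssignmentProps = { ...groupOk, PrincipalId: "user-123456", PrincipalType: "USER", TargetId: "account-123456" };
const mismatched: AssignmentProps = { ...groupOk, PrincipalType: "USER", PermissionSetArn: "arn:aws:sso:::permissionSet/ssoins-87654321/ps-87654321" };
```

Running `lintAssignment` over every assignment before deployment catches a permission set copied from another instance and lists the direct user grants that need a reviewer's sign-off.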