
Assignment

The Assignment resource lets you manage AWS SSO Assignments that link users or groups to permission sets for specific AWS accounts. This simplifies access management in AWS Single Sign-On.

Create a basic SSO assignment that links a user to a permission set in an AWS account.

import AWS from "alchemy/aws/control";

const ssoAssignment = await AWS.SSO.Assignment("user-assignment", {
  PrincipalId: "user-123456",
  InstanceArn: "arn:aws:sso:us-west-2:123456789012:instance/ssoins-12345678",
  TargetType: "AWS_ACCOUNT",
  PermissionSetArn: "arn:aws:sso:::permissionSet/ssoins-12345678/ps-12345678",
  PrincipalType: "USER",
  TargetId: "account-123456"
});

Create a user assignment with the adopt option, which adopts the existing resource if one already exists.

const advancedAssignment = await AWS.SSO.Assignment("advanced-user-assignment", {
  PrincipalId: "user-987654",
  InstanceArn: "arn:aws:sso:us-west-2:123456789012:instance/ssoins-87654321",
  TargetType: "AWS_ACCOUNT",
  PermissionSetArn: "arn:aws:sso:::permissionSet/ssoins-87654321/ps-87654321",
  PrincipalType: "USER",
  TargetId: "account-987654",
  adopt: true // Adopt existing resource if it already exists
});

Assign a group to a specific permission set, allowing multiple users to gain access through their group association.

const groupAssignment = await AWS.SSO.Assignment("group-assignment", {
  PrincipalId: "group-123456",
  InstanceArn: "arn:aws:sso:us-west-2:123456789012:instance/ssoins-12345678",
  TargetType: "AWS_ACCOUNT",
  PermissionSetArn: "arn:aws:sso:::permissionSet/ssoins-12345678/ps-12345678",
  PrincipalType: "GROUP",
  TargetId: "account-123456"
});

You can also update an existing assignment by modifying its properties.

const updateAssignment = await AWS.SSO.Assignment("update-user-assignment", {
  PrincipalId: "user-123456",
  InstanceArn: "arn:aws:sso:us-west-2:123456789012:instance/ssoins-12345678",
  TargetType: "AWS_ACCOUNT",
  PermissionSetArn: "arn:aws:sso:::permissionSet/ssoins-12345678/ps-87654321", // Updated permission set
  PrincipalType: "USER",
  TargetId: "account-123456"
});
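
A pre-deployment check for assignment definitions like the ones above, as an added example that is not part of the Alchemy documentation or API. `lintAssignments` and `instanceIdOf` are hypothetical helpers, the sample input is constructed from this page's placeholder values, and the check assumes `TargetId` must be a 12-digit AWS account ID and that a permission set belongs to the instance named in its own ARN.

```typescript
// Added example: pre-deployment lint for Assignment props. Hypothetical helper, not an Alchemy API.
interface AssignmentProps {
  PrincipalId: string;
  PrincipalType: string;
  InstanceArn: string;
  PermissionSetArn: string;
  TargetType: string;
  TargetId: string;
}

// The "ssoins-..." instance ID embedded in an instance or permission set ARN.
function instanceIdOf(arn: string): string | null {
  const m = /(?:instance|permissionSet)\/(ssoins-[A-Za-z0-9.-]+)/.exec(arn);
  return m?.[1] ?? null;
}

function lintAssignments(items: AssignmentProps[]): string[] {
  const findings: string[] = [];
  const granted = new Map<string, string>(); // "principal@account" -> first permission set seen
  items.forEach((a, i) => {
    const at = `assignment[${i}]`;
    if (a.TargetType !== "AWS_ACCOUNT") findings.push(`${at}: TargetType must be AWS_ACCOUNT`);
    if (!/^\d{12}$/.test(a.TargetId)) findings.push(`${at}: TargetId is not a 12-digit account ID`);
    if (a.PrincipalType !== "USER" && a.PrincipalType !== "GROUP")
      findings.push(`${at}: PrincipalType must be USER or GROUP`);
    // A permission set only exists inside the instance named in its own ARN.
    const inst = instanceIdOf(a.InstanceArn);
    if (inst === null || inst !== instanceIdOf(a.PermissionSetArn))
      findings.push(`${at}: PermissionSetArn is not in the InstanceArn instance`);
    // Two permission sets for one principal on one account is legal but worth confirming.
    const key = `${a.PrincipalId}@${a.TargetId}`;
    const first = granted.get(key);
    if (first !== undefined && first !== a.PermissionSetArn)
      findings.push(`${at}: principal already has another permission set on this account`);
    if (first === undefined) granted.set(key, a.PermissionSetArn);
  });
  return findings;
}

// Constructed sample input, built from the placeholder values used on this page.
const instanceArn = "arn:aws:sso:us-west-2:123456789012:instance/ssoins-12345678";
const base = { PrincipalId: "group-123456", PrincipalType: "GROUP", InstanceArn: instanceArn, TargetType: "AWS_ACCOUNT" };
const sample: AssignmentProps[] = [
  { ...base, TargetId: "123456789012", PermissionSetArn: "arn:aws:sso:::permissionSet/ssoins-12345678/ps-12345678" },
  { ...base, TargetId: "account-123456", PermissionSetArn: "arn:aws:sso:::permissionSet/ssoins-87654321/ps-87654321" },
  { ...base, TargetId: "123456789012", PermissionSetArn: "arn:aws:sso:::permissionSet/ssoins-12345678/ps-87654321" },
];
console.log(lintAssignments(sample).join("\n"));
```

Running the lint in CI before deployment surfaces cross-instance ARN mix-ups and unintended second grants to the same principal before they reach the account.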