CreateAccountAssignment - IAM Identity Center
Request SyntaxRequest ParametersResponse SyntaxResponse ElementsErrorsSee Also

CreateAccountAssignment

Assigns access to a principal for a specified AWS account using a specified permission set.

Note

The term principal here refers to a user or group that is defined in IAM Identity Center.

Note

As part of a successful CreateAccountAssignment call, the specified permission set will automatically be provisioned to the account in the form of an IAM policy. That policy is attached to the IAM role created in IAM Identity Center. If the permission set is subsequently updated, the corresponding IAM policies attached to roles in your accounts will not be updated automatically. In this case, you must call ProvisionPermissionSet to make these updates.

Note

After a successful response, call DescribeAccountAssignmentCreationStatus to describe the status of an assignment creation request.

Request Syntax

{
   "InstanceArn": "string",
   "PermissionSetArn": "string",
   "PrincipalId": "string",
   "PrincipalType": "string",
   "TargetId": "string",
   "TargetType": "string"
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters.

The request accepts the following data in JSON format.

InstanceArn

The ARN of the IAM Identity Center instance under which the operation will be executed. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

Type: String

Length Constraints: Minimum length of 10. Maximum length of 1224.

Pattern: arn:(aws|aws-us-gov|aws-cn|aws-iso|aws-iso-b):sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}

Required: Yes

PermissionSetArn

The ARN of the permission set that the admin wants to grant the principal access to.

Type: String

Length Constraints: Minimum length of 10. Maximum length of 1224.

Pattern: arn:(aws|aws-us-gov|aws-cn|aws-iso|aws-iso-b):sso:::permissionSet/(sso)?ins-[a-zA-Z0-9-.]{16}/ps-[a-zA-Z0-9-./]{16}

Required: Yes

PrincipalId

An identifier for an object in IAM Identity Center, such as a user or group. PrincipalIds are GUIDs (For example, f81d4fae-7dec-11d0-a765-00a0c91e6bf6). For more information about PrincipalIds in IAM Identity Center, see the IAM Identity Center Identity Store API Reference.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 47.

Pattern: ([0-9a-f]{10}-|)[A-Fa-f0-9]{8}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{12}

Required: Yes

PrincipalType

The entity type for which the assignment will be created.

Type: String

Valid Values: USER | GROUP

Required: Yes

TargetId

TargetID is an AWS account identifier, (For example, 123456789012).

Type: String

Length Constraints: Fixed length of 12.

Pattern: \d{12}

Required: Yes

TargetType

The entity type for which the assignment will be created.

Type: String

Valid Values: AWS_ACCOUNT

Required: Yes

Response Syntax

{
   "AccountAssignmentCreationStatus": { 
      "CreatedDate": number,
      "FailureReason": "string",
      "PermissionSetArn": "string",
      "PrincipalId": "string",
      "PrincipalType": "string",
      "RequestId": "string",
      "Status": "string",
      "TargetId": "string",
      "TargetType": "string"
   }
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

AccountAssignmentCreationStatus

The status object for the account assignment creation operation.

Type: AccountAssignmentOperationStatus object

Errors

For information about the errors that are common to all actions, see Common Errors.

AccessDeniedException

You do not have sufficient access to perform this action.

HTTP Status Code: 400

ConflictException

Occurs when a conflict with a previous successful write is detected. This generally occurs when the previous write did not have time to propagate to the host serving the current request. A retry (with appropriate backoff logic) is the recommended response to this exception.

HTTP Status Code: 400

InternalServerException

The request processing has failed because of an unknown error, exception, or failure with an internal server.

HTTP Status Code: 500

ResourceNotFoundException

Indicates that a requested resource is not found.

HTTP Status Code: 400

ServiceQuotaExceededException

Indicates that the principal has crossed the permitted number of resources that can be created.

HTTP Status Code: 400

ThrottlingException

Indicates that the principal has crossed the throttling limits of the API operations.

HTTP Status Code: 400

ValidationException

The request failed because it contains a syntax error.

HTTP Status Code: 400

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: