org-formation / org-formation-reference

A reference architecture which aims to provide some best practices for any AWS Organization starting out using org-formation.

Allow setting a custom policy for SSO roles #40

Closed zaro0508 closed 6 months ago

zaro0508 commented 3 years ago

AWS SSO permission sets do not support customer managed policies [1]. The only way to set custom policies for an SSO role is to configure an inline policy. This change allows passing an inline policy to the AWS SSO template. The inline policy is an AWS policy document in JSON.

example:

    inlinePolicy: >-
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [ "s3:ListAllMyBuckets" ],
            "Resource": "arn:aws:s3:::*"
          },
          {
            "Effect": "Allow",
            "Action": [ "s3:ListBucket", "s3:GetBucketLocation" ],
            "Resource": [
              "arn:aws:s3:::MY-BUCKET"
            ]
          }
        ]
      }

[1] https://forums.aws.amazon.com/thread.jspa?threadID=282793
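Because the inline policy is arbitrary JSON handed straight to the template, it is worth linting it before a deployment runs. The following is an added example, not code from org-formation-reference or from the PR author; it assumes the policy arrives as a JSON string exactly as in the YAML snippet above, and it embeds that snippet (plus a constructed over-broad policy) so it runs offline with only the standard library.

```python
"""Pre-deployment lint for an AWS SSO permission-set inline policy.

Added example; not part of org-formation-reference. It assumes the
inline policy reaches the template as a JSON string (as in the YAML
`inlinePolicy: >-` block above) and checks it before anything is deployed.
"""
import json

# The policy from the PR description, embedded so the script runs offline.
EXAMPLE_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "s3:ListAllMyBuckets" ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": [ "s3:ListBucket", "s3:GetBucketLocation" ],
      "Resource": [
        "arn:aws:s3:::MY-BUCKET"
      ]
    }
  ]
}
"""

# Constructed counter-example: an admin grant hiding in an "inline" policy.
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})


def _as_list(value):
    """IAM accepts either a string or a list in Action/Resource fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_inline_policy(policy_text: str) -> list:
    """Return a list of findings; an empty list means the policy passed.

    Checks: well-formed JSON, required top-level keys, per-statement shape,
    no Principal (identity-based policies must not carry one), and no
    Allow of "*" actions on "*" resources or Allow-with-NotAction, both of
    which turn a scoped inline policy into a near-admin grant.
    """
    findings = []
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]

    if policy.get("Version") != "2012-10-17":
        findings.append('Version must be "2012-10-17"')

    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return findings + ["Statement must be a non-empty list"]

    for i, stmt in enumerate(statements):
        where = f"Statement[{i}]"
        effect = stmt.get("Effect")
        if effect not in ("Allow", "Deny"):
            findings.append(f"{where}: Effect must be Allow or Deny")
        if "Action" not in stmt and "NotAction" not in stmt:
            findings.append(f"{where}: missing Action")
        if "Resource" not in stmt and "NotResource" not in stmt:
            findings.append(f"{where}: missing Resource")
        if "Principal" in stmt or "NotPrincipal" in stmt:
            findings.append(f"{where}: identity-based policies must not contain Principal")
        if effect == "Allow":
            if "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource")):
                findings.append(f"{where}: allows all actions on all resources")
            if "NotAction" in stmt:
                findings.append(f"{where}: Allow with NotAction grants everything not listed")
    return findings


if __name__ == "__main__":
    for name, text in (("example", EXAMPLE_POLICY), ("overbroad", OVERBROAD_POLICY)):
        print(name, lint_inline_policy(text) or "ok")
```

Run this against the JSON before it is folded into the template; a non-empty result should fail the pipeline step, since the whole point of reaching for an inline policy here is to scope the SSO role more tightly than the managed policies allow.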