sso

(Service: IAM Identity Center (successor to AWS Single Sign-On))

action	access level	condition keys	dependent actions	source
`sso:AssociateDirectory`	Write		ds:AuthorizeApplication	source
`sso:AssociateProfile`	Write			source
`sso:AttachCustomerManagedPolicyReferenceToPermissionSet`	Permissions management			source
`sso:AttachManagedPolicyToPermissionSet`	Permissions management			source
`sso:CreateAccountAssignment`	Write			source
`sso:CreateApplication`	Write	aws:RequestTag/${TagKey} aws:TagKeys		source
`sso:CreateApplicationAssignment`	Write	sso:ApplicationAccount		source
`sso:CreateApplicationInstance`	Write			source
`sso:CreateApplicationInstanceCertificate`	Write			source
`sso:CreateInstance`	Write	aws:RequestTag/${TagKey} aws:TagKeys	iam:CreateServiceLinkedRole organizations:DescribeOrganization	source
`sso:CreateInstanceAccessControlAttributeConfiguration`	Write		iam:AttachRolePolicy iam:CreateRole iam:DeleteRole iam:DeleteRolePolicy iam:DetachRolePolicy iam:GetRole iam:ListAttachedRolePolicies iam:ListRolePolicies iam:PutRolePolicy iam:UpdateAssumeRolePolicy	source
`sso:CreateManagedApplicationInstance`	Write			source
`sso:CreatePermissionSet`	Write	aws:RequestTag/${TagKey} aws:TagKeys		source
`sso:CreateProfile`	Write			source
`sso:CreateTrust`	Write			source
`sso:CreateTrustedTokenIssuer`	Write	aws:RequestTag/${TagKey} aws:TagKeys		source
`sso:DeleteAccountAssignment`	Write			source
`sso:DeleteApplication`	Write	sso:ApplicationAccount		source
`sso:DeleteApplicationAccessScope`	Write	sso:ApplicationAccount		source
`sso:DeleteApplicationAssignment`	Write	sso:ApplicationAccount		source
`sso:DeleteApplicationAuthenticationMethod`	Write	sso:ApplicationAccount		source
`sso:DeleteApplicationGrant`	Write	sso:ApplicationAccount		source
`sso:DeleteApplicationInstance`	Write			source
`sso:DeleteApplicationInstanceCertificate`	Write			source
`sso:DeleteInlinePolicyFromPermissionSet`	Write			source
`sso:DeleteInstance`	Write			source
`sso:DeleteInstanceAccessControlAttributeConfiguration`	Write			source
`sso:DeleteManagedApplicationInstance`	Write			source
`sso:DeletePermissionSet`	Write			source
`sso:DeletePermissionsBoundaryFromPermissionSet`	Permissions management			source
`sso:DeletePermissionsPolicy`	Permissions management			source
`sso:DeleteProfile`	Write			source
`sso:DeleteTrustedTokenIssuer`	Write			source
`sso:DescribeAccountAssignmentCreationStatus`	Read			source
`sso:DescribeAccountAssignmentDeletionStatus`	Read			source
`sso:DescribeApplication`	Read	sso:ApplicationAccount		source
`sso:DescribeApplicationAssignment`	Read	sso:ApplicationAccount		source
`sso:DescribeApplicationProvider`	Read			source
`sso:DescribeDirectories`	Read			source
`sso:DescribeInstance`	Read			source
`sso:DescribeInstanceAccessControlAttributeConfiguration`	Read			source
`sso:DescribePermissionSet`	Read			source
`sso:DescribePermissionSetProvisioningStatus`	Read			source
`sso:DescribePermissionsPolicies`	Read			source
`sso:DescribeRegisteredRegions`	Read			source
`sso:DescribeTrustedTokenIssuer`	Read			source
`sso:DescribeTrusts`	Read			source
`sso:DetachCustomerManagedPolicyReferenceFromPermissionSet`	Permissions management			source
`sso:DetachManagedPolicyFromPermissionSet`	Permissions management			source
`sso:DisassociateDirectory`	Write		ds:UnauthorizeApplication	source
`sso:DisassociateProfile`	Write			source
`sso:GetApplicationAccessScope`	Read	sso:ApplicationAccount		source
`sso:GetApplicationAssignmentConfiguration`	Read	sso:ApplicationAccount		source
`sso:GetApplicationAuthenticationMethod`	Read	sso:ApplicationAccount		source
`sso:GetApplicationGrant`	Read	sso:ApplicationAccount		source
`sso:GetApplicationInstance`	Read			source
`sso:GetApplicationTemplate`	Read			source
`sso:GetInlinePolicyForPermissionSet`	Read			source
`sso:GetManagedApplicationInstance`	Read			source
`sso:GetMfaDeviceManagementForDirectory`	Read			source
`sso:GetPermissionSet`	Read			source
`sso:GetPermissionsBoundaryForPermissionSet`	Read			source
`sso:GetPermissionsPolicy`	Read		sso:DescribePermissionsPolicies	source
`sso:GetProfile`	Read			source
`sso:GetSSOStatus`	Read			source
`sso:GetSharedSsoConfiguration`	Read			source
`sso:GetSsoConfiguration`	Read			source
`sso:GetTrust`	Read			source
`sso:ImportApplicationInstanceServiceProviderMetadata`	Write			source
`sso:ListAccountAssignmentCreationStatus`	List			source
`sso:ListAccountAssignmentDeletionStatus`	List			source
`sso:ListAccountAssignments`	List			source
`sso:ListAccountAssignmentsForPrincipal`	List			source
`sso:ListAccountsForProvisionedPermissionSet`	List			source
`sso:ListApplicationAccessScopes`	List	sso:ApplicationAccount		source
`sso:ListApplicationAssignments`	List	sso:ApplicationAccount		source
`sso:ListApplicationAssignmentsForPrincipal`	List	sso:ApplicationAccount		source
`sso:ListApplicationAuthenticationMethods`	List	sso:ApplicationAccount		source
`sso:ListApplicationGrants`	List	sso:ApplicationAccount		source
`sso:ListApplicationInstanceCertificates`	Read			source
`sso:ListApplicationInstances`	List		sso:GetApplicationInstance	source
`sso:ListApplicationProviders`	List			source
`sso:ListApplicationTemplates`	List		sso:GetApplicationTemplate	source
`sso:ListApplications`	List			source
`sso:ListCustomerManagedPolicyReferencesInPermissionSet`	List			source
`sso:ListDirectoryAssociations`	Read			source
`sso:ListInstances`	List			source
`sso:ListManagedPoliciesInPermissionSet`	List			source
`sso:ListPermissionSetProvisioningStatus`	List			source
`sso:ListPermissionSets`	List			source
`sso:ListPermissionSetsProvisionedToAccount`	List			source
`sso:ListProfileAssociations`	Read			source
`sso:ListProfiles`	List		sso:GetProfile	source
`sso:ListTagsForResource`	Read			source
`sso:ListTrustedTokenIssuers`	List			source
`sso:ProvisionPermissionSet`	Write			source
`sso:PutApplicationAccessScope`	Write	sso:ApplicationAccount		source
`sso:PutApplicationAssignmentConfiguration`	Write	sso:ApplicationAccount		source
`sso:PutApplicationAuthenticationMethod`	Write	sso:ApplicationAccount		source
`sso:PutApplicationGrant`	Write	sso:ApplicationAccount		source
`sso:PutInlinePolicyToPermissionSet`	Write			source
`sso:PutMfaDeviceManagementForDirectory`	Write			source
`sso:PutPermissionsBoundaryToPermissionSet`	Permissions management			source
`sso:PutPermissionsPolicy`	Permissions management			source
`sso:SearchGroups`	Read		ds:DescribeDirectories	source
`sso:SearchUsers`	Read		ds:DescribeDirectories	source
`sso:StartSSO`	Write		organizations:DescribeOrganization organizations:EnableAWSServiceAccess	source
`sso:TagResource`	Tagging	aws:RequestTag/${TagKey} aws:TagKeys		source
`sso:UntagResource`	Tagging	aws:TagKeys		source
`sso:UpdateApplication`	Write	sso:ApplicationAccount		source
`sso:UpdateApplicationInstanceActiveCertificate`	Write			source
`sso:UpdateApplicationInstanceDisplayData`	Write			source
`sso:UpdateApplicationInstanceResponseConfiguration`	Write			source
`sso:UpdateApplicationInstanceResponseSchemaConfiguration`	Write			source
`sso:UpdateApplicationInstanceSecurityConfiguration`	Write			source
`sso:UpdateApplicationInstanceServiceProviderConfiguration`	Write			source
`sso:UpdateApplicationInstanceStatus`	Write			source
`sso:UpdateDirectoryAssociation`	Write			source
`sso:UpdateInstance`	Write			source
`sso:UpdateInstanceAccessControlAttributeConfiguration`	Write			source
`sso:UpdateManagedApplicationInstanceStatus`	Write			source
`sso:UpdatePermissionSet`	Permissions management			source
`sso:UpdateProfile`	Write			source
`sso:UpdateSSOConfiguration`	Write			source
`sso:UpdateTrust`	Write			source
`sso:UpdateTrustedTokenIssuer`	Write			source