Expand description
Account-partitioned, serializable state for AWS IAM Identity Center’s SSO
Admin (sso-admin) control plane.
Everything the service owns for one account: IAM Identity Center instances
(each with its regions), permission sets (with their inline / managed /
customer-managed / boundary policies), account assignments and their async
operation statuses, permission-set provisioning statuses, applications (with
their assignments, access scopes, authentication methods, grants and
session/assignment configuration), trusted token issuers, per-instance
access-control attribute configuration, and resource tags. Nested config
objects are stored as the raw request Value so they echo back verbatim.
Structs§
- SsoAdmin
Data - Per-account SSO Admin state.
- SsoAdmin
Snapshot - Stored
Application - An application registered on an instance.
- Stored
Assignment - An account assignment linking a principal to a permission set on an account.
- Stored
Instance - An IAM Identity Center instance.
- Stored
Managed Policy - A managed policy attached to a permission set.
- Stored
OpStatus - Async status for account-assignment create/delete operations.
- Stored
Permission Set - A permission set within an instance.
- Stored
Provisioning Status - Async status for permission-set provisioning.
- Stored
Region - A region enabled on an IAM Identity Center instance.
- Stored
Trusted Token Issuer - A trusted token issuer.
Constants§
Functions§
- ensure_
default_ instance - Seed a default, always-
ACTIVEIAM Identity Center instance foraccount_idwhen it has none. Real AWS requires enabling IAM Identity Center before instances exist, but seeding one makes the control plane (and the paired Identity Store directory) usable out of the box — and lets tools that first resolveListInstances(e.g. Terraform’saws_ssoadmin_instances) proceed. The instance id is derived from the account id so it is stable across restarts. No-op if an instance already exists (e.g. restored from a snapshot).