Table: aws_ssoadmin_account_assignment - Query AWS SSO Admin Account Assignment using SQL
The AWS SSO Admin Account Assignment is a resource within the AWS Single Sign-On (SSO) service. An account assignment ties a principal (a user or a group) to an AWS account through a permission set, so these assignments are what determines who may access which account, and with what permissions. Reviewing them is central to controlling access to AWS resources and services and to the security and governance of your AWS environment.
Table Usage Guide
The aws_ssoadmin_account_assignment table in Steampipe provides you with information about each AWS SSO (Single Sign-On) admin account assignment within your AWS account. This table allows you, as a DevOps engineer, administrator, or AWS user, to query details related to SSO admin account assignments, including the principal type, principal ID, target type, target ID, and permission set. You can use this table to gather insights on SSO admin account assignments, such as the account assignments for a specific principal or target, the permission sets assigned to a target, and more. The schema outlines the various attributes of the SSO admin account assignment for you, including the instance ARN, principal type, principal ID, target type, target ID, and permission set.
Examples
Assignments for a specific permission set and account
List the principals to which a specific permission set is assigned within a particular account. This shows how access to that account is structured and who holds the permission set in question.
select
  permission_set_arn,
  target_account_id,
  principal_type,
  principal_id
from
  aws_ssoadmin_account_assignment
where
  permission_set_arn = 'arn:aws:sso:::permissionSet/ssoins-0123456789abcdef/ps-0123456789abcdef'
  and target_account_id = '012347678910';
Assignments for a specific permission set and account, with user/group information from Identity Store
Resolve which user or group has been assigned a specific permission set in an AWS account, by joining the assignment's principal ID against the users and groups in the Identity Store of the same SSO instance. This is useful for understanding access controls and managing permissions within your organization.
with aws_ssoadmin_principal as (
  select
    i.arn as instance_arn,
    'GROUP' as "type",
    g.id,
    g.title
  from
    aws_ssoadmin_instance i
    left join aws_identitystore_group g on i.identity_store_id = g.identity_store_id
  union
  select
    i.arn as instance_arn,
    'USER' as "type",
    u.id,
    u.title
  from
    aws_ssoadmin_instance i
    left join aws_identitystore_user u on i.identity_store_id = u.identity_store_id
)
select
  a.target_account_id,
  a.principal_type,
  p.title as principal_title
from
  aws_ssoadmin_account_assignment a
  left join aws_ssoadmin_principal p
    on a.principal_type = p.type
    and a.principal_id = p.id
    and a.instance_arn = p.instance_arn
where
  a.target_account_id = '012345678901'
  and a.permission_set_arn = 'arn:aws:sso:::permissionSet/ssoins-0123456789abcdef/ps-0123456789abcdef';
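As an added example (not part of the Steampipe documentation), the query below lists assignments made directly to individual users rather than through groups, for one permission set in one account. Direct user grants sit outside group-based review, so they are worth surfacing. The permission set ARN and account ID are placeholders; the join to aws_identitystore_user follows the same pattern as the example above.

```sql
-- Direct USER assignments (not via a group) for one permission set in
-- one account. Both equality filters are kept, matching the pattern the
-- documented examples use for this table's key columns.
-- The permission set ARN and account ID below are placeholder values.
select
  a.target_account_id,
  a.permission_set_arn,
  a.principal_id,
  u.title as user_title           -- null if the user no longer exists in the Identity Store
from
  aws_ssoadmin_account_assignment a
  -- resolve the SSO instance so we can reach its Identity Store
  join aws_ssoadmin_instance i
    on a.instance_arn = i.arn
  -- match the assignment's principal ID against Identity Store users
  left join aws_identitystore_user u
    on u.identity_store_id = i.identity_store_id
    and u.id = a.principal_id
where
  a.principal_type = 'USER'
  and a.permission_set_arn = 'arn:aws:sso:::permissionSet/ssoins-0123456789abcdef/ps-0123456789abcdef'
  and a.target_account_id = '012345678901'
order by
  u.title;
```

Rows whose user_title is null point at assignments whose principal ID no longer resolves to a current user, which are candidates for cleanup.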
Schema for aws_ssoadmin_account_assignment
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located. |
instance_arn | text | = | The Amazon Resource Name (ARN) of the SSO Instance under which the operation will be executed. |
partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). |
permission_set_arn | text | = | The ARN of the permission set from which to list assignments. |
principal_id | text | | An identifier for an object in IAM Identity Center, such as a user or group. |
principal_type | text | | The entity type for which the assignment will be created. |
region | text | | The AWS Region in which the resource is located. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
target_account_id | text | = | The identifier of the AWS account from which to list the assignments. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws
You can pass the configuration to the command with the --config argument:
steampipe_export_aws --config '<your_config>' aws_ssoadmin_account_assignment