sso-oauth:RevokeTokenWithIAM

Write

sso-oauth:RevokeTokenWithIAM is a Write access-level action in the sso-oauth service. Grants permission to revoke OAuth 2.0 access tokens and refresh tokens, invalidating them before their normal expiration. This permission is used only by AWS managed applications and is not documented in the IAM Identity Center OIDC API Reference

Resource types

ARNs that sso-oauth:RevokeTokenWithIAM can be scoped to in an IAM policy.

arn:${Partition}:sso::${AccountId}:application/${InstanceId}/${ApplicationId}
Application

Condition keys

No condition keys are documented for this action.

Dependent actions

To use sso-oauth:RevokeTokenWithIAM you may also need to grant:

Example IAM policy

A minimal policy that allows sso-oauth:RevokeTokenWithIAM. Replace "Resource": "*" with a specific ARN to follow least privilege.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSsooauthRevokeTokenWithIAM",
      "Effect": "Allow",
      "Action": "sso-oauth:RevokeTokenWithIAM",
      "Resource": "*"
    }
  ]
}

Related actions in sso-oauth

View all sso-oauth actions →