sso:CreateApplicationAssignment is a Write access-level action in the sso service. Grants permission to create an application assignment
ARNs that sso:CreateApplicationAssignment can be scoped to in an IAM policy.
Keys you can use in the Condition block of a policy that grants sso:CreateApplicationAssignment.
Filters access by the tags associated with the resource
Filters access by the account which creates the application. This condition key is not supported for customer managed SAML applications
Filters access by the primary region of the IAM Identity Center instance
To use sso:CreateApplicationAssignment you may also need to grant:
A minimal policy that allows sso:CreateApplicationAssignment. Replace "Resource": "*" with a specific ARN to follow least privilege.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowSsoCreateApplicationAssignment",
"Effect": "Allow",
"Action": "sso:CreateApplicationAssignment",
"Resource": "*"
}
]
}