Skip to content

SSO Admin

SSO Admin is a service provided by Amazon Web Services (AWS) that enables you to manage your AWS Single Sign-On (AWS SSO) resources. It allows you to create, update, and delete AWS SSO resources such as directories, groups, and users.

LocalStack provides a mock implementation of the SSO Admin API that allows you to create and manage your AWS SSO resources. The supported APIs are available on our API Coverage section, which provides information on the extent of SSO Admin’s integration with LocalStack.

This guide is designed for users new to SSO Admin and assumes basic knowledge of the AWS CLI and our awslocal wrapper script.

Start your LocalStack container using your preferred method. We will demonstrate how to create a permission set, add tags to a permission set, and list permission sets.

You can create a permission set using the CreatePermissionSet API.

Terminal window
awslocal sso-admin create-permission-set \
--name my-permission-set \
--description "My permission set" \
--instance-arn arn:aws:sso:::instance/d-1234567890 \
--tags Key=Name,Value=my-permission-set
Output
{
"PermissionSet": {
"CreatedDate": "2025-07-02T12:15:33.352631+05:30",
"Description": "My permission set",
"Name": "my-permission-set",
"PermissionSetArn": "arn:aws:sso:::instance/d-1234567890/ps-lm0rshcjz3tikab8",
"SessionDuration": 3600
}
}

You can list permission sets using the ListPermissionSets API.

Terminal window
awslocal sso-admin list-permission-sets --instance-arn arn:aws:sso:::instance/d-1234567890
Output
{
"PermissionSets": [
"arn:aws:sso:::instance/d-1234567890/ps-lm0rshcjz3tikab8"
]
}

You can list tags for a permission set using the ListTagsForResource API.

Terminal window
awslocal sso-admin list-tags-for-resource --resource-arn arn:aws:sso:::instance/d-1234567890/ps-lm0rshcjz3tikab8 --instance-arn arn:aws:sso:::instance/d-1234567890
Output
{
"Tags": [
{
"Key": "Name",
"Value": "my-permission-set"
}
]
}
OperationImplementedImage
Page 1 of 0