Permission Sets
AWS best practices dictate that the principle of least privilege should be followed for permission assignment. What this means, in practice, is that users of AWS accounts should be granted privileges that allow them to perform only the required tasks.
Permission Sets in Stax allow for the granting of tailored levels of access for users logging in to Stax-managed AWS accounts. Each Permission Set consists of a policy document and a number of (zero or more) assignments. The policy document defines what someone utilizing the Permission Set can do, and the assignment defines who can utilize the Permission Set and where.
A policy document is a JSON-formatted IAM Policy Document that is assigned to a Permission Set. It defines levels of access using combinations of actions, resources, and conditions. Refer to AWS's Identity-based policies definitions and examples to get started with writing policy documents. The Actions, resources, and condition keys for AWS services page provides comprehensive documentation for constructing IAM Policies.
To define an IAM policy for a Permission Set in Stax, you can do so by referencing AWS Managed Policies and/or entering an inline IAM policy for adding customizations.
There is no support for Permission Sets in the Stax Python SDK at this time.
Assignments
An assignment specifies how a Permission Set is able to be utilized. It specifies, for a given Permission Set, a Groupof users, and an Account Type that those users can access using the Permission Set. A single Permission Set can have up to 100 assignments, allowing one set of permissions to be used for multiple group and Account Type combinations.