AWS SSO provision permission set automatically through CloudFormation


I have created AWS SSO permission sets through CloudFormation and users are successfully assuming roles in downstream accounts. The issue I am seeing here is when a new change gets added to the code, let's say an IAM inline policy gets edited with some extra permissions, I need to log in to the account and manually provision the changes from the main account to the downstream accounts.

I found the provision-permission-set AWS CLI call but it doesn't look like there is a CloudFormation option.

I am considering having this step as a part of my deployment pipeline and if I don't have to create a custom script that is going to use AWS CLI to do that job that would be awesome.

Thanks y'all


There is 1 best solution below


You can use AWS::SSO::Assignment to join the permission set, principal and account.
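
The provision-permission-set call mentioned in the question, written as a pipeline step that also waits for the asynchronous request to finish. This is an added example, not code from the asker or the answer; it assumes the AWS CLI is installed with credentials allowed to call sso-admin, and the function name, polling defaults and exit codes are choices made here.

```bash
#!/bin/sh
# Added example: push an edited permission set to every account it is
# already provisioned in, then poll until the request completes.
# Arguments: <instance-arn> <permission-set-arn> [max-polls] [delay-seconds]
# Exit codes (chosen for this example): 0 ok, 1 CLI error, 2 failed,
# 3 unexpected status, 4 timed out.

provision_permission_set() {
  local instance_arn permission_set_arn max_polls delay request_id status i
  instance_arn="$1"
  permission_set_arn="$2"
  max_polls="${3:-30}"
  delay="${4:-5}"

  # Start provisioning; the API returns immediately with a request id.
  request_id="$(aws sso-admin provision-permission-set \
      --instance-arn "$instance_arn" \
      --permission-set-arn "$permission_set_arn" \
      --target-type ALL_PROVISIONED_ACCOUNTS \
      --query 'PermissionSetProvisioningStatus.RequestId' \
      --output text)" || return 1

  i=0
  while [ "$i" -lt "$max_polls" ]; do
    status="$(aws sso-admin describe-permission-set-provisioning-status \
        --instance-arn "$instance_arn" \
        --provision-permission-set-request-id "$request_id" \
        --query 'PermissionSetProvisioningStatus.Status' \
        --output text)" || return 1
    case "$status" in
      SUCCEEDED)   echo "provisioned: $request_id"; return 0 ;;
      FAILED)      echo "provisioning failed: $request_id" >&2; return 2 ;;
      IN_PROGRESS) sleep "$delay" ;;
      *)           echo "unexpected status: $status" >&2; return 3 ;;
    esac
    i=$((i + 1))
  done

  # Fail the pipeline rather than report success on an unfinished rollout.
  echo "timed out waiting for $request_id" >&2
  return 4
}

# Pipeline usage (values supplied by the caller):
#   provision_permission_set "$INSTANCE_ARN" "$PERMISSION_SET_ARN" || exit $?
```

A non-zero return lets the deployment stop when downstream accounts did not receive the policy change, so the template and the provisioned roles do not silently drift apart.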