API Permissions Reference - Amazon S3 Glacier
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

This page is only for existing customers of the S3 Glacier service using Vaults and the original REST API from 2012.

If you're looking for archival storage solutions we suggest using the S3 Glacier storage classes in Amazon S3, S3 Glacier Instant Retrieval, S3 Glacier Flexible Retrieval, and S3 Glacier Deep Archive. To learn more about these storage options, see S3 Glacier storage classes and Long-term data storage using S3 Glacier storage classes in the Amazon S3 User Guide. These storage classes use the Amazon S3 API, are available in all regions, and can be managed within the Amazon S3 console. They offer features like Storage Cost Analysis, Storage Lens, advanced optional encryption features, and more.

API Permissions Reference

When you are setting up How Amazon S3 Glacier works with IAM and writing a permissions policy that you can attach to an IAM identity (identity-based policies) or a resource (resource-based policies), you can use the following table as a reference. The table lists each S3 Glacier API operation, the corresponding actions for which you can grant permissions to perform the action, and the Amazon resource for which you can grant the permissions.

You specify the actions in the policy's Action element, and you specify the resource value in the policy's Resource element. Also, you can use the IAM policy language Condition element to specify when a policy should take effect.

To specify an action, use the glacier: prefix followed by the API operation name (for example, glacier:CreateVault). For most S3 Glacier actions, Resource is the vault on which you want to grant the permissions. You specify a vault as the Resource value by using the vault ARN. To express conditions, you use predefined condition keys. For more information, see Resource-based policies within S3 Glacier.

The following table lists actions that can be used with identity-based policies and resource-based policies.

Note

Some actions can only be used with identity-based policies. These actions are marked by an asterisk (*) after the name of the API operation in the first column.

If you see an expand arrow () in the upper-right corner of the table, you can open the table in a new window. To close the window, choose the close button (X) in the lower-right corner.