API Summary
This section briefly describes how you can use IAM policies to control how an actor can use each API and pseudo API to access Amazon SWF resources.
-
For all actions except
RegisterDomain
andListDomains
, you can allow or deny access to any or all of an account's domains by expressing permissions for the domain resource. -
You can allow or deny permission for any member of the regular API and, if you grant permission to call
RespondDecisionTaskCompleted
, any member of the pseudo API. -
You can use a Condition to constrain some parameters' allowable values.
The following sections list the parameters that can be constrained for each member of the regular and pseudo API and provide the associated key, and note any limitations on how you can control domain access.
Regular API
This section lists the regular API members, and briefly describes the parameters that can be constrained and the associated keys. It also notes any limitations on how you can control domain access.
-
tagFilter.tag
– String constraint. The key isswf:tagFilter.tag
-
typeFilter.name
– String constraint. The key isswf:typeFilter.name
. -
typeFilter.version
– String constraint. The key isswf:typeFilter.version
.
Note
CountClosedWorkflowExecutions
requires typeFilter
and
tagFilter
to be mutually exclusive.
-
tagFilter.tag
– String constraint. The key isswf:tagFilter.tag
-
typeFilter.name
– String constraint. The key isswf:typeFilter.name
. -
typeFilter.version
– String constraint. The key isswf:typeFilter.version
.
Note
CountOpenWorkflowExecutions
requires typeFilter
and
tagFilter
to be mutually exclusive.
-
taskList.name
– String constraint. The key isswf:taskList.name
.
-
taskList.name
– String constraint. The key isswf:taskList.name
.
-
activityType.name
– String constraint. The key isswf:activityType.name
. -
activityType.version
– String constraint. The key isswf:activityType.version
.
-
activityType.name
– String constraint. The key isswf:activityType.name
. -
activityType.version
– String constraint. The key isswf:activityType.version
.
-
You can't constrain this action's parameters.
-
workflowType.name
– String constraint. The key isswf:workflowType.name
. -
workflowType.version
– String constraint. The key isswf:workflowType.version
.
-
workflowType.name
– String constraint. The key isswf:workflowType.name
. -
workflowType.version
– String constraint. The key isswf:workflowType.version
.
-
activityType.name
– String constraint. The key isswf:activityType.name
. -
activityType.version
– String constraint. The key isswf:activityType.version
.
-
You can't constrain this action's parameters.
-
You can't constrain this action's parameters.
-
workflowType.name
– String constraint. The key isswf:workflowType.name
. -
workflowType.version
– String constraint. The key isswf:workflowType.version
.
-
You can't constrain this action's parameters.
-
You can't constrain this action's parameters.
-
tagFilter.tag
– String constraint. The key isswf:tagFilter.tag
-
typeFilter.name
– String constraint. The key isswf:typeFilter.name
. -
typeFilter.version
– String constraint. The key isswf:typeFilter.version
.
Note
ListClosedWorkflowExecutions
requires typeFilter
and
tagFilter
to be mutually exclusive.
-
You can't constrain this action's parameters.
-
tagFilter.tag
– String constraint. The key isswf:tagFilter.tag
-
typeFilter.name
– String constraint. The key isswf:typeFilter.name
. -
typeFilter.version
– String constraint. The key isswf:typeFilter.version
.
Note
ListOpenWorkflowExecutions
requires typeFilter
and
tagFilter
to be mutually exclusive.
-
You can't constrain this action's parameters.
-
taskList.name
– String constraint. The key isswf:taskList.name
.
-
taskList.name
– String constraint. The key isswf:taskList.name
.
-
You can't constrain this action's parameters.
-
defaultTaskList.name
– String constraint. The key isswf:defaultTaskList.name
. -
name
– String constraint. The key isswf:name
. -
version
– String constraint. The key isswf:version
.
-
name
– The name of the domain being registered is available as the resource of this action.
-
defaultTaskList.name
– String constraint. The key isswf:defaultTaskList.name
. -
name
– String constraint. The key isswf:name
. -
version
– String constraint. The key isswf:version
.
RequestCancelWorkflowExecution
-
You can't constrain this action's parameters.
-
You can't constrain this action's parameters.
-
You can't constrain this action's parameters.
-
You can't constrain this action's parameters.
-
decisions.member.N
– Restricted indirectly through pseudo API permissions. For details, see Pseudo API.
-
You can't constrain this action's parameters.
-
tagList.member.0
– String constraint. The key isswf:tagList.member.0
-
tagList.member.1
– String constraint. The key isswf:tagList.member.1
-
tagList.member.2
– String constraint. The key isswf:tagList.member.2
-
tagList.member.3
– String constraint. The key isswf:tagList.member.3
-
tagList.member.4
– String constraint. The key isswf:tagList.member.4
-
taskList.name
– String constraint. The key isswf:taskList.name
. -
workflowType.name
– String constraint. The key isswf:workflowType.name
. -
workflowType.version
– String constraint. The key isswf:workflowType.version
.
Note
You can't constrain more than five tags.
-
You can't constrain this action's parameters.
Pseudo API
This section lists the members of the pseudo API, which represent the decisions
included in RespondDecisionTaskCompleted
. If you have granted permission to
use RespondDecisionTaskCompleted
, your policy can express permissions for
the members of this API in the same way as the regular API. You can further restrict
some members of the pseudo-API by setting conditions on one or more parameters. This
section lists the pseudo API members, and briefly describes the parameters that can be
constrained and the associated keys.
Note
The aws:SourceIP
, aws:UserAgent
, and
aws:SecureTransport
keys are not available for the pseudo API. If
your intended security policy requires these keys to control access to the pseudo
API, you can use them with the RespondDecisionTaskCompleted
action.
CancelTimer
-
You can't constrain this action's parameters.
CancelWorkflowExecution
-
You can't constrain this action's parameters.
CompleteWorkflowExecution
-
You can't constrain this action's parameters.
ContinueAsNewWorkflowExecution
-
tagList.member.0
– String constraint. The key isswf:tagList.member.0
-
tagList.member.1
– String constraint. The key isswf:tagList.member.1
-
tagList.member.2
– String constraint. The key isswf:tagList.member.2
-
tagList.member.3
– String constraint. The key isswf:tagList.member.3
-
tagList.member.4
– String constraint. The key isswf:tagList.member.4
-
taskList.name
– String constraint. The key isswf:taskList.name
. -
workflowTypeVersion
– String constraint. The key isswf:workflowTypeVersion
.
Note
You can't constrain more than five tags.
FailWorkflowExecution
-
You can't constrain this action's parameters.
RecordMarker
-
You can't constrain this action's parameters.
RequestCancelActivityTask
-
You can't constrain this action's parameters.
RequestCancelExternalWorkflowExecution
-
You can't constrain this action's parameters.
ScheduleActivityTask
-
activityType.name
– String constraint. The key isswf:activityType.name
. -
activityType.version
– String constraint. The key isswf:activityType.version
. -
taskList.name
– String constraint. The key isswf:taskList.name
.
SignalExternalWorkflowExecution
-
You can't constrain this action's parameters.
StartChildWorkflowExecution
-
tagList.member.0
– String constraint. The key isswf:tagList.member.0
-
tagList.member.1
– String constraint. The key isswf:tagList.member.1
-
tagList.member.2
– String constraint. The key isswf:tagList.member.2
-
tagList.member.3
– String constraint. The key isswf:tagList.member.3
-
tagList.member.4
– String constraint. The key isswf:tagList.member.4
-
taskList.name
– String constraint. The key isswf:taskList.name
. -
workflowType.name
– String constraint. The key isswf:workflowType.name
. -
workflowType.version
– String constraint. The key isswf:workflowType.version
.
Note
You can't constrain more than five tags.
StartTimer
-
You can't constrain this action's parameters.