Identity-based policies for Amazon AppSync
By default, users and roles don't have permission to create or modify Amazon AppSync resources. They also can't perform tasks by using the Amazon Web Services Management Console, Amazon Command Line Interface (Amazon CLI), or Amazon API. To grant users permission to perform actions on the resources that they need, an IAM administrator can create IAM policies. The administrator can then add the IAM policies to roles, and users can assume the roles.
To learn how to create an IAM identity-based policy by using these example JSON policy documents, see Creating IAM policies in the IAM User Guide.
For details about actions and resource types defined by Amazon AppSync, including the format of the ARNs for each of the resource types, see Actions, resources, and condition keys for Amazon AppSync in the Service Authorization Reference.
To learn the best practices for creating and configuring IAM identity-based policies, see IAM policy best practices.
For a list of IAM identity-based policies for Amazon AppSync, see Amazon managed policies for Amazon AppSync.
Topics
Using the Amazon AppSync console
To access the Amazon AppSync console, you must have a minimum set of permissions. These permissions must allow you to list and view details about the Amazon AppSync resources in your Amazon Web Services account. If you create an identity-based policy that is more restrictive than the minimum required permissions, the console won't function as intended for entities (users or roles) with that policy.
You don't need to allow minimum console permissions for users that are making calls only to the Amazon CLI or the Amazon API. Instead, allow access to only the actions that match the API operation that they're trying to perform.
To ensure that
IAM
users and roles can still use the Amazon AppSync console, also attach the
Amazon AppSync ConsoleAccess or ReadOnly Amazon managed policy to
the entities. For more information, see Adding permissions to a user in the
IAM User Guide.
Allow users to view their own permissions
This example shows how you might create a policy that allows IAM users to view the inline and managed policies that are attached to their user identity. This policy includes permissions to complete this action on the console or programmatically using the Amazon CLI or Amazon API.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "ViewOwnUserInfo", "Effect": "Allow", "Action": [ "iam:GetUserPolicy", "iam:ListGroupsForUser", "iam:ListAttachedUserPolicies", "iam:ListUserPolicies", "iam:GetUser" ], "Resource": ["arn:aws-cn:iam::*:user/${aws:username}"] }, { "Sid": "NavigateInConsole", "Effect": "Allow", "Action": [ "iam:GetGroupPolicy", "iam:GetPolicyVersion", "iam:GetPolicy", "iam:ListAttachedGroupPolicies", "iam:ListGroupPolicies", "iam:ListPolicyVersions", "iam:ListPolicies", "iam:ListUsers" ], "Resource": "*" } ] }
Accessing one Amazon S3 bucket
In this example, you want to grant an IAM user in your Amazon account access to one
of your Amazon S3 buckets, examplebucket. You also want to allow the user to
add, update, and delete objects.
In addition to granting the s3:PutObject, s3:GetObject, and
s3:DeleteObject permissions to the user, the policy also grants the
s3:ListAllMyBuckets, s3:GetBucketLocation, and
s3:ListBucket permissions. These are the additional permissions required
by the console. Also, the s3:PutObjectAcl and the
s3:GetObjectAcl actions are required to be able to copy, cut, and paste
objects in the console. For an example walkthrough that grants permissions to users and
tests them using the console, see An example
walkthrough: Using user policies to control access to your bucket.
{ "Version":"2012-10-17", "Statement":[ { "Sid":"ListBucketsInConsole", "Effect":"Allow", "Action":[ "s3:ListAllMyBuckets" ], "Resource":"arn:aws-cn:s3:::*" }, { "Sid":"ViewSpecificBucketInfo", "Effect":"Allow", "Action":[ "s3:ListBucket", "s3:GetBucketLocation" ], "Resource":"arn:aws-cn:s3:::examplebucket" }, { "Sid":"ManageBucketContents", "Effect":"Allow", "Action":[ "s3:PutObject", "s3:PutObjectAcl", "s3:GetObject", "s3:GetObjectAcl", "s3:DeleteObject" ], "Resource":"arn:aws-cn:s3:::examplebucket/*" } ] }
Viewing
Amazon AppSync widgets based on tags
You can use conditions in your identity-based policy to control access to Amazon AppSync
resources based on tags. This example shows how you might create a policy that allows
viewing a widget. However, permission is granted only if the
widget tag Owner has the value of that user's
user name. This policy also grants the permissions necessary to complete this action on
the console.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "ListWidgetsInConsole", "Effect": "Allow", "Action": "appsync:ListWidgets", "Resource": "*" }, { "Sid": "ViewWidgetIfOwner", "Effect": "Allow", "Action": "appsync:GetWidget", "Resource": "arn:aws-cn:appsync:*:*:widget/*", "Condition": { "StringEquals": {"aws:ResourceTag/Owner": "${aws:username}"} } } ] }
You can attach this policy to the IAM users in your account. If a user named
richard-roe attempts to view an Amazon AppSync
widget, the widget must be
tagged Owner=richard-roe or owner=richard-roe. Otherwise he is
denied access. The condition tag key Owner matches both Owner
and owner because condition key names are not case-sensitive. For more
information, see IAM JSON policy elements: Condition in the IAM User Guide.