Supported resource-level permissions for Amazon Batch API actions
The term resource-level permissions refers to the ability to specify the resources that users are allowed to perform actions on. Amazon Batch has partial support for resource-level permissions. For some Amazon Batch actions, you can control when users are allowed to use those actions based on conditions that must be met. You can also control which specific resources users are allowed to use. For example, you can grant users permissions to submit jobs, but only to a specific job queue and only with a specific job definition.
The following list describes the Amazon Batch API actions that currently support resource-level permissions. The list also describes the supported resources, resource ARNs, and condition keys for each action.
Important
If an Amazon Batch API action isn't included in this list, then it doesn't support resource-level permissions. If an Amazon Batch API action doesn't support resource-level permissions, you can still grant users permission to use the action. However, you must specify a wildcard (*) for the Resource element of your policy statement.
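The following policy is an added example, not taken from the Amazon Batch documentation. It scopes SubmitJob to one job queue and one job definition, limits CancelJob and TerminateJob to jobs that carry a given tag, and uses a wildcard resource for two actions that aren't in the list (DescribeJobs and ListJobs). The Region, account ID, queue name, definition name and tag values are constructed placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SubmitOnlyToOneQueueWithOneDefinition",
      "Effect": "Allow",
      "Action": "batch:SubmitJob",
      "Resource": [
        "arn:aws-cn:batch:cn-north-1:111122223333:job-queue/example-queue",
        "arn:aws-cn:batch:cn-north-1:111122223333:job-definition/example-jobdef",
        "arn:aws-cn:batch:cn-north-1:111122223333:job-definition/example-jobdef:*"
      ]
    },
    {
      "Sid": "StopOnlyJobsTaggedForTeam",
      "Effect": "Allow",
      "Action": ["batch:CancelJob", "batch:TerminateJob"],
      "Resource": "arn:aws-cn:batch:cn-north-1:111122223333:job/*",
      "Condition": {
        "StringEquals": { "aws:ResourceTag/team": "example-team" }
      }
    },
    {
      "Sid": "ActionsWithoutResourceLevelSupport",
      "Effect": "Allow",
      "Action": ["batch:DescribeJobs", "batch:ListJobs"],
      "Resource": "*"
    }
  ]
}
```

Because the SubmitJob entry on this page shows the revision as optional in the job definition ARN, the definition is listed both with and without a revision suffix.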
- Actions
  CancelJob, CreateComputeEnvironment, CreateJobQueue, CreateSchedulingPolicy, DeleteComputeEnvironment, DeleteJobQueue, DeleteSchedulingPolicy, DeregisterJobDefinition, ListTagsForResource, RegisterJobDefinition, SubmitJob, TagResource, TerminateJob, UntagResource, UpdateComputeEnvironment, UpdateSchedulingPolicy, UpdateJobQueue
- CancelJob
  Cancels a job in an Amazon Batch queue.
  - Resource
    - Job: arn:aws-cn:batch:region:account:job/jobId
      - Condition keys
        - aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
- CreateComputeEnvironment
  Creates an Amazon Batch compute environment.
  - Resource
    - Compute Environment: arn:aws-cn:batch:region:account:compute-environment/compute-environment-name
      - Condition keys
        - aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
  - Condition keys
    - aws:RequestTag/${TagKey} (String) - Filters actions based on the tags that are passed in the request.
    - aws:TagKeys (String) - Filters actions based on the tag keys that are passed in the request.
- CreateJobQueue
  Creates an Amazon Batch job queue.
  - Resource
    - Compute Environment: arn:aws-cn:batch:region:account:compute-environment/compute-environment-name
      - Condition keys
        - aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
    - Job Queue: arn:aws-cn:batch:region:account:job-queue/queue-name
      - Condition keys
        - aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
    - Scheduling Policy: arn:aws-cn:batch:region:account:scheduling-policy/scheduling-policy-name
      - Condition keys
        - aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
  - Condition keys
    - aws:RequestTag/${TagKey} (String) - Filters actions based on the tags that are passed in the request.
    - aws:TagKeys (String) - Filters actions based on the tag keys that are passed in the request.
- DeleteComputeEnvironment
  Deletes an Amazon Batch compute environment.
  - Resource
    - Compute Environment: arn:aws-cn:batch:region:account:compute-environment/compute-environment-name
      - Condition keys
        - aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
- CreateSchedulingPolicy
  Creates an Amazon Batch scheduling policy.
  - Resource
    - Scheduling Policy: arn:aws-cn:batch:region:account:scheduling-policy/scheduling-policy-name
      - Condition keys
        - aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
  - Condition keys
    - aws:RequestTag/${TagKey} (String) - Filters actions based on the tags that are passed in the request.
    - aws:TagKeys (String) - Filters actions based on the tag keys that are passed in the request.
- DeleteJobQueue
  Deletes the specified job queue. Deleting the job queue eventually deletes all of the jobs in the queue. Jobs are deleted at a rate of about 16 jobs each second.
  - Resource
    - Job Queue: arn:aws-cn:batch:region:account:job-queue/queue-name
      - Condition keys
        - aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
- DeleteSchedulingPolicy
  Deletes the specified scheduling policy.
  - Resource
    - Scheduling Policy: arn:aws-cn:batch:region:account:scheduling-policy/scheduling-policy-name
      - Condition keys
        - aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
- DeregisterJobDefinition
  Deregisters an Amazon Batch job definition.
  - Resource
    - Job Definition: arn:aws-cn:batch:region:account:job-definition/definition-name:revision
      - Condition keys
        - aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
- ListTagsForResource
  Lists the tags for the specified resource.
  - Resource
    - Compute Environment: arn:aws-cn:batch:region:account:compute-environment/compute-environment-name
      - Condition keys
        - aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
    - Job: arn:aws-cn:batch:region:account:job/jobId
      - Condition keys
        - aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
    - Job Definition: arn:aws-cn:batch:region:account:job-definition/definition-name:revision
      - Condition keys
        - aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
    - Job Queue: arn:aws-cn:batch:region:account:job-queue/queue-name
      - Condition keys
        - aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
    - Scheduling Policy: arn:aws-cn:batch:region:account:scheduling-policy/scheduling-policy-name
      - Condition keys
        - aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
- RegisterJobDefinition
  Registers an Amazon Batch definition.
  - Resource
    - Job Definition: arn:aws-cn:batch:region:account:job-definition/definition-name
      - Condition keys
        - batch:AWSLogsCreateGroup (Boolean) - When this parameter is true, the awslogs-group is created for the logs.
        - batch:AWSLogsGroup (String) - The awslogs group where the logs are located.
        - batch:AWSLogsRegion (String) - The Region where the logs are sent to.
        - batch:AWSLogsStreamPrefix (String) - The awslogs log stream prefix.
        - batch:Image (String) - The Docker image used to start a job.
        - batch:LogDriver (String) - The log driver used for the job.
        - batch:Privileged (Boolean) - When this parameter is true, the container for the job is given elevated permissions on the host container instance.
        - batch:User (String) - The user name or numeric uid to use inside the container for the job.
        - aws:RequestTag/${TagKey} (String) - Filters actions based on the tags that are passed in the request.
        - aws:TagKeys (String) - Filters actions based on the tag keys that are passed in the request.
- SubmitJob
  Submits an Amazon Batch job from a job definition.
  - Resource
    - Job: arn:aws-cn:batch:region:account:job/jobId
      - Condition keys
        - aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
    - Job Definition: arn:aws-cn:batch:region:account:job-definition/definition-name[:revision]
      - Condition keys
        - aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
          Note
          This key can only be used when the job definition Amazon Resource Name (ARN) is in the format arn:aws:batch:region:account_number:job-definition/definition-name:revision.
    - Job Queue: arn:aws-cn:batch:region:account:job-queue/queue-name
      - Condition keys
        - aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
- TagResource
  Tags the specified resource.
  - Resource
    - Compute Environment: arn:aws-cn:batch:region:account:compute-environment/compute-environment-name
      - Condition keys
        - aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
    - Job: arn:aws-cn:batch:region:account:job/jobId
      - Condition keys
        - aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
    - Job Definition: arn:aws-cn:batch:region:account:job-definition/definition-name:revision
      - Condition keys
        - aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
    - Job Queue: arn:aws-cn:batch:region:account:job-queue/queue-name
      - Condition keys
        - aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
    - Scheduling Policy: arn:aws-cn:batch:region:account:scheduling-policy/scheduling-policy-name
      - Condition keys
        - aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
  - Condition keys
    - aws:RequestTag/${TagKey} (String) - Filters actions based on the tags that are passed in the request.
    - aws:TagKeys (String) - Filters actions based on the tag keys that are passed in the request.
- TerminateJob
  Terminates a job in an Amazon Batch job queue.
  - Resource
    - Job: arn:aws-cn:batch:region:account:job/jobId
      - Condition keys
        - aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
- UntagResource
  Untags the resource that's specified.
  - Resource
    - Compute Environment: arn:aws-cn:batch:region:account:compute-environment/compute-environment-name
      - Condition keys
        - aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
    - Job: arn:aws-cn:batch:region:account:job/jobId
      - Condition keys
        - aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
    - Job Definition: arn:aws-cn:batch:region:account:job-definition/definition-name:revision
      - Condition keys
        - aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
    - Job Queue: arn:aws-cn:batch:region:account:job-queue/queue-name
      - Condition keys
        - aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
    - Scheduling Policy: arn:aws-cn:batch:region:account:scheduling-policy/scheduling-policy-name
      - Condition keys
        - aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
  - Condition keys
    - aws:TagKeys (String) - Filters actions based on the tag keys that are passed in the request.
- UpdateComputeEnvironment
  Updates an Amazon Batch compute environment.
  - Resource
    - Compute Environment: arn:aws-cn:batch:region:account:compute-environment/compute-environment-name
      - Condition keys
        - aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
- UpdateJobQueue
  Updates a job queue.
  - Resource
    - Job Queue: arn:aws-cn:batch:region:account:job-queue/queue-name
      - Condition keys
        - aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
    - Scheduling Policy: arn:aws-cn:batch:region:account:scheduling-policy/scheduling-policy-name
      - Condition keys
        - aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
- UpdateSchedulingPolicy
  Updates a scheduling policy.
  - Resource
    - Scheduling Policy: arn:aws-cn:batch:region:account:scheduling-policy/scheduling-policy-name
      - Condition keys
        - aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
Condition keys for Amazon Batch API actions
Amazon Batch defines the following condition keys that are used in the Condition element of an IAM policy. You can use these keys to refine the conditions that the policy statement applies to. To view the global condition keys that are available to all services, see available global condition keys in the IAM User Guide.
- batch:AWSLogsCreateGroup (Boolean) - When this parameter is true, the awslogs-group is created for the logs.
- batch:AWSLogsGroup (String) - The awslogs group where the logs are located.
- batch:AWSLogsRegion (String) - The Amazon Web Services Region where the logs are sent to.
- batch:AWSLogsStreamPrefix (String) - The awslogs log stream prefix.
- batch:Image (String) - The Docker image used to start a job.
- batch:LogDriver (String) - The log driver used for the job.
- batch:Privileged (Boolean) - When this parameter is true, the container for the job is given elevated permissions on the host container instance (similar to the root user).
- aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
- aws:RequestTag/${TagKey} (String) - Filters actions based on the tags that are passed in the request.
- Filters actions based on the shareIdentifier parameter sent to SubmitJob.
- aws:TagKeys (String) - Filters actions based on the tag keys that are passed in the request.
- batch:User (String) - The user name or numeric user ID (uid) to use inside the container for the job.
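The following policy is an added example, not taken from the Amazon Batch documentation. It uses the batch:User, batch:Image and batch:Privileged condition keys so that job definitions can be registered only with a non-root user, an approved image and no elevated permissions, and it adds an explicit Deny for privileged containers. The Region, account ID, definition name prefix, user name and image URI are constructed placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RegisterOnlyUnprivilegedApprovedImage",
      "Effect": "Allow",
      "Action": "batch:RegisterJobDefinition",
      "Resource": "arn:aws-cn:batch:cn-north-1:111122223333:job-definition/example-*",
      "Condition": {
        "StringEquals": {
          "batch:User": "nobody",
          "batch:Image": "111122223333.dkr.ecr.cn-north-1.amazonaws.com.cn/example-app:1.0"
        },
        "Bool": {
          "batch:Privileged": "false"
        }
      }
    },
    {
      "Sid": "NeverRegisterPrivilegedContainers",
      "Effect": "Deny",
      "Action": "batch:RegisterJobDefinition",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "batch:Privileged": "true"
        }
      }
    }
  ]
}
```

All keys in the Allow statement's Condition block must match for the Allow to apply, and the Deny statement overrides any other policy that would otherwise permit a privileged job definition.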