Supported resource-level permissions for Amazon Batch API actions

The term resource-level permissions refers to the ability to specify the resources that users are allowed to perform actions on. Amazon Batch has partial support for resource-level permissions. For some Amazon Batch actions, you can control when users are allowed to use those actions based on conditions that must be met. You can also control based on the specific resources that users are allowed to use. For example, you can grant users permissions to submit jobs, but only to a specific job queue and only with a specific job definition.

The following list describes the Amazon Batch API actions that currently support resource-level permissions. The list also describes the supported resources, resource ARNs, and condition keys for each action.

Important

If an Amazon Batch API action isn't listed in this list, then it doesn't support resource-level permissions. If an Amazon Batch API action doesn't support resource-level permissions, you can grant users permission to use the action. However, you must include a wildcard (*) for the resource element of your policy statement.

Actions: CancelJob, CreateComputeEnvironment, CreateJobQueue, CreateSchedulingPolicy, DeleteComputeEnvironment, DeleteJobQueue, DeleteSchedulingPolicy, DeregisterJobDefinition, ListTagsForResource, RegisterJobDefinition, SubmitJob, TagResource, TerminateJob, UntagResource, UpdateComputeEnvironment, UpdateSchedulingPolicy, UpdateJobQueue

CancelJob

Cancels a job in an Amazon Batch queue.

Resource

Job

arn:aws-cn:batch:region:account:job/jobId

Condition keys

aws:ResourceTag/${TagKey} (String): Filters actions based on the tags that are associated with the resource.

CreateComputeEnvironment

Creates an Amazon Batch compute environment.

Resource

Compute Environment

arn:aws-cn:batch:region:account:compute-environment/compute-environment-name

Condition keys

aws:ResourceTag/${TagKey} (String): Filters actions based on the tags that are associated with the resource.

Condition keys

aws:RequestTag/${TagKey} (String): Filters actions based on the tags that are passed in the request.
aws:TagKeys (String): Filters actions based on the tag keys that are passed in the request.

CreateJobQueue

Creates an Amazon Batch job queue.

Resource

Compute Environment

arn:aws-cn:batch:region:account:compute-environment/compute-environment-name

Condition keys

aws:ResourceTag/${TagKey} (String): Filters actions based on the tags that are associated with the resource.

Job Queue

arn:aws-cn:batch:region:account:job-queue/queue-name

Condition keys

aws:ResourceTag/${TagKey} (String): Filters actions based on the tags that are associated with the resource.

Scheduling Policy

arn:aws-cn:batch:region:account:scheduling-policy/scheduling-policy-name

Condition keys

aws:ResourceTag/${TagKey} (String): Filters actions based on the tags that are associated with the resource.

Condition keys

aws:RequestTag/${TagKey} (String): Filters actions based on the tags that are passed in the request.
aws:TagKeys (String): Filters actions based on the tag keys that are passed in the request.

DeleteComputeEnvironment

Deletes an Amazon Batch compute environment.

Resource

Compute Environment

arn:aws-cn:batch:region:account:compute-environment/compute-environment-name

Condition keys

aws:ResourceTag/${TagKey} (String): Filters actions based on the tags that are associated with the resource.

CreateSchedulingPolicy

Creates an Amazon Batch scheduling policy.

Resource

Scheduling Policy

arn:aws-cn:batch:region:account:scheduling-policy/scheduling-policy-name

Condition keys

aws:ResourceTag/${TagKey} (String): Filters actions based on the tags that are associated with the resource.

Condition keys

aws:RequestTag/${TagKey} (String): Filters actions based on the tags that are passed in the request.
aws:TagKeys (String): Filters actions based on the tag keys that are passed in the request.

DeleteJobQueue

Deletes the specified job queue. Deleting the job queue eventually deletes all of the jobs in the queue. Jobs are deleted at a rate of about 16 jobs each second.

Resource

Job Queue

arn:aws-cn:batch:region:account:job-queue/queue-name

Condition keys

aws:ResourceTag/${TagKey} (String): Filters actions based on the tags that are associated with the resource.

DeleteSchedulingPolicy

Deletes the specified scheduling policy.

Resource

Scheduling Policy

arn:aws-cn:batch:region:account:scheduling-policy/scheduling-policy-name

Condition keys

aws:ResourceTag/${TagKey} (String): Filters actions based on the tags that are associated with the resource.

DeregisterJobDefinition

Deregisters an Amazon Batch job definition.

Resource

Job Definition

arn:aws-cn:batch:region:account:job-definition/definition-name:revision

Condition keys

aws:ResourceTag/${TagKey} (String): Filters actions based on the tags that are associated with the resource.

ListTagsForResource

Lists the tags for the specified resource.

Resource

Compute Environment

arn:aws-cn:batch:region:account:compute-environment/compute-environment-name

Condition keys

aws:ResourceTag/${TagKey} (String): Filters actions based on the tags that are associated with the resource.

Job

arn:aws-cn:batch:region:account:job/jobId

Condition keys

aws:ResourceTag/${TagKey} (String): Filters actions based on the tags that are associated with the resource.

Job Definition

arn:aws-cn:batch:region:account:job-definition/definition-name:revision

Condition keys

aws:ResourceTag/${TagKey} (String): Filters actions based on the tags that are associated with the resource.

Job Queue

arn:aws-cn:batch:region:account:job-queue/queue-name

Condition keys

aws:ResourceTag/${TagKey} (String): Filters actions based on the tags that are associated with the resource.

Scheduling Policy

arn:aws-cn:batch:region:account:scheduling-policy/scheduling-policy-name

Condition keys

aws:ResourceTag/${TagKey} (String): Filters actions based on the tags that are associated with the resource.

RegisterJobDefinition

Registers an Amazon Batch definition.

Resource

Job Definition: arn:aws-cn:batch:region:account:job-definition/definition-name

Condition keys

batch:AWSLogsCreateGroup (Boolean): When this parameter is true, the awslogs-group is created for the logs.
batch:AWSLogsGroup (String): The awslogs group where the logs are located.
batch:AWSLogsRegion (String): The Region where the logs are sent to.
batch:AWSLogsStreamPrefix (String): The awslogs log stream prefix.
batch:Image (String): The Docker image used to start a job.
batch:LogDriver (String): The log driver used for the job.
batch:Privileged (Boolean): When this parameter is true, the container for the job is given elevated permissions on the host container instance.
batch:User (String): The user name or numeric uid to use inside the container for the job.
aws:RequestTag/${TagKey} (String): Filters actions based on the tags that are passed in the request.
aws:TagKeys (String): Filters actions based on the tag keys that are passed in the request.

SubmitJob

Submits an Amazon Batch job from a job definition.

Resource

Job

arn:aws-cn:batch:region:account:job/jobId

Condition keys

aws:ResourceTag/${TagKey} (String): Filters actions based on the tags that are associated with the resource.

Job Definition

arn:aws-cn:batch:region:account:job-definition/definition-name[:revision]

Condition keys

aws:ResourceTag/${TagKey} (String): Filters actions based on the tags that are associated with the resource.

Note
This key can only be used when the job definition Amazon Resource Name (ARN) is in the format arn:aws:batch:region:account_number:job-definition/definition-name:revision.

Job Queue

arn:aws-cn:batch:region:account:job-queue/queue-name

Condition keys

aws:ResourceTag/${TagKey} (String): Filters actions based on the tags that are associated with the resource.

TagResource

Tags the specified resource.

Resource

Compute Environment

arn:aws-cn:batch:region:account:compute-environment/compute-environment-name

Condition keys

aws:ResourceTag/${TagKey} (String): Filters actions based on the tags that are associated with the resource.

Job

arn:aws-cn:batch:region:account:job/jobId

Condition keys

aws:ResourceTag/${TagKey} (String): Filters actions based on the tags that are associated with the resource.

Job Definition

arn:aws-cn:batch:region:account:job-definition/definition-name:revision

Condition keys

aws:ResourceTag/${TagKey} (String): Filters actions based on the tags that are associated with the resource.

Job Queue

arn:aws-cn:batch:region:account:job-queue/queue-name

Condition keys

aws:ResourceTag/${TagKey} (String): Filters actions based on the tags that are associated with the resource.

Scheduling Policy

arn:aws-cn:batch:region:account:scheduling-policy/scheduling-policy-name

Condition keys

aws:ResourceTag/${TagKey} (String): Filters actions based on the tags that are associated with the resource.

Condition keys

aws:RequestTag/${TagKey} (String): Filters actions based on the tags that are passed in the request.
aws:TagKeys (String): Filters actions based on the tag keys that are passed in the request.

TerminateJob

Terminates a job in an Amazon Batch job queue.

Resource

Job

arn:aws-cn:batch:region:account:job/jobId

Condition keys

aws:ResourceTag/${TagKey} (String): Filters actions based on the tags that are associated with the resource.

UntagResource

Untags the resource that's specified.

Resource

Compute Environment

arn:aws-cn:batch:region:account:compute-environment/compute-environment-name

Condition keys

aws:ResourceTag/${TagKey} (String): Filters actions based on the tags that are associated with the resource.

Job

arn:aws-cn:batch:region:account:job/jobId

Condition keys

aws:ResourceTag/${TagKey} (String): Filters actions based on the tags that are associated with the resource.

Job Definition

arn:aws-cn:batch:region:account:job-definition/definition-name:revision

Condition keys

aws:ResourceTag/${TagKey} (String): Filters actions based on the tags that are associated with the resource.

Job Queue

arn:aws-cn:batch:region:account:job-queue/queue-name

Condition keys

aws:ResourceTag/${TagKey} (String): Filters actions based on the tags that are associated with the resource.

Scheduling Policy

arn:aws-cn:batch:region:account:scheduling-policy/scheduling-policy-name

Condition keys

aws:ResourceTag/${TagKey} (String): Filters actions based on the tags that are associated with the resource.

Condition keys

aws:TagKeys (String): Filters actions based on the tag keys that are passed in the request.

UpdateComputeEnvironment

Updates an Amazon Batch compute environment.

Resource

Compute Environment

arn:aws-cn:batch:region:account:compute-environment/compute-environment-name

Condition keys

aws:ResourceTag/${TagKey} (String): Filters actions based on the tags that are associated with the resource.

UpdateJobQueue

Updates a job queue.

Resource

Job Queue

arn:aws-cn:batch:region:account:job-queue/queue-name

Condition keys

aws:ResourceTag/${TagKey} (String): Filters actions based on the tags that are associated with the resource.

Scheduling Policy

arn:aws-cn:batch:region:account:scheduling-policy/scheduling-policy-name

Condition keys

aws:ResourceTag/${TagKey} (String): Filters actions based on the tags that are associated with the resource.

UpdateSchedulingPolicy

Updates a scheduling policy.

Resource

Scheduling Policy

arn:aws-cn:batch:region:account:scheduling-policy/scheduling-policy-name

Condition keys

aws:ResourceTag/${TagKey} (String): Filters actions based on the tags that are associated with the resource.

Condition keys for Amazon Batch API actions

Amazon Batch defines the following condition keys that are used in the Condition element of an IAM policy. You can use these keys to refine the conditions that the policy statement applies to. To view the global condition keys that are available to all services, see available global condition keys in the IAM User Guide.

batch:AWSLogsCreateGroup (Boolean): When this parameter is true, the awslogs-group is created for the logs.
batch:AWSLogsGroup (String): The awslogs group where the logs are located.
batch:AWSLogsRegion (String): The Amazon Web Services Region where the logs are sent to.
batch:AWSLogsStreamPrefix (String): The awslogs log stream prefix.
batch:Image (String): The Docker image used to start a job.
batch:LogDriver (String): The log driver used for the job.
batch:Privileged (Boolean): When this parameter is true, the container for the job is given elevated permissions on the host container instance (similar to the root user).
aws:ResourceTag/${TagKey} (String): Filters actions based on the tags that are associated with the resource.
aws:RequestTag/${TagKey} (String): Filters actions based on the tags that are passed in the request.
batch:ShareIdentifier (String): Filters actions based on the shareIdentifier parameter sent to SubmitJob.
aws:TagKeys (String): Filters actions based on the tag keys that are passed in the request.
batch:User (String): The user name or numeric user ID (uid) to use inside the container for the job.

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Policy structure

Example policies

Supported resource-level permissions for Amazon Batch API actions

Important

Note

Condition keys for Amazon Batch API actions