Amazon Cloud Map API permissions reference

When you set up access control and write a permissions policy that you can attach to an IAM identity (an identity-based policy), you can use the following list as a reference. The list includes each Amazon Cloud Map API action and the actions for which you must grant permissions. You specify the actions in the Action field of the policy. For details about the resource value you must specify in the Resource field of the IAM policy, see Actions, resources, and condition keys for Amazon Cloud Map in the Service Authorization Reference.

You can use Amazon Cloud Map–specific condition keys in your IAM policies for some operations. For more information, see Condition keys for Amazon Cloud Map in the Service Authorization Reference.

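To specify an action, use the service prefix (servicediscovery for Amazon Cloud Map) followed by the API action name, for example, servicediscovery:CreatePublicDnsNamespace. Some operations also require actions from other services, which use that service's prefix, for example, route53:CreateHostedZone.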

Required permissions for Amazon Cloud Map actions

CreateHttpNamespace

Required permissions (API action):

  • servicediscovery:CreateHttpNamespace

CreatePrivateDnsNamespace

Required permissions (API action):

  • servicediscovery:CreatePrivateDnsNamespace

  • route53:CreateHostedZone

  • route53:GetHostedZone

  • route53:ListHostedZonesByName

  • ec2:DescribeVpcs

  • ec2:DescribeRegions

CreatePublicDnsNamespace

Required permissions (API action):

  • servicediscovery:CreatePublicDnsNamespace

  • route53:CreateHostedZone

  • route53:GetHostedZone

  • route53:ListHostedZonesByName

CreateService

Required Permissions (API Action): servicediscovery:CreateService

DeleteNamespace

Required permissions (API action):

  • servicediscovery:DeleteNamespace

DeleteService

Required Permissions (API Action): servicediscovery:DeleteService

DeregisterInstance

Required permissions (API action):

  • servicediscovery:DeregisterInstance

  • route53:GetHealthCheck

  • route53:DeleteHealthCheck

  • route53:UpdateHealthCheck

  • route53:ChangeResourceRecordSets

DiscoverInstances

Required Permissions (API Action): servicediscovery:DiscoverInstances

GetInstance

Required Permissions (API Action): servicediscovery:GetInstance

GetInstancesHealthStatus

Required Permissions (API Action): servicediscovery:GetInstancesHealthStatus

GetNamespace

Required Permissions (API Action): servicediscovery:GetNamespace

GetOperation

Required Permissions (API Action): servicediscovery:GetOperation

GetService

Required Permissions (API Action): servicediscovery:GetService

ListInstances

Required Permissions (API Action): servicediscovery:ListInstances

ListNamespaces

Required Permissions (API Action): servicediscovery:ListNamespaces

ListOperations

Required Permissions (API Action): servicediscovery:ListOperations

ListServices

Required Permissions (API Action): servicediscovery:ListServices

ListTagsForResource

Required Permissions (API Action): servicediscovery:ListTagsForResource

RegisterInstance

Required permissions (API action):

  • servicediscovery:RegisterInstance

  • route53:GetHealthCheck

  • route53:CreateHealthCheck

  • route53:UpdateHealthCheck

  • route53:ChangeResourceRecordSets

  • ec2:DescribeInstances

TagResource

Required Permissions (API Action): servicediscovery:TagResource

UntagResource

Required Permissions (API Action): servicediscovery:UntagResource

UpdateHttpNamespace

Required Permissions (API Action): servicediscovery:UpdateHttpNamespace

UpdateInstanceCustomHealthStatus

Required Permissions (API Action): servicediscovery:UpdateInstanceCustomHealthStatus

UpdatePrivateDnsNamespace

Required permissions (API action):

  • servicediscovery:UpdatePrivateDnsNamespace

  • route53:ChangeResourceRecordSets

UpdatePublicDnsNamespace

Required permissions (API action):

  • servicediscovery:UpdatePublicDnsNamespace

  • route53:ChangeResourceRecordSets

UpdateService

Required permissions (API action):

  • servicediscovery:UpdateService

  • route53:GetHealthCheck

  • route53:CreateHealthCheck

  • route53:DeleteHealthCheck

  • route53:UpdateHealthCheck

  • route53:ChangeResourceRecordSets
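
The following Python check is an added example, not part of the AWS documentation: given an identity-based policy document, it reports which of the actions listed above for a Cloud Map operation the policy does not grant. It assumes a simplified evaluation that looks only at the Effect and Action elements (any matching Deny is treated as blocking, and Resource, Condition, and NotAction are ignored); the names missing_actions, EXTRA, and SAMPLE_POLICY are hypothetical.

```python
import re

# Extra actions each Cloud Map operation needs besides its own
# servicediscovery:<Operation> action, copied from the list above.
HOSTED_ZONE = ["route53:CreateHostedZone", "route53:GetHostedZone",
               "route53:ListHostedZonesByName"]
RECORDS = ["route53:ChangeResourceRecordSets"]
EXTRA = {
    "CreatePrivateDnsNamespace": HOSTED_ZONE + ["ec2:DescribeVpcs", "ec2:DescribeRegions"],
    "CreatePublicDnsNamespace": HOSTED_ZONE,
    "DeregisterInstance": ["route53:GetHealthCheck", "route53:DeleteHealthCheck",
                           "route53:UpdateHealthCheck"] + RECORDS,
    "RegisterInstance": ["route53:GetHealthCheck", "route53:CreateHealthCheck",
                         "route53:UpdateHealthCheck"] + RECORDS + ["ec2:DescribeInstances"],
    "UpdatePrivateDnsNamespace": RECORDS,
    "UpdatePublicDnsNamespace": RECORDS,
    "UpdateService": ["route53:GetHealthCheck", "route53:CreateHealthCheck",
                      "route53:DeleteHealthCheck", "route53:UpdateHealthCheck"] + RECORDS,
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(statement, action):
    # Action names are case-insensitive; '*' and '?' are the only wildcards.
    return any(re.fullmatch(re.escape(p).replace(r"\*", ".*").replace(r"\?", "."),
                            action, re.IGNORECASE)
               for p in _as_list(statement.get("Action", [])))

def missing_actions(policy, operation):
    """Required actions for `operation` that `policy` does not effectively allow."""
    statements = _as_list(policy.get("Statement", []))
    required = ["servicediscovery:" + operation] + EXTRA.get(operation, [])
    # Assumption: a matching Deny always blocks, even if it carries a Condition.
    hit = lambda eff, a: any(s.get("Effect") == eff and _matches(s, a) for s in statements)
    return [a for a in required if hit("Deny", a) or not hit("Allow", a)]

# Constructed sample policy (not from the AWS documentation).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["servicediscovery:*", "route53:Get*",
                    "route53:ChangeResourceRecordSets", "ec2:Describe*"]},
        {"Effect": "Deny", "Resource": "*", "Action": "servicediscovery:DeleteNamespace"},
    ],
}

if __name__ == "__main__":
    print({op: missing_actions(SAMPLE_POLICY, op) for op in ("RegisterInstance", "DeleteNamespace")})
```

With the sample policy, servicediscovery:* alone is not enough for RegisterInstance: the check reports route53:CreateHealthCheck and route53:UpdateHealthCheck as missing.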