Amazon Cloud Map API Permissions: Actions, Resources, and Conditions Reference
When you set up Access Control and write
a permissions policy that you can attach to an IAM identity (identity-based policies), you
can use the following lists as a reference. The lists include each Amazon Cloud Map API action, the
actions that you must grant permissions access to, and the Amazon resource that you must grant
access to. You specify the actions in the Action field for the policy, and you
specify the resource value in the Resource field for the policy.
You can use Amazon Cloud Map–specific condition keys in your IAM policies for some operations. For more information, see Amazon Cloud Map Condition Keys Reference. You can also use Amazon wide condition keys. For a complete list of Amazon wide keys, see Available Keys in the IAM User Guide.
To specify an action, use the servicediscovery prefix followed by the API
action name, for example, servicediscovery:CreatePublicDnsNamespace and
route53:CreateHostedZone.
Required Permissions for Amazon Cloud Map Actions
- CreateHttpNamespace
-
Required Permissions (API Action):
-
servicediscovery:CreateHttpNamespace
Resources:
* -
- CreatePrivateDnsNamespace
-
Required Permissions (API Action):
-
servicediscovery:CreatePrivateDnsNamespace -
route53:CreateHostedZone -
route53:GetHostedZone -
route53:ListHostedZonesByName -
ec2:DescribeVpcs -
ec2:DescribeRegions
Resources:
* -
- CreatePublicDnsNamespace
-
Required Permissions (API Action):
-
servicediscovery:CreatePublicDnsNamespace -
route53:CreateHostedZone -
route53:GetHostedZone -
route53:ListHostedZonesByName
Resources:
* -
- CreateService
-
Required Permissions (API Action):
servicediscovery:CreateServiceResources:
* - DeleteNamespace
-
Required Permissions (API Action):
-
servicediscovery:DeleteNamespace
Resources:
*,arn:aws-cn:servicediscovery:region:account-id:namespace/namespace-id -
- DeleteService
-
Required Permissions (API Action):
servicediscovery:DeleteServiceResources:
*,arn:aws-cn:servicediscovery:region:account-id:service/service-id - DeregisterInstance
-
Required Permissions (API Action):
-
servicediscovery:DeregisterInstance -
route53:GetHealthCheck -
route53:DeleteHealthCheck -
route53:UpdateHealthCheck -
route53:ChangeResourceRecordSets
Resources:
* -
- DiscoverInstances
-
Required Permissions (API Action):
servicediscovery:DiscoverInstancesResources:
* - GetInstance
-
Required Permissions (API Action):
servicediscovery:GetInstanceResources:
* - GetInstancesHealthStatus
-
Required Permissions (API Action):
servicediscovery:GetInstancesHealthStatusResources:
* - GetNamespace
-
Required Permissions (API Action):
servicediscovery:GetNamespaceResources:
*,arn:aws-cn:servicediscovery:region:account-id:namespace/namespace-id - GetOperation
-
Required Permissions (API Action):
servicediscovery:GetOperationResources:
* - GetService
-
Required Permissions (API Action):
servicediscovery:GetServiceResources:
*,arn:aws-cn:servicediscovery:region:account-id:service/service-id - ListInstances
-
Required Permissions (API Action):
servicediscovery:ListInstancesResources:
* - ListNamespaces
-
Required Permissions (API Action):
servicediscovery:ListNamespacesResources:
* - ListOperations
-
Required Permissions (API Action):
servicediscovery:ListOperationsResources:
* - ListServices
-
Required Permissions (API Action):
servicediscovery:ListServicesResources:
* - ListTagsForResource
-
Required Permissions (API Action):
servicediscovery:ListTagsForResourceResources:
* - RegisterInstance
-
Required Permissions (API Action):
-
servicediscovery:RegisterInstance -
route53:GetHealthCheck -
route53:CreateHealthCheck -
route53:UpdateHealthCheck -
route53:ChangeResourceRecordSets -
ec2:DescribeInstances
Resources:
* -
- TagResource
-
Required Permissions (API Action):
servicediscovery:TagResourceResources:
* - UntagResource
-
Required Permissions (API Action):
servicediscovery:UntagResourceResources:
* - UpdateHttpNamespace
-
Required Permissions (API Action):
servicediscovery:UpdateHttpNamespaceResources:
*,arn:aws-cn:servicediscovery:region:account-id:namespace/namespace-id - UpdateInstanceCustomHealthStatus
-
Required Permissions (API Action):
servicediscovery:UpdateInstanceCustomHealthStatusResources:
* - UpdatePrivateDnsNamespace
-
Required Permissions (API Action):
-
servicediscovery:UpdatePrivateDnsNamespace -
route53:ChangeResourceRecordSets
Resources:
*,arn:aws-cn:servicediscovery:region:account-id:namespace/namespace-id -
- UpdatePublicDnsNamespace
-
Required Permissions (API Action):
-
servicediscovery:UpdatePublicDnsNamespace -
route53:ChangeResourceRecordSets
Resources:
*,arn:aws-cn:servicediscovery:region:account-id:namespace/namespace-id -
- UpdateService
-
Required Permissions (API Action):
-
servicediscovery:UpdateService -
route53:GetHealthCheck -
route53:CreateHealthCheck -
route53:DeleteHealthCheck -
route53:UpdateHealthCheck -
route53:ChangeResourceRecordSets
Resources:
*,arn:aws-cn:servicediscovery:region:account-id:service/service-id -
Amazon Cloud Map Condition Keys Reference
Amazon Cloud Map defines the following condition keys that can be used in the
Condition element of an IAM policy for specific Amazon Cloud Map actions. You can use
these keys to further refine the conditions under which the policy statement applies. For
details on which Amazon Cloud Map actions accept these condition keys, see Actions defined by
Amazon Cloud Map. For more information about condition keys in general, see Specifying Conditions in an IAM Policy.
servicediscovery:NamespaceArn-
A filter that lets you get objects by specifying the Amazon Resource Name (ARN) for the related namespace.
servicediscovery:NamespaceName-
A filter that lets you get objects by specifying the name of the related namespace.
servicediscovery:ServiceArn-
A filter that lets you get objects by specifying the Amazon Resource Name (ARN) for the related service.
servicediscovery:ServiceName-
A filter that lets you get objects by specifying the name of the related service.