Amazon Directory Service API permissions: Actions, resources, and conditions reference - Amazon Directory Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon Directory Service API permissions: Actions, resources, and conditions reference

When you are setting up Access control and writing permissions policies that you can attach to an IAM identity (identity-based policies), you can use the Amazon Directory Service API permissions: Actions, resources, and conditions reference table as a reference. Each API entry in the table includes the following:

  • The name of each API operation

  • Each API operation's corresponding action or actions in which you can grant permissions to perform the action

  • The Amazon resource in which you can grant the permissions

You specify the actions in the policy's Action field and the resource value in the policy's Resource field. To specify an action, use the ds: prefix followed by the API operation name (for example, ds:CreateDirectory). Some Amazon applications may require use of nonpublic Amazon Directory Service API operations such as ds:AuthorizeApplication, ds:CheckAlias, ds:CreateIdentityPoolDirectory, ds:GetAuthorizedApplicationDetails, ds:UpdateAuthorizedApplication, and ds:UnauthorizeApplication in their policies.

Some Amazon Directory Service APIs can only be called through the Amazon Web Services Management Console. They are not public APIs, in the sense they cannot be called programmatically, and they are not provided by any SDK. They accept user credentials. These API operations include ds:DisableRoleAccess, ds:EnableRoleAccess, and ds:UpdateDirectory.

You can use Amazon global condition keys in your Amazon Directory Service and Directory Service Data policies to express conditions. For a complete list of Amazon keys, see Available Global Condition Keys in the IAM User Guide.

Amazon Directory Service Data API and required permissions for actions

Note

To specify an action, use the ds-data: prefix followed by the name of the API operation (for example, ds-data:AddGroupMember).

Directory Service Data API Operations Required Permissions (API Actions) Resources
AddGroupMember

ds-data:AddGroupMember

*

CreateGroup

ds-data:CreateGroup

*

CreateUser

ds-data:CreateUser

*

DeleteGroup

ds-data:DeleteGroup

*

DeleteUser

ds-data:DeleteUser

*

DescribeGroup

ds-data:DescribeGroup

*

DescribeUser

ds-data:DescribeUser

*

DisableUser

ds-data:DisableUser

*

ListGroupMembers

ds-data:ListGroupMembers

*

ListGroupsForMember

ds-data:ListGroupsForMember

*

ListUsers

ds-data:ListUsers

*

RemoveGroupMember

ds-data:RemoveGroupMember

*

SearchGroups

ds-data:DescribeGroup

ds-data:SearchGroups

*

SearchUsers

ds-data:DescribeUser

ds-data:SearchUsers

*

UpdateGroup

ds-data:UpdateGroup

*

UpdateUser

ds-data:UpdateUser

*