Amazon Directory Service API permissions: Actions, resources, and conditions reference

When you set up access control and write permissions policies to attach to an IAM identity (identity-based policies), use the Amazon Directory Service API permissions: Actions, resources, and conditions reference table as a reference. Each API entry in the table includes the following:

  • The name of the Amazon Directory Service API operation

  • The corresponding actions that you can grant permission to perform

  • The Amazon resource for which you can grant the permissions

You specify the actions in the policy's Action field and the resource value in the policy's Resource field. To specify an action, use the ds: prefix followed by the API operation name (for example, ds:CreateDirectory). Some Amazon applications may require use of nonpublic Amazon Directory Service API operations such as ds:AuthorizeApplication, ds:CheckAlias, ds:CreateIdentityPoolDirectory, ds:GetAuthorizedApplicationDetails, ds:UpdateAuthorizedApplication, and ds:UnauthorizeApplication in their policies.

Some Amazon Directory Service API operations can be called only through the Amazon Web Services Management Console. They are not public APIs in the sense that they cannot be called programmatically and are not provided by any SDK. They accept user credentials. These API operations include ds:DisableRoleAccess, ds:EnableRoleAccess, and ds:UpdateDirectory.
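When reviewing identity-based policies, it helps to know which statements grant the nonpublic or console-only operations named in the two paragraphs above, including through wildcards such as ds:*. The following is an added example, not code from the Amazon documentation: the function name, the finding fields, and the sample policy are assumptions made for illustration, and only Action elements in Allow statements are inspected.

```python
import fnmatch
import json

# Action names copied from the page text; everything else here is illustrative.
NONPUBLIC = {"ds:AuthorizeApplication", "ds:CheckAlias", "ds:CreateIdentityPoolDirectory",
             "ds:GetAuthorizedApplicationDetails", "ds:UpdateAuthorizedApplication",
             "ds:UnauthorizeApplication"}
CONSOLE_ONLY = {"ds:DisableRoleAccess", "ds:EnableRoleAccess", "ds:UpdateDirectory"}

# Constructed sample policy (not from the page). Resource is "*" as a placeholder.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
   {"Effect": "Allow", "Action": ["ds:CreateDirectory", "ds:CheckAlias"], "Resource": "*"},
   {"Effect": "Allow", "Action": "ds:*", "Resource": "*"},
   {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}
 ]}
""")

def _as_list(value):
    """Action, Resource and Statement may each be a single value or a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]

def audit_ds_statements(policy):
    """Report, per Allow statement, which special ds: operations its Action patterns cover."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        # Action names are case-insensitive; keep patterns whose service prefix covers "ds".
        patterns = [p.lower() for p in _as_list(stmt.get("Action"))
                    if fnmatch.fnmatchcase("ds", p.split(":", 1)[0].lower())]
        if not patterns:
            continue
        def covered(names):
            return sorted(n for n in names
                          if any(fnmatch.fnmatchcase(n.lower(), p) for p in patterns))
        findings.append({
            "statement": idx,
            "nonpublic": covered(NONPUBLIC),
            "console_only": covered(CONSOLE_ONLY),
            "wildcard_action": any("*" in p or "?" in p for p in patterns),
            "all_resources": "*" in _as_list(stmt.get("Resource")),
        })
    return findings

if __name__ == "__main__":
    print(json.dumps(audit_ds_statements(SAMPLE_POLICY), indent=2))
```

A statement that lists ds:* is reported with every nonpublic and console-only operation, which makes the effect of the wildcard visible in review.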

You can use Amazon global condition keys in your Amazon Directory Service policies to express conditions. For a complete list of Amazon keys, see Available Global Condition Keys in the IAM User Guide.