Amazon Directory Service API permissions: Actions, resources, and conditions reference
When you are setting up Access control and writing permissions policies that you can attach to an IAM identity (identity-based policies), you can use the Amazon Directory Service API permissions: Actions, resources, and conditions reference table as a reference. Each API entry in the table includes the following:
- The name of each API operation
- The action or actions corresponding to each API operation, for which you can grant permissions
- The Amazon resource for which you can grant the permissions
You specify the actions in the policy's Action field and the resource value in the policy's Resource field. To specify an action, use the ds: prefix followed by the API operation name (for example, ds:CreateDirectory). Some Amazon applications may require use of nonpublic Amazon Directory Service API operations such as ds:AuthorizeApplication, ds:CheckAlias, ds:CreateIdentityPoolDirectory, ds:GetAuthorizedApplicationDetails, ds:UpdateAuthorizedApplication, and ds:UnauthorizeApplication in their policies.
Some Amazon Directory Service APIs can only be called through the Amazon Web Services Management Console. They are not public APIs, in the sense that they cannot be called programmatically, and they are not provided by any SDK. They accept user credentials. These API operations include ds:DisableRoleAccess, ds:EnableRoleAccess, and ds:UpdateDirectory.
You can use Amazon global condition keys in your Amazon Directory Service and Directory Service Data policies to express conditions. For a complete list of Amazon keys, see Available Global Condition Keys in the IAM User Guide.
Amazon Directory Service API and required permissions for actions
Amazon Directory Service Data API and required permissions for actions
Note
To specify an action, use the ds-data: prefix followed by the name of the API operation (for example, ds-data:AddGroupMember).
Directory Service Data API Operations | Required Permissions (API Actions) | Resources |
---|---|---|
AddGroupMember | | * |
CreateGroup | | * |
CreateUser | | * |
DeleteGroup | | * |
DeleteUser | | * |
DescribeGroup | | * |
DescribeUser | | * |
DisableUser | | * |
ListGroupMembers | | * |
ListGroupsForMember | | * |
ListUsers | | * |
RemoveGroupMember | | * |
SearchGroups | | * |
SearchUsers | | * |
UpdateGroup | | * |
UpdateUser | | * |
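The following is an added example, not part of the original reference: a small policy review helper that applies the ds: and ds-data: naming rules described above to an identity-based policy. It flags wildcard grants, ds-data: actions whose operation name is not in the table on this page, and the ds: actions the page names as nonpublic or console-only. The function name, finding labels, and sample policy are assumptions made for illustration, and only Allow statements that use Action (not NotAction) are examined.

```python
# Operation names from the Directory Service Data table on this page, lowercased
# because IAM matches action names case-insensitively.
DS_DATA_OPS = {s.lower() for s in (
    "AddGroupMember CreateGroup CreateUser DeleteGroup DeleteUser DescribeGroup "
    "DescribeUser DisableUser ListGroupMembers ListGroupsForMember ListUsers "
    "RemoveGroupMember SearchGroups SearchUsers UpdateGroup UpdateUser").split()}
# ds: operations the page names as nonpublic, and as console-only.
NONPUBLIC = {s.lower() for s in (
    "AuthorizeApplication CheckAlias CreateIdentityPoolDirectory "
    "GetAuthorizedApplicationDetails UpdateAuthorizedApplication "
    "UnauthorizeApplication").split()}
CONSOLE_ONLY = {"disableroleaccess", "enableroleaccess", "updatedirectory"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def review_policy(policy):
    """Return (statement index, action, finding) for Allow'ed ds / ds-data actions."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            prefix, _, op = action.lower().partition(":")
            if prefix not in ("ds", "ds-data"):
                continue
            if "*" in op or "?" in op:
                findings.append((idx, action, "wildcard"))
            elif prefix == "ds-data" and op not in DS_DATA_OPS:
                findings.append((idx, action, "not-in-ds-data-table"))
            elif prefix == "ds" and op in NONPUBLIC:
                findings.append((idx, action, "nonpublic"))
            elif prefix == "ds" and op in CONSOLE_ONLY:
                findings.append((idx, action, "console-only"))
    return findings


# Constructed sample policy (not from the page).
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ds-data:DescribeUser", "ds-data:ListUsers"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["ds-data:*", "ds-data:AddGroupMembers"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["ds:CheckAlias", "DS:updatedirectory", "ds:CreateDirectory"], "Resource": "*"},
    {"Effect": "Deny", "Action": "ds:*", "Resource": "*"},
]}

if __name__ == "__main__":
    for finding in review_policy(SAMPLE_POLICY):
        print(finding)
```

A "not-in-ds-data-table" finding usually means a misspelled operation name, as with the constructed ds-data:AddGroupMembers above, which would grant nothing the author intended.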