Actions, resources, and condition keys for Amazon Redshift Serverless

Amazon Redshift Serverless (service prefix: redshift-serverless) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Learn how to configure this service.
View a list of the API operations available for this service.
Learn how to secure this service and its resources by using IAM permission policies.

Topics

Actions defined by Amazon Redshift Serverless
Resource types defined by Amazon Redshift Serverless
Condition keys for Amazon Redshift Serverless

Actions defined by Amazon Redshift Serverless

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in Amazon. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note

Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see Actions table.

Actions	Description	Access level	Resource types (*required)	Condition keys	Dependent actions
ConvertRecoveryPointToSnapshot	Grants permission to convert a recovery point to a snapshot	Write	recoveryPoint*
			snapshot*
				aws:RequestTag/${TagKey} aws:TagKeys
CreateCustomDomainAssociation	Grants permission to create a custom domain association in Amazon Redshift Serverless	Write	workgroup*		acm:DescribeCertificate
CreateEndpointAccess	Grants permission to create an Amazon Redshift Serverless managed VPC endpoint	Write	endpointAccess*
CreateNamespace	Grants permission to create an Amazon Redshift Serverless namespace	Write	namespace*
CreateNamespace		Write		aws:RequestTag/${TagKey} aws:TagKeys
CreateScheduledAction	Grants permission to create a scheduled action for a specified Amazon Redshift Serverless namespace	Write	namespace*
CreateSnapshot	Grants permission to create a snapshot of all databases in a namespace	Write	snapshot*
CreateSnapshot		Write		aws:RequestTag/${TagKey} aws:TagKeys
CreateSnapshotCopyConfiguration	Grants permission to create a snapshot copy configuration for a specified Amazon Redshift Serverless namespace	Write	namespace*
CreateUsageLimit	Grants permission to create a usage limit for a specified Amazon Redshift Serverless usage type	Write
CreateWorkgroup	Grants permission to create a workgroup in Amazon Redshift Serverless	Write	workgroup*
CreateWorkgroup		Write		aws:RequestTag/${TagKey} aws:TagKeys
DeleteCustomDomainAssociation	Grants permission to delete a custom domain association	Write	workgroup*
DeleteEndpointAccess	Grants permission to delete an Amazon Redshift Serverless managed VPC endpoint	Write	endpointAccess*
DeleteNamespace	Grants permission to delete a namespace from Amazon Redshift Serverless	Write	namespace*
DeleteResourcePolicy	Grants permission to delete the specified resource policy	Write
DeleteScheduledAction	Grants permission to delete a scheduled action from Amazon Redshift Serverless	Write
DeleteSnapshot	Grants permission to delete a snapshot from Amazon Redshift Serverless	Write	snapshot*
DeleteSnapshotCopyConfiguration	Grants permission to delete a snapshot copy configuration for a Amazon Redshift Serverless namespace	Write
DeleteUsageLimit	Grants permission to delete a usage limit from Amazon Redshift Serverless	Write
DeleteWorkgroup	Grants permission to delete a workgroup	Write	workgroup*
DescribeOneTimeCredit [permission only]	Grants permission to see on the Amazon Redshift Serverless console the remaining number of free trial credits and their expiration date	Read
GetCredentials	Grants permission to get a database user name and temporary password with temporary authorization to log on to Amazon Redshift Serverless	Write	workgroup*
GetCustomDomainAssociation	Grants permission to get information about a specific custom domain association	Read	workgroup*
GetEndpointAccess	Grants permission to create an Amazon Redshift Serverless managed VPC endpoint	Read	endpointAccess*
GetNamespace	Grants permission to get information about a namespace in Amazon Redshift Serverless	Read	namespace*
GetRecoveryPoint	Grants permission to get information about a recovery point	Read	recoveryPoint*
GetResourcePolicy	Grants permission to get a resource policy	Read
GetScheduledAction	Grants permission to get information about a specific scheduled action	Read
GetSnapshot	Grants permission to get information about a specific snapshot	Read	snapshot*
GetTableRestoreStatus	Grants permission to get table restore status about a specific snapshot	Read
GetUsageLimit	Grants permission to get information about a usage limit in Amazon Redshift Serverless	Read
GetWorkgroup	Grants permission to get information about a specific workgroup	Read	workgroup*
ListCustomDomainAssociations	Grants permission to list custom domain associations in Amazon Redshift Serverless	List
ListEndpointAccess	Grants permission to list EndpointAccess objects and relevant information	List	endpointAccess*
ListNamespaces	Grants permission to list namespaces in Amazon Redshift Serverless	List
ListRecoveryPoints	Grants permission to list an array of recovery points	List	namespace
ListScheduledActions	Grants permission to list scheduled actions	List
ListSnapshotCopyConfigurations	Grants permission to list SnapshotCopyConfiguration objects and relevant information	List	namespace
ListSnapshots	Grants permission to list snapshots	List	snapshot*
ListTableRestoreStatus	Grants permission to list table restore status	List
ListTagsForResource	Grants permission to list the tags assigned to a resource	List	namespace
			workgroup
				aws:ResourceTag/${TagKey}
ListUsageLimits	Grants permission to list all usage limits within Amazon Redshift Serverless	List
ListWorkgroups	Grants permission to list workgroups in Amazon Redshift Serverless	List
PutResourcePolicy	Grants permission to create or update a resource policy	Write
RestoreFromRecoveryPoint	Grants permission to restore the data from a recovery point	Write	recoveryPoint*
RestoreFromSnapshot	Grants permission to restore a namespace from a snapshot	Write	snapshot*
RestoreTableFromRecoveryPoint	Grants permission to restore a table from a recovery point	Write	namespace*
RestoreTableFromRecoveryPoint	Grants permission to restore a table from a recovery point	Write	recoveryPoint*
RestoreTableFromSnapshot	Grants permission to restore a table from a snapshot	Write	namespace*
RestoreTableFromSnapshot	Grants permission to restore a table from a snapshot	Write	snapshot*
TagResource	Grants permission to assign one or more tags to a resource	Tagging	namespace
			recoveryPoint
			snapshot
			workgroup
				aws:TagKeys aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey}
UntagResource	Grants permission to remove a tag or set of tags from a resource	Tagging	namespace
			recoveryPoint
			snapshot
			workgroup
				aws:TagKeys
UpdateCustomDomainAssociation	Grants permission to update a certificate associated with a custom domain	Write	workgroup*		acm:DescribeCertificate
UpdateEndpointAccess	Grants permission to update an Amazon Redshift Serverless managed VPC endpoint	Write	endpointAccess*
UpdateNamespace	Grants permission to update a namespace with the specified configuration settings	Write	namespace*
UpdateScheduledAction	Grants permission to update a scheduled action	Write
UpdateSnapshot	Grants permission to update a snapshot	Write	snapshot*
UpdateSnapshotCopyConfiguration	Grants permission to update a snapshot copy configuration for a Amazon Redshift Serverless namespace	Write
UpdateUsageLimit	Grants permission to update a usage limit in Amazon Redshift Serverless	Write
UpdateWorkgroup	Grants permission to update an Amazon Redshift Serverless workgroup with the specified configuration settings	Write	workgroup*

Resource types defined by Amazon Redshift Serverless

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.

Resource types	ARN	Condition keys
namespace	`arn:${Partition}:redshift-serverless:${Region}:${Account}:namespace/${NamespaceId}`	aws:ResourceTag/${TagKey}
snapshot	`arn:${Partition}:redshift-serverless:${Region}:${Account}:snapshot/${SnapshotId}`	aws:ResourceTag/${TagKey}
workgroup	`arn:${Partition}:redshift-serverless:${Region}:${Account}:workgroup/${WorkgroupId}`	aws:ResourceTag/${TagKey}
recoveryPoint	`arn:${Partition}:redshift-serverless:${Region}:${Account}:recoverypoint/${RecoveryPointId}`	aws:ResourceTag/${TagKey}
endpointAccess	`arn:${Partition}:redshift-serverless:${Region}:${Account}:managedvpcendpoint/${EndpointAccessId}`

Condition keys for Amazon Redshift Serverless

Amazon Redshift Serverless defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys	Description	Type
aws:RequestTag/${TagKey}	Filters access by the tags that are passed in the request	String
aws:ResourceTag/${TagKey}	Filters access by the tags associated with the resource	String
aws:TagKeys	Filters access by the tag keys that are passed in the request	ArrayOfString
redshift-serverless:endpointAccessId	Filters access by the endpoint access identifier	String
redshift-serverless:namespaceId	Filters access by the namespace identifier	String
redshift-serverless:recoveryPointId	Filters access by the recovery point identifier	String
redshift-serverless:snapshotId	Filters access by the snapshot identifier	String
redshift-serverless:tableRestoreRequestId	Filters access by the table restore request identifier	String
redshift-serverless:workgroupId	Filters access by the workgroup identifier	String

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Amazon Redshift Data API

Amazon Resource Access Manager (RAM)