Actions, resources, and condition keys for Amazon AppSync
Amazon AppSync (service prefix: appsync) provides the following
service-specific operations, resources, actions, and condition keys for use in IAM permission
policies.
References:
-
Learn how to configure this service.
-
View a list of the API operations available for this service.
-
Learn how to secure this service and its resources by using IAM permission policies.
-
View the programmatic service authorization reference
for this service.
Topics
API operations defined by Amazon AppSync
The following table maps API operations to the IAM actions they authorize. Only condition keys that have static values for the given API and action are listed; for the full set of condition keys supported by each action, see the Actions table.
| Operation | IAM action | Condition key | Possible value(s) | Access level |
|---|---|---|---|---|
|
AssociateApi |
Write |
|||
|
AssociateMergedGraphqlApi |
Write |
|||
Write |
||||
|
AssociateSourceGraphqlApi |
Write |
|||
Write |
||||
|
CreateApi |
Write |
|||
Tagging, Write |
||||
iam:PassedToService |
appsync.amazonaws.com |
Write |
||
|
CreateApiCache |
Write |
|||
|
CreateApiKey |
Write |
|||
|
CreateChannelNamespace |
Write |
|||
Tagging, Write |
||||
|
CreateDataSource |
Write |
|||
iam:PassedToService |
appsync.amazonaws.com |
Write |
||
|
CreateDomainName |
Write |
|||
Tagging, Write |
||||
|
CreateFunction |
Write |
|||
|
CreateGraphqlApi |
Write |
|||
Tagging, Write |
||||
iam:PassedToService |
appsync.amazonaws.com |
Write |
||
|
CreateResolver |
Write |
|||
|
CreateType |
Write |
|||
|
DeleteApi |
Write |
|||
|
DeleteApiCache |
Write |
|||
|
DeleteApiKey |
Write |
|||
|
DeleteChannelNamespace |
Write |
|||
|
DeleteDataSource |
Write |
|||
|
DeleteDomainName |
Write |
|||
|
DeleteFunction |
Write |
|||
|
DeleteGraphqlApi |
Write |
|||
|
DeleteResolver |
Write |
|||
|
DeleteType |
Write |
|||
|
DisassociateApi |
Write |
|||
|
DisassociateMergedGraphqlApi |
Write |
|||
|
DisassociateSourceGraphqlApi |
Write |
|||
|
EvaluateCode |
Read |
|||
|
EvaluateMappingTemplate |
Read |
|||
|
FlushApiCache |
Write |
|||
|
GetApi |
Read |
|||
|
GetApiAssociation |
Read |
|||
|
GetApiCache |
Read |
|||
|
GetChannelNamespace |
Read |
|||
|
GetDataSource |
Read |
|||
|
GetDataSourceIntrospection |
Read |
|||
|
GetDomainName |
Read |
|||
|
GetFunction |
Read |
|||
|
GetGraphqlApi |
Read |
|||
|
GetGraphqlApiEnvironmentVariables |
Read |
|||
|
GetIntrospectionSchema |
Read |
|||
|
GetResolver |
Read |
|||
|
GetSchemaCreationStatus |
Read |
|||
|
GetSourceApiAssociation |
Read |
|||
|
GetType |
Read |
|||
|
ListApiKeys |
List |
|||
|
ListApis |
List |
|||
|
ListChannelNamespaces |
List |
|||
|
ListDataSources |
List |
|||
|
ListDomainNames |
List |
|||
|
ListFunctions |
List |
|||
|
ListGraphqlApis |
List |
|||
|
ListResolvers |
List |
|||
|
ListResolversByFunction |
List |
|||
|
ListSourceApiAssociations |
List |
|||
|
ListTagsForResource |
Read |
|||
|
ListTypes |
List |
|||
|
ListTypesByAssociation |
List |
|||
|
PutGraphqlApiEnvironmentVariables |
Write |
|||
|
StartDataSourceIntrospection |
Write |
|||
|
StartSchemaCreation |
Write |
|||
|
StartSchemaMerge |
Write |
|||
|
TagResource |
Tagging, Write |
|||
|
UntagResource |
Tagging, Write |
|||
|
UpdateApi |
Write |
|||
iam:PassedToService |
appsync.amazonaws.com |
Write |
||
|
UpdateApiCache |
Write |
|||
|
UpdateApiKey |
Write |
|||
|
UpdateChannelNamespace |
Write |
|||
|
UpdateDataSource |
Write |
|||
iam:PassedToService |
appsync.amazonaws.com |
Write |
||
|
UpdateDomainName |
Write |
|||
|
UpdateFunction |
Write |
|||
|
UpdateGraphqlApi |
Write |
|||
iam:PassedToService |
appsync.amazonaws.com |
Write |
||
|
UpdateResolver |
Write |
|||
|
UpdateSourceApiAssociation |
Write |
|||
|
UpdateType |
Write |
Actions defined by Amazon AppSync
You can specify the following actions in the Action element of an IAM
policy statement. Use policies to grant permissions to perform an operation in Amazon. When
you use an action in a policy, you usually allow or deny access to the API operation or CLI
command with the same name. However, in some cases, a single action controls access to more
than one operation. Alternatively, some operations require several different actions.
| Actions | Description | Resource types (*required) | Condition keys | Access level |
|---|---|---|---|---|
Grants permission to attach a GraphQL API to a custom domain name in AppSync |
Write |
|||
Grants permission to associate a merged API to a source API |
Write |
|||
Grants permission to associate a source API to a merged API |
Write |
|||
Grants permission to create an API |
Write |
|||
Grants permission to create an API cache in AppSync |
Write |
|||
Grants permission to create a unique key that you can distribute to clients who are executing your API |
Write |
|||
Grants permission to create a channel namespace |
Write |
|||
Grants permission to create a data source |
Write |
|||
Grants permission to create a custom domain name in AppSync |
Write |
|||
Grants permission to create a new function |
Write |
|||
Grants permission to create a GraphQL API, which is the top level AppSync resource |
Write |
|||
Grants permission to create a resolver. A resolver converts incoming requests into a format that a data source can understand, and converts the data source's responses into GraphQL |
Write |
|||
Grants permission to create a type |
Write |
|||
Grants permission to delete a API. This will also clean up every AppSync resource below that API |
Write |
|||
Grants permission to delete an API cache in AppSync |
Write |
|||
Grants permission to delete an API key |
Write |
|||
Grants permission to delete a channel namespace |
Write |
|||
Grants permission to delete a data source |
Write |
|||
Grants permission to delete a custom domain name in AppSync |
Write |
|||
Grants permission to delete a function |
Write |
|||
Grants permission to delete a GraphQL Api. This will also clean up every AppSync resource below that API |
Write |
|||
Grants permission to delete a resolver |
Write |
|||
Grants permission to delete a type |
Write |
|||
Grants permission to detach a GraphQL API to a custom domain name in AppSync |
Write |
|||
Grants permission to remove an associated source API from a merged API identified by the source API |
Write |
|||
Grants permission to remove an associated source API from a merged API identified by the merged API |
Write |
|||
Grants permission to evaluate code with a runtime and context |
Read |
|||
Grants permission to evaluate template mapping |
Read |
|||
Grants permission to connect to an Event API |
Write |
|||
Grants permission to publish events to a channel namespace |
Write |
|||
Grants permission to subscribe to a channel namespace |
Write |
|||
Grants permission to flush an API cache in AppSync |
Write |
|||
Grants permission to retrieve an API |
Read |
|||
Grants permission to read custom domain name - GraphQL API association details in AppSync |
Read |
|||
Grants permission to read information about an API cache in AppSync |
Read |
|||
Grants permission to retrieve a channel namespace |
Read |
|||
Grants permission to retrieve a data source |
Read |
|||
Grants permission to retrieve a data source introspection |
Read |
|||
Grants permission to read information about a custom domain name in AppSync |
Read |
|||
Grants permission to retrieve a function |
Read |
|||
Grants permission to retrieve a GraphQL API |
Read |
|||
Grants permission to retrieve the environment variables for a GraphQL API |
Read |
|||
Grants permission to retrieve the introspection schema for a GraphQL API |
Read |
|||
Grants permission to retrieve a resolver |
Read |
|||
Grants permission to retrieve the current status of a schema creation operation |
Read |
|||
Grants permission to read information about a merged API associated source API |
Read |
|||
Grants permission to retrieve a type |
Read |
|||
Grants permission to list the API keys for a given API |
List |
|||
Grants permission to list APIs |
List |
|||
Grants permission to list channel namespace |
List |
|||
Grants permission to list the data sources for a given API |
List |
|||
Grants permission to enumerate custom domain names in AppSync |
List |
|||
Grants permission to list the functions for a given API |
List |
|||
Grants permission to list GraphQL APIs |
List |
|||
Grants permission to list the resolvers for a given API and type |
List |
|||
Grants permission to list the resolvers that are associated with a specific function |
List |
|||
Grants permission to list source APIs associated to a given merged API |
List |
|||
Grants permission to list the tags for a resource |
Read |
|||
Grants permission to list the types for a given API |
List |
|||
Grants permission to list the types for a given merged API and source API association |
List |
|||
Grants permission to update the environment variables for a GraphQL API |
Write |
|||
Grants permission to set a web ACL |
Permissions management, Write |
|||
Grants permission to introspect a data source |
Write |
|||
Grants permission to add a new schema to your GraphQL API. This operation is asynchronous - GetSchemaCreationStatus can show when it has completed |
Write |
|||
Grants permission to initiate a schema merge for a given merged API and associated source API |
Write |
|||
Grants permission to tag a resource |
Tagging, Write |
|||
Grants permission to untag a resource |
Tagging, Write |
|||
Grants permission to update an API |
Write |
|||
Grants permission to update an API cache in AppSync |
Write |
|||
Grants permission to update an API key for a given API |
Write |
|||
Grants permission to update a channel namespace |
Write |
|||
Grants permission to update a data source |
Write |
|||
Grants permission to update a custom domain name in AppSync |
Write |
|||
Grants permission to update an existing function |
Write |
|||
Grants permission to update a GraphQL API |
Write |
|||
Grants permission to update a resolver |
Write |
|||
Grants permission to update a merged API source API association |
Write |
|||
Grants permission to update a type |
Write |
Permission-only actions for Amazon AppSync
The following actions are defined by Amazon AppSync but are not directly invocable through any API operation. They can only be used in IAM policy statements to grant or deny permissions.
| Actions | Description | Resource types (*required) | Condition keys | Access level |
|---|---|---|---|---|
Grants permission to associate a web ACL and a resource |
Write |
|||
Grants permission to remove a resource policy |
Write |
|||
Grants permission to disassociate a web ACL and a resource |
Write |
|||
Grants permission to read a resource policy |
Read |
|||
Grants permission to get associated web ACLs for a resource |
Read |
|||
Grants permission to send a GraphQL query to a GraphQL API |
Write |
|||
Grants permission to get associated resources for a web ACL |
List |
|||
Grants permission to set a resource policy |
Write |
|||
Grants permission to send a GraphQL query to a source API of a merged API |
Write |
|||
Resource types defined by Amazon AppSync
The following resource types are defined by this service and can be used in the
Resource element of IAM permission policy statements.
| Resource types | ARN | Condition keys |
|---|---|---|
arn:${Partition}:appsync:${Region}:${Account}:apis/${ApiId} |
||
arn:${Partition}:appsync:${Region}:${Account}:apis/${ApiId}/channelNamespace/${ChannelNamespaceName} |
||
arn:${Partition}:appsync:${Region}:${Account}:apis/${GraphQLAPIId}/datasources/${DatasourceName} |
||
arn:${Partition}:appsync:${Region}:${Account}:domainnames/${DomainName} |
||
arn:${Partition}:appsync:${Region}:${Account}:apis/${GraphQLAPIId}/types/${TypeName}/fields/${FieldName} |
||
arn:${Partition}:appsync:${Region}:${Account}:apis/${GraphQLAPIId}/functions/${FunctionId} |
||
arn:${Partition}:appsync:${Region}:${Account}:apis/${GraphQLAPIId} |
||
arn:${Partition}:appsync:${Region}:${Account}:apis/${SourceGraphQLAPIId}/mergedApiAssociations/${Associationid} |
||
arn:${Partition}:appsync:${Region}:${Account}:apis/${MergedGraphQLAPIId}/sourceApiAssociations/${Associationid} |
||
arn:${Partition}:appsync:${Region}:${Account}:apis/${GraphQLAPIId}/types/${TypeName} |
Condition keys for Amazon AppSync
Amazon AppSync defines the following condition keys that can be used in the
Condition element of an IAM policy.
| Condition keys | Description | Type |
|---|---|---|
Filters access by the visibility of an API |
String |
|
Filters access by the tag key-value pairs in the request |
String |
|
Filters access by the tag key-value pairs attached to the resource |
String |
|
Filters access by the presence of tag keys in the request |
ArrayOfString |