Actions, resources, and condition keys for Amazon AppSync - Service Authorization Reference
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Actions, resources, and condition keys for Amazon AppSync

Amazon AppSync (service prefix: appsync) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions defined by Amazon AppSync

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in Amazon. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note

Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see Actions table.

Actions Description Access level Resource types (*required) Condition keys Dependent actions
AssociateApi Grants permission to attach a GraphQL API to a custom domain name in AppSync Write

domain*

AssociateMergedGraphqlApi Grants permission to associate a merged API to a source API Write

graphqlapi*

AssociateSourceGraphqlApi Grants permission to associate a source API to a merged API Write

graphqlapi*

CreateApi Grants permission to create an API Write

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

iam:CreateServiceLinkedRole

CreateApiCache Grants permission to create an API cache in AppSync Write
CreateApiKey Grants permission to create a unique key that you can distribute to clients who are executing your API Write
CreateChannelNamespace Grants permission to create a channel namespace Write

channelNamespace*

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

CreateDataSource Grants permission to create a data source Write
CreateDomainName Grants permission to create a custom domain name in AppSync Write
CreateFunction Grants permission to create a new function Write
CreateGraphqlApi Grants permission to create a GraphQL API, which is the top level AppSync resource Write

aws:RequestTag/${TagKey}

aws:TagKeys

appsync:Visibility

iam:CreateServiceLinkedRole

CreateResolver Grants permission to create a resolver. A resolver converts incoming requests into a format that a data source can understand, and converts the data source's responses into GraphQL Write
CreateType Grants permission to create a type Write
DeleteApi Grants permission to delete a API. This will also clean up every AppSync resource below that API Write

api*

aws:ResourceTag/${TagKey}

DeleteApiCache Grants permission to delete an API cache in AppSync Write
DeleteApiKey Grants permission to delete an API key Write
DeleteChannelNamespace Grants permission to delete a channel namespace Write

channelNamespace*

aws:ResourceTag/${TagKey}

DeleteDataSource Grants permission to delete a data source Write
DeleteDomainName Grants permission to delete a custom domain name in AppSync Write

domain*

DeleteFunction Grants permission to delete a function Write
DeleteGraphqlApi Grants permission to delete a GraphQL Api. This will also clean up every AppSync resource below that API Write

graphqlapi*

aws:ResourceTag/${TagKey}

DeleteResolver Grants permission to delete a resolver Write
DeleteResourcePolicy [permission only] Grants permission to remove a resource policy Write
DeleteType Grants permission to delete a type Write
DisassociateApi Grants permission to detach a GraphQL API to a custom domain name in AppSync Write

domain*

DisassociateMergedGraphqlApi Grants permission to remove an associated source API from a merged API identified by the source API Write

mergedApiAssociation*

DisassociateSourceGraphqlApi Grants permission to remove an associated source API from a merged API identified by the merged API Write

sourceApiAssociation*

EvaluateCode Grants permission to evaluate code with a runtime and context Read
EvaluateMappingTemplate Grants permission to evaluate template mapping Read
EventConnect Grants permission to connect to an Event API Write

api*

EventPublish Grants permission to publish events to a channel namespace Write

channelNamespace*

EventSubscribe Grants permission to subscribe to a channel namespace Write

channelNamespace*

FlushApiCache Grants permission to flush an API cache in AppSync Write
GetApi Grants permission to retrieve an API Read

api*

aws:ResourceTag/${TagKey}

GetApiAssociation Grants permission to read custom domain name - GraphQL API association details in AppSync Read

domain*

GetApiCache Grants permission to read information about an API cache in AppSync Read
GetChannelNamespace Grants permission to retrieve a channel namespace Read

channelNamespace*

aws:ResourceTag/${TagKey}

GetDataSource Grants permission to retrieve a data source Read
GetDataSourceIntrospection Grants permission to retrieve a data source introspection Read
GetDomainName Grants permission to read information about a custom domain name in AppSync Read

domain*

GetFunction Grants permission to retrieve a function Read
GetGraphqlApi Grants permission to retrieve a GraphQL API Read

graphqlapi*

aws:ResourceTag/${TagKey}

GetGraphqlApiEnvironmentVariables Grants permission to retrieve the environment variables for a GraphQL API Read
GetIntrospectionSchema Grants permission to retrieve the introspection schema for a GraphQL API Read
GetResolver Grants permission to retrieve a resolver Read
GetResourcePolicy [permission only] Grants permission to read a resource policy Read
GetSchemaCreationStatus Grants permission to retrieve the current status of a schema creation operation Read
GetSourceApiAssociation Grants permission to read information about a merged API associated source API Read

sourceApiAssociation*

GetType Grants permission to retrieve a type Read
GraphQL Grants permission to send a GraphQL query to a GraphQL API Write

field*

graphqlapi*

ListApiKeys Grants permission to list the API keys for a given API List
ListApis Grants permission to list APIs List

aws:ResourceTag/${TagKey}

ListChannelNamespaces Grants permission to list channel namespace List

api*

aws:ResourceTag/${TagKey}

ListDataSources Grants permission to list the data sources for a given API List
ListDomainNames Grants permission to enumerate custom domain names in AppSync List
ListFunctions Grants permission to list the functions for a given API List
ListGraphqlApis Grants permission to list GraphQL APIs List
ListResolvers Grants permission to list the resolvers for a given API and type List
ListResolversByFunction Grants permission to list the resolvers that are associated with a specific function List
ListSourceApiAssociations Grants permission to list source APIs associated to a given merged API List
ListTagsForResource Grants permission to list the tags for a resource Read

api

channelNamespace

graphqlapi

aws:ResourceTag/${TagKey}

ListTypes Grants permission to list the types for a given API List
ListTypesByAssociation Grants permission to list the types for a given merged API and source API association List
PutGraphqlApiEnvironmentVariables Grants permission to update the environment variables for a GraphQL API Write
PutResourcePolicy [permission only] Grants permission to set a resource policy Write
SetWebACL Grants permission to set a web ACL Write
SourceGraphQL [permission only] Grants permission to send a GraphQL query to a source API of a merged API Write

field*

graphqlapi*

StartDataSourceIntrospection Grants permission to introspect a data source Write
StartSchemaCreation Grants permission to add a new schema to your GraphQL API. This operation is asynchronous - GetSchemaCreationStatus can show when it has completed Write
StartSchemaMerge Grants permission to initiate a schema merge for a given merged API and associated source API Write

sourceApiAssociation*

TagResource Grants permission to tag a resource Tagging

api*

channelNamespace*

graphqlapi*

api

channelNamespace

graphqlapi

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

UntagResource Grants permission to untag a resource Tagging

api*

channelNamespace*

graphqlapi*

api

channelNamespace

graphqlapi

aws:TagKeys

aws:ResourceTag/${TagKey}

UpdateApi Grants permission to update an API Write

api*

iam:CreateServiceLinkedRole

aws:ResourceTag/${TagKey}

UpdateApiCache Grants permission to update an API cache in AppSync Write
UpdateApiKey Grants permission to update an API key for a given API Write
UpdateChannelNamespace Grants permission to update a channel namespace Write

channelNamespace*

aws:ResourceTag/${TagKey}

UpdateDataSource Grants permission to update a data source Write
UpdateDomainName Grants permission to update a custom domain name in AppSync Write

domain*

UpdateFunction Grants permission to update an existing function Write
UpdateGraphqlApi Grants permission to update a GraphQL API Write

graphqlapi*

iam:CreateServiceLinkedRole

aws:ResourceTag/${TagKey}

UpdateResolver Grants permission to update a resolver Write
UpdateSourceApiAssociation Grants permission to update a merged API source API association Write

sourceApiAssociation*

UpdateType Grants permission to update a type Write

Resource types defined by Amazon AppSync

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.

Resource types ARN Condition keys
datasource arn:${Partition}:appsync:${Region}:${Account}:apis/${GraphQLAPIId}/datasources/${DatasourceName}
domain arn:${Partition}:appsync:${Region}:${Account}:domainnames/${DomainName}
graphqlapi arn:${Partition}:appsync:${Region}:${Account}:apis/${GraphQLAPIId}

aws:ResourceTag/${TagKey}

field arn:${Partition}:appsync:${Region}:${Account}:apis/${GraphQLAPIId}/types/${TypeName}/fields/${FieldName}
type arn:${Partition}:appsync:${Region}:${Account}:apis/${GraphQLAPIId}/types/${TypeName}
function arn:${Partition}:appsync:${Region}:${Account}:apis/${GraphQLAPIId}/functions/${FunctionId}
sourceApiAssociation arn:${Partition}:appsync:${Region}:${Account}:apis/${MergedGraphQLAPIId}/sourceApiAssociations/${Associationid}
mergedApiAssociation arn:${Partition}:appsync:${Region}:${Account}:apis/${SourceGraphQLAPIId}/mergedApiAssociations/${Associationid}
api arn:${Partition}:appsync:${Region}:${Account}:apis/${ApiId}

aws:ResourceTag/${TagKey}

channelNamespace arn:${Partition}:appsync:${Region}:${Account}:apis/${ApiId}/channelNamespace/${ChannelNamespaceName}

aws:ResourceTag/${TagKey}

Condition keys for Amazon AppSync

Amazon AppSync defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys Description Type
appsync:Visibility Filters access by the visibility of an API String
aws:RequestTag/${TagKey} Filters access by the tag key-value pairs in the request String
aws:ResourceTag/${TagKey} Filters access by the tag key-value pairs attached to the resource String
aws:TagKeys Filters access by the presence of tag keys in the request ArrayOfString