Actions, resources, and condition keys for Amazon Resource Access Manager (RAM) - Service Authorization Reference
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Actions, resources, and condition keys for Amazon Resource Access Manager (RAM)

Amazon Resource Access Manager (RAM) (service prefix: ram) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions defined by Amazon Resource Access Manager (RAM)

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in Amazon. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note

Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see Actions table.

Actions Description Access level Resource types (*required) Condition keys Dependent actions
AcceptResourceShareInvitation Grants permission to accept the specified resource share invitation Write

resource-share-invitation*

ram:ShareOwnerAccountId

AssociateResourceShare Grants permission to associate resource(s) and/or principal(s) to a resource share Write

resource-share*

aws:ResourceTag/${TagKey}

ram:ResourceTag/${TagKey}

ram:ResourceShareName

ram:AllowsExternalPrincipals

ram:Principal

ram:RequestedResourceType

ram:ResourceArn

AssociateResourceSharePermission Grants permission to associate a Permission with a Resource Share Write

customer-managed-permission*

permission*

resource-share*

CreatePermission Grants permission to create a Permission that can be associated to a Resource Share Write

ram:PermissionArn

ram:PermissionResourceType

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ram:TagResource

CreatePermissionVersion Grants permission to create a new version of a Permission that can be associated to a Resource Share Write

customer-managed-permission*

ram:PermissionArn

ram:PermissionResourceType

CreateResourceShare Grants permission to create a resource share with provided resource(s) and/or principal(s) Write

aws:RequestTag/${TagKey}

aws:TagKeys

ram:RequestedResourceType

ram:ResourceArn

ram:RequestedAllowsExternalPrincipals

ram:Principal

DeletePermission Grants permission to delete a specified Permission Write

customer-managed-permission*

aws:ResourceTag/${TagKey}

ram:PermissionArn

ram:PermissionResourceType

DeletePermissionVersion Grants permission to delete a specified version of a permission Write

customer-managed-permission*

ram:PermissionArn

ram:PermissionResourceType

DeleteResourceShare Grants permission to delete resource share Write

resource-share*

aws:ResourceTag/${TagKey}

ram:ResourceTag/${TagKey}

ram:ResourceShareName

ram:AllowsExternalPrincipals

DisassociateResourceShare Grants permission to disassociate resource(s) and/or principal(s) from a resource share Write

resource-share*

aws:ResourceTag/${TagKey}

ram:ResourceTag/${TagKey}

ram:ResourceShareName

ram:AllowsExternalPrincipals

ram:Principal

ram:RequestedResourceType

ram:ResourceArn

DisassociateResourceSharePermission Grants permission to disassociate a Permission from a Resource Share Write

customer-managed-permission*

permission*

resource-share*

EnableSharingWithAwsOrganization Grants permission to access customer's organization and create a SLR in the customer's account Permissions management

iam:CreateServiceLinkedRole

organizations:DescribeOrganization

organizations:EnableAWSServiceAccess

GetPermission Grants permission to get the contents of an Amazon RAM permission Read

customer-managed-permission*

permission*

ram:PermissionArn

GetResourcePolicies Grants permission to get the policies for the specified resources that you own and have shared Read
GetResourceShareAssociations Grants permission to get a set of resource share associations from a provided list or with a specified status of the specified type Read
GetResourceShareInvitations Grants permission to get resource share invitations by the specified invitation arn or those for the resource share Read
GetResourceShares Grants permission to get a set of resource shares from a provided list or with a specified status Read

aws:RequestTag/${TagKey}

aws:TagKeys

ListPendingInvitationResources Grants permission to list the resources in a resource share that is shared with you but that the invitation is still pending for Read

resource-share-invitation*

ListPermissionAssociations Grants permission to list information about the permission and any associations List

customer-managed-permission*

permission*

ram:PermissionArn

ram:PermissionResourceType

ListPermissionVersions Grants permission to list the versions of an Amazon RAM permission List
ListPermissions Grants permission to list the Amazon RAM permissions List
ListPrincipals Grants permission to list the principals that you have shared resources with or that have shared resources with you List
ListReplacePermissionAssociationsWork Grants permission to retrieve the status of the asynchronous permission replacement List
ListResourceSharePermissions Grants permission to list the Permissions associated with a Resource Share List

resource-share*

aws:ResourceTag/${TagKey}

ram:ResourceShareName

ram:AllowsExternalPrincipals

ListResourceTypes Grants permission to list the shareable resource types supported by Amazon RAM List
ListResources Grants permission to list the resources that you added to resource shares or the resources that are shared with you List
PromotePermissionCreatedFromPolicy Grants permission to create a separate, fully manageable customer managed permission Write

customer-managed-permission*

ram:PermissionArn

ram:PermissionResourceType

PromoteResourceShareCreatedFromPolicy Grants permission to promote the specified resource share Write

resource-share*

RejectResourceShareInvitation Grants permission to reject the specified resource share invitation Write

resource-share-invitation*

ram:ShareOwnerAccountId

ReplacePermissionAssociations Grants permission to update all resource shares to a new permission Write

customer-managed-permission*

permission*

ram:PermissionArn

ram:PermissionResourceType

SetDefaultPermissionVersion Grants permission to specify a version number as the default version for the respective customer managed permission Write

customer-managed-permission*

ram:PermissionArn

ram:PermissionResourceType

TagResource Grants permission to tag the specified resource share or permission Tagging

customer-managed-permission

resource-share

aws:RequestTag/${TagKey}

aws:TagKeys

UntagResource Grants permission to untag the specified resource share or permission Tagging

customer-managed-permission

resource-share

aws:RequestTag/${TagKey}

aws:TagKeys

UpdateResourceShare Grants permission to update attributes of the resource share Write

resource-share*

aws:ResourceTag/${TagKey}

ram:ResourceTag/${TagKey}

ram:ResourceShareName

ram:AllowsExternalPrincipals

ram:RequestedAllowsExternalPrincipals

Resource types defined by Amazon Resource Access Manager (RAM)

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.

Resource types ARN Condition keys
resource-share arn:${Partition}:ram:${Region}:${Account}:resource-share/${ResourcePath}

aws:ResourceTag/${TagKey}

ram:AllowsExternalPrincipals

ram:ResourceShareName

resource-share-invitation arn:${Partition}:ram:${Region}:${Account}:resource-share-invitation/${ResourcePath}

ram:ShareOwnerAccountId

permission arn:${Partition}:ram::${Account}:permission/${ResourcePath}

ram:PermissionArn

ram:PermissionResourceType

customer-managed-permission arn:${Partition}:ram:${Region}:${Account}:permission/${ResourcePath}

aws:ResourceTag/${TagKey}

ram:PermissionArn

ram:PermissionResourceType

Condition keys for Amazon Resource Access Manager (RAM)

Amazon Resource Access Manager (RAM) defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys Description Type
aws:RequestTag/${TagKey} Filters access by the tags that are passed in the request when creating or tagging a resource share. If users don't pass these specific tags, or if they don't specify tags at all, the request fails String
aws:ResourceTag/${TagKey} Filters access by the tags associated with the resource String
aws:TagKeys Filters access by the tag keys that are passed when creating or tagging a resource share ArrayOfString
ram:AllowsExternalPrincipals Filters access by resource shares that allow or deny sharing with external principals. For example, specify true if the action can only be performed on resource shares that allow sharing with external principals. External principals are Amazon accounts that are outside of its Amazon organization Bool
ram:PermissionArn Filters access by the specified Permission ARN ARN
ram:PermissionResourceType Filters access by permissions of specified resource type String
ram:Principal Filters access by format of the specified principal String
ram:RequestedAllowsExternalPrincipals Filters access by the specified value for 'allowExternalPrincipals'. External principals are Amazon accounts that are outside of its Amazon Organization Bool
ram:RequestedResourceType Filters access by the specified resource type String
ram:ResourceArn Filters access by the specified ARN ARN
ram:ResourceShareName Filters access by a resource share with the specified name String
ram:ResourceTag/${TagKey} Filters access by the tags associated with the resource String
ram:ShareOwnerAccountId Filters access by resource shares owned by a specific account. For example, you can use this condition key to specify which resource share invitations can be accepted or rejected based on the resource share owner’s account ID String