View a markdown version of this page

Actions, resources, and condition keys for Amazon Identity and Access Management Roles Anywhere - Service Authorization Reference
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Actions, resources, and condition keys for Amazon Identity and Access Management Roles Anywhere

Amazon Identity and Access Management Roles Anywhere (service prefix: rolesanywhere) provides the following service-specific operations, resources, actions, and condition keys for use in IAM permission policies.

References:

API operations defined by Amazon Identity and Access Management Roles Anywhere

The following table maps API operations to the IAM actions they authorize. Only condition keys that have static values for the given API and action are listed; for the full set of condition keys supported by each action, see the Actions table.

Operation IAM action Condition key Possible value(s) Access level

CreateProfile

rolesanywhere:CreateProfile

Write

rolesanywhere:TagResource

Tagging, Write

iam:PassRole

iam:PassedToService

rolesanywhere.amazonaws.com

Write

CreateTrustAnchor

rolesanywhere:CreateTrustAnchor

Write

rolesanywhere:TagResource

Tagging, Write

DeleteAttributeMapping

rolesanywhere:DeleteAttributeMapping

Write

DeleteCrl

rolesanywhere:DeleteCrl

Write

DeleteProfile

rolesanywhere:DeleteProfile

Write

DeleteTrustAnchor

rolesanywhere:DeleteTrustAnchor

Write

DisableCrl

rolesanywhere:DisableCrl

Write

DisableProfile

rolesanywhere:DisableProfile

Write

DisableTrustAnchor

rolesanywhere:DisableTrustAnchor

Write

EnableCrl

rolesanywhere:EnableCrl

Write

EnableProfile

rolesanywhere:EnableProfile

Write

iam:PassRole

iam:PassedToService

rolesanywhere.amazonaws.com

Write

EnableTrustAnchor

rolesanywhere:EnableTrustAnchor

Write

GetCrl

rolesanywhere:GetCrl

Read

GetProfile

rolesanywhere:GetProfile

Read

GetSubject

rolesanywhere:GetSubject

Read

GetTrustAnchor

rolesanywhere:GetTrustAnchor

Read

ImportCrl

rolesanywhere:ImportCrl

Write

rolesanywhere:TagResource

Tagging, Write

ListCrls

rolesanywhere:ListCrls

List

ListProfiles

rolesanywhere:ListProfiles

List

ListSubjects

rolesanywhere:ListSubjects

List

ListTagsForResource

rolesanywhere:ListTagsForResource

List

ListTrustAnchors

rolesanywhere:ListTrustAnchors

List

PutAttributeMapping

rolesanywhere:PutAttributeMapping

Write

PutNotificationSettings

rolesanywhere:PutNotificationSettings

Write

ResetNotificationSettings

rolesanywhere:ResetNotificationSettings

Write

TagResource

rolesanywhere:TagResource

Tagging, Write

UntagResource

rolesanywhere:UntagResource

Tagging, Write

UpdateCrl

rolesanywhere:UpdateCrl

Write

UpdateProfile

rolesanywhere:UpdateProfile

Write

iam:PassRole

iam:PassedToService

rolesanywhere.amazonaws.com

Write

UpdateTrustAnchor

rolesanywhere:UpdateTrustAnchor

Write

Actions defined by Amazon Identity and Access Management Roles Anywhere

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in Amazon. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

Actions Description Resource types (*required) Condition keys Access level

CreateProfile

Grants permission to create a profile

aws:RequestTag/${TagKey}

aws:TagKeys

Write

CreateTrustAnchor

Grants permission to create a trust anchor

aws:RequestTag/${TagKey}

aws:TagKeys

Write

DeleteAttributeMapping

Grants permission to delete a mapping rule from a profile

profile*

aws:ResourceTag/${TagKey}

Write

DeleteCrl

Grants permission to delete a certificate revocation list (crl)

crl*

aws:ResourceTag/${TagKey}

Write

DeleteProfile

Grants permission to delete a profile

profile*

aws:ResourceTag/${TagKey}

Write

DeleteTrustAnchor

Grants permission to delete a trust anchor

trust-anchor*

aws:ResourceTag/${TagKey}

Write

DisableCrl

Grants permission to disable a certificate revocation list (crl)

crl*

aws:ResourceTag/${TagKey}

Write

DisableProfile

Grants permission to disable a profile

profile*

aws:ResourceTag/${TagKey}

Write

DisableTrustAnchor

Grants permission to disable a trust anchor

trust-anchor*

aws:ResourceTag/${TagKey}

Write

EnableCrl

Grants permission to enable a certificate revocation list (crl)

crl*

aws:ResourceTag/${TagKey}

Write

EnableProfile

Grants permission to enable a profile

profile*

aws:ResourceTag/${TagKey}

Write

EnableTrustAnchor

Grants permission to enable a trust anchor

trust-anchor*

aws:ResourceTag/${TagKey}

Write

GetCrl

Grants permission to get a certificate revocation list (crl)

crl*

aws:ResourceTag/${TagKey}

Read

GetProfile

Grants permission to get a profile

profile*

aws:ResourceTag/${TagKey}

Read

GetSubject

Grants permission to get a subject

subject*

aws:ResourceTag/${TagKey}

Read

GetTrustAnchor

Grants permission to get a trust anchor

trust-anchor*

aws:ResourceTag/${TagKey}

Read

ImportCrl

Grants permission to import a certificate revocation list (crl)

aws:RequestTag/${TagKey}

aws:TagKeys

Write

ListCrls

Grants permission to list certificate revocation lists (crls)

List

ListProfiles

Grants permission to list profiles

List

ListSubjects

Grants permission to list subjects

List

ListTagsForResource

Grants permission to list tags for a resource

List

ListTrustAnchors

Grants permission to list trust anchors

List

PutAttributeMapping

Grants permission to put a mapping rule into a profile

profile*

aws:ResourceTag/${TagKey}

Write

PutNotificationSettings

Grants permission to attach notification settings to a trust anchor

trust-anchor*

aws:ResourceTag/${TagKey}

Write

ResetNotificationSettings

Grants permission to reset custom notification settings to IAM Roles Anywhere defined default state

trust-anchor*

aws:ResourceTag/${TagKey}

Write

TagResource

Grants permission to tag a resource

crl

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

profile

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

subject

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

trust-anchor

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

UntagResource

Grants permission to untag a resource

crl

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

profile

aws:ResourceTag/${TagKey}

aws:TagKeys

subject

aws:ResourceTag/${TagKey}

aws:TagKeys

trust-anchor

aws:ResourceTag/${TagKey}

aws:TagKeys

UpdateCrl

Grants permission to update a certificate revocation list (crl)

crl*

aws:ResourceTag/${TagKey}

Write

UpdateProfile

Grants permission to update a profile

profile*

aws:ResourceTag/${TagKey}

Write

UpdateTrustAnchor

Grants permission to update a trust anchor

trust-anchor*

aws:ResourceTag/${TagKey}

Write

Resource types defined by Amazon Identity and Access Management Roles Anywhere

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements.

Resource types ARN Condition keys

crl

arn:${Partition}:rolesanywhere:${Region}:${Account}:crl/${CrlId}

aws:ResourceTag/${TagKey}

profile

arn:${Partition}:rolesanywhere:${Region}:${Account}:profile/${ProfileId}

aws:ResourceTag/${TagKey}

subject

arn:${Partition}:rolesanywhere:${Region}:${Account}:subject/${SubjectId}

aws:ResourceTag/${TagKey}

trust-anchor

arn:${Partition}:rolesanywhere:${Region}:${Account}:trust-anchor/${TrustAnchorId}

aws:ResourceTag/${TagKey}

Condition keys for Amazon Identity and Access Management Roles Anywhere

Amazon Identity and Access Management Roles Anywhere defines the following condition keys that can be used in the Condition element of an IAM policy.

Condition keys Description Type

aws:RequestTag/${TagKey}

Filters access by the tags that are passed in the request

String

aws:ResourceTag/${TagKey}

Filters access by the tags associated with the resource

String

aws:TagKeys

Filters access by the tag keys that are passed in the request

ArrayOfString