Actions, resources, and condition keys for Amazon Web Services Cloud Map
Amazon Web Services Cloud Map (service prefix: servicediscovery) provides the following
service-specific operations, resources, actions, and condition keys for use in IAM permission
policies.
References:
-
Learn how to configure this service.
-
View a list of the API operations available for this service.
-
Learn how to secure this service and its resources by using IAM permission policies.
-
View the programmatic service authorization reference
for this service.
Topics
API operations defined by Amazon Web Services Cloud Map
The following table maps API operations to the IAM actions they authorize. Only condition keys that have static values for the given API and action are listed; for the full set of condition keys supported by each action, see the Actions table.
| Operation | IAM action | Condition key | Possible value(s) | Access level |
|---|---|---|---|---|
|
CreateHttpNamespace |
Write |
|||
Tagging, Write |
||||
|
CreatePrivateDnsNamespace |
Write |
|||
Tagging, Write |
||||
|
CreatePublicDnsNamespace |
Write |
|||
Tagging, Write |
||||
|
CreateService |
Write |
|||
Tagging, Write |
||||
|
DeleteNamespace |
Write |
|||
|
DeleteService |
Write |
|||
|
DeleteServiceAttributes |
Write |
|||
|
DeregisterInstance |
Write |
|||
|
DiscoverInstances |
Read |
|||
|
DiscoverInstancesRevision |
Read |
|||
|
GetInstance |
Read |
|||
|
GetInstancesHealthStatus |
Read |
|||
|
GetNamespace |
Read |
|||
|
GetOperation |
Read |
|||
|
GetService |
Read |
|||
|
GetServiceAttributes |
Read |
|||
|
ListInstances |
Read |
|||
|
ListNamespaces |
Read |
|||
|
ListOperations |
List |
|||
|
ListServices |
Read |
|||
|
ListTagsForResource |
Read |
|||
|
RegisterInstance |
Write |
|||
|
TagResource |
Tagging, Write |
|||
|
UntagResource |
Tagging, Write |
|||
|
UpdateHttpNamespace |
Write |
|||
|
UpdateInstanceCustomHealthStatus |
Write |
|||
|
UpdatePrivateDnsNamespace |
Write |
|||
|
UpdatePublicDnsNamespace |
Write |
|||
|
UpdateService |
Write |
|||
|
UpdateServiceAttributes |
Write |
Actions defined by Amazon Web Services Cloud Map
You can specify the following actions in the Action element of an IAM
policy statement. Use policies to grant permissions to perform an operation in Amazon. When
you use an action in a policy, you usually allow or deny access to the API operation or CLI
command with the same name. However, in some cases, a single action controls access to more
than one operation. Alternatively, some operations require several different actions.
| Actions | Description | Resource types (*required) | Condition keys | Access level |
|---|---|---|---|---|
Grants permission to create an HTTP namespace |
Write |
|||
Grants permission to create a private namespace based on DNS, which will be visible only inside a specified Amazon VPC |
Write |
|||
Grants permission to create a public namespace based on DNS, which will be visible on the internet |
Write |
|||
Grants permission to create a service |
Write |
|||
Grants permission to delete a specified namespace |
Write |
|||
Grants permission to delete a specified service |
Write |
|||
Grants permission to delete specified attributes from a service |
Write |
|||
Grants permission to delete the records and the health check, if any, that Amazon Route 53 created for the specified instance |
Write |
|||
Grants permission to discover registered instances for a specified namespace and service |
Read |
|||
Grants permission to discover the revision of the instances for a specified namespace and service |
Read |
|||
Grants permission to get information about a specified instance |
Read |
|||
Grants permission to get the current health status (Healthy, Unhealthy, or Unknown) of one or more instances |
Read |
|||
Grants permission to get information about a namespace |
Read |
|||
Grants permission to get information about a specific operation |
Read |
|||
Grants permission to get the settings for a specified service |
Read |
|||
Grants permission to get the attributes for a specified service |
Read |
|||
Grants permission to get summary information about the instances that were registered with a specified service |
Read |
|||
Grants permission to get information about the namespaces |
Read |
|||
Grants permission to list operations that match the criteria that you specify |
List |
|||
Grants permission to get settings for all the services that match specified filters |
Read |
|||
Grants permission to lists tags for the specified resource |
Read |
|||
Grants permission to register an instance based on the settings in a specified service |
Write |
|||
Grants permission to add one or more tags to the specified resource |
Tagging, Write |
|||
Grants permission to remove one or more tags from the specified resource |
Tagging, Write |
|||
Grants permission to update the settings for a HTTP namespace |
Write |
|||
Grants permission to update the current health status for an instance that has a custom health check |
Write |
|||
Grants permission to update the settings for a private DNS namespace |
Write |
|||
Grants permission to update the settings for a public DNS namespace |
Write |
|||
Grants permission to update the settings in a specified service |
Write |
|||
Grants permission to update the attributes in a specified service |
Write |
Permission-only actions for Amazon Web Services Cloud Map
The following actions are defined by Amazon Web Services Cloud Map but are not directly invocable through any API operation. They can only be used in IAM policy statements to grant or deny permissions.
| Actions | Description | Resource types (*required) | Condition keys | Access level |
|---|---|---|---|---|
Grants permission to delete the RAM access control policy for a namespace |
Write |
|||
Grants permission to read the RAM access control policy for a namespace |
Read |
|||
Grants permission to define the RAM access control policy for a namespace |
Write |
Resource types defined by Amazon Web Services Cloud Map
The following resource types are defined by this service and can be used in the
Resource element of IAM permission policy statements.
| Resource types | ARN | Condition keys |
|---|---|---|
arn:${Partition}:servicediscovery:${Region}:${Account}:namespace/${NamespaceId} |
||
arn:${Partition}:servicediscovery:${Region}:${Account}:service/${ServiceId} |
Condition keys for Amazon Web Services Cloud Map
Amazon Web Services Cloud Map defines the following condition keys that can be used in the
Condition element of an IAM policy.
| Condition keys | Description | Type |
|---|---|---|
Filters actions based on the tags that are passed in the request |
String |
|
Filters actions based on the tags associated with the resource |
String |
|
Filters actions based on the tag keys that are passed in the request |
ArrayOfString |
|
Filters access by specifying the Amazon Resource Name (ARN) for the related namespace |
ARN |
|
Filters access by specifying the name of the related namespace |
String |
|
Filters access by specifying the Amazon Resource Name (ARN) for the related service |
ARN |
|
Filters access by specifying the account id of the related service creator |
String |
|
Filters access by specifying the name of the related service |
String |