View a markdown version of this page

Actions, resources, and condition keys for Amazon Verified Permissions - Service Authorization Reference
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Actions, resources, and condition keys for Amazon Verified Permissions

Amazon Verified Permissions (service prefix: verifiedpermissions) provides the following service-specific operations, resources, actions, and condition keys for use in IAM permission policies.

References:

Actions defined by Amazon Verified Permissions

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in Amazon. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

Actions Description Resource types (*required) Condition keys Access level

CreateIdentitySource

Grants permission to create a reference to an external identity provider (IdP) that is compatible with OpenID Connect (OIDC) authentication protocol, such as Amazon Cognito

policy-store*

aws:ResourceTag/${TagKey}

Write

CreatePolicy

Grants permission to create a Cedar policy and save it in the specified policy store

policy-store*

aws:ResourceTag/${TagKey}

Write

CreatePolicyStore

Grants permission to create a Cedar policy and save it in the specified policy store

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

CreatePolicyStoreAlias

Grants permission to create an alias against a policy store

policy-store*

aws:ResourceTag/${TagKey}

Write

policy-store-alias*

CreatePolicyTemplate

Grants permission to create a policy template

policy-store*

aws:ResourceTag/${TagKey}

Write

DeleteIdentitySource

Grants permission to delete an identity source that references an identity provider (IdP) such as Amazon Cognito

policy-store*

aws:ResourceTag/${TagKey}

Write

DeletePolicy

Grants permission to delete the specified policy from the policy store

policy-store*

aws:ResourceTag/${TagKey}

Write

DeletePolicyStore

Grants permission to delete the specified policy store

policy-store*

aws:ResourceTag/${TagKey}

Write

DeletePolicyStoreAlias

Grants permission to delete an alias for a policy store

policy-store-alias*

Write

DeletePolicyTemplate

Grants permission to delete the specified policy template from the policy store

policy-store*

aws:ResourceTag/${TagKey}

Write

GetIdentitySource

Grants permission to retrieve the details about the specified identity source

policy-store*

aws:ResourceTag/${TagKey}

Read

GetPolicy

Grants permission to retrieve information about the specified policy

policy-store*

aws:ResourceTag/${TagKey}

Read

GetPolicyStore

Grants permission to retrieve details about a policy store

policy-store*

aws:ResourceTag/${TagKey}

Read

GetPolicyStoreAlias

Grants permission to retrieve details about an alias for a policy store

policy-store-alias*

Read

GetPolicyTemplate

Grants permission to retrieve the details for the specified policy template in the specified policy store

policy-store*

aws:ResourceTag/${TagKey}

Read

GetSchema

Grants permission to retrieve the details for the specified schema in the specified policy store

policy-store*

aws:ResourceTag/${TagKey}

Read

IsAuthorized

Grants permission to make an authorization decision about a service request described in the parameters

policy-store*

aws:ResourceTag/${TagKey}

Read

IsAuthorizedWithToken

Grants permission to make an authorization decision about a service request described in the parameters. The principal in this request comes from an external identity source

policy-store*

aws:ResourceTag/${TagKey}

Read

ListIdentitySources

Grants permission to return a paginated list of all of the identity sources defined in the specified policy store

policy-store*

aws:ResourceTag/${TagKey}

List

ListPolicies

Grants permission to return a paginated list of all policies stored in the specified policy store

policy-store*

aws:ResourceTag/${TagKey}

List

ListPolicyStoreAliases

Grants permission to return a paginated list of all policy store aliases

List

ListPolicyStores

Grants permission to return a paginated list of all policy stores in the calling Amazon Web Services account

List

ListPolicyTemplates

Grants permission to return a paginated list of all policy templates in the specified policy store

policy-store*

aws:ResourceTag/${TagKey}

List

ListTagsForResource

Grants permission to view a list of resource tags for the specified policy store

policy-store*

aws:ResourceTag/${TagKey}

Read

PutSchema

Grants permission to create or update the policy schema in the specified policy store

policy-store*

aws:ResourceTag/${TagKey}

Write

TagResource

Grants permission to add tags to the specified policy store

policy-store*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

UntagResource

Grants permission to remove tags from the specified policy store

policy-store*

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

UpdateIdentitySource

Grants permission to update the specified identity source to use a new identity provider (IdP) source, or to change the mapping of identities from the IdP to a different principal entity type

policy-store*

aws:ResourceTag/${TagKey}

Write

UpdatePolicy

Grants permission to modify the specified Cedar static policy in the specified policy store

policy-store*

aws:ResourceTag/${TagKey}

Write

UpdatePolicyStore

Grants permission to modify the validation setting for a policy store

policy-store*

aws:ResourceTag/${TagKey}

Write

UpdatePolicyTemplate

Grants permission to update the specified policy template

policy-store*

aws:ResourceTag/${TagKey}

Write

Resource types defined by Amazon Verified Permissions

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements.

Resource types ARN Condition keys

policy-store

arn:${Partition}:verifiedpermissions::${Account}:policy-store/${PolicyStoreId}

aws:ResourceTag/${TagKey}

policy-store-alias

arn:${Partition}:verifiedpermissions:${Region}:${Account}:policy-store-alias/${AliasName}

Condition keys for Amazon Verified Permissions

Amazon Verified Permissions defines the following condition keys that can be used in the Condition element of an IAM policy.

Condition keys Description Type

aws:RequestTag/${TagKey}

Filters access by a tag key and value pair that is allowed in the request

String

aws:ResourceTag/${TagKey}

Filters access by a tag key and value pair of a resource

String

aws:TagKeys

Filters access by a list of tag keys that are allowed in the request

ArrayOfString