Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).
Customer Managed Policy Examples
In this section, you can find example user policies that grant permissions for various Amazon Snowball Edge job management actions. These policies work when you are using the Amazon SDKs or the Amazon CLI. When you are using the console, you need to grant additional permissions specific to the console, which are discussed in Permissions Required to Use the Amazon Snowball Edge Console.

All examples use the us-west-2 Region and contain fictitious account IDs.
Example 1: Role Policy That Allows a User to Create a Job to Order a Snowball Edge Device with the API

The following policy statement is a necessary component of any policy used to grant job or cluster creation permission through the job management API. It must be present as a trust relationship policy statement for the Snowball IAM role, so that only the Snowball service principal can assume the role.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "importexport.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Example 2: Role Policy for Creating Import Jobs

You use the following role trust policy for creating import jobs for Snowball Edge that use Amazon Lambda powered by Amazon IoT Greengrass functions.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucketMultipartUploads"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketPolicy",
        "s3:GetBucketLocation",
        "s3:ListBucketMultipartUploads",
        "s3:ListBucket",
        "s3:PutObject",
        "s3:AbortMultipartUpload",
        "s3:ListMultipartUploadParts",
        "s3:PutObjectAcl",
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "snowball:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:AttachPrincipalPolicy",
        "iot:AttachThingPrincipal",
        "iot:CreateKeysAndCertificate",
        "iot:CreatePolicy",
        "iot:CreateThing",
        "iot:DescribeEndpoint",
        "iot:GetPolicy"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "lambda:GetFunction"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "greengrass:CreateCoreDefinition",
        "greengrass:CreateDeployment",
        "greengrass:CreateDeviceDefinition",
        "greengrass:CreateFunctionDefinition",
        "greengrass:CreateGroup",
        "greengrass:CreateGroupVersion",
        "greengrass:CreateLoggerDefinition",
        "greengrass:CreateSubscriptionDefinition",
        "greengrass:GetDeploymentStatus",
        "greengrass:UpdateGroupCertificateConfiguration",
        "greengrass:CreateGroupCertificateAuthority",
        "greengrass:GetGroupCertificateAuthority",
        "greengrass:ListGroupCertificateAuthorities",
        "greengrass:ListDeployments",
        "greengrass:GetGroup",
        "greengrass:GetGroupVersion",
        "greengrass:GetCoreDefinitionVersion"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
Example 3: Role Policy for Creating Export Jobs

You use the following role trust policy for creating export jobs for Snowball Edge that use Amazon Lambda powered by Amazon IoT Greengrass functions.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "snowball:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:AttachPrincipalPolicy",
        "iot:AttachThingPrincipal",
        "iot:CreateKeysAndCertificate",
        "iot:CreatePolicy",
        "iot:CreateThing",
        "iot:DescribeEndpoint",
        "iot:GetPolicy"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "lambda:GetFunction"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "greengrass:CreateCoreDefinition",
        "greengrass:CreateDeployment",
        "greengrass:CreateDeviceDefinition",
        "greengrass:CreateFunctionDefinition",
        "greengrass:CreateGroup",
        "greengrass:CreateGroupVersion",
        "greengrass:CreateLoggerDefinition",
        "greengrass:CreateSubscriptionDefinition",
        "greengrass:GetDeploymentStatus",
        "greengrass:UpdateGroupCertificateConfiguration",
        "greengrass:CreateGroupCertificateAuthority",
        "greengrass:GetGroupCertificateAuthority",
        "greengrass:ListGroupCertificateAuthorities",
        "greengrass:ListDeployments",
        "greengrass:GetGroup",
        "greengrass:GetGroupVersion",
        "greengrass:GetCoreDefinitionVersion"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
Example 4: Expected Role Permissions and Trust Policy

The following role permissions policy is necessary for an existing service role to use. It is a one-time setup. Note that the CloudWatch grant is limited by a condition to the AWS/SnowFamily namespace, and the SNS grant names a single topic ARN rather than a wildcard.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sns:Publish",
      "Resource": ["arn:aws:sns:region:111122223333:topic-name"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:ListMetrics",
        "cloudwatch:GetMetricData",
        "cloudwatch:PutMetricData"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringEquals": {
          "cloudwatch:namespace": "AWS/SnowFamily"
        }
      }
    }
  ]
}
The following role trust policy is necessary for an existing service role to use. It is a one-time setup.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "importexport.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
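The policies in Examples 1 through 4 are worth checking mechanically before they are attached to a role: the trust policy should admit only the Snowball service principal, and the import and export policies grant snowball:* on * and several S3 actions on arn:aws:s3:::*, which a least-privilege review would narrow to the job's bucket. The following audit script is an added example, not code from the Snowball Edge documentation; the bucket name it narrows to is a constructed value.

```python
# Added example, not from the Snowball Edge docs: audits role policies like
# those in Examples 1-4 before they are attached. It expects the Example 1
# principal importexport.amazonaws.com; the bucket name is a constructed value.
import copy

SNOWBALL_SERVICE = "importexport.amazonaws.com"
# Trust policy from Example 1 and two trimmed statements from Example 2.
TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
         "Principal": {"Service": SNOWBALL_SERVICE}, "Action": "sts:AssumeRole"}]}
PERMS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:PutObject"],
     "Resource": "arn:aws:s3:::*"},
    {"Effect": "Allow", "Action": ["snowball:*"], "Resource": ["*"]}]}

def _as_list(v):  # IAM accepts a string or a list in these fields
    return [v] if isinstance(v, str) else list(v or [])

def _allows(doc):  # only Allow statements grant anything
    return [s for s in doc.get("Statement", []) if s.get("Effect") == "Allow"]

def check_trust_policy(doc):
    """Findings; empty means only the Snowball service can sts:AssumeRole."""
    findings = []
    for s in _allows(doc):
        p = s.get("Principal", {})
        principals = ([x for v in p.values() for x in _as_list(v)]
                      if isinstance(p, dict) else _as_list(p))
        findings += [f"unexpected principal {x}" for x in principals if x != SNOWBALL_SERVICE]
        findings += [f"unexpected action {a}" for a in _as_list(s.get("Action")) if a != "sts:AssumeRole"]
    return findings

def find_wildcards(doc):
    """(action, resource) pairs with a wildcard side, e.g. snowball:* on *."""
    hits = []
    for s in _allows(doc):
        for a in _as_list(s.get("Action")):
            for r in _as_list(s.get("Resource")):
                if a.endswith("*") or r == "*" or r.endswith(":::*"):
                    hits.append((a, r))
    return hits

def scope_s3_to_bucket(doc, bucket):
    """Copy of doc with arn:aws:s3:::* narrowed to one bucket and its objects."""
    out = copy.deepcopy(doc)
    for s in out["Statement"]:
        res = _as_list(s.get("Resource"))
        if "arn:aws:s3:::*" in res:
            s["Resource"] = [r for r in res if r != "arn:aws:s3:::*"] + [
                f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    return out
```

The bucket ARN covers bucket-level actions such as s3:ListBucket and the bucket/* ARN covers object-level actions such as s3:PutObject, so both are needed when a statement mixes them as Examples 2 and 3 do.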
Amazon Snowball Edge API Permissions: Actions, Resources, and Conditions Reference

When you are setting up access control in the Amazon Web Services Cloud and writing a permissions policy that you can attach to an IAM identity (identity-based policies), you can use the following table as a reference. The table lists each Amazon Snowball Edge job management API operation, the corresponding action for which you can grant permission to perform that operation, and the Amazon resource for which you can grant the permission. You specify the actions in the policy's Action field, and you specify the resource value in the policy's Resource field.
You can use Amazon-wide condition keys in your Amazon Snowball Edge policies to express conditions. For a complete list of Amazon-wide keys, see Available Keys in the IAM User Guide.

To specify an action, use the snowball: prefix followed by the API operation name (for example, snowball:CreateJob).