View a markdown version of this page

Actions, resources, and condition keys for Amazon Identity and Access Management (IAM) - Service Authorization Reference
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Actions, resources, and condition keys for Amazon Identity and Access Management (IAM)

Amazon Identity and Access Management (IAM) (service prefix: iam) provides the following service-specific operations, resources, actions, and condition keys for use in IAM permission policies.

References:

API operations defined by Amazon Identity and Access Management (IAM)

The following table maps API operations to the IAM actions they authorize. Only condition keys that have static values for the given API and action are listed; for the full set of condition keys supported by each action, see the Actions table.

Operation IAM action Condition key Possible value(s) Access level

AcceptDelegationRequest

iam:AcceptDelegationRequest

Write

AddClientIDToOpenIDConnectProvider

iam:AddClientIDToOpenIDConnectProvider

Write

AddRoleToInstanceProfile

iam:AddRoleToInstanceProfile

Write

iam:PassRole

iam:PassedToService

ec2.amazonaws.com

Write

AddUserToGroup

iam:AddUserToGroup

Write

AssociateDelegationRequest

iam:AssociateDelegationRequest

Write

AttachGroupPolicy

iam:AttachGroupPolicy

Permissions management, Write

AttachRolePolicy

iam:AttachRolePolicy

Permissions management, Write

AttachUserPolicy

iam:AttachUserPolicy

Permissions management, Write

ChangePassword

iam:ChangePassword

Write

CreateAccessKey

iam:CreateAccessKey

Write

CreateAccountAlias

iam:CreateAccountAlias

Write

CreateDelegationRequest

iam:CreateDelegationRequest

Write

CreateGroup

iam:CreateGroup

Write

CreateInstanceProfile

iam:CreateInstanceProfile

Write

iam:TagInstanceProfile

Tagging, Write

CreateLoginProfile

iam:CreateLoginProfile

Write

CreateOpenIDConnectProvider

iam:CreateOpenIDConnectProvider

Write

iam:TagOpenIDConnectProvider

Tagging, Write

CreatePolicy

iam:CreatePolicy

Permissions management, Write

iam:TagPolicy

Tagging, Write

CreatePolicyVersion

iam:CreatePolicyVersion

Permissions management, Write

CreateRole

iam:CreateRole

Write

iam:TagRole

Tagging, Write

CreateSAMLProvider

iam:CreateSAMLProvider

Write

iam:TagSAMLProvider

Tagging, Write

CreateServiceLinkedRole

iam:CreateServiceLinkedRole

Write

iam:PutRolePolicy

Permissions management, Write

CreateServiceSpecificCredential

iam:CreateServiceSpecificCredential

Write

CreateUser

iam:CreateUser

Write

iam:TagUser

Tagging, Write

CreateVirtualMFADevice

iam:CreateVirtualMFADevice

Write

iam:TagMFADevice

Tagging, Write

DeactivateMFADevice

iam:DeactivateMFADevice

Write

DeleteAccessKey

iam:DeleteAccessKey

Write

DeleteAccountAlias

iam:DeleteAccountAlias

Write

DeleteAccountPasswordPolicy

iam:DeleteAccountPasswordPolicy

Permissions management, Write

DeleteGroup

iam:DeleteGroup

Write

DeleteGroupPolicy

iam:DeleteGroupPolicy

Permissions management, Write

DeleteInstanceProfile

iam:DeleteInstanceProfile

Write

DeleteLoginProfile

iam:DeleteLoginProfile

Write

DeleteOpenIDConnectProvider

iam:DeleteOpenIDConnectProvider

Write

DeletePolicy

iam:DeletePolicy

Permissions management, Write

DeletePolicyVersion

iam:DeletePolicyVersion

Permissions management, Write

DeleteRole

iam:DeleteRole

Write

DeleteRolePermissionsBoundary

iam:DeleteRolePermissionsBoundary

Permissions management, Write

DeleteRolePolicy

iam:DeleteRolePolicy

Permissions management, Write

DeleteSAMLProvider

iam:DeleteSAMLProvider

Write

DeleteSSHPublicKey

iam:DeleteSSHPublicKey

Write

DeleteServerCertificate

iam:DeleteServerCertificate

Write

DeleteServiceLinkedRole

iam:DeleteServiceLinkedRole

Write

DeleteServiceSpecificCredential

iam:DeleteServiceSpecificCredential

Write

DeleteSigningCertificate

iam:DeleteSigningCertificate

Write

DeleteUser

iam:DeleteUser

Write

DeleteUserPermissionsBoundary

iam:DeleteUserPermissionsBoundary

Permissions management, Write

DeleteUserPolicy

iam:DeleteUserPolicy

Permissions management, Write

DeleteVirtualMFADevice

iam:DeleteVirtualMFADevice

Write

DetachGroupPolicy

iam:DetachGroupPolicy

Permissions management, Write

DetachRolePolicy

iam:DetachRolePolicy

Permissions management, Write

DetachUserPolicy

iam:DetachUserPolicy

Permissions management, Write

DisableOutboundWebIdentityFederation

iam:DisableOutboundWebIdentityFederation

Write

EnableMFADevice

iam:EnableMFADevice

Write

EnableOutboundWebIdentityFederation

iam:EnableOutboundWebIdentityFederation

Write

GenerateCredentialReport

iam:GenerateCredentialReport

Read

GenerateOrganizationsAccessReport

iam:GenerateOrganizationsAccessReport

Read

GenerateServiceLastAccessedDetails

iam:GenerateServiceLastAccessedDetails

Read

GetAccessKeyLastUsed

iam:GetAccessKeyLastUsed

Read

GetAccountAuthorizationDetails

iam:GetAccountAuthorizationDetails

Read

GetAccountPasswordPolicy

iam:GetAccountPasswordPolicy

Read

GetAccountSummary

iam:GetAccountSummary

List

GetContextKeysForCustomPolicy

iam:GetContextKeysForCustomPolicy

Read

GetContextKeysForPrincipalPolicy

iam:GetContextKeysForPrincipalPolicy

Read

GetCredentialReport

iam:GetCredentialReport

Read

GetDelegationRequest

iam:GetDelegationRequest

Read

GetGroup

iam:GetGroup

Read

GetGroupPolicy

iam:GetGroupPolicy

Read

GetHumanReadableSummary

iam:GetHumanReadableSummary

Read

GetInstanceProfile

iam:GetInstanceProfile

Read

GetLoginProfile

iam:GetLoginProfile

List

GetMFADevice

iam:GetMFADevice

Read

GetOpenIDConnectProvider

iam:GetOpenIDConnectProvider

Read

GetOrganizationsAccessReport

iam:GetOrganizationsAccessReport

Read

GetOutboundWebIdentityFederationInfo

iam:GetOutboundWebIdentityFederationInfo

Read

GetPolicy

iam:GetPolicy

Read

GetPolicyVersion

iam:GetPolicyVersion

Read

GetRole

iam:GetRole

Read

GetRolePolicy

iam:GetRolePolicy

Read

GetSAMLProvider

iam:GetSAMLProvider

Read

GetSSHPublicKey

iam:GetSSHPublicKey

Read

GetServerCertificate

iam:GetServerCertificate

Read

GetServiceLastAccessedDetails

iam:GetServiceLastAccessedDetails

Read

GetServiceLastAccessedDetailsWithEntities

iam:GetServiceLastAccessedDetailsWithEntities

Read

GetServiceLinkedRoleDeletionStatus

iam:GetServiceLinkedRoleDeletionStatus

Read

GetUser

iam:GetUser

Read

GetUserPolicy

iam:GetUserPolicy

Read

ListAccessKeys

iam:ListAccessKeys

List

ListAccountAliases

iam:ListAccountAliases

List

ListAttachedGroupPolicies

iam:ListAttachedGroupPolicies

List

ListAttachedRolePolicies

iam:ListAttachedRolePolicies

List

ListAttachedUserPolicies

iam:ListAttachedUserPolicies

List

ListDelegationRequests

iam:ListDelegationRequests

List

ListEntitiesForPolicy

iam:ListEntitiesForPolicy

List

ListGroupPolicies

iam:ListGroupPolicies

List

ListGroups

iam:ListGroups

List

ListGroupsForUser

iam:ListGroupsForUser

List

ListInstanceProfileTags

iam:ListInstanceProfileTags

List

ListInstanceProfiles

iam:ListInstanceProfiles

List

ListInstanceProfilesForRole

iam:ListInstanceProfilesForRole

List

ListMFADeviceTags

iam:ListMFADeviceTags

List

ListMFADevices

iam:ListMFADevices

List

ListOpenIDConnectProviderTags

iam:ListOpenIDConnectProviderTags

List

ListOpenIDConnectProviders

iam:ListOpenIDConnectProviders

List

ListPolicies

iam:ListPolicies

List

ListPoliciesGrantingServiceAccess

iam:ListPoliciesGrantingServiceAccess

List

ListPolicyTags

iam:ListPolicyTags

List

ListPolicyVersions

iam:ListPolicyVersions

List

ListRolePolicies

iam:ListRolePolicies

List

ListRoleTags

iam:ListRoleTags

List

ListRoles

iam:ListRoles

List

ListSAMLProviderTags

iam:ListSAMLProviderTags

List

ListSAMLProviders

iam:ListSAMLProviders

List

ListSSHPublicKeys

iam:ListSSHPublicKeys

List

ListServerCertificateTags

iam:ListServerCertificateTags

List

ListServerCertificates

iam:ListServerCertificates

List

ListServiceSpecificCredentials

iam:ListServiceSpecificCredentials

List

ListSigningCertificates

iam:ListSigningCertificates

List

ListUserPolicies

iam:ListUserPolicies

List

ListUserTags

iam:ListUserTags

List

ListUsers

iam:ListUsers

List

ListVirtualMFADevices

iam:ListVirtualMFADevices

List

PutGroupPolicy

iam:PutGroupPolicy

Permissions management, Write

PutRolePermissionsBoundary

iam:PutRolePermissionsBoundary

Permissions management, Write

PutRolePolicy

iam:PutRolePolicy

Permissions management, Write

PutUserPermissionsBoundary

iam:PutUserPermissionsBoundary

Permissions management, Write

PutUserPolicy

iam:PutUserPolicy

Permissions management, Write

RejectDelegationRequest

iam:RejectDelegationRequest

Write

RemoveClientIDFromOpenIDConnectProvider

iam:RemoveClientIDFromOpenIDConnectProvider

Write

RemoveRoleFromInstanceProfile

iam:RemoveRoleFromInstanceProfile

Write

RemoveUserFromGroup

iam:RemoveUserFromGroup

Write

ResetServiceSpecificCredential

iam:ResetServiceSpecificCredential

Write

ResyncMFADevice

iam:ResyncMFADevice

Write

SendDelegationToken

iam:SendDelegationToken

Write

SetDefaultPolicyVersion

iam:SetDefaultPolicyVersion

Permissions management, Write

SetSecurityTokenServicePreferences

iam:SetSecurityTokenServicePreferences

Write

SimulateCustomPolicy

iam:SimulateCustomPolicy

Read

SimulatePrincipalPolicy

iam:SimulatePrincipalPolicy

Read

TagInstanceProfile

iam:TagInstanceProfile

Tagging, Write

TagMFADevice

iam:TagMFADevice

Tagging, Write

TagOpenIDConnectProvider

iam:TagOpenIDConnectProvider

Tagging, Write

TagPolicy

iam:TagPolicy

Tagging, Write

TagRole

iam:TagRole

Tagging, Write

TagSAMLProvider

iam:TagSAMLProvider

Tagging, Write

TagServerCertificate

iam:TagServerCertificate

Tagging, Write

TagUser

iam:TagUser

Tagging, Write

UntagInstanceProfile

iam:UntagInstanceProfile

Tagging, Write

UntagMFADevice

iam:UntagMFADevice

Tagging, Write

UntagOpenIDConnectProvider

iam:UntagOpenIDConnectProvider

Tagging, Write

UntagPolicy

iam:UntagPolicy

Tagging, Write

UntagRole

iam:UntagRole

Tagging, Write

UntagSAMLProvider

iam:UntagSAMLProvider

Tagging, Write

UntagServerCertificate

iam:UntagServerCertificate

Tagging, Write

UntagUser

iam:UntagUser

Tagging, Write

UpdateAccessKey

iam:UpdateAccessKey

Write

UpdateAccountPasswordPolicy

iam:UpdateAccountPasswordPolicy

Write

UpdateAssumeRolePolicy

iam:UpdateAssumeRolePolicy

Permissions management, Write

UpdateGroup

iam:UpdateGroup

Write

UpdateLoginProfile

iam:UpdateLoginProfile

Write

UpdateOpenIDConnectProviderThumbprint

iam:UpdateOpenIDConnectProviderThumbprint

Write

UpdateRole

iam:UpdateRole

Write

UpdateRoleDescription

iam:UpdateRoleDescription

Write

UpdateSAMLProvider

iam:UpdateSAMLProvider

Write

UpdateSSHPublicKey

iam:UpdateSSHPublicKey

Write

UpdateServerCertificate

iam:UpdateServerCertificate

Write

UpdateServiceSpecificCredential

iam:UpdateServiceSpecificCredential

Write

UpdateSigningCertificate

iam:UpdateSigningCertificate

Write

UpdateUser

iam:UpdateUser

Write

UploadSSHPublicKey

iam:UploadSSHPublicKey

Write

UploadServerCertificate

iam:TagServerCertificate

Tagging, Write

iam:UploadServerCertificate

Write

UploadSigningCertificate

iam:UploadSigningCertificate

Write

Actions defined by Amazon Identity and Access Management (IAM)

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in Amazon. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

Actions Description Resource types (*required) Condition keys Access level

AcceptDelegationRequest

Accepts a delegation request resource, granting the requested temporary access

delegation-request*

iam:DelegationRequestOwner

Write

AddClientIDToOpenIDConnectProvider

Grants permission to add a new client ID (audience) to the list of registered IDs for the specified IAM OpenID Connect (OIDC) provider resource

oidc-provider*

aws:ResourceTag/${TagKey}

Write

AddRoleToInstanceProfile

Grants permission to add an IAM role to the specified instance profile

instance-profile*

aws:ResourceTag/${TagKey}

Write

AddUserToGroup

Grants permission to add an IAM user to the specified IAM group

group*

Write

AssociateDelegationRequest

Associates a delegation request resource with the calling identity

delegation-request*

iam:DelegationRequestOwner

Write

AttachGroupPolicy

Grants permission to attach a managed policy to the specified IAM group

group*

iam:PolicyARN

Permissions management, Write

AttachRolePolicy

Grants permission to attach a managed policy to the specified IAM role

role*

aws:ResourceTag/${TagKey}

iam:PermissionsBoundary

iam:PolicyARN

iam:ResourceTag/${TagKey}

Permissions management, Write

AttachUserPolicy

Grants permission to attach a managed policy to the specified IAM user

user*

aws:ResourceTag/${TagKey}

iam:PermissionsBoundary

iam:PolicyARN

iam:ResourceTag/${TagKey}

Permissions management, Write

ChangePassword

Grants permission to an IAM user to change their own password

user*

aws:ResourceTag/${TagKey}

iam:ResourceTag/${TagKey}

Write

CreateAccessKey

Grants permission to create access key and secret access key for the specified IAM user

user*

aws:ResourceTag/${TagKey}

iam:ResourceTag/${TagKey}

Write

CreateAccountAlias

Grants permission to create an alias for your Amazon Web Services account

Write

CreateDelegationRequest

Creates an IAM delegation request resource for temporary access delegation

delegation-request*

iam:DelegationDuration

iam:DelegationRequestOwner

iam:NotificationChannel

iam:TemplateArn

Write

CreateGroup

Grants permission to create a new group

group*

Write

CreateInstanceProfile

Grants permission to create a new instance profile

instance-profile*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

CreateLoginProfile

Grants permission to create a password for the specified IAM user

user*

aws:ResourceTag/${TagKey}

iam:ResourceTag/${TagKey}

Write

CreateOpenIDConnectProvider

Grants permission to create an IAM resource that describes an identity provider (IdP) that supports OpenID Connect (OIDC)

oidc-provider*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

CreatePolicy

Grants permission to create a new managed policy

policy*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Permissions management, Write

CreatePolicyVersion

Grants permission to create a new version of the specified managed policy

policy*

aws:ResourceTag/${TagKey}

Permissions management, Write

CreateRole

Grants permission to create a new role

role*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

iam:PermissionsBoundary

iam:ResourceTag/${TagKey}

Write

CreateSAMLProvider

Grants permission to create an IAM resource that describes an identity provider (IdP) that supports SAML 2.0

saml-provider*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

CreateServiceLinkedRole

Grants permission to create an IAM role that allows an Amazon service to perform actions on your behalf

role*

aws:ResourceTag/${TagKey}

iam:AWSServiceName

iam:ResourceTag/${TagKey}

Write

CreateServiceSpecificCredential

Grants permission to create a new service-specific credential for an IAM user

user*

aws:ResourceTag/${TagKey}

iam:ResourceTag/${TagKey}

iam:ServiceSpecificCredentialAgeDays

iam:ServiceSpecificCredentialServiceName

Write

CreateUser

Grants permission to create a new IAM user

user*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

iam:PermissionsBoundary

iam:ResourceTag/${TagKey}

Write

CreateVirtualMFADevice

Grants permission to create a new virtual MFA device

mfa*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

DeactivateMFADevice

Grants permission to deactivate the specified MFA device and remove its association with the IAM user for which it was originally enabled

user*

aws:ResourceTag/${TagKey}

iam:ResourceTag/${TagKey}

Write

DeleteAccessKey

Grants permission to delete the access key pair that is associated with the specified IAM user

user*

aws:ResourceTag/${TagKey}

iam:ResourceTag/${TagKey}

Write

DeleteAccountAlias

Grants permission to delete the specified Amazon Web Services account alias

Write

DeleteAccountPasswordPolicy

Grants permission to delete the password policy for the Amazon Web Services account

Permissions management, Write

DeleteCloudFrontPublicKey

Grants permission to delete an existing CloudFront public key

Write

DeleteGroup

Grants permission to delete the specified IAM group

group*

Write

DeleteGroupPolicy

Grants permission to delete the specified inline policy from its group

group*

Permissions management, Write

DeleteInstanceProfile

Grants permission to delete the specified instance profile

instance-profile*

aws:ResourceTag/${TagKey}

Write

DeleteLoginProfile

Grants permission to delete the password for the specified IAM user

user*

aws:ResourceTag/${TagKey}

iam:ResourceTag/${TagKey}

Write

DeleteOpenIDConnectProvider

Grants permission to delete an OpenID Connect identity provider (IdP) resource object in IAM

oidc-provider*

aws:ResourceTag/${TagKey}

Write

DeletePolicy

Grants permission to delete the specified managed policy and remove it from any IAM entities (users, groups, or roles) to which it is attached

policy*

aws:ResourceTag/${TagKey}

Permissions management, Write

DeletePolicyVersion

Grants permission to delete a version from the specified managed policy

policy*

aws:ResourceTag/${TagKey}

Permissions management, Write

DeleteRole

Grants permission to delete the specified role

role*

aws:ResourceTag/${TagKey}

iam:PermissionsBoundary

iam:ResourceTag/${TagKey}

Write

DeleteRolePermissionsBoundary

Grants permission to remove the permissions boundary from a role

role*

aws:ResourceTag/${TagKey}

iam:PermissionsBoundary

iam:ResourceTag/${TagKey}

Permissions management, Write

DeleteRolePolicy

Grants permission to delete the specified inline policy from the specified role

role*

aws:ResourceTag/${TagKey}

iam:PermissionsBoundary

iam:ResourceTag/${TagKey}

Permissions management, Write

DeleteSAMLProvider

Grants permission to delete a SAML provider resource in IAM

saml-provider*

aws:ResourceTag/${TagKey}

Write

DeleteSSHPublicKey

Grants permission to delete the specified SSH public key

user*

aws:ResourceTag/${TagKey}

iam:ResourceTag/${TagKey}

Write

DeleteServerCertificate

Grants permission to delete the specified server certificate

server-certificate*

aws:ResourceTag/${TagKey}

Write

DeleteServiceLinkedRole

Grants permission to delete an IAM role that is linked to a specific Amazon service, if the service is no longer using it

role*

aws:ResourceTag/${TagKey}

iam:ResourceTag/${TagKey}

Write

DeleteServiceSpecificCredential

Grants permission to delete the specified service-specific credential for an IAM user

user*

aws:ResourceTag/${TagKey}

iam:ResourceTag/${TagKey}

iam:ServiceSpecificCredentialServiceName

Write

DeleteSigningCertificate

Grants permission to delete a signing certificate that is associated with the specified IAM user

user*

aws:ResourceTag/${TagKey}

iam:ResourceTag/${TagKey}

Write

DeleteUser

Grants permission to delete the specified IAM user

user*

aws:ResourceTag/${TagKey}

iam:ResourceTag/${TagKey}

Write

DeleteUserPermissionsBoundary

Grants permission to remove the permissions boundary from the specified IAM user

user*

aws:ResourceTag/${TagKey}

iam:PermissionsBoundary

iam:ResourceTag/${TagKey}

Permissions management, Write

DeleteUserPolicy

Grants permission to delete the specified inline policy from an IAM user

user*

aws:ResourceTag/${TagKey}

iam:PermissionsBoundary

iam:ResourceTag/${TagKey}

Permissions management, Write

DeleteVirtualMFADevice

Grants permission to delete a virtual MFA device

mfa

aws:ResourceTag/${TagKey}

Write

sms-mfa

DetachGroupPolicy

Grants permission to detach a managed policy from the specified IAM group

group*

iam:PolicyARN

Permissions management, Write

DetachRolePolicy

Grants permission to detach a managed policy from the specified role

role*

aws:ResourceTag/${TagKey}

iam:PermissionsBoundary

iam:PolicyARN

iam:ResourceTag/${TagKey}

Permissions management, Write

DetachUserPolicy

Grants permission to detach a managed policy from the specified IAM user

user*

aws:ResourceTag/${TagKey}

iam:PermissionsBoundary

iam:PolicyARN

iam:ResourceTag/${TagKey}

Permissions management, Write

DisableOrganizationsRootCredentialsManagement

Grants permission to disable the management of member account root user credentials for an organization managed under the current account

Write

DisableOrganizationsRootSessions

Grants permission to disable privileged root actions in member accounts for an organization managed under the current account

Write

DisableOutboundWebIdentityFederation

Disables the outbound identity federation feature for the callers account

Write

EnableMFADevice

Grants permission to enable an MFA device and associate it with the specified IAM user

user*

aws:ResourceTag/${TagKey}

iam:FIDO-certification

iam:FIDO-FIPS-140-2-certification

iam:FIDO-FIPS-140-3-certification

iam:RegisterSecurityKey

iam:ResourceTag/${TagKey}

Write

EnableOrganizationsRootCredentialsManagement

Grants permission to enable the management of member account root user credentials for an organization managed under the current account

Write

EnableOrganizationsRootSessions

Grants permission to enable privileged root actions in member accounts for an organization managed under the current account

Write

EnableOutboundWebIdentityFederation

Enables the outbound identity federation feature for the callers account

Write

GenerateCredentialReport

Grants permission to generate a credential report for the Amazon Web Services account

Read

GenerateOrganizationsAccessReport

Grants permission to generate an access report for an Amazon Organizations entity

access-report*

iam:OrganizationsPolicyId

Read

GenerateServiceLastAccessedDetails

Grants permission to generate a service last accessed data report for an IAM resource

group*

Read

policy*

aws:ResourceTag/${TagKey}

role*

aws:ResourceTag/${TagKey}

iam:ResourceTag/${TagKey}

user*

aws:ResourceTag/${TagKey}

iam:ResourceTag/${TagKey}

GetAccessKeyLastUsed

Grants permission to retrieve information about when the specified access key was last used

user*

aws:ResourceTag/${TagKey}

iam:ResourceTag/${TagKey}

Read

GetAccountAuthorizationDetails

Grants permission to retrieve information about all IAM users, groups, roles, and policies in your Amazon Web Services account, including their relationships to one another

Read

GetAccountEmailAddress

Grants permission to retrieve the email address that is associated with the account

Read

GetAccountName

Grants permission to retrieve the account name that is associated with the account

Read

GetAccountPasswordPolicy

Grants permission to retrieve the password policy for the Amazon Web Services account

Read

GetAccountSummary

Grants permission to retrieve information about IAM entity usage and IAM quotas in the Amazon Web Services account

List

GetCloudFrontPublicKey

Grants permission to retrieve information about the specified CloudFront public key

Read

GetContextKeysForCustomPolicy

Grants permission to retrieve a list of all of the context keys that are referenced in the specified policy

Read

GetContextKeysForPrincipalPolicy

Grants permission to retrieve a list of all context keys that are referenced in all IAM policies that are attached to the specified IAM identity (user, group, or role)

group

Read

role

aws:ResourceTag/${TagKey}

iam:ResourceTag/${TagKey}

user

aws:ResourceTag/${TagKey}

iam:ResourceTag/${TagKey}

GetCredentialReport

Grants permission to retrieve a credential report for the Amazon Web Services account

Read

GetDelegationRequest

Retrieves information about a specific delegation request

delegation-request*

iam:DelegationRequestOwner

Read

GetGroup

Grants permission to retrieve a list of IAM users in the specified IAM group

group*

Read

GetGroupPolicy

Grants permission to retrieve an inline policy document that is embedded in the specified IAM group

group*

Read

GetHumanReadableSummary

Retrieves a human readable summary for a given entity. At this time, only delegation request are supported

delegation-request*

iam:DelegationRequestOwner

Read

GetInstanceProfile

Grants permission to retrieve information about the specified instance profile, including the instance profile's path, GUID, ARN, and role

instance-profile*

aws:ResourceTag/${TagKey}

Read

GetLoginProfile

Grants permission to retrieve the user name and password creation date for the specified IAM user

user*

aws:ResourceTag/${TagKey}

iam:ResourceTag/${TagKey}

List

GetMFADevice

Grants permission to retrieve information about an MFA device for the specified user

user*

aws:ResourceTag/${TagKey}

iam:ResourceTag/${TagKey}

Read

GetOpenIDConnectProvider

Grants permission to retrieve information about the specified OpenID Connect (OIDC) provider resource in IAM

oidc-provider*

aws:ResourceTag/${TagKey}

Read

GetOrganizationsAccessReport

Grants permission to retrieve an Amazon Organizations access report

Read

GetOutboundWebIdentityFederationInfo

Retrieves the configuration information for the outbound identity federation feature for the callers account

Read

GetPolicy

Grants permission to retrieve information about the specified managed policy, including the policy's default version and the total number of identities to which the policy is attached

policy*

aws:ResourceTag/${TagKey}

Read

GetPolicyVersion

Grants permission to retrieve information about a version of the specified managed policy, including the policy document

policy*

aws:ResourceTag/${TagKey}

Read

GetRole

Grants permission to retrieve information about the specified role, including the role's path, GUID, ARN, and the role's trust policy

role*

aws:ResourceTag/${TagKey}

iam:PermissionsBoundary

iam:ResourceTag/${TagKey}

Read

GetRolePolicy

Grants permission to retrieve an inline policy document that is embedded with the specified IAM role

role*

aws:ResourceTag/${TagKey}

iam:ResourceTag/${TagKey}

Read

GetSAMLProvider

Grants permission to retrieve the SAML provider metadocument that was uploaded when the IAM SAML provider resource was created or updated

saml-provider*

aws:ResourceTag/${TagKey}

Read

GetSSHPublicKey

Grants permission to retrieve the specified SSH public key, including metadata about the key

user*

aws:ResourceTag/${TagKey}

iam:ResourceTag/${TagKey}

Read

GetServerCertificate

Grants permission to retrieve information about the specified server certificate stored in IAM

server-certificate*

aws:ResourceTag/${TagKey}

Read

GetServiceLastAccessedDetails

Grants permission to retrieve information about the service last accessed data report

Read

GetServiceLastAccessedDetailsWithEntities

Grants permission to retrieve information about the entities from the service last accessed data report

Read

GetServiceLinkedRoleDeletionStatus

Grants permission to retrieve an IAM service-linked role deletion status

role*

aws:ResourceTag/${TagKey}

iam:ResourceTag/${TagKey}

Read

GetUser

Grants permission to retrieve information about the specified IAM user, including the user's creation date, path, unique ID, and ARN

user*

aws:ResourceTag/${TagKey}

iam:ResourceTag/${TagKey}

Read

GetUserPolicy

Grants permission to retrieve an inline policy document that is embedded in the specified IAM user

user*

aws:ResourceTag/${TagKey}

iam:ResourceTag/${TagKey}

Read

ListAccessKeys

Grants permission to list information about the access key IDs that are associated with the specified IAM user

user*

aws:ResourceTag/${TagKey}

iam:ResourceTag/${TagKey}

List

ListAccountAliases

Grants permission to list the account alias that is associated with the Amazon Web Services account

List

ListAttachedGroupPolicies

Grants permission to list all managed policies that are attached to the specified IAM group

group*

List

ListAttachedRolePolicies

Grants permission to list all managed policies that are attached to the specified IAM role

role*

aws:ResourceTag/${TagKey}

iam:ResourceTag/${TagKey}

List

ListAttachedUserPolicies

Grants permission to list all managed policies that are attached to the specified IAM user

user*

aws:ResourceTag/${TagKey}

iam:ResourceTag/${TagKey}

List

ListCloudFrontPublicKeys

Grants permission to list all current CloudFront public keys for the account

List

ListDelegationRequests

Lists delegation requests based on the specified criteria

iam:DelegationRequestOwner

List

ListEntitiesForPolicy

Grants permission to list all IAM identities to which the specified managed policy is attached

policy*

aws:ResourceTag/${TagKey}

List

ListGroupPolicies

Grants permission to list the names of the inline policies that are embedded in the specified IAM group

group*

List

ListGroups

Grants permission to list the IAM groups that have the specified path prefix

List

ListGroupsForUser

Grants permission to list the IAM groups that the specified IAM user belongs to

user*

aws:ResourceTag/${TagKey}

iam:ResourceTag/${TagKey}

List

ListInstanceProfileTags

Grants permission to list the tags that are attached to the specified instance profile

instance-profile*

aws:ResourceTag/${TagKey}

List

ListInstanceProfiles

Grants permission to list the instance profiles that have the specified path prefix

List

ListInstanceProfilesForRole

Grants permission to list the instance profiles that have the specified associated IAM role

role*

aws:ResourceTag/${TagKey}

iam:ResourceTag/${TagKey}

List

ListMFADeviceTags

Grants permission to list the tags that are attached to the specified virtual mfa device

mfa*

aws:ResourceTag/${TagKey}

List

ListMFADevices

Grants permission to list the MFA devices for an IAM user

user

aws:ResourceTag/${TagKey}

iam:ResourceTag/${TagKey}

List

ListOpenIDConnectProviderTags

Grants permission to list the tags that are attached to the specified OpenID Connect provider

oidc-provider*

aws:ResourceTag/${TagKey}

List

ListOpenIDConnectProviders

Grants permission to list information about the IAM OpenID Connect (OIDC) provider resource objects that are defined in the Amazon Web Services account

List

ListOrganizationsFeatures

Grants permission to list the centralized root access features enabled for your organization

List

ListPolicies

Grants permission to list all managed policies

List

ListPoliciesGrantingServiceAccess

Grants permission to list information about the policies that grant an entity access to a specific service

group*

List

role*

aws:ResourceTag/${TagKey}

iam:ResourceTag/${TagKey}

user*

aws:ResourceTag/${TagKey}

iam:ResourceTag/${TagKey}

ListPolicyTags

Grants permission to list the tags that are attached to the specified managed policy

policy*

aws:ResourceTag/${TagKey}

List

ListPolicyVersions

Grants permission to list information about the versions of the specified managed policy, including the version that is currently set as the policy's default version

policy*

aws:ResourceTag/${TagKey}

List

ListRolePolicies

Grants permission to list the names of the inline policies that are embedded in the specified IAM role

role*

aws:ResourceTag/${TagKey}

iam:ResourceTag/${TagKey}

List

ListRoleTags

Grants permission to list the tags that are attached to the specified IAM role

role*

aws:ResourceTag/${TagKey}

iam:ResourceTag/${TagKey}

List

ListRoles

Grants permission to list the IAM roles that have the specified path prefix

List

ListSAMLProviderTags

Grants permission to list the tags that are attached to the specified SAML provider

saml-provider*

aws:ResourceTag/${TagKey}

List

ListSAMLProviders

Grants permission to list the SAML provider resources in IAM

List

ListSSHPublicKeys

Grants permission to list information about the SSH public keys that are associated with the specified IAM user

user*

aws:ResourceTag/${TagKey}

iam:ResourceTag/${TagKey}

List

ListSTSRegionalEndpointsStatus

Grants permission to list the status of all active STS regional endpoints

List

ListServerCertificateTags

Grants permission to list the tags that are attached to the specified server certificate

server-certificate*

aws:ResourceTag/${TagKey}

List

ListServerCertificates

Grants permission to list the server certificates that have the specified path prefix

List

ListServiceSpecificCredentials

Grants permission to list the service-specific credentials that are associated with the specified IAM user

user*

aws:ResourceTag/${TagKey}

iam:ResourceTag/${TagKey}

List

ListSigningCertificates

Grants permission to list information about the signing certificates that are associated with the specified IAM user

user*

aws:ResourceTag/${TagKey}

iam:ResourceTag/${TagKey}

List

ListUserPolicies

Grants permission to list the names of the inline policies that are embedded in the specified IAM user

user*

aws:ResourceTag/${TagKey}

iam:ResourceTag/${TagKey}

List

ListUserTags

Grants permission to list the tags that are attached to the specified IAM user

user*

aws:ResourceTag/${TagKey}

iam:ResourceTag/${TagKey}

List

ListUsers

Grants permission to list the IAM users that have the specified path prefix

List

ListVirtualMFADevices

Grants permission to list virtual MFA devices by assignment status

List

PutGroupPolicy

Grants permission to create or update an inline policy document that is embedded in the specified IAM group

group*

Permissions management, Write

PutRolePermissionsBoundary

Grants permission to set a managed policy as a permissions boundary for a role

role*

aws:ResourceTag/${TagKey}

iam:PermissionsBoundary

iam:ResourceTag/${TagKey}

Permissions management, Write

PutRolePolicy

Grants permission to create or update an inline policy document that is embedded in the specified IAM role

role*

aws:ResourceTag/${TagKey}

iam:PermissionsBoundary

iam:ResourceTag/${TagKey}

Permissions management, Write

PutUserPermissionsBoundary

Grants permission to set a managed policy as a permissions boundary for an IAM user

user*

aws:ResourceTag/${TagKey}

iam:PermissionsBoundary

iam:ResourceTag/${TagKey}

Permissions management, Write

PutUserPolicy

Grants permission to create or update an inline policy document that is embedded in the specified IAM user

user*

aws:ResourceTag/${TagKey}

iam:PermissionsBoundary

iam:ResourceTag/${TagKey}

Permissions management, Write

RejectDelegationRequest

Rejects a delegation request, denying the requested temporary access

delegation-request*

iam:DelegationRequestOwner

Write

RemoveClientIDFromOpenIDConnectProvider

Grants permission to remove the client ID (audience) from the list of client IDs in the specified IAM OpenID Connect (OIDC) provider resource

oidc-provider*

aws:ResourceTag/${TagKey}

Write

RemoveRoleFromInstanceProfile

Grants permission to remove an IAM role from the specified EC2 instance profile

instance-profile*

aws:ResourceTag/${TagKey}

Write

RemoveUserFromGroup

Grants permission to remove an IAM user from the specified group

group*

Write

ResetServiceSpecificCredential

Grants permission to reset the password for an existing service-specific credential for an IAM user

user*

aws:ResourceTag/${TagKey}

iam:ResourceTag/${TagKey}

iam:ServiceSpecificCredentialServiceName

Write

ResyncMFADevice

Grants permission to synchronize the specified MFA device with its IAM entity (user or role)

user*

aws:ResourceTag/${TagKey}

iam:ResourceTag/${TagKey}

Write

SendDelegationToken

Sends the exchange token for an accepted delegation request

delegation-request*

iam:DelegationRequestOwner

Write

SetDefaultPolicyVersion

Grants permission to set the version of the specified policy as the policy's default version

policy*

aws:ResourceTag/${TagKey}

Permissions management, Write

SetSTSRegionalEndpointStatus

Grants permission to activate or deactivate an STS regional endpoint

Write

SetSecurityTokenServicePreferences

Grants permission to set the STS global endpoint token version

Write

SimulateCustomPolicy

Grants permission to simulate whether an identity-based policy or resource-based policy provides permissions for specific API operations and resources

Read

SimulatePrincipalPolicy

Grants permission to simulate whether an identity-based policy that is attached to a specified IAM entity (user or role) provides permissions for specific API operations and resources

group

Read

role

aws:ResourceTag/${TagKey}

iam:ResourceTag/${TagKey}

user

aws:ResourceTag/${TagKey}

iam:ResourceTag/${TagKey}

TagInstanceProfile

Grants permission to add tags to an instance profile

instance-profile*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

TagMFADevice

Grants permission to add tags to a virtual mfa device

mfa*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

TagOpenIDConnectProvider

Grants permission to add tags to an OpenID Connect provider

oidc-provider*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

TagPolicy

Grants permission to add tags to a managed policy

policy*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

TagRole

Grants permission to add tags to an IAM role

role*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

iam:ResourceTag/${TagKey}

Tagging, Write

TagSAMLProvider

Grants permission to add tags to a SAML Provider

saml-provider*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

TagServerCertificate

Grants permission to add tags to a server certificate

server-certificate*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

TagUser

Grants permission to add tags to an IAM user

user*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

iam:ResourceTag/${TagKey}

Tagging, Write

UntagInstanceProfile

Grants permission to remove the specified tags from the instance profile

instance-profile*

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

UntagMFADevice

Grants permission to remove the specified tags from the virtual mfa device

mfa*

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

UntagOpenIDConnectProvider

Grants permission to remove the specified tags from the OpenID Connect provider

oidc-provider*

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

UntagPolicy

Grants permission to remove the specified tags from the managed policy

policy*

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

UntagRole

Grants permission to remove the specified tags from the role

role*

aws:ResourceTag/${TagKey}

aws:TagKeys

iam:ResourceTag/${TagKey}

Tagging, Write

UntagSAMLProvider

Grants permission to remove the specified tags from the SAML Provider

saml-provider*

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

UntagServerCertificate

Grants permission to remove the specified tags from the server certificate

server-certificate*

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

UntagUser

Grants permission to remove the specified tags from the user

user*

aws:ResourceTag/${TagKey}

aws:TagKeys

iam:ResourceTag/${TagKey}

Tagging, Write

UpdateAccessKey

Grants permission to update the status of the specified access key as Active or Inactive

user*

aws:ResourceTag/${TagKey}

iam:ResourceTag/${TagKey}

Write

UpdateAccountEmailAddress

Grants permission to update the email address that is associated with the account

Write

UpdateAccountName

Grants permission to update the account name that is associated with the account

Write

UpdateAccountPasswordPolicy

Grants permission to update the password policy settings for the Amazon Web Services account

Write

UpdateAssumeRolePolicy

Grants permission to update the policy that grants an IAM entity permission to assume a role

role*

aws:ResourceTag/${TagKey}

iam:PermissionsBoundary

iam:ResourceTag/${TagKey}

Permissions management, Write

UpdateCloudFrontPublicKey

Grants permission to update an existing CloudFront public key

Write

UpdateGroup

Grants permission to update the name or path of the specified IAM group

group*

Write

UpdateLoginProfile

Grants permission to change the password for the specified IAM user

user*

aws:ResourceTag/${TagKey}

iam:ResourceTag/${TagKey}

Write

UpdateOpenIDConnectProviderThumbprint

Grants permission to update the entire list of server certificate thumbprints that are associated with an OpenID Connect (OIDC) provider resource

oidc-provider*

aws:ResourceTag/${TagKey}

Write

UpdateRole

Grants permission to update the description or maximum session duration setting of a role

role*

aws:ResourceTag/${TagKey}

iam:PermissionsBoundary

iam:ResourceTag/${TagKey}

Write

UpdateRoleDescription

Grants permission to update only the description of a role

role*

aws:ResourceTag/${TagKey}

iam:PermissionsBoundary

iam:ResourceTag/${TagKey}

Write

UpdateSAMLProvider

Grants permission to update the metadata document for an existing SAML provider resource

saml-provider*

aws:ResourceTag/${TagKey}

Write

UpdateSSHPublicKey

Grants permission to update the status of an IAM user's SSH public key to active or inactive

user*

aws:ResourceTag/${TagKey}

iam:ResourceTag/${TagKey}

Write

UpdateServerCertificate

Grants permission to update the name or the path of the specified server certificate stored in IAM

server-certificate*

aws:ResourceTag/${TagKey}

Write

UpdateServiceSpecificCredential

Grants permission to update the status of a service-specific credential to active or inactive for an IAM user

user*

aws:ResourceTag/${TagKey}

iam:ResourceTag/${TagKey}

iam:ServiceSpecificCredentialServiceName

Write

UpdateSigningCertificate

Grants permission to update the status of the specified user signing certificate to active or disabled

user*

aws:ResourceTag/${TagKey}

iam:ResourceTag/${TagKey}

Write

UpdateUser

Grants permission to update the name or the path of the specified IAM user

user*

aws:ResourceTag/${TagKey}

iam:ResourceTag/${TagKey}

Write

UploadCloudFrontPublicKey

Grants permission to upload a CloudFront public key

Write

UploadSSHPublicKey

Grants permission to upload an SSH public key and associate it with the specified IAM user

user*

aws:ResourceTag/${TagKey}

iam:ResourceTag/${TagKey}

Write

UploadServerCertificate

Grants permission to upload a server certificate entity for the Amazon Web Services account

server-certificate*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

UploadSigningCertificate

Grants permission to upload an X.509 signing certificate and associate it with the specified IAM user

user*

aws:ResourceTag/${TagKey}

iam:ResourceTag/${TagKey}

Write

Permission-only actions for Amazon Identity and Access Management (IAM)

The following actions are defined by Amazon Identity and Access Management (IAM) but are not directly invocable through any API operation. They can only be used in IAM policy statements to grant or deny permissions.

Actions Description Resource types (*required) Condition keys Access level

PassRole

Grants permission to pass a role to a service

role*

aws:ResourceTag/${TagKey}

iam:AssociatedResourceArn

iam:PassedToService

iam:ResourceTag/${TagKey}

Write

Resource types defined by Amazon Identity and Access Management (IAM)

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements.

Resource types ARN Condition keys

access-report

arn:${Partition}:iam::${Account}:access-report/${EntityPath}

assumed-role

arn:${Partition}:iam::${Account}:assumed-role/${RoleName}/${RoleSessionName}

delegation-request

arn:${Partition}:iam::${Account}:delegation-request/${DelegationRequestId}

iam:DelegationRequestOwner

federated-user

arn:${Partition}:iam::${Account}:federated-user/${UserName}

group

arn:${Partition}:iam::${Account}:group/${GroupNameWithPath}

instance-profile

arn:${Partition}:iam::${Account}:instance-profile/${InstanceProfileNameWithPath}

aws:ResourceTag/${TagKey}

mfa

arn:${Partition}:iam::${Account}:mfa/${MfaTokenIdWithPath}

aws:ResourceTag/${TagKey}

oidc-provider

arn:${Partition}:iam::${Account}:oidc-provider/${OidcProviderName}

aws:ResourceTag/${TagKey}

policy

arn:${Partition}:iam::${Account}:policy/${PolicyNameWithPath}

aws:ResourceTag/${TagKey}

role

arn:${Partition}:iam::${Account}:role/${RoleNameWithPath}

aws:ResourceTag/${TagKey}

iam:ResourceTag/${TagKey}

saml-provider

arn:${Partition}:iam::${Account}:saml-provider/${SamlProviderName}

aws:ResourceTag/${TagKey}

server-certificate

arn:${Partition}:iam::${Account}:server-certificate/${CertificateNameWithPath}

aws:ResourceTag/${TagKey}

sms-mfa

arn:${Partition}:iam::${Account}:sms-mfa/${MfaTokenIdWithPath}

user

arn:${Partition}:iam::${Account}:user/${UserNameWithPath}

aws:ResourceTag/${TagKey}

iam:ResourceTag/${TagKey}

Condition keys for Amazon Identity and Access Management (IAM)

Amazon Identity and Access Management (IAM) defines the following condition keys that can be used in the Condition element of an IAM policy.

Condition keys Description Type

aws:RequestTag/${TagKey}

Filters access based on the tags that are passed in the request

String

aws:ResourceTag/${TagKey}

Filters access based on the tags associated with the resource

String

aws:TagKeys

Filters access based on the tag keys that are passed in the request

ArrayOfString

iam:AWSServiceName

Filters access by the Amazon service to which this role is attached

String

iam:AssociatedResourceArn

Filters access by the resource that the role will be used on behalf of

ARN

iam:DelegationDuration

Filters access based on the requested delegation duration

String

iam:DelegationRequestOwner

Filters access based on the delegation request owner

ARN

iam:FIDO-FIPS-140-2-certification

Filters access by the MFA device FIPS-140-2 validation certification level at the time of registration of a FIDO security key

String

iam:FIDO-FIPS-140-3-certification

Filters access by the MFA device FIPS-140-3 validation certification level at the time of registration of a FIDO security key

String

iam:FIDO-certification

Filters access by the MFA device FIDO certification level at the time of registration of a FIDO security key

String

iam:NotificationChannel

Filters access based on the requested notification channel

String

iam:OrganizationsPolicyId

Filters access by the ID of an Amazon Organizations policy

String

iam:PassedToService

Filters access by the Amazon service to which this role is passed

String

iam:PermissionsBoundary

Filters access if the specified policy is set as the permissions boundary on the IAM entity (user or role)

ARN

iam:PolicyARN

Filters access by the ARN of an IAM policy

ARN

iam:RegisterSecurityKey

Filters access by the current state of MFA device enablement

String

iam:ResourceTag/${TagKey}

Filters access by the tags attached to an IAM entity (user or role)

String

iam:ServiceSpecificCredentialAgeDays

Filters access by the duration until the credential's expiration

Numeric

iam:ServiceSpecificCredentialServiceName

Filters access by the service associated with the credential

String

iam:TemplateArn

Filters access based on the requested template ARN

ARN