View a markdown version of this page

Actions, resources, and condition keys for Amazon EventBridge Pipes - Service Authorization Reference
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Actions, resources, and condition keys for Amazon EventBridge Pipes

Amazon EventBridge Pipes (service prefix: pipes) provides the following service-specific operations, resources, actions, and condition keys for use in IAM permission policies.

References:

API operations defined by Amazon EventBridge Pipes

The following table maps API operations to the IAM actions they authorize. Only condition keys that have static values for the given API and action are listed; for the full set of condition keys supported by each action, see the Actions table.

Operation IAM action Condition key Possible value(s) Access level

CreatePipe

pipes:CreatePipe

Write

pipes:TagResource

Tagging, Write

iam:PassRole

iam:PassedToService

pipes.amazonaws.com

Write

DeletePipe

pipes:DeletePipe

Write

DescribePipe

pipes:DescribePipe

Read

ListPipes

pipes:ListPipes

List

ListTagsForResource

pipes:ListTagsForResource

Read

StartPipe

pipes:StartPipe

Write

StopPipe

pipes:StopPipe

Write

TagResource

pipes:TagResource

Tagging, Write

UntagResource

pipes:UntagResource

Tagging, Write

UpdatePipe

pipes:UpdatePipe

Write

iam:PassRole

iam:PassedToService

pipes.amazonaws.com

Write

Actions defined by Amazon EventBridge Pipes

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in Amazon. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

Actions Description Resource types (*required) Condition keys Access level

CreatePipe

Grants permission to create a pipe

pipe*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

DeletePipe

Grants permission to delete a pipe

pipe*

aws:ResourceTag/${TagKey}

Write

DescribePipe

Grants permission to describe a pipe

pipe*

aws:ResourceTag/${TagKey}

Read

ListPipes

Grants permission to list all pipes in your account

List

ListTagsForResource

Grants permission to list the tags for a resource

pipe*

aws:ResourceTag/${TagKey}

Read

StartPipe

Grants permission to start a pipe

pipe*

aws:ResourceTag/${TagKey}

Write

StopPipe

Grants permission to stop a pipe

pipe*

aws:ResourceTag/${TagKey}

Write

TagResource

Grants permission to add tags to a resource

pipe*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

UntagResource

Grants permission to remove tags from a resource

pipe*

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

UpdatePipe

Grants permission to update a pipe

pipe*

aws:ResourceTag/${TagKey}

Write

Resource types defined by Amazon EventBridge Pipes

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements.

Resource types ARN Condition keys

pipe

arn:${Partition}:pipes:${Region}:${Account}:pipe/${Name}

aws:ResourceTag/${TagKey}

Condition keys for Amazon EventBridge Pipes

Amazon EventBridge Pipes defines the following condition keys that can be used in the Condition element of an IAM policy.

Condition keys Description Type

aws:RequestTag/${TagKey}

Filters access by allowed set of values for each of the tags

String

aws:ResourceTag/${TagKey}

Filters access by tag-value associated with the resource

String

aws:TagKeys

Filters access by the presence of mandatory tags in the request

ArrayOfString