Menu
AWS Device Farm
Developer Guide (API Version 2015-06-23)

User Access Permissions for AWS Device Farm

You can use IAM to enable IAM users in your AWS account to perform only certain actions in Device Farm. You may want to do this, for example, if you have a set of IAM users that you want to allow to list, but not create, resources in Device Farm; you may have another set of IAM users you want to allow to list and create new resources; and so on.

For example, in the Setting Up instructions, you attached an access policy to an IAM user in your AWS account that contains a policy statement similar to this:

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "devicefarm:*" ], "Resource": [ "*" ] } ] }

The preceding statement allows the IAM user in your AWS account to perform actions in Device Farm to which your AWS account has access. In practice, you may not want to give the IAM users in your AWS account this much access.

The following information shows how you can attach a policy to an IAM user to restrict the actions the IAM user can perform in Device Farm.

Create and Attach a Policy to an IAM User

To create and attach an access policy to an IAM user that restricts the actions the IAM user can perform in Device Farm, do the following:

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. Choose Policies, and then choose Create Policy. (If a Get Started button appears, choose it, and then choose Create Policy.)

  3. Next to Create Your Own Policy, choose Select.

  4. For Policy Name, type any value that will be easy for you to refer to later, if needed.

  5. For Policy Document, type a policy statement with the following format, and then choose Create Policy:

    Copy
    { "Version": "2012-10-17", "Statement" : [ { "Effect" : "Allow", "Action" : [ "action-statement" ], "Resource" : [ "resource-statement" ] }, { "Effect" : "Allow", "Action" : [ "action-statement" ], "Resource" : [ "resource-statement" ] } ] }

    In the preceding statement, substitute action-statement as needed, and add additional statements as needed, to specify the actions in Device Farm the IAM user can perform. (By default, the IAM user will not have the desired permissions unless a corresponding Allow statement is explicitly stated.) The following section describes the format of allowed actions for Device Farm.

    Note

    Currently, the only allowed value for resource-statement in the preceding example is the asterisk character (*). This means that while you can restrict the actions an IAM user can perform in Device Farm, you cannot also restrict the Device Farm resources the IAM user can access.

  6. Choose Users.

  7. Choose the IAM user to whom you want to attach the policy.

  8. In the Permissions area, for Managed Policies, choose Attach Policy.

  9. Select the policy you just created, and then choose Attach Policy.

Action Syntax for Performing Actions in Device Farm

The following information describes the format for specifying actions an IAM user can perform in Device Farm.

Actions follow this general format:

Copy
devicefarm:action

Where action is an available Device Farm action:

  • An asterisk character (*), which represents all of the available Device Farm actions.

  • One of the available Device Farm actions, as described in the AWS Device Farm API Reference.

  • A combination of an available Device Farm action prefix and an asterisk character (*). For example, specifying List* enables the IAM user to perform all available Device Farm actions that begin with List.

Some example action statements include:

  • devicefarm:* for all Device Farm actions.

  • devicefarm:Get* for only the Device Farm actions that begin with Get.

  • devicefarm:ListProjects for just the ListProjects Device Farm action.

For example, the following policy statement gives the IAM user permission to get information about all Device Farm resources that are available to the user's AWS account:

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "devicefarm:Get*", "devicefarm:List*" ], "Resource": [ "*" ] } ] }