Menu
Amazon Lex
Developer Guide

Amazon Lex API Permissions: Actions, Resources, and Conditions Reference

Use the following table as a reference when setting up Access Control and writing a permissions policy that you can attach to an IAM identity (an identity-based policy). The list includes each Amazon Lex API operation, the corresponding action for which you can grant permissions to perform the action, and the AWS resource for which you can grant the permissions. You specify the actions in the policy's Action field, and you specify the resource value in the policy's Resource field.

To express conditions, you can use AWS-wide condition keys in your Amazon Lex policies. For a complete list of AWS-wide keys, see Available Keys in the IAM User Guide.

Note

To specify an action, use the lex: prefix followed by the API operation name, for example, lex:PostText.

If you see an expand arrow () in the upper-right corner of the table, you can open the table in a new window. To close the window, choose the close button (X) in the lower-right corner.

Amazon Lex API and Required Permissions for Actions

Amazon Lex API Operations Required Permissions (API Actions) Resources

CreateBotVersion

lex:CreateBotVersion

arn:aws:lex:region:account-id:bot:bot-name:$LATEST

CreateIntentVersion

lex:CreateIntentVersion

arn:aws:lex:region:account-id:intent:intent-name:$LATEST

CreateSlotTypeVersion

lex:CreateSlotTypeVersion

arn:aws:lex:region:account-id:slottype:slottype-name:$LATEST

DeleteBot

lex:DeleteBot

arn:aws:lex:region:account-id:bot:bot-name:*

DeleteBotAlias

lex:DeleteBotAlias

arn:aws:lex:region:account-id:bot:bot-name:alias-name

DeleteBotChannelAssociation

lex:DeleteBotChannelAssociation

arn:aws:lex:region:account-id:bot-channel:bot-name:alias-name:channel-name

DeleteBotVersion

lex:DeleteBotVersion

arn:aws:lex:region:account-id:bot:bot-name:version

DeleteIntent

lex:DeleteIntent

arn:aws:lex:region:account-id:intent:intent-name:*

DeleteIntentVersion

lex:DeleteIntentVersion

arn:aws:lex:region:account-id:intent:intent-name:version

DeleteSlotType

lex:DeleteSlotType

arn:aws:lex:region:account-id:slottype:slottype-name:*

DeleteSlotTypeVersion

lex:DeleteSlotTypeVersion

arn:aws:lex:region:account-id:slottype:slottype-name:version

DeleteUtterances

lex:DeleteUtterances

arn:aws:lex:region:account-id:bot:bot-name:*

GetBot

lex:GetBot

arn:aws:lex:region:account-id:bot:bot-name:version

GetBotAlias

lex:GetBotAlias

arn:aws:lex:region:account-id:bot:bot-name:alias-name

GetBotAliases

lex:GetBotAliases

arn:aws:lex:region:account-id:bot:bot-name:*

GetBotChannelAssociation

lex:GetBotChannelAssociation

arn:aws:lex:region:account-id:bot-channel:bot-name:alias-name:channel-name

GetBotChannelAssociations

lex:GetBotChannelAssociations arn:aws:lex:region:account-id:bot-channel:bot-name:alias-name:*

GetBots

lex:GetBots

arn:aws:lex:region:account-id:bot:*

GetBotVersions

lex:GetBotVersions

arn:aws:lex:region:account-id:bot:bot-name:*

GetBuiltinIntent

lex:GetBuiltinIntent

*

GetBuiltinIntents

lex:GetBuiltinIntents

*

GetBuiltinSlotTypes

lex:GetBuiltinSlotTypes

*

GetExport (see note)

lex:GetExport

arn:aws:lex:region:account-id:bot:bot-name:bot-version

GetIntent

lex:GetIntent

arn:aws:lex:region:account-id:intent:intent-name:version

GetIntents

lex:GetIntents

arn:aws:lex:region:account-id:intent:*

GetIntentVersions

lex:GetIntentVersions

arn:aws:lex:region:account-id:intent:intent-name:*

GetSlotType

lex:GetSlotType

arn:aws:lex:region:account-id:slottype:slottype-name:version

GetSlotTypes

lex:GetSlotTypes

arn:aws:lex:region:account-id:slottype:*

GetSlotTypeVersions

lex:GetSlotTypeVersions

arn:aws:lex:region:account-id:slottype:slottype-name:*

GetUtterancesView

lex:GetUtterancesView

arn:aws:lex:region:account-id:bot:bot-name:version

lex:PostContent

arn:aws:lex:region:account-id:bot:bot-name:alias

lex:PostText

arn:aws:lex:region:account-id:bot:bot-name:alias-name

PutBot

lex:PutBot

arn:aws:lex:region:account-id:bot:bot-name:$LATEST

PutBotAlias

lex:PutBotAlias

arn:aws:lex:region:account-id:bot:bot-name:alias-name

PutIntent

lex:PutIntent

arn:aws:lex:region:account-id:intent:intent-name:$LATEST

PutSlotType

lex:PutSlotType

arn:aws:lex:region:account-id:slottype:slottype-name:$LATEST

Note

The GetExport function checks permission at the bot level and, if authorized, exports all relevant intent and slot type information associated with the specified bot. GetExport does not check intent-level and slot type-level permissions.