Actions, resources, and condition keys for Amazon Cloud Directory - Service Authorization Reference

Actions, resources, and condition keys for Amazon Cloud Directory

Amazon Cloud Directory (service prefix: clouddirectory) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions defined by Amazon Cloud Directory

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note

Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see Actions table.

Actions Description Access level Resource types (*required) Condition keys Dependent actions
AddFacetToObject Grants permission to add a new Facet to an object Write

directory*

ApplySchema Grants permission to copy input published schema into Directory with same name and version as that of published schema Write

directory*

publishedSchema*

AttachObject Grants permission to attach an existing object to another existing object Write

directory*

AttachPolicy Grants permission to attach a policy object to any other object Write

directory*

AttachToIndex Grants permission to attach the specified object to the specified index Write

directory*

Grants permission to attach a typed link b/w a source & target object reference Write

directory*

BatchRead Grants permission to perform all the read operations in a batch. Each individual operation inside BatchRead needs to be granted permissions explicitly Read

directory*

BatchWrite Grants permission to perform all the write operations in a batch. Each individual operation inside BatchWrite needs to be granted permissions explicitly Write

directory*

CreateDirectory Grants permission to create a Directory by copying the published schema into the directory Write

publishedSchema*

CreateFacet Grants permission to create a new Facet in a schema Write

appliedSchema*

developmentSchema*

CreateIndex Grants permission to create an index object Write

directory*

CreateObject Grants permission to create an object in a Directory Write

directory*

CreateSchema Grants permission to create a new schema in a development state Write
CreateTypedLinkFacet Grants permission to create a new Typed Link facet in a schema Write

appliedSchema*

developmentSchema*

DeleteDirectory Grants permission to delete a directory. Only disabled directories can be deleted Write

directory*

DeleteFacet Grants permission to delete a given Facet. All attributes and Rules associated with the facet will be deleted Write

developmentSchema*

DeleteObject Grants permission to delete an object and its associated attributes Write

directory*

DeleteSchema Grants permission to delete a given schema Write

developmentSchema*

publishedSchema*

DeleteTypedLinkFacet Grants permission to delete a given TypedLink Facet. All attributes and Rules associated with the facet will be deleted Write

developmentSchema*

DetachFromIndex Grants permission to detach the specified object from the specified index Write

directory*

DetachObject Grants permission to detach a given object from the parent object Write

directory*

DetachPolicy Grants permission to detach a policy from an object Write

directory*

Grants permission to detach a given typed link b/w given source and target object reference Write

directory*

DisableDirectory Grants permission to disable the specified directory Write

directory*

EnableDirectory Grants permission to enable the specified directory Write

directory*

GetAppliedSchemaVersion Grants permission to return current applied schema version ARN, including the minor version in use Read

appliedSchema*

GetDirectory Grants permission to retrieve metadata about a directory Read

directory*

GetFacet Grants permission to get details of the Facet, such as Facet Name, Attributes, Rules, or ObjectType Read

appliedSchema*

developmentSchema*

publishedSchema*

GetLinkAttributes Grants permission to retrieve attributes that are associated with a typed link Read

directory*

GetObjectAttributes Grants permission to retrieve attributes within a facet that are associated with an object Read

directory*

GetObjectInformation Grants permission to retrieve metadata about an object Read

directory*

GetSchemaAsJson Grants permission to retrieve a JSON representation of the schema Read

appliedSchema*

developmentSchema*

publishedSchema*

GetTypedLinkFacetInformation Grants permission to return identity attributes order information associated with a given typed link facet Read

appliedSchema*

developmentSchema*

publishedSchema*

ListAppliedSchemaArns Grants permission to list schemas applied to a directory List

directory*

ListAttachedIndices Grants permission to list indices attached to an object Read

directory*

ListDevelopmentSchemaArns Grants permission to retrieve the ARNs of schemas in the development state List
ListDirectories Grants permission to list directories created within an account List
ListFacetAttributes Grants permission to retrieve attributes attached to the facet Read

appliedSchema*

developmentSchema*

publishedSchema*

ListFacetNames Grants permission to retrieve the names of facets that exist in a schema Read

appliedSchema*

developmentSchema*

publishedSchema*

Grants permission to return a paginated list of all incoming TypedLinks for a given object Read

directory*

ListIndex Grants permission to list objects attached to the specified index Read

directory*

ListManagedSchemaArns Grants permission to list the major version families of each managed schema. If a major version ARN is provided as SchemaArn, the minor version revisions in that family are listed instead List
ListObjectAttributes Grants permission to list all attributes associated with an object Read

directory*

ListObjectChildren Grants permission to return a paginated list of child objects associated with a given object Read

directory*

ListObjectParentPaths Grants permission to retrieve all available parent paths for any object type such as node, leaf node, policy node, and index node objects Read

directory*

ListObjectParents Grants permission to list parent objects associated with a given object in pagination fashion Read

directory*

ListObjectPolicies Grants permission to return policies attached to an object in pagination fashion Read

directory*

Grants permission to return a paginated list of all outgoing TypedLinks for a given object Read

directory*

ListPolicyAttachments Grants permission to return all of the ObjectIdentifiers to which a given policy is attached Read

directory*

ListPublishedSchemaArns Grants permission to retrieve published schema ARNs List
ListTagsForResource Grants permission to return tags for a resource Read

directory*

ListTypedLinkFacetAttributes Grants permission to return a paginated list of attributes associated with typed link facet Read

appliedSchema*

developmentSchema*

publishedSchema*

ListTypedLinkFacetNames Grants permission to return a paginated list of typed link facet names that exist in a schema Read

appliedSchema*

developmentSchema*

publishedSchema*

LookupPolicy Grants permission to list all policies from the root of the Directory to the object specified Read

directory*

PublishSchema Grants permission to publish a development schema with a version Write

developmentSchema*

PutSchemaFromJson Grants permission to update a schema using JSON upload. Only available for development schemas Write
RemoveFacetFromObject Grants permission to remove the specified facet from the specified object Write

directory*

TagResource Grants permission to add tags to a resource Tagging

directory*

UntagResource Grants permission to remove tags from a resource Tagging

directory*

UpdateFacet Grants permission to add/update/delete existing Attributes, Rules, or ObjectType of a Facet Write

appliedSchema*

developmentSchema*

UpdateLinkAttributes Grants permission to update a given typed link’s attributes. Attributes to be updated must not contribute to the typed link’s identity, as defined by its IdentityAttributeOrder Write

directory*

UpdateObjectAttributes Grants permission to update a given object's attributes Write

directory*

UpdateSchema Grants permission to update the schema name with a new name Write

developmentSchema*

UpdateTypedLinkFacet Grants permission to add/update/delete existing Attributes, Rules, identity attribute order of a TypedLink Facet Write

developmentSchema*

UpgradeAppliedSchema Grants permission to upgrade a single directory in-place using the PublishedSchemaArn with schema updates found in MinorVersion. Backwards-compatible minor version upgrades are instantaneously available for readers on all objects in the directory Write

directory*

publishedSchema*

UpgradePublishedSchema Grants permission to upgrade a published schema under a new minor version revision using the current contents of DevelopmentSchemaArn Write

developmentSchema*

publishedSchema*

Resource types defined by Amazon Cloud Directory

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.

Resource types ARN Condition keys
appliedSchema arn:${Partition}:clouddirectory:${Region}:${Account}:directory/${DirectoryId}/schema/${SchemaName}/${Version}
developmentSchema arn:${Partition}:clouddirectory:${Region}:${Account}:schema/development/${SchemaName}
directory arn:${Partition}:clouddirectory:${Region}:${Account}:directory/${DirectoryId}
publishedSchema arn:${Partition}:clouddirectory:${Region}:${Account}:schema/published/${SchemaName}/${Version}

Condition keys for Amazon Cloud Directory

Cloud Directory has no service-specific context keys that can be used in the Condition element of policy statements. For the list of the global context keys that are available to all services, see Available keys for conditions.