AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for Amazon Storage Gateway

Amazon Storage Gateway (service prefix: storagegateway) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions Defined by Amazon Storage Gateway

You can specify the following actions in the Action element of an IAM policy statement. By using policies, you define the permissions for anyone performing an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions. For details about the columns in the following table, see The Actions Table.

| Actions | Description | Access Level | Resource Types (*required) | Condition Keys | Dependent Actions |
|---|---|---|---|---|---|
| ActivateGateway | This operation activates the gateway you previously deployed on your host. | Write |  |  |  |
| AddCache | This operation configures one or more gateway local disks as cache for a cached-volume gateway. | Write | gateway* |  |  |
| AddTagsToResource | This operation adds one or more tags to the specified resource. | Tagging | gateway, tape, volume |  |  |
| AddUploadBuffer | This operation configures one or more gateway local disks as upload buffer for a specified gateway. | Write | gateway* |  |  |
| AddWorkingStorage | This operation configures one or more gateway local disks as working storage for a gateway. | Write | gateway* |  |  |
| CancelArchival | Cancels archiving of a virtual tape to the virtual tape shelf (VTS) after the archiving process is initiated. | Write | tape* |  |  |
| CancelRetrieval | Cancels retrieval of a virtual tape from the virtual tape shelf (VTS) to a gateway after the retrieval process is initiated. | Write | tape* |  |  |
| CreateCachediSCSIVolume | This operation creates a cached volume on a specified cached gateway. This operation is supported only for the gateway-cached volume architecture. | Write | gateway* |  |  |
| CreateNFSFileShare | This operation creates a file share on an existing file gateway. | Write | gateway* |  |  |
| CreateSnapshot | This operation initiates a snapshot of a volume. | Write | volume* |  |  |
| CreateSnapshotFromVolumeRecoveryPoint | This operation initiates a snapshot of a gateway from a volume recovery point. | Write | volume* |  |  |
| CreateStorediSCSIVolume | This operation creates a volume on a specified gateway. | Write | gateway* |  |  |
| CreateTapeWithBarcode | Creates a virtual tape by using your own barcode. | Write |  |  |  |
| CreateTapes | Creates one or more virtual tapes. You write data to the virtual tapes and then archive the tapes. | Write | gateway* |  |  |
| DeleteBandwidthRateLimit | This operation deletes the bandwidth rate limits of a gateway. | Write | gateway* |  |  |
| DeleteChapCredentials | This operation deletes Challenge-Handshake Authentication Protocol (CHAP) credentials for a specified iSCSI target and initiator pair. | Write | target* |  |  |
| DeleteFileShare | This operation deletes a file share from a file gateway. | Write | share* |  |  |
| DeleteGateway | This operation deletes a gateway. | Write | gateway* |  |  |
| DeleteSnapshotSchedule | This operation deletes a snapshot of a volume. | Write | volume* |  |  |
| DeleteTape | Deletes the specified virtual tape. | Write | gateway* |  |  |
| DeleteTapeArchive | Deletes the specified virtual tape from the virtual tape shelf (VTS). | Write |  |  |  |
| DeleteVolume | This operation deletes the specified gateway volume that you previously created using the CreateCachediSCSIVolume or CreateStorediSCSIVolume API. | Write | volume* |  |  |
| DescribeBandwidthRateLimit | This operation returns the bandwidth rate limits of a gateway. | Read | gateway* |  |  |
| DescribeCache | This operation returns information about the cache of a gateway. This operation is supported only for the gateway-cached volume architecture. | Read | gateway* |  |  |
| DescribeCachediSCSIVolumes | This operation returns a description of the gateway volumes specified in the request. This operation is supported only for the gateway-cached volume architecture. | Read | volume* |  |  |
| DescribeChapCredentials | This operation returns an array of Challenge-Handshake Authentication Protocol (CHAP) credentials information for a specified iSCSI target, one for each target-initiator pair. | Read | target* |  |  |
| DescribeGatewayInformation | This operation returns metadata about a gateway such as its name, network interfaces, configured time zone, and the state (whether the gateway is running or not). | Read | gateway* |  |  |
| DescribeMaintenanceStartTime | This operation returns your gateway's weekly maintenance start time, including the day and time of the week. | Read | gateway* |  |  |
| DescribeNFSFileShares | This operation gets a description for one or more file shares from a file gateway. | Read | share* |  |  |
| DescribeSMBFileShares | This operation gets a description for one or more file shares from a file gateway. | Read | share* |  |  |
| DescribeSMBSettings | This operation gets a description of the Server Message Block (SMB) file share settings from a file gateway. | Read | gateway* |  |  |
| DescribeSnapshotSchedule | This operation describes the snapshot schedule for the specified gateway volume. | Read | volume* |  |  |
| DescribeStorediSCSIVolumes | This operation returns the description of the gateway volumes specified in the request. | Read | volume* |  |  |
| DescribeTapeArchives | Returns a description of specified virtual tapes in the virtual tape shelf (VTS). | Read |  |  |  |
| DescribeTapeRecoveryPoints | Returns a list of virtual tape recovery points that are available for the specified gateway-VTL. | Read | gateway* |  |  |
| DescribeTapes | Returns a description of the specified Amazon Resource Name (ARN) of virtual tapes. | Read | gateway* |  |  |
| DescribeUploadBuffer | This operation returns information about the upload buffer of a gateway. | Read | gateway* |  |  |
| DescribeVTLDevices | Returns a description of virtual tape library (VTL) devices for the specified gateway. | Read | gateway* |  |  |
| DescribeWorkingStorage | This operation returns information about the working storage of a gateway. | Read | gateway* |  |  |
| DisableGateway | Disables a gateway when the gateway is no longer functioning. | Write | gateway* |  |  |
| ListFileShares | This operation gets a list of the file shares for a specific file gateway, or the list of file shares that belong to the calling user account. | List | gateway* |  |  |
| ListGateways | This operation lists gateways owned by an AWS account in a region specified in the request. The returned list is ordered by gateway Amazon Resource Name (ARN). | List |  |  |  |
| ListLocalDisks | This operation returns a list of the gateway's local disks. | List | gateway* |  |  |
| ListTagsForResource | This operation lists the tags that have been added to the specified resource. | Read | gateway, tape, volume |  |  |
| ListTapes | Lists virtual tapes in your virtual tape library (VTL) and your virtual tape shelf (VTS). | Read | tape* |  |  |
| ListVolumeInitiators | This operation lists iSCSI initiators that are connected to a volume. | Read | volume* |  |  |
| ListVolumeRecoveryPoints | This operation lists the recovery points for a specified gateway. | List | gateway* |  |  |
| ListVolumes | This operation lists the iSCSI stored volumes of a gateway. | List | gateway* |  |  |
| RefreshCache | This operation refreshes the cache for the specified file share. | Write | share* |  |  |
| RemoveTagsFromResource | This operation removes one or more tags from the specified resource. | Tagging | gateway, tape, volume |  |  |
| ResetCache | This operation resets all cache disks that have encountered an error and makes the disks available for reconfiguration as cache storage. | Write | gateway* |  |  |
| RetrieveTapeArchive | Retrieves an archived virtual tape from the virtual tape shelf (VTS) to a gateway-VTL. | Write | gateway* |  |  |
| RetrieveTapeRecoveryPoint | Retrieves the recovery point for the specified virtual tape. | Write | gateway* |  |  |
| SetLocalConsolePassword | Sets the password for your VM local console. | Write | gateway* |  |  |
| ShutdownGateway | This operation shuts down a gateway. | Write | gateway* |  |  |
| StartGateway | This operation starts a gateway that you previously shut down. | Write | gateway* |  |  |
| UpdateBandwidthRateLimit | This operation updates the bandwidth rate limits of a gateway. | Write | gateway* |  |  |
| UpdateChapCredentials | This operation updates the Challenge-Handshake Authentication Protocol (CHAP) credentials for a specified iSCSI target. | Write | target* |  |  |
| UpdateGatewayInformation | This operation updates a gateway's metadata, which includes the gateway's name and time zone. | Write | gateway* |  |  |
| UpdateGatewaySoftwareNow | This operation updates the gateway virtual machine (VM) software. | Write | gateway* |  |  |
| UpdateMaintenanceStartTime | This operation updates a gateway's weekly maintenance start time information, including day and time of the week. The maintenance time is the time in your gateway's time zone. | Write | gateway* |  |  |
| UpdateNFSFileShare | This operation updates a file share. | Write | share* |  |  |
| UpdateSnapshotSchedule | This operation updates a snapshot schedule configured for a gateway volume. | Write | volume* |  |  |
| UpdateVTLDeviceType | This operation updates the type of medium changer in a gateway-VTL. | Write | device* |  |  |

Resources Defined by Storage Gateway

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.

| Resource Types | ARN | Condition Keys |
|---|---|---|
| device | arn:${Partition}:storagegateway:${Region}:${Account}:gateway/${GatewayId}/device/${Vtldevice} |  |
| gateway | arn:${Partition}:storagegateway:${Region}:${Account}:gateway/${GatewayId} |  |
| share | arn:${Partition}:storagegateway:${Region}:${Account}:share/${ShareId} |  |
| tape | arn:${Partition}:storagegateway:${Region}:${Account}:gateway/${TapeBarcode} |  |
| target | arn:${Partition}:storagegateway:${Region}:${Account}:gateway/${GatewayId}/target/${IscsiTarget} |  |
| volume | arn:${Partition}:storagegateway:${Region}:${Account}:gateway/${GatewayId}/volume/${VolumeId} |  |
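The two tables above carry the information needed to write and check least-privilege statements: which resource types an action accepts, and the ARN format of each type. The practical consequence is that an action with an empty Resource Types cell (ActivateGateway, CreateTapeWithBarcode, DeleteTapeArchive, DescribeTapeArchives, ListGateways) only matches a statement whose Resource is "*", so mixing it into a statement scoped to a gateway ARN silently denies it, while scoping a resource-capable action to "*" is broader than necessary. The following linter is an added example written for this page, not AWS code or a published AWS tool; it embeds a subset of the Actions table, derives anchored regexes from the ARN formats, and checks a constructed policy against them. The account ID, gateway ID and volume ID are constructed placeholders, and the tape format is left out because, as printed in the table, it has the same shape as the gateway format and cannot be told apart from it.

```python
"""Least-privilege linter for Storage Gateway IAM statements (added example)."""
import re

# Subset of the Actions table: action -> resource types it supports.
# An empty set means the action has no resource type, so it only matches a
# statement whose Resource is "*".
ACTION_RESOURCE_TYPES = {
    "storagegateway:ActivateGateway": set(),
    "storagegateway:ListGateways": set(),
    "storagegateway:DescribeTapeArchives": set(),
    "storagegateway:DescribeGatewayInformation": {"gateway"},
    "storagegateway:ListVolumes": {"gateway"},
    "storagegateway:ShutdownGateway": {"gateway"},
    "storagegateway:DeleteGateway": {"gateway"},
    "storagegateway:CreateSnapshot": {"volume"},
    "storagegateway:DeleteVolume": {"volume"},
    "storagegateway:UpdateChapCredentials": {"target"},
    "storagegateway:RefreshCache": {"share"},
    "storagegateway:AddTagsToResource": {"gateway", "tape", "volume"},
}

# ARN formats from the Resource Types table as anchored regexes. Longer
# formats are listed first so a volume ARN is not mistaken for a gateway ARN.
# The tape format is omitted (see lead-in).
_PREFIX = r"^arn:[^:]+:storagegateway:[^:]*:[^:]*:"
ARN_PATTERNS = {
    "device": re.compile(_PREFIX + r"gateway/[^/]+/device/[^/]+$"),
    "target": re.compile(_PREFIX + r"gateway/[^/]+/target/[^/]+$"),
    "volume": re.compile(_PREFIX + r"gateway/[^/]+/volume/[^/]+$"),
    "gateway": re.compile(_PREFIX + r"gateway/[^/]+$"),
    "share": re.compile(_PREFIX + r"share/[^/]+$"),
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Statement."""
    return [value] if isinstance(value, (str, dict)) else list(value)


def classify_arn(arn):
    """Return the resource type an ARN belongs to, or None if no format matches."""
    for rtype, pattern in ARN_PATTERNS.items():
        if pattern.match(arn):
            return rtype
    return None


def lint_statement(stmt):
    """Return (action, resource, code) findings for one Allow statement."""
    findings = []
    resources = _as_list(stmt.get("Resource", []))
    for action in _as_list(stmt.get("Action", [])):
        supported = ACTION_RESOURCE_TYPES.get(action)
        if supported is None:
            findings.append((action, None, "UNKNOWN_ACTION"))
            continue
        for res in resources:
            if res == "*":
                # Legal for any action, but over-broad when the action could
                # have been scoped to a specific resource type.
                if supported:
                    findings.append((action, res, "WILDCARD_OVERBROAD"))
                continue
            rtype = classify_arn(res)
            if rtype is None:
                findings.append((action, res, "UNKNOWN_ARN"))
            elif not supported:
                # The action has no resource type: this pairing never matches.
                findings.append((action, res, "NO_RESOURCE_TYPE"))
            elif rtype not in supported:
                findings.append((action, res, "WRONG_RESOURCE_TYPE"))
    return findings


def lint_policy(policy):
    """Lint every Allow statement of a policy document (a parsed JSON dict)."""
    out = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow":
            out.extend(lint_statement(stmt))
    return out


# Constructed sample IDs (placeholders, not real resources).
GATEWAY_ARN = "arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-12A3456B"
VOLUME_ARN = GATEWAY_ARN + "/volume/vol-1122AABB"

SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Correctly scoped: both actions take a gateway resource.
            "Sid": "OperateOneGateway", "Effect": "Allow",
            "Action": ["storagegateway:DescribeGatewayInformation",
                       "storagegateway:ShutdownGateway"],
            "Resource": GATEWAY_ARN},
        {   # Actions without a resource type belong in their own "*" statement.
            "Sid": "AccountWideListing", "Effect": "Allow",
            "Action": ["storagegateway:ListGateways"], "Resource": "*"},
        {   # Mistakes the linter should catch.
            "Sid": "Broken", "Effect": "Allow",
            "Action": ["storagegateway:ActivateGateway",   # no resource type
                       "storagegateway:CreateSnapshot",    # needs a volume ARN
                       "storagegateway:DeleteGateway"],    # fine on the ARN, over-broad on "*"
            "Resource": [GATEWAY_ARN, "*"]},
    ],
}

if __name__ == "__main__":
    for action, resource, code in lint_policy(SAMPLE_POLICY):
        print(f"{code:20} {action} on {resource}")
```

On the constructed policy the first two statements are clean and the third yields four findings: ActivateGateway paired with a gateway ARN (NO_RESOURCE_TYPE), CreateSnapshot paired with a gateway ARN (WRONG_RESOURCE_TYPE), and CreateSnapshot and DeleteGateway each granted on "*" (WILDCARD_OVERBROAD). The fix is to split the statement: the no-resource-type action in a "*" statement, CreateSnapshot on the volume ARN, and DeleteGateway on the gateway ARN only.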

Condition Keys for Amazon Storage Gateway

Storage Gateway has no service-specific context keys that can be used in the Condition element of policy statements. For the list of the global context keys that are available to all services, see Available Keys for Conditions in the IAM Policy Reference.