AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for AWS Device Farm

AWS Device Farm (service prefix: devicefarm) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions Defined by AWS Device Farm

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see The Actions Table.

| Actions | Description | Access Level | Resource Types (*required) | Condition Keys | Dependent Actions |
|---|---|---|---|---|---|
| CreateDevicePool | Grants permission to create a device pool within a project | Write | project* | | |
| CreateInstanceProfile | Grants permission to create a device instance profile | Write | | | |
| CreateNetworkProfile | Grants permission to create a network profile within a project | Write | project* | | |
| CreateProject | Grants permission to create a project | Tagging | | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateRemoteAccessSession | Grants permission to start a remote access session to a device instance | Write | device*, project*, deviceinstance, upload | | |
| CreateUpload | Grants permission to upload a new file or app within a project | Write | project* | | |
| CreateVPCEConfiguration | Grants permission to create an Amazon Virtual Private Cloud (VPC) endpoint configuration | Write | | | |
| DeleteDevicePool | Grants permission to delete a user-generated device pool | Write | devicepool* | | |
| DeleteInstanceProfile | Grants permission to delete a user-generated instance profile | Write | instanceprofile* | | |
| DeleteNetworkProfile | Grants permission to delete a user-generated network profile | Write | networkprofile* | | |
| DeleteProject | Grants permission to delete a project | Write | project* | | |
| DeleteRemoteAccessSession | Grants permission to delete a completed remote access session and its results | Write | session* | | |
| DeleteRun | Grants permission to delete a run | Write | run* | | |
| DeleteUpload | Grants permission to delete a user-uploaded file | Write | upload* | | |
| DeleteVPCEConfiguration | Grants permission to delete an Amazon Virtual Private Cloud (VPC) endpoint configuration | Write | vpceconfiguration* | | |
| GetAccountSettings | Grants permission to retrieve the number of unmetered iOS and/or unmetered Android devices purchased by the account | Read | | | |
| GetDevice | Grants permission to retrieve the information of a unique device type | Read | device* | | |
| GetDeviceInstance | Grants permission to retrieve the information of a device instance | Read | deviceinstance* | | |
| GetDevicePool | Grants permission to retrieve the information of a device pool | Read | devicepool* | | |
| GetDevicePoolCompatibility | Grants permission to retrieve information about the compatibility of a test and/or app with a device pool | Read | devicepool*, upload | | |
| GetInstanceProfile | Grants permission to retrieve the information of an instance profile | Read | instanceprofile* | | |
| GetJob | Grants permission to retrieve the information of a job | Read | job* | | |
| GetNetworkProfile | Grants permission to retrieve the information of a network profile | Read | networkprofile* | | |
| GetOfferingStatus | Grants permission to retrieve the current status and future status of all offerings purchased by an AWS account | Read | | | |
| GetProject | Grants permission to retrieve information about a project | Read | project* | | |
| GetRemoteAccessSession | Grants permission to retrieve the link to a currently running remote access session | Read | session* | | |
| GetRun | Grants permission to retrieve the information of a run | Read | run* | | |
| GetSuite | Grants permission to retrieve the information of a testing suite | Read | suite* | | |
| GetTest | Grants permission to retrieve the information of a test case | Read | test* | | |
| GetUpload | Grants permission to retrieve the information of an uploaded file | Read | upload* | | |
| GetVPCEConfiguration | Grants permission to retrieve the information of an Amazon Virtual Private Cloud (VPC) endpoint configuration | Read | vpceconfiguration* | | |
| InstallToRemoteAccessSession | Grants permission to install an application to a device in a remote access session | Write | session*, upload* | | |
| ListArtifacts | Grants permission to list the artifacts in a project | List | job, run, suite, test | | |
| ListDeviceInstances | Grants permission to list the information of device instances | List | | | |
| ListDevicePools | Grants permission to list the information of device pools | List | project* | | |
| ListDevices | Grants permission to list the information of unique device types | List | | | |
| ListInstanceProfiles | Grants permission to list the information of device instance profiles | List | | | |
| ListJobs | Grants permission to list the information of jobs within a run | List | run* | | |
| ListNetworkProfiles | Grants permission to list the information of network profiles within a project | List | project* | | |
| ListOfferingPromotions | Grants permission to list the offering promotions | List | | | |
| ListOfferingTransactions | Grants permission to list all of the historical purchases, renewals, and system renewal transactions for an AWS account | List | | | |
| ListOfferings | Grants permission to list the products or offerings that the user can manage through the API | List | | | |
| ListProjects | Grants permission to list the information of projects for an AWS account | List | | | |
| ListRemoteAccessSessions | Grants permission to list the information of currently running remote access sessions | List | project* | | |
| ListRuns | Grants permission to list the information of runs within a project | List | project* | | |
| ListSamples | Grants permission to list the information of samples within a project | List | job* | | |
| ListSuites | Grants permission to list the information of testing suites within a job | List | job* | | |
| ListTagsForResource | Grants permission to list the tags of a resource | List | device, deviceinstance, devicepool, instanceprofile, networkprofile, project, run, session, vpceconfiguration | | |
| ListTests | Grants permission to list the information of tests within a testing suite | List | suite* | | |
| ListUniqueProblems | Grants permission to list the information of unique problems within a run | List | run* | | |
| ListUploads | Grants permission to list the information of uploads within a project | List | project* | | |
| ListVPCEConfigurations | Grants permission to list the information of Amazon Virtual Private Cloud (VPC) endpoint configurations | List | | | |
| PurchaseOffering | Grants permission to purchase offerings for an AWS account | Write | | | |
| RenewOffering | Grants permission to set the quantity of devices to renew for an offering | Write | | | |
| ScheduleRun | Grants permission to schedule a run | Write | project*, devicepool, upload | | |
| ScheduleRun (SCENARIO: Device Pool as filter) | | | devicepool*, project*, upload | | |
| ScheduleRun (SCENARIO: Device Selection Configuration as filter) | | | project*, upload | | |
| StopJob | Grants permission to terminate a running job | Write | job* | | |
| StopRemoteAccessSession | Grants permission to terminate a running remote access session | Write | session* | | |
| StopRun | Grants permission to terminate a running test run | Write | run* | | |
| TagResource | Grants permission to add tags to a resource | Tagging | device, deviceinstance, devicepool, instanceprofile, networkprofile, project, run, session, vpceconfiguration | aws:RequestTag/${TagKey}, aws:TagKeys | |
| UntagResource | Grants permission to remove tags from a resource | Tagging | device, deviceinstance, devicepool, instanceprofile, networkprofile, project, run, session, vpceconfiguration | aws:TagKeys | |
| UpdateDeviceInstance | Grants permission to modify an existing device instance | Write | deviceinstance*, instanceprofile | | |
| UpdateDevicePool | Grants permission to modify an existing device pool | Write | devicepool* | | |
| UpdateInstanceProfile | Grants permission to modify an existing instance profile | Write | instanceprofile* | | |
| UpdateNetworkProfile | Grants permission to modify an existing network profile | Write | networkprofile* | | |
| UpdateProject | Grants permission to modify an existing project | Write | project* | | |
| UpdateUpload | Grants permission to modify an existing upload | Write | upload* | | |
| UpdateVPCEConfiguration | Grants permission to modify an existing Amazon Virtual Private Cloud (VPC) endpoint configuration | Write | vpceconfiguration* | | |

Resources Defined by AWS Device Farm

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.

| Resource Types | ARN | Condition Keys |
|---|---|---|
| project | arn:${Partition}:devicefarm:${Region}:${Account}:project:${ResourceId} | aws:ResourceTag/${TagKey} |
| run | arn:${Partition}:devicefarm:${Region}:${Account}:run:${ResourceId} | aws:ResourceTag/${TagKey} |
| job | arn:${Partition}:devicefarm:${Region}:${Account}:job:${ResourceId} | |
| suite | arn:${Partition}:devicefarm:${Region}:${Account}:suite:${ResourceId} | |
| test | arn:${Partition}:devicefarm:${Region}:${Account}:test:${ResourceId} | |
| upload | arn:${Partition}:devicefarm:${Region}:${Account}:upload:${ResourceId} | |
| artifact | arn:${Partition}:devicefarm:${Region}:${Account}:artifact:${ResourceId} | |
| sample | arn:${Partition}:devicefarm:${Region}:${Account}:sample:${ResourceId} | |
| networkprofile | arn:${Partition}:devicefarm:${Region}:${Account}:networkprofile:${ResourceId} | aws:ResourceTag/${TagKey} |
| deviceinstance | arn:${Partition}:devicefarm:${Region}::deviceinstance:${ResourceId} | aws:ResourceTag/${TagKey} |
| session | arn:${Partition}:devicefarm:${Region}:${Account}:session:${ResourceId} | aws:ResourceTag/${TagKey} |
| devicepool | arn:${Partition}:devicefarm:${Region}:${Account}:devicepool:${ResourceId} | aws:ResourceTag/${TagKey} |
| device | arn:${Partition}:devicefarm:${Region}::device:${ResourceId} | aws:ResourceTag/${TagKey} |
| instanceprofile | arn:${Partition}:devicefarm:${Region}:${Account}:instanceprofile:${ResourceId} | aws:ResourceTag/${TagKey} |
| vpceconfiguration | arn:${Partition}:devicefarm:${Region}:${Account}:vpceconfiguration:${ResourceId} | aws:ResourceTag/${TagKey} |
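
The two rules stated above the Actions table (a blank Resource Types value means the statement must use "*", and a resource ARN must be of a type the action accepts) can be checked mechanically before a policy is deployed. The following Python is an added example, not AWS code: the `SUPPORTED` subset, the function names, and the sample policy with its account ID, Region and resource ID are constructed for illustration.

```python
# action -> resource types, copied from a subset of the Actions table on this
# page. An empty set means the Resource Types column is blank, so "*" is the
# only valid Resource value. Required (*) and optional types are not
# distinguished in this check.
SUPPORTED = {
    "ListProjects": set(),
    "GetProject": {"project"},
    "ListRuns": {"project"},
    "ScheduleRun": {"project", "devicepool", "upload"},
    "StopRun": {"run"},
}

# Constructed sample input: account, region and resource ID are placeholders.
PROJECT = "arn:aws:devicefarm:us-west-2:111122223333:project:EXAMPLE-PROJECT-ID"
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": PROJECT,
         "Action": ["devicefarm:ListProjects", "devicefarm:GetProject"]},
        {"Effect": "Allow", "Resource": PROJECT, "Action": "devicefarm:StopRun"},
        {"Effect": "Allow", "Resource": PROJECT,
         "Action": ["devicefarm:ListRuns", "devicefarm:ScheduleRun"]},
    ],
}

def as_list(value):
    return value if isinstance(value, list) else [value]

def arn_resource_type(arn):
    """Type field of arn:partition:devicefarm:region:account:type:id, else None."""
    parts = arn.split(":")
    if len(parts) < 7 or parts[2] != "devicefarm" or "*" in parts[5]:
        return None
    return parts[5]

def lint(policy):
    findings = []  # (statement index, action, resource, problem)
    for i, stmt in enumerate(as_list(policy["Statement"])):
        for action in as_list(stmt["Action"]):
            service, _, name = action.partition(":")
            if service != "devicefarm" or name not in SUPPORTED:
                continue  # other services and wildcard actions are skipped
            for res in as_list(stmt["Resource"]):
                rtype = arn_resource_type(res)
                if res != "*" and not SUPPORTED[name]:
                    findings.append((i, name, res, 'needs Resource "*"'))
                elif rtype and rtype not in SUPPORTED[name]:
                    findings.append((i, name, res, f"type {rtype} not accepted"))
    return findings
```

On the sample policy, `lint(POLICY)` reports `ListProjects` scoped to a project ARN in the first statement and `StopRun` given a project ARN instead of a run ARN in the second; the third statement passes.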

Condition Keys for AWS Device Farm

AWS Device Farm defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The Condition Keys Table.

To view the global condition keys that are available to all services, see Available Global Condition Keys in the IAM Policy Reference.

| Condition Keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters actions based on the allowed set of values for each of the tags | String |
| aws:ResourceTag/${TagKey} | Filters actions based on tag-value associated with the resource | String |
| aws:TagKeys | Filters actions based on the presence of mandatory tags in the request | String |