AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for AWS Greengrass

AWS Greengrass (service prefix: greengrass) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions Defined by AWS Greengrass

You can specify the following actions in the Action element of an IAM policy statement. By using policies, you define the permissions for anyone performing an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions. For details about the columns in the following table, see The Actions Table.

No action on this page lists a resource type, condition key, or dependent action, so those three columns are empty for every row and only the Action, Description, and Access Level columns are shown below.

Action | Description | Access Level
AssociateRoleToGroup | Associates a role with a group. | Write
AssociateServiceRoleToAccount | Associates a role with the account. AWS Greengrass uses the role to access your Lambda functions and AWS IoT resources. | Permissions management
CreateCoreDefinition | Creates a core definition. | Write
CreateCoreDefinitionVersion | Creates a version of a core definition that has already been defined. Each AWS Greengrass group must contain exactly one AWS Greengrass core. | Write
CreateDeployment | Creates a deployment. | Write
CreateDeviceDefinition | Creates a device definition. | Write
CreateDeviceDefinitionVersion | Creates a version of a device definition that has already been defined. | Write
CreateFunctionDefinition | Creates a Lambda function definition, which contains a list of Lambda functions and their configurations to be used in a group. | Write
CreateFunctionDefinitionVersion | Creates a version of a Lambda function definition that has already been defined. | Write
CreateGroup | Creates a group. You may provide the group configuration data now or use CreateGroupVersion later. | Write
CreateGroupCertificateAuthority | Creates a CA for the group. If a CA already exists, it rotates the existing CA. | Write
CreateGroupVersion | Creates a version of a group that has already been defined. | Write
CreateLoggerDefinition | Creates a logger definition. | Write
CreateLoggerDefinitionVersion | Creates a version of a logger definition that has already been defined. | Write
CreateResourceDefinition | Creates a resource definition, which contains a list of resources to be used in a group. You can create an initial version of the definition by providing a list of resources now, or use CreateResourceDefinitionVersion later. | Write
CreateResourceDefinitionVersion | Creates a version of a resource definition that has already been defined. | Write
CreateSoftwareUpdateJob | Creates an AWS IoT job that triggers your Greengrass cores to update the software they are running. | Write
CreateSubscriptionDefinition | Creates a subscription definition. | Write
CreateSubscriptionDefinitionVersion | Creates a version of a subscription definition that has already been defined. | Write
DeleteCoreDefinition | Deletes a core definition. The core definition must not have been used in a deployment. | Write
DeleteDeviceDefinition | Deletes a device definition. The device definition must not have been used in a deployment. | Write
DeleteFunctionDefinition | Deletes a Lambda function definition. The Lambda function definition must not have been used in a deployment. | Write
DeleteGroup | Deletes a group. The group must not have been used in a deployment. | Write
DeleteLoggerDefinition | Deletes a logger definition. The logger definition must not have been used in a deployment. | Write
DeleteResourceDefinition | Deletes a resource definition. | Write
DeleteSubscriptionDefinition | Deletes a subscription definition. The subscription definition must not have been used in a deployment. | Write
DisassociateRoleFromGroup | Disassociates the role from a group. | Write
DisassociateServiceRoleFromAccount | Disassociates the service role from the account. Without a service role, deployments will not work. | Write
GetAssociatedRole | Retrieves the role associated with a particular group. | Read
GetConnectivityInfo | Retrieves the connectivity information for a core. | Read
GetCoreDefinition | Retrieves information about a core definition. | Read
GetCoreDefinitionVersion | Retrieves information about a core definition version. | Read
GetDeploymentStatus | Returns the status of a deployment. | Read
GetDeviceDefinition | Retrieves information about a device definition. | Read
GetDeviceDefinitionVersion | Retrieves information about a device definition version. | Read
GetFunctionDefinition | Retrieves information about a Lambda function definition, such as its creation time and latest version. | Read
GetFunctionDefinitionVersion | Retrieves information about a Lambda function definition version, such as which Lambda functions are included in the version and their configurations. | Read
GetGroup | Retrieves information about a group. | Read
GetGroupCertificateAuthority | Retrieves the CA associated with a group. Returns the public key of the CA. | Read
GetGroupCertificateConfiguration | Retrieves the current configuration for the CA used by the group. | Read
GetGroupVersion | Retrieves information about a group version. | Read
GetLoggerDefinition | Retrieves information about a logger definition. | Read
GetLoggerDefinitionVersion | Retrieves information about a logger definition version. | Read
GetResourceDefinition | Retrieves information about a resource definition, such as its creation time and latest version. | Read
GetResourceDefinitionVersion | Retrieves information about a resource definition version, such as which resources are included in the version. | Read
GetServiceRoleForAccount | Retrieves the service role that is attached to the account. | Read
GetSubscriptionDefinition | Retrieves information about a subscription definition. | Read
GetSubscriptionDefinitionVersion | Retrieves information about a subscription definition version. | Read
ListCoreDefinitionVersions | Lists the versions of a core definition. | List
ListCoreDefinitions | Retrieves a list of core definitions. | List
ListDeployments | Returns a history of deployments for the group. | List
ListDeviceDefinitionVersions | Lists the versions of a device definition. | List
ListDeviceDefinitions | Retrieves a list of device definitions. | List
ListFunctionDefinitionVersions | Lists the versions of a Lambda function definition. | List
ListFunctionDefinitions | Retrieves a list of Lambda function definitions. | List
ListGroupCertificateAuthorities | Retrieves the current CAs for a group. | List
ListGroupVersions | Lists the versions of a group. | List
ListGroups | Retrieves a list of groups. | List
ListLoggerDefinitionVersions | Lists the versions of a logger definition. | List
ListLoggerDefinitions | Retrieves a list of logger definitions. | List
ListResourceDefinitionVersions | Lists the versions of a resource definition. | List
ListResourceDefinitions | Retrieves a list of resource definitions. | List
ListSubscriptionDefinitionVersions | Lists the versions of a subscription definition. | List
ListSubscriptionDefinitions | Retrieves a list of subscription definitions. | List
ResetDeployments | Resets a group's deployments. | Write
UpdateConnectivityInfo | Updates the connectivity information for the core. Any devices that belong to the group that has this core receive this information in order to find the location of the core and connect to it. | Write
UpdateCoreDefinition | Updates a core definition. | Write
UpdateDeviceDefinition | Updates a device definition. | Write
UpdateFunctionDefinition | Updates a Lambda function definition. | Write
UpdateGroup | Updates a group. | Write
UpdateGroupCertificateConfiguration | Updates the certificate expiry time for a group. | Write
UpdateLoggerDefinition | Updates a logger definition. | Write
UpdateResourceDefinition | Updates a resource definition. | Write
UpdateSubscriptionDefinition | Updates a subscription definition. | Write
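The access levels in this table are what a policy reviewer uses to tell a harmless grant from a dangerous one. AssociateServiceRoleToAccount is the only Permissions management action on the page: it binds the role that AWS Greengrass then uses to reach your Lambda functions and AWS IoT resources, so a wildcard such as greengrass:* or greengrass:Associate* hands it out silently. The following script is an added example for this page, not AWS code or documentation. It rebuilds the 74 action names from the naming pattern in the table, assigns access levels by the table's rule (Get* is Read, List* is List, AssociateServiceRoleToAccount is Permissions management, everything else is Write), expands the wildcards an Action element may contain, and audits two constructed policies. The account, region and group IDs are placeholders, and because the table lists no resource type per action, scoping CreateDeployment and ResetDeployments to a group ARN in the sample is an assumption to verify against the current AWS reference.

```python
"""Audit IAM policy statements against the AWS Greengrass actions table.

Added example for this page; not AWS code. The 74 action names are rebuilt
from the table's naming pattern and access levels follow the table. Account,
region and group IDs in the sample policies are constructed placeholders.
"""
import re

_DEFINITION_KINDS = ["Core", "Device", "Function", "Logger", "Resource", "Subscription"]
# Actions that do not follow the Create/Delete/Get/List/Update definition pattern.
_OTHER_ACTIONS = [
    "AssociateRoleToGroup", "AssociateServiceRoleToAccount", "CreateDeployment",
    "CreateGroupCertificateAuthority", "CreateSoftwareUpdateJob",
    "DisassociateRoleFromGroup", "DisassociateServiceRoleFromAccount",
    "GetAssociatedRole", "GetConnectivityInfo", "GetDeploymentStatus",
    "GetGroupCertificateAuthority", "GetGroupCertificateConfiguration",
    "GetServiceRoleForAccount", "ListDeployments", "ListGroupCertificateAuthorities",
    "ResetDeployments", "UpdateConnectivityInfo", "UpdateGroupCertificateConfiguration",
]


def greengrass_actions():
    """The 74 action names from the table, without the 'greengrass:' prefix."""
    names = []
    for base in [k + "Definition" for k in _DEFINITION_KINDS] + ["Group"]:
        names += [f"Create{base}", f"Create{base}Version", f"Delete{base}",
                  f"Get{base}", f"Get{base}Version", f"List{base}Versions",
                  f"List{base}s", f"Update{base}"]
    return sorted(names + _OTHER_ACTIONS)


def access_level(action):
    """Access Level column of the table for one action name."""
    if action == "AssociateServiceRoleToAccount":
        return "Permissions management"
    if action.startswith("Get"):
        return "Read"
    if action.startswith("List"):
        return "List"
    return "Write"


def _glob(pattern):
    # IAM action names match case-insensitively; '*' matches any run of characters.
    return re.compile(re.escape(pattern).replace(r"\*", ".*"), re.IGNORECASE)


def expand_action(entry):
    """Concrete greengrass actions matched by one Action element entry such as
    'greengrass:Get*', 'greengrass:*' or '*'. Entries for other services give
    an empty set."""
    if entry == "*":
        return set(greengrass_actions())
    service, _, name = entry.partition(":")
    if not _glob(service).fullmatch("greengrass"):
        return set()
    name_rx = _glob(name)
    return {a for a in greengrass_actions() if name_rx.fullmatch(a)}


def audit(policy):
    """Sorted (sid, finding, action) tuples for Allow statements that grant the
    Permissions management action, or Write actions on Resource '*'."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        for action in {a for entry in actions for a in expand_action(entry)}:
            level = access_level(action)
            if level == "Permissions management":
                findings.append((st.get("Sid", ""), "permissions-management", action))
            elif level == "Write" and "*" in resources:
                findings.append((st.get("Sid", ""), "unscoped-write", action))
    return sorted(findings)


# Constructed sample: the over-broad "just give it Greengrass" policy.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllGreengrass", "Effect": "Allow", "Action": "greengrass:*", "Resource": "*"}]}

# Constructed sample: read-only everywhere, deployments on one group only, and an
# explicit deny on the service-role binding. The group ARN follows the 'group'
# row of the resource table; account and group IDs are placeholders.
GROUP_ARN = "arn:aws:greengrass:us-east-1:123456789012:/greengrass/groups/0123abcd-example"
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadOnly", "Effect": "Allow",
     "Action": ["greengrass:Get*", "greengrass:List*"], "Resource": "*"},
    {"Sid": "DeployOneGroup", "Effect": "Allow",
     "Action": ["greengrass:CreateDeployment", "greengrass:ResetDeployments"],
     "Resource": [GROUP_ARN, GROUP_ARN + "/deployments/*"]},
    {"Sid": "NeverBindServiceRole", "Effect": "Deny",
     "Action": "greengrass:AssociateServiceRoleToAccount", "Resource": "*"}]}

if __name__ == "__main__":
    for name, policy in [("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)]:
        print(f"{name}: {len(audit(policy))} findings", audit(policy)[:3])
```

Running the script reports 38 findings for the broad policy (the Permissions management action plus all 37 Write actions on an unscoped resource) and none for the scoped one. The explicit Deny in the scoped policy is deliberate: a later Allow of greengrass:* attached to the same principal would otherwise reintroduce the service-role binding.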

Resources Defined by Greengrass

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.

No resource type on this page lists condition keys, so that column is empty for every row and only the resource type and its ARN format are shown.

Resource Type | ARN
artifact | arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/groups/${GroupId}/deployments/${DeploymentId}/artifacts/lambda/${ArtifactId}
certificateAuthority | arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/groups/${GroupId}/certificateauthorities/${CertificateAuthorityId}
definition | arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/${DefinitionName}/${DefinitionId}
definitionVersion | arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/${DefinitionName}/${DefinitionId}/versions/${VersionId}
deployment | arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/groups/${GroupId}/deployments/${DeploymentId}
group | arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/groups/${GroupId}
groupVersion | arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/groups/${GroupId}/versions/${VersionId}
resourceDefinition | arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/resources/${ResourceDefinitionId}
resourceDefinitionVersion | arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/resources/${ResourceDefinitionId}/versions/${VersionId}
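Every template above shares the prefix arn:${Partition}:greengrass:${Region}:${Account}:/greengrass and differs only in the path that follows, and group-scoped resources (deployments, versions, CAs, artifacts) nest under /groups/${GroupId}. That nesting is what lets a policy be scoped to one group, and it is also where wildcard patterns go wrong. The following is an added example for this page, not AWS code or documentation: it fills the nine templates, recognises which resource type an arbitrary ARN belongs to, and applies the IAM Resource-element matching rule ('*' matches any run of characters, slashes included, and '?' one character) to show that a pattern ending in <id>* also covers any group whose ID merely starts with <id>, whereas <id>/* covers that group's sub-resources and not the group itself. All IDs, the account and the region are constructed placeholders.

```python
"""Build, recognise and wildcard-match AWS Greengrass resource ARNs.

Added example for this page, not AWS code. The nine templates are the ARN
column of the resource-type table; every id, account and region used below
is a constructed placeholder.
"""
import re
import string

# Shared ARN prefix from the table; each entry below is the part after it.
_PREFIX = "arn:${Partition}:greengrass:${Region}:${Account}:/greengrass"
ARN_TEMPLATES = {
    "artifact": "/groups/${GroupId}/deployments/${DeploymentId}/artifacts/lambda/${ArtifactId}",
    "certificateAuthority": "/groups/${GroupId}/certificateauthorities/${CertificateAuthorityId}",
    "definition": "/definition/${DefinitionName}/${DefinitionId}",
    "definitionVersion": "/definition/${DefinitionName}/${DefinitionId}/versions/${VersionId}",
    "deployment": "/groups/${GroupId}/deployments/${DeploymentId}",
    "group": "/groups/${GroupId}",
    "groupVersion": "/groups/${GroupId}/versions/${VersionId}",
    "resourceDefinition": "/definition/resources/${ResourceDefinitionId}",
    "resourceDefinitionVersion": "/definition/resources/${ResourceDefinitionId}/versions/${VersionId}",
}
_PLACEHOLDER = re.compile(r"\$\{(\w+)\}")


def build_arn(resource_type, **fields):
    """Fill one template. Partition defaults to 'aws'; any other missing
    placeholder raises KeyError rather than emitting a half-built ARN."""
    fields.setdefault("Partition", "aws")
    return string.Template(_PREFIX + ARN_TEMPLATES[resource_type]).substitute(fields)


def _template_regex(template):
    """Compile a template into a regex; each ${Name} becomes a named group that
    matches exactly one ARN field or path segment (no '/' or ':')."""
    parts = _PLACEHOLDER.split(template)  # literal, name, literal, ..., literal
    return re.compile("".join(
        re.escape(p) if i % 2 == 0 else f"(?P<{p}>[^/:]+)" for i, p in enumerate(parts)))


def classify_arn(arn):
    """Return (resource_type, fields) for a Greengrass ARN, else None. Templates
    with more literal text are tried first, so '/definition/resources/<id>' is
    reported as resourceDefinition rather than as the generic definition form."""
    by_specificity = sorted(
        ARN_TEMPLATES, key=lambda t: -len(_PLACEHOLDER.sub("", ARN_TEMPLATES[t])))
    for rtype in by_specificity:
        m = _template_regex(_PREFIX + ARN_TEMPLATES[rtype]).fullmatch(arn)
        if m:
            return rtype, m.groupdict()
    return None


def resource_matches(pattern, arn):
    """True if an IAM Resource pattern covers the ARN ('*' any run, '?' one char)."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, arn) is not None


def covered_by(pattern, arns):
    """The subset of arns that a Resource pattern grants access to."""
    return [a for a in arns if resource_matches(pattern, a)]


if __name__ == "__main__":
    ids = dict(Region="us-east-1", Account="123456789012")  # placeholders
    g1 = build_arn("group", GroupId="g1", **ids)
    g1_other = build_arn("group", GroupId="g1-other", **ids)
    dep = build_arn("deployment", GroupId="g1", DeploymentId="d1", **ids)
    # A '*' glued to the id also matches ids that merely start with it.
    print(covered_by(g1 + "*", [g1, g1_other, dep]))   # all three
    print(covered_by(g1 + "/*", [g1, g1_other, dep]))  # only the deployment
    print(classify_arn(build_arn("resourceDefinition", ResourceDefinitionId="r1", **ids)))
```

The practical consequence for a policy author is that a group-scoped statement needs two Resource entries, the exact group ARN and the group ARN followed by /*, rather than the group ARN followed by a bare *.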

Condition Keys for AWS Greengrass

Greengrass has no service-specific context keys that can be used in the Condition element of policy statements. For the list of the global context keys that are available to all services, see Available Keys for Conditions in the IAM Policy Reference.