AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for AWS Greengrass

AWS Greengrass (service prefix: greengrass) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions Defined by AWS Greengrass

You can specify the following actions in the Action element of an IAM policy statement. By using policies, you define the permissions for anyone performing an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions. For details about the columns in the following table, see The Actions Table.

| Actions | Description | Access Level | Resource Types (*required) | Condition Keys | Dependent Actions |
|---|---|---|---|---|---|
| AssociateRoleToGroup | Associates a role with a group. | Write | | | |
| AssociateServiceRoleToAccount | Associates a role with the account. AWS Greengrass uses the role to access your Lambda functions and AWS IoT resources. | Permissions management | | | |
| CreateCoreDefinition | Creates a core definition. | Write | | | |
| CreateCoreDefinitionVersion | Creates a version of a core definition that has already been defined. AWS Greengrass Groups must each contain exactly 1 AWS Greengrass Core. | Write | | | |
| CreateDeployment | Creates a deployment. | Write | | | |
| CreateDeviceDefinition | Creates a device definition. | Write | | | |
| CreateDeviceDefinitionVersion | Creates a version of a device definition that has already been defined. | Write | | | |
| CreateFunctionDefinition | Creates a Lambda function definition, which contains a list of Lambda functions and their configurations to be used in a group. | Write | | | |
| CreateFunctionDefinitionVersion | Creates a version of a Lambda function definition that has already been defined. | Write | | | |
| CreateGroup | Creates a group. You may provide the group configuration data now or use CreateGroupVersion later. | Write | | | |
| CreateGroupCertificateAuthority | Creates a CA for the group. If a CA already exists, it will rotate the existing CA. | Write | | | |
| CreateGroupVersion | Creates a version of a group that has already been defined. | Write | | | |
| CreateLoggerDefinition | Creates a logger definition. | Write | | | |
| CreateLoggerDefinitionVersion | Creates a version of a logger definition that has already been defined. | Write | | | |
| CreateResourceDefinition | Creates a resource definition, which contains a list of resources to be used in a group. You can create an initial version of the definition by providing a list of resources now, or use CreateResourceDefinitionVersion later. | Write | | | |
| CreateResourceDefinitionVersion | Creates a version of a resource definition that has already been defined. | Write | | | |
| CreateSoftwareUpdateJob | Creates an AWS IoT job that will trigger your Greengrass cores to update the software they are running. | Write | | | |
| CreateSubscriptionDefinition | Creates a subscription definition. | Write | | | |
| CreateSubscriptionDefinitionVersion | Creates a version of a subscription definition that has already been defined. | Write | | | |
| DeleteCoreDefinition | Deletes a core definition. The core definition must not have been used in a deployment. | Write | | | |
| DeleteDeviceDefinition | Deletes a device definition. The device definition must not have been used in a deployment. | Write | | | |
| DeleteFunctionDefinition | Deletes a Lambda function definition. The Lambda function definition must not have been used in a deployment. | Write | | | |
| DeleteGroup | Deletes a group. The group must not have been used in a deployment. | Write | | | |
| DeleteLoggerDefinition | Deletes a logger definition. The logger definition must not have been used in a deployment. | Write | | | |
| DeleteResourceDefinition | Deletes a resource definition. | Write | | | |
| DeleteSubscriptionDefinition | Deletes a subscription definition. The subscription definition must not have been used in a deployment. | Write | | | |
| DisassociateRoleFromGroup | Disassociates the role from a group. | Write | | | |
| DisassociateServiceRoleFromAccount | Disassociates the service role from the account. Without a service role, deployments will not work. | Write | | | |
| GetAssociatedRole | Retrieves the role associated with a particular group. | Read | | | |
| GetConnectivityInfo | Retrieves the connectivity information for a core. | Read | | | |
| GetCoreDefinition | Retrieves information about a core definition. | Read | | | |
| GetCoreDefinitionVersion | Retrieves information about a core definition version. | Read | | | |
| GetDeploymentStatus | Returns the status of a deployment. | Read | | | |
| GetDeviceDefinition | Retrieves information about a device definition. | Read | | | |
| GetDeviceDefinitionVersion | Retrieves information about a device definition version. | Read | | | |
| GetFunctionDefinition | Retrieves information about a Lambda function definition, such as its creation time and latest version. | Read | | | |
| GetFunctionDefinitionVersion | Retrieves information about a Lambda function definition version, such as which Lambda functions are included in the version and their configurations. | Read | | | |
| GetGroup | Retrieves information about a group. | Read | | | |
| GetGroupCertificateAuthority | Retrieves the CA associated with a group. Returns the public key of the CA. | Read | | | |
| GetGroupCertificateConfiguration | Retrieves the current configuration for the CA used by the group. | Read | | | |
| GetGroupVersion | Retrieves information about a group version. | Read | | | |
| GetLoggerDefinition | Retrieves information about a logger definition. | Read | | | |
| GetLoggerDefinitionVersion | Retrieves information about a logger definition version. | Read | | | |
| GetResourceDefinition | Retrieves information about a resource definition, such as its creation time and latest version. | Read | | | |
| GetResourceDefinitionVersion | Retrieves information about a resource definition version, such as which resources are included in the version. | Read | | | |
| GetServiceRoleForAccount | Retrieves the service role that is attached to the account. | Read | | | |
| GetSubscriptionDefinition | Retrieves information about a subscription definition. | Read | | | |
| GetSubscriptionDefinitionVersion | Retrieves information about a subscription definition version. | Read | | | |
| ListCoreDefinitionVersions | Lists the versions of a core definition. | List | | | |
| ListCoreDefinitions | Retrieves a list of core definitions. | List | | | |
| ListDeployments | Returns a history of deployments for the group. | List | | | |
| ListDeviceDefinitionVersions | Lists the versions of a device definition. | List | | | |
| ListDeviceDefinitions | Retrieves a list of device definitions. | List | | | |
| ListFunctionDefinitionVersions | Lists the versions of a Lambda function definition. | List | | | |
| ListFunctionDefinitions | Retrieves a list of Lambda function definitions. | List | | | |
| ListGroupCertificateAuthorities | Retrieves the current CAs for a group. | List | | | |
| ListGroupVersions | Lists the versions of a group. | List | | | |
| ListGroups | Retrieves a list of groups. | List | | | |
| ListLoggerDefinitionVersions | Lists the versions of a logger definition. | List | | | |
| ListLoggerDefinitions | Retrieves a list of logger definitions. | List | | | |
| ListResourceDefinitionVersions | Lists the versions of a resource definition. | List | | | |
| ListResourceDefinitions | Retrieves a list of resource definitions. | List | | | |
| ListSubscriptionDefinitionVersions | Lists the versions of a subscription definition. | List | | | |
| ListSubscriptionDefinitions | Retrieves a list of subscription definitions. | List | | | |
| ResetDeployments | Resets a group's deployments. | Write | | | |
| UpdateConnectivityInfo | Updates the connectivity information for the core. Any devices that belong to the group which has this core will receive this information in order to find the location of the core and connect to it. | Write | | | |
| UpdateCoreDefinition | Updates a core definition. | Write | | | |
| UpdateDeviceDefinition | Updates a device definition. | Write | | | |
| UpdateFunctionDefinition | Updates a Lambda function definition. | Write | | | |
| UpdateGroup | Updates a group. | Write | | | |
| UpdateGroupCertificateConfiguration | Updates the certificate expiry time for a group. | Write | | | |
| UpdateLoggerDefinition | Updates a logger definition. | Write | | | |
| UpdateResourceDefinition | Updates a resource definition. | Write | | | |
| UpdateSubscriptionDefinition | Updates a subscription definition. | Write | | | |

Resources Defined by Greengrass

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.

| Resource Types | ARN | Condition Keys |
|---|---|---|
| artifact | arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/groups/${GroupId}/deployments/${DeploymentId}/artifacts/lambda/${ArtifactId} | |
| certificateAuthority | arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/groups/${GroupId}/certificateauthorities/${CertificateAuthorityId} | |
| definition | arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/${DefinitionName}/${DefinitionId} | |
| definitionVersion | arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/${DefinitionName}/${DefinitionId}/versions/${VersionId} | |
| deployment | arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/groups/${GroupId}/deployments/${DeploymentId} | |
| group | arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/groups/${GroupId} | |
| groupVersion | arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/groups/${GroupId}/versions/${VersionId} | |
| resourceDefinition | arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/resources/${ResourceDefinitionId} | |
| resourceDefinitionVersion | arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/resources/${ResourceDefinitionId}/versions/${VersionId} | |

Condition Keys for AWS Greengrass

Greengrass has no service-specific context keys that can be used in the Condition element of policy statements. For the list of global context keys that are available to all services, see Available Keys for Conditions in the IAM Policy Reference.