AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for AWS Greengrass

AWS Greengrass (service prefix: greengrass) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions Defined by AWS Greengrass

You can specify the following actions in the Action element of an IAM policy statement. By using policies, you define the permissions for anyone performing an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions. For details about the columns in the following table, see The Actions Table.

Actions Description Access Level Resource Types (*required) Condition Keys Dependent Actions
AssociateRoleToGroup Grants permission to associate a role with a group. The role's permissions must allow Greengrass core Lambda functions and connectors to perform actions in other AWS services. Write

group*

AssociateServiceRoleToAccount Grants permission to associate a role with your account. AWS IoT Greengrass uses this role to access your Lambda functions and AWS IoT resources. Permissions management
CreateConnectorDefinition Grants permission to create a connector definition. Write

aws:RequestTag/${TagKey}

aws:TagKeys

CreateConnectorDefinitionVersion Grants permission to create a version of an existing connector definition. Write

connectorDefinition*

CreateCoreDefinition Grants permission to create a core definition. Write

aws:RequestTag/${TagKey}

aws:TagKeys

CreateCoreDefinitionVersion Grants permission to create a version of an existing core definition. Greengrass groups must each contain exactly one Greengrass core. Write

coreDefinition*

CreateDeployment Grants permission to create a deployment. Write

group*

CreateDeviceDefinition Grants permission to create a device definition. Write

aws:RequestTag/${TagKey}

aws:TagKeys

CreateDeviceDefinitionVersion Grants permission to create a version of an existing device definition. Write

deviceDefinition*

CreateFunctionDefinition Grants permission to create a Lambda function definition to be used in a group that contains a list of Lambda functions and their configurations. Write

aws:RequestTag/${TagKey}

aws:TagKeys

CreateFunctionDefinitionVersion Grants permission to create a version of an existing Lambda function definition. Write

functionDefinition*

CreateGroup Grants permission to create a group. Write

aws:RequestTag/${TagKey}

aws:TagKeys

CreateGroupCertificateAuthority Grants permission to create a CA for the group, or rotate the existing CA. Write

group*

CreateGroupVersion Grants permission to create a version of a group that has already been defined. Write

group*

CreateLoggerDefinition Grants permission to create a logger definition. Write

aws:RequestTag/${TagKey}

aws:TagKeys

CreateLoggerDefinitionVersion Grants permission to create a version of an existing logger definition. Write

loggerDefinition*

CreateResourceDefinition Grants permission to create a resource definition that contains a list of resources to be used in a group. Write

aws:RequestTag/${TagKey}

aws:TagKeys

CreateResourceDefinitionVersion Grants permission to create a version of an existing resource definition. Write

resourceDefinition*

CreateSoftwareUpdateJob Grants permission to create an AWS IoT job that will trigger your Greengrass cores to update the software they are running. Write
CreateSubscriptionDefinition Grants permission to create a subscription definition. Write

aws:RequestTag/${TagKey}

aws:TagKeys

CreateSubscriptionDefinitionVersion Grants permission to create a version of an existing subscription definition. Write

subscriptionDefinition*

DeleteConnectorDefinition Grants permission to delete a connector definition. Write

connectorDefinition*

DeleteCoreDefinition Grants permission to delete a core definition. Deleting a definition that is currently in use in a deployment affects future deployments. Write

coreDefinition*

DeleteDeviceDefinition Grants permission to delete a device definition. Deleting a definition that is currently in use in a deployment affects future deployments. Write

deviceDefinition*

DeleteFunctionDefinition Grants permission to delete a Lambda function definition. Deleting a definition that is currently in use in a deployment affects future deployments. Write

functionDefinition*

DeleteGroup Grants permission to delete a group that is not currently in use in a deployment. Write

group*

DeleteLoggerDefinition Grants permission to delete a logger definition. Deleting a definition that is currently in use in a deployment affects future deployments. Write

loggerDefinition*

DeleteResourceDefinition Grants permission to delete a resource definition. Write

resourceDefinition*

DeleteSubscriptionDefinition Grants permission to delete a subscription definition. Deleting a definition that is currently in use in a deployment affects future deployments. Write

subscriptionDefinition*

DisassociateRoleFromGroup Grants permission to disassociate the role from a group. Write

group*

DisassociateServiceRoleFromAccount Grants permission to disassociate the service role from an account. Without a service role, deployments will not work. Write
GetAssociatedRole Grants permission to retrieve the role associated with a group. Read

group*

GetBulkDeploymentStatus Grants permission to return the status of a bulk deployment. Read

bulkDeployment*

GetConnectivityInfo Grants permission to retrieve the connectivity information for a core. Read

connectivityInfo*

GetConnectorDefinition Grants permission to retrieve information about a connector definition. Read

connectorDefinition*

GetConnectorDefinitionVersion Grants permission to retrieve information about a connector definition version. Read

connectorDefinition*

connectorDefinitionVersion*

GetCoreDefinition Grants permission to retrieve information about a core definition. Read

coreDefinition*

GetCoreDefinitionVersion Grants permission to retrieve information about a core definition version. Read

coreDefinition*

coreDefinitionVersion*

GetDeploymentStatus Grants permission to return the status of a deployment. Read

deployment*

group*

GetDeviceDefinition Grants permission to retrieve information about a device definition. Read

deviceDefinition*

GetDeviceDefinitionVersion Grants permission to retrieve information about a device definition version. Read

deviceDefinition*

deviceDefinitionVersion*

GetFunctionDefinition Grants permission to retrieve information about a Lambda function definition, such as its creation time and latest version. Read

functionDefinition*

GetFunctionDefinitionVersion Grants permission to retrieve information about a Lambda function definition version, such as which Lambda functions are included in the version and their configurations. Read

functionDefinition*

functionDefinitionVersion*

GetGroup Grants permission to retrieve information about a group. Read

group*

GetGroupCertificateAuthority Grants permission to return the public key of the CA associated with a group. Read

certificateAuthority*

group*

GetGroupCertificateConfiguration Grants permission to retrieve the current configuration for the CA used by a group. Read

group*

GetGroupVersion Grants permission to retrieve information about a group version. Read

group*

groupVersion*

GetLoggerDefinition Grants permission to retrieve information about a logger definition. Read

loggerDefinition*

GetLoggerDefinitionVersion Grants permission to retrieve information about a logger definition version. Read

loggerDefinition*

loggerDefinitionVersion*

GetResourceDefinition Grants permission to retrieve information about a resource definition, such as its creation time and latest version. Read

resourceDefinition*

GetResourceDefinitionVersion Grants permission to retrieve information about a resource definition version, such as which resources are included in the version. Read

resourceDefinition*

resourceDefinitionVersion*

GetServiceRoleForAccount Grants permission to retrieve the service role that is attached to an account. Read
GetSubscriptionDefinition Grants permission to retrieve information about a subscription definition. Read

subscriptionDefinition*

GetSubscriptionDefinitionVersion Grants permission to retrieve information about a subscription definition version. Read

subscriptionDefinition*

subscriptionDefinitionVersion*

ListBulkDeploymentDetailedReports Grants permission to retrieve a paginated list of the deployments that have been started in a bulk deployment operation and their current deployment status. List

bulkDeployment*

ListBulkDeployments Grants permission to retrieve a list of bulk deployments. List
ListConnectorDefinitionVersions Grants permission to list the versions of a connector definition. List

connectorDefinition*

ListConnectorDefinitions Grants permission to retrieve a list of connector definitions. List
ListCoreDefinitionVersions Grants permission to list the versions of a core definition. List

coreDefinition*

ListCoreDefinitions Grants permission to retrieve a list of core definitions. List
ListDeployments Grants permission to retrieve a list of all deployments for a group. List

group*

ListDeviceDefinitionVersions Grants permission to list the versions of a device definition. List

deviceDefinition*

ListDeviceDefinitions Grants permission to retrieve a list of device definitions. List
ListFunctionDefinitionVersions Grants permission to list the versions of a Lambda function definition. List

functionDefinition*

ListFunctionDefinitions Grants permission to retrieve a list of Lambda function definitions. List
ListGroupCertificateAuthorities Grants permission to retrieve a list of current CAs for a group. List

group*

ListGroupVersions Grants permission to list the versions of a group. List

group*

ListGroups Grants permission to retrieve a list of groups. List
ListLoggerDefinitionVersions Grants permission to list the versions of a logger definition. List

loggerDefinition*

ListLoggerDefinitions Grants permission to retrieve a list of logger definitions. List
ListResourceDefinitionVersions Grants permission to list the versions of a resource definition. List

resourceDefinition*

ListResourceDefinitions Grants permission to retrieve a list of resource definitions. List
ListSubscriptionDefinitionVersions Grants permission to list the versions of a subscription definition. List

subscriptionDefinition*

ListSubscriptionDefinitions Grants permission to retrieve a list of subscription definitions. List
ListTagsForResource Grants permission to list the tags for a resource. List

bulkDeployment

connectorDefinition

coreDefinition

deviceDefinition

functionDefinition

group

loggerDefinition

resourceDefinition

subscriptionDefinition

aws:RequestTag/${TagKey}

aws:TagKeys

ResetDeployments Grants permission to reset a group's deployments. Write

group*

StartBulkDeployment Grants permission to deploy multiple groups in one operation. Write

aws:RequestTag/${TagKey}

aws:TagKeys

StopBulkDeployment Grants permission to stop the execution of a bulk deployment. Write

bulkDeployment*

TagResource Grants permission to add tags to a resource. Tagging

bulkDeployment

connectorDefinition

coreDefinition

deviceDefinition

functionDefinition

group

loggerDefinition

resourceDefinition

subscriptionDefinition

aws:RequestTag/${TagKey}

aws:TagKeys

UntagResource Grants permission to remove tags from a resource. Tagging

bulkDeployment

connectorDefinition

coreDefinition

deviceDefinition

functionDefinition

group

loggerDefinition

resourceDefinition

subscriptionDefinition

aws:TagKeys

UpdateConnectivityInfo Grants permission to update the connectivity information for a Greengrass core. Any devices that belong to the group that has this core will receive this information in order to find the location of the core and connect to it. Write

connectivityInfo*

UpdateConnectorDefinition Grants permission to update a connector definition. Write

connectorDefinition*

UpdateCoreDefinition Grants permission to update a core definition. Write

coreDefinition*

UpdateDeviceDefinition Grants permission to update a device definition. Write

deviceDefinition*

UpdateFunctionDefinition Grants permission to update a Lambda function definition. Write

functionDefinition*

UpdateGroup Grants permission to update a group. Write

group*

UpdateGroupCertificateConfiguration Grants permission to update the certificate expiry time for a group. Write

group*

UpdateLoggerDefinition Grants permission to update a logger definition. Write

loggerDefinition*

UpdateResourceDefinition Grants permission to update a resource definition. Write

resourceDefinition*

UpdateSubscriptionDefinition Grants permission to update a subscription definition. Write

subscriptionDefinition*

Resources Defined by Greengrass

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.

Resource Types ARN Condition Keys
connectivityInfo arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/things/${ThingName}/connectivityInfo
artifact arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/groups/${GroupId}/deployments/${DeploymentId}/artifacts/lambda/${ArtifactId}
certificateAuthority arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/groups/${GroupId}/certificateauthorities/${CertificateAuthorityId}
deployment arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/groups/${GroupId}/deployments/${DeploymentId}
bulkDeployment arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/bulk/deployments/${BulkDeploymentId}

aws:ResourceTag/${TagKey}

group arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/groups/${GroupId}

aws:ResourceTag/${TagKey}

groupVersion arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/groups/${GroupId}/versions/${VersionId}
coreDefinition arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/cores/${CoreDefinitionId}

aws:ResourceTag/${TagKey}

coreDefinitionVersion arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/cores/${CoreDefinitionId}/versions/${VersionId}
deviceDefinition arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/devices/${DeviceDefinitionId}

aws:ResourceTag/${TagKey}

deviceDefinitionVersion arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/devices/${DeviceDefinitionId}/versions/${VersionId}
functionDefinition arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/functions/${FunctionDefinitionId}

aws:ResourceTag/${TagKey}

functionDefinitionVersion arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/functions/${FunctionDefinitionId}/versions/${VersionId}
subscriptionDefinition arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/subscriptions/${SubscriptionDefinitionId}

aws:ResourceTag/${TagKey}

subscriptionDefinitionVersion arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/subscriptions/${SubscriptionDefinitionId}/versions/${VersionId}
loggerDefinition arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/loggers/${LoggerDefinitionId}

aws:ResourceTag/${TagKey}

loggerDefinitionVersion arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/loggers/${LoggerDefinitionId}/versions/${VersionId}
resourceDefinition arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/resources/${ResourceDefinitionId}

aws:ResourceTag/${TagKey}

resourceDefinitionVersion arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/resources/${ResourceDefinitionId}/versions/${VersionId}
connectorDefinition arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/connectors/${ConnectorDefinitionId}

aws:ResourceTag/${TagKey}

connectorDefinitionVersion arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/connectors/${ConnectorDefinitionId}/versions/${VersionId}

Condition Keys for AWS Greengrass

AWS Greengrass defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The Condition Keys Table.

To view the global condition keys that are available to all services, see Available Global Condition Keys in the IAM Policy Reference.

Condition Keys Description Type
aws:CurrentTime Filters access by checking date/time conditions for the current date and time. Date
aws:EpochTime Filters access by checking date/time conditions for the current date and time in epoch or Unix time. Date
aws:MultiFactorAuthAge Filters access by checking how long ago (in seconds) the security credentials validated by multi-factor authentication (MFA) in the request were issued using MFA. Numeric
aws:MultiFactorAuthPresent Filters access by checking whether multi-factor authentication (MFA) was used to validate the temporary security credentials that made the current request. Boolean
aws:RequestTag/${TagKey} Filters create requests based on the allowed set of values for each of the mandatory tags. String
aws:ResourceTag/${TagKey} Filters actions based on the tag value associated with the resource. String
aws:SecureTransport Filters access by checking whether the request was sent using SSL. Boolean
aws:TagKeys Filters create requests based on the presence of mandatory tags in the request. String
aws:UserAgent Filters access by the requester's client application. String