AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for AWS IoT Things Graph

AWS IoT Things Graph (service prefix: iotthingsgraph) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions Defined by AWS IoT Things Graph

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource column indicates whether each action supports resource-level permissions. If there is no value in this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column lists a resource type, you can specify an ARN of that type in a statement with that action. Required resources are marked in the table with an asterisk (*): if you specify a resource-level permission ARN in a statement using that action, the ARN must be of this type. Some actions support multiple resource types. If a resource type is optional (not marked as required), you can choose to use one of the listed types, but not both in the same statement.

For details about the columns in the following table, see The Actions Table.

| Actions | Description | Access Level | Resource Types (*required) | Condition Keys | Dependent Actions |
|---|---|---|---|---|---|
| AssociateEntityToThing | Associates a device with a concrete thing that is in the user's registry. A thing can be associated with only one device at a time. If you associate a thing with a new device id, its previous association will be removed. | Write | | | iot:DescribeThing, iot:DescribeThingGroup |
| CreateFlowTemplate | Creates a workflow template. Workflows can be created only in the user's namespace. (The public namespace contains only entities.) The workflow can contain only entities in the specified namespace. The workflow is validated against the entities in the latest version of the user's namespace unless another namespace version is specified in the request. | Write | | | |
| CreateSystemInstance | Creates an instance of a system with specified configurations and Things. | Tagging | | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateSystemTemplate | Creates a system. The system is validated against the entities in the latest version of the user's namespace unless another namespace version is specified in the request. | Write | | | |
| DeleteFlowTemplate | Deletes a workflow. Any new system or system instance that contains this workflow will fail to update or deploy. Existing system instances that contain the workflow will continue to run (since they use a snapshot of the workflow taken at the time of deploying the system instance). | Write | Workflow* | | |
| DeleteNamespace | Deletes the specified namespace. This action deletes all of the entities in the namespace. Delete the systems and flows in the namespace before performing this action. | Write | | | |
| DeleteSystemInstance | Deletes a system instance. Only instances that have never been deployed, or that have been undeployed from the target can be deleted. Users can create a new system instance that has the same ID as a deleted system instance. | Write | SystemInstance* | | |
| DeleteSystemTemplate | Deletes a system. New system instances can't contain the system after its deletion. Existing system instances that contain the system will continue to work because they use a snapshot of the system that is taken when it is deployed. | Write | System* | | |
| DeploySystemInstance | Deploys the system instance to the target specified in CreateSystemInstance. | Write | SystemInstance* | | |
| DeprecateFlowTemplate | Deprecates the specified workflow. This action marks the workflow for deletion. Deprecated flows can't be deployed, but existing system instances that use the flow will continue to run. | Write | Workflow* | | |
| DeprecateSystemTemplate | Deprecates the specified system. | Write | System* | | |
| DescribeNamespace | Gets the latest version of the user's namespace and the public version that it is tracking. | Read | | | |
| DissociateEntityFromThing | Dissociates a device entity from a concrete thing. The action takes only the type of the entity that you need to dissociate because only one entity of a particular type can be associated with a thing. | Write | | | iot:DescribeThing, iot:DescribeThingGroup |
| GetEntities | Gets descriptions of the specified entities. Uses the latest version of the user's namespace by default. | Read | | | |
| GetFlowTemplate | Gets the latest version of the DefinitionDocument and FlowTemplateSummary for the specified workflow. | Read | Workflow* | | |
| GetFlowTemplateRevisions | Gets revisions of the specified workflow. Only the last 100 revisions are stored. If the workflow has been deprecated, this action will return revisions that occurred before the deprecation. This action won't work for workflows that have been deleted. | Read | Workflow* | | |
| GetNamespaceDeletionStatus | Gets the status of a namespace deletion task. | Read | | | |
| GetSystemInstance | Gets a system instance. | Read | SystemInstance* | | |
| GetSystemTemplate | Gets a system. | Read | System* | | |
| GetSystemTemplateRevisions | Gets revisions made to the specified system template. Only the previous 100 revisions are stored. If the system has been deprecated, this action will return the revisions that occurred before its deprecation. This action won't work with systems that have been deleted. | Read | System* | | |
| GetUploadStatus | Gets the status of the specified upload. | Read | | | |
| ListFlowExecutionMessages | Lists details of a single workflow execution. | List | | | |
| ListTagsForResource | Lists all tags for a given resource. | List | SystemInstance | | |
| SearchEntities | Searches for entities of the specified type. You can search for entities in your namespace and the public namespace that you're tracking. | Read | | | |
| SearchFlowExecutions | Searches for workflow executions of a system instance. | Read | SystemInstance* | | |
| SearchFlowTemplates | Searches for summary information about workflows. | Read | | | |
| SearchSystemInstances | Searches for system instances in the user's account. | Read | | | |
| SearchSystemTemplates | Searches for summary information about systems in the user's account. You can filter by the ID of a workflow to return only systems that use the specified workflow. | Read | | | |
| SearchThings | Searches for things associated with the specified entity. You can search by both device and device model. | Read | | | |
| TagResource | Tags a specified resource. | Tagging | SystemInstance | aws:RequestTag/${TagKey}, aws:TagKeys | |
| UndeploySystemInstance | Removes the system instance and associated triggers from the target. | Write | SystemInstance* | | |
| UntagResource | Untags a specified resource. | Tagging | SystemInstance | aws:TagKeys | |
| UpdateFlowTemplate | Updates the specified workflow. All deployed systems and system instances that use the workflow will see the changes in the flow when it is redeployed. The workflow can contain only entities in the specified namespace. | Write | Workflow* | | |
| UpdateSystemTemplate | Updates the specified system. You don't need to run this action after updating a workflow. Any system instance that uses the system will see the changes in the system when it is redeployed. | Write | System* | | |
| UploadEntityDefinitions | Asynchronously uploads one or more entity definitions to the user's namespace. | Write | | | |

Resources Defined by AWS IoT Things Graph

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.

| Resource Types | ARN | Condition Keys |
|---|---|---|
| Workflow | arn:${Partition}:iotthingsgraph:${Region}:${Account}:Workflow/${NamespacePath} | |
| System | arn:${Partition}:iotthingsgraph:${Region}:${Account}:System/${NamespacePath} | |
| SystemInstance | arn:${Partition}:iotthingsgraph:${Region}:${Account}:Deployment/${NamespacePath} | aws:ResourceTag/${TagKey} |
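The two tables above together determine whether a statement can ever grant an iotthingsgraph action: an action with no resource type is only granted on "*", and an action with a required type only matches an ARN of that type. The following added example (not part of the AWS documentation) encodes both tables and lints a policy statement for grants that are silently dead or broader than necessary; the account ID, Region and the Deployment/Room218 ARN in the sample statement are constructed.

```python
import re

# ARN formats from the Resource Types table; ${Region} and ${Account} may be empty or "*".
ARN_FORMAT = {
    "Workflow": r"arn:[^:]+:iotthingsgraph:[^:]*:[^:]*:Workflow/.+",
    "System": r"arn:[^:]+:iotthingsgraph:[^:]*:[^:]*:System/.+",
    "SystemInstance": r"arn:[^:]+:iotthingsgraph:[^:]*:[^:]*:Deployment/.+",
}

# Resource type each action accepts, from the Actions table: (type, required).
# Actions not listed here have no resource type and must be granted on "*".
ACTION_RESOURCE = {
    **{a: ("Workflow", True) for a in ("DeleteFlowTemplate", "DeprecateFlowTemplate",
          "GetFlowTemplate", "GetFlowTemplateRevisions", "UpdateFlowTemplate")},
    **{a: ("System", True) for a in ("DeleteSystemTemplate", "DeprecateSystemTemplate",
          "GetSystemTemplate", "GetSystemTemplateRevisions", "UpdateSystemTemplate")},
    **{a: ("SystemInstance", True) for a in ("DeleteSystemInstance", "DeploySystemInstance",
          "GetSystemInstance", "SearchFlowExecutions", "UndeploySystemInstance")},
    **{a: ("SystemInstance", False) for a in ("ListTagsForResource", "TagResource", "UntagResource")},
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_statement(statement):
    """Return findings: ARNs an action can never match, and over-broad '*' grants."""
    findings = []
    resources = _as_list(statement.get("Resource", []))
    for action in _as_list(statement.get("Action", [])):
        service, _, name = action.partition(":")
        if service != "iotthingsgraph":
            continue  # other services have their own tables
        if "*" in name:
            findings.append(f"{action}: wildcard action; enumerate the operations needed")
            continue
        res_type, required = ACTION_RESOURCE.get(name, (None, False))
        for arn in resources:
            if arn == "*":
                if res_type and required:
                    findings.append(f"{action}: accepts {res_type} ARNs but is granted on '*'")
            elif res_type is None:
                findings.append(f"{action}: has no resource type, so '{arn}' never matches; use '*'")
            elif not re.fullmatch(ARN_FORMAT[res_type], arn):
                findings.append(f"{action}: '{arn}' is not a {res_type} ARN")
    return findings

# Constructed statement for a deployment role scoped to one system instance (hypothetical values).
EXAMPLE = {"Effect": "Allow", "Resource": "arn:aws:iotthingsgraph:us-west-2:123456789012:Deployment/Room218",
           "Action": ["iotthingsgraph:DeploySystemInstance", "iotthingsgraph:DescribeNamespace",
                      "iotthingsgraph:GetSystemTemplate"]}
```

Running `lint_statement(EXAMPLE)` reports that the DescribeNamespace grant is dead (it needs "*") and that GetSystemTemplate cannot match a Deployment ARN, while DeploySystemInstance is correctly scoped.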

Condition Keys for AWS IoT Things Graph

AWS IoT Things Graph defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The Condition Keys Table.

To view the global condition keys that are available to all services, see Available Global Condition Keys in the IAM Policy Reference.

| Condition Keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters access by a key that is present in the request the user makes to the thingsgraph service. | String |
| aws:ResourceTag/${TagKey} | Filters access by a tag key and value pair. | String |
| aws:TagKeys | Filters access by the list of all the tag key names present in the request the user makes to the thingsgraph service. | String |