AWS Identity and Access Management
User Guide


Actions, Resources, and Condition Keys for AWS Resource Access Manager

AWS Resource Access Manager (service prefix: ram) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions Defined by AWS Resource Access Manager

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see The Actions Table.

Actions (an asterisk marks a required resource type; a condition key is listed with the resource type it applies to, or under "Action condition keys" when it applies to the request as a whole; none of these actions has dependent actions)

AcceptResourceShareInvitation
  Description: Accept the specified resource share invitation
  Access level: Write
  Resource types: resource-share-invitation* (condition keys: ram:ShareOwnerAccountId)

AssociateResourceShare
  Description: Associates resource(s) and/or principal(s) to a resource share
  Access level: Write
  Resource types:
    resource-share* (condition keys: ram:AllowsExternalPrincipals)
    principal (condition keys: ram:Principal)
    resource (condition keys: ram:RequestedResourceType, ram:ResourceArn)
  Action condition keys: ram:ResourceShareName

CreateResourceShare
  Description: Create resource share with provided resource(s) and/or principal(s)
  Access level: Write
  Resource types:
    principal (condition keys: ram:Principal)
    resource-share (condition keys: ram:RequestedResourceType, ram:ResourceArn)
  Action condition keys: ram:AllowsExternalPrincipals, aws:RequestTag/${TagKey}, aws:TagKeys

DeleteResourceShare
  Description: Delete resource share
  Access level: Write
  Resource types:
    resource-share* (condition keys: ram:AllowsExternalPrincipals)
    principal (condition keys: ram:Principal)
    resource (condition keys: ram:RequestedResourceType, ram:ResourceArn)
  Action condition keys: ram:ResourceShareName

DisassociateResourceShare
  Description: Disassociates resource(s) and/or principal(s) from a resource share
  Access level: Write
  Resource types:
    resource-share* (condition keys: ram:AllowsExternalPrincipals)
    principal (condition keys: ram:Principal)
    resource (condition keys: ram:RequestedResourceType, ram:ResourceArn)
  Action condition keys: ram:ResourceShareName

EnableSharingWithAwsOrganization
  Description: Grants permission to access the customer's organization and create an SLR (service-linked role) in the customer's account.
  Access level: Write
  Resource types: none (specify "*")

GetResourcePolicies
  Description: Gets the policies for the specified resources that you own and have shared.
  Access level: Read
  Resource types: none (specify "*")

GetResourceShareAssociations
  Description: Get a set of resource share associations from a provided list or with a specified status of the specified type
  Access level: Read
  Resource types: resource-share (condition keys: ram:ResourceShareName)

GetResourceShareInvitations
  Description: Get resource share invitations by the specified invitation ARN or those for the resource share
  Access level: Read
  Resource types:
    resource-share
    resource-share-invitation (condition keys: ram:ShareOwnerAccountId)

GetResourceShares
  Description: Get a set of resource shares from a provided list or with a specified status
  Access level: Read
  Resource types: resource-share (condition keys: ram:ResourceShareName)

ListPendingInvitationResources
  Description: Lists the resources in a resource share that is shared with you but for which the invitation is still pending
  Access level: Read
  Resource types: resource-share-invitation*

ListPrincipals
  Description: Retrieve list of principals for a specified resource
  Access level: List
  Resource types:
    resource*
    principal (condition keys: ram:Principal)

ListResources
  Description: Retrieve list of resources for a specified principal
  Access level: List
  Resource types:
    principal*
    resource (condition keys: ram:ResourceArn)

RejectResourceShareInvitation
  Description: Reject the specified resource share invitation
  Access level: Write
  Resource types: resource-share-invitation* (condition keys: ram:ShareOwnerAccountId)

TagResource
  Description: Tag the specified resource share
  Access level: Write
  Resource types: resource-share*
  Action condition keys: aws:RequestTag/${TagKey}, aws:TagKeys

UntagResource
  Description: Untag the specified resource share
  Access level: Write
  Resource types: resource-share*
  Action condition keys: aws:TagKeys

UpdateResourceShare
  Description: Update attributes of the resource share
  Access level: Write
  Resource types: resource-share* (condition keys: ram:AllowsExternalPrincipals)
  Action condition keys: ram:ResourceShareName

Resources Defined by AWS Resource Access Manager

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.

Resource types (the condition keys a resource type defines are listed with it)

resource-share
  ARN: arn:${Partition}:ram:${Region}:${Account}:resource-share/${ResourcePath}
  Condition keys: aws:ResourceTag/${TagKey}

resource-share-invitation
  ARN: arn:${Partition}:ram:${Region}:${Account}:resource-share-invitation/${ResourcePath}

resource
  ARN: arn:${Partition}:${Service}:${Region}:${Account}:${ResourceType}/${ResourcePath}

principal
  ARN: arn:${Partition}:iam::${Account}:root

Condition Keys for AWS Resource Access Manager

AWS Resource Access Manager defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The Condition Keys Table.

To view the global condition keys that are available to all services, see Available Global Condition Keys in the IAM Policy Reference.

Condition keys (type in parentheses)

aws:RequestTag/${TagKey} (String)
  Specifies a tag key and value pair that must be used when creating or tagging a resource share. If users don't pass these specific tags, or if they don't specify tags at all, the request fails.

aws:ResourceTag/${TagKey} (String)
  Indicates that the action can only be performed on resources that have the specified tag key and value pair.

aws:TagKeys (String)
  Specifies the tag keys that can be used when creating or tagging a resource share.

ram:AllowsExternalPrincipals (Bool)
  Indicates that the action can only be performed on resource shares that allow or deny sharing with external principals. For example, specify true if the action can only be performed on resource shares that allow sharing with external principals. External principals are AWS accounts outside the sharing account's AWS organization.

ram:Principal (String)
  Principals with the specified format can be associated to or disassociated from a resource share.

ram:RequestedResourceType (String)
  Indicates that the action can only be performed on the specified resource type.

ram:ResourceArn (Arn)
  Indicates that the action can only be performed on a resource with the specified ARN.

ram:ResourceShareName (String)
  Indicates that the action can only be performed on a resource share with the specified name.

ram:ShareOwnerAccountId (String)
  Indicates that the action can only be performed on resource shares owned by a specific account. For example, you can use this condition key to specify which resource share invitations can be accepted or rejected based on the resource share owner's account ID.
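As an added example that is not part of the AWS documentation, the following identity-based policy combines several of the keys above: the caller may create and modify resource shares only when external principals are not allowed, may not create a share without an Owner tag, and may accept or reject invitations only from one known owner account. The account ID 111122223333 and the tag key Owner are constructed placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageSharesInsideOrgOnly",
      "Effect": "Allow",
      "Action": [
        "ram:CreateResourceShare",
        "ram:UpdateResourceShare",
        "ram:AssociateResourceShare",
        "ram:DisassociateResourceShare"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": { "ram:AllowsExternalPrincipals": "false" }
      }
    },
    {
      "Sid": "DenyShareCreationWithoutOwnerTag",
      "Effect": "Deny",
      "Action": "ram:CreateResourceShare",
      "Resource": "*",
      "Condition": {
        "Null": { "aws:RequestTag/Owner": "true" }
      }
    },
    {
      "Sid": "HandleInvitationsFromKnownOwnerOnly",
      "Effect": "Allow",
      "Action": [ "ram:AcceptResourceShareInvitation", "ram:RejectResourceShareInvitation" ],
      "Resource": "arn:aws:ram:*:*:resource-share-invitation/*",
      "Condition": {
        "StringEquals": { "ram:ShareOwnerAccountId": "111122223333" }
      }
    },
    {
      "Sid": "ReadShares",
      "Effect": "Allow",
      "Action": [
        "ram:GetResourceShares",
        "ram:GetResourceShareInvitations",
        "ram:GetResourceShareAssociations",
        "ram:ListPendingInvitationResources"
      ],
      "Resource": "*"
    }
  ]
}
```

A condition on a key that is absent from the request context does not match, so a request in which ram:AllowsExternalPrincipals is not set is not covered by the first Allow statement and fails closed; only the Null operator tests for absence, which is why the tag check uses it.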