AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for AWS Resource Access Manager

AWS Resource Access Manager (service prefix: ram) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions Defined by AWS Resource Access Manager

You can specify the following actions in the Action element of an IAM policy statement. By using policies, you define the permissions for anyone performing an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions. For details about the columns in the following table, see The Actions Table.

The table columns are Action, Description, Access Level, Resource Types (an asterisk marks a required resource type), Condition Keys and Dependent Actions. No RAM action in this table lists any dependent actions, so that column is omitted below.

AcceptResourceShareInvitation
  Description: Accept the specified resource share invitation
  Access level: Write
  Resource types: resource-share-invitation*
  Condition keys: ram:ShareOwnerAccountIds

AssociateResourceShare
  Description: Associate resources and/or principals with a resource share
  Access level: Write
  Resource types: resource-share*, principal, resource
  Condition keys: ram:AllowsExternalPrincipals, ram:Principals, ram:ResourceType, ram:ResourceArns, ram:ResourceShareNames

CreateResourceShare
  Description: Create a resource share with the provided resources and/or principals
  Access level: Write
  Resource types: principal, resource-share
  Condition keys: ram:Principals, ram:ResourceType, ram:ResourceArns

DeleteResourceShare
  Description: Delete a resource share
  Access level: Write
  Resource types: resource-share*, principal, resource
  Condition keys: ram:AllowsExternalPrincipals, ram:Principals, ram:ResourceType, ram:ResourceArns, ram:ResourceShareNames

DisassociateResourceShare
  Description: Disassociate resources and/or principals from a resource share
  Access level: Write
  Resource types: resource-share*, principal, resource
  Condition keys: ram:AllowsExternalPrincipals, ram:Principals, ram:ResourceType, ram:ResourceArns, ram:ResourceShareNames

EnableSharingWithAwsOrganization
  Description: Grants permission to access the customer's organization and create a service-linked role (SLR) in the customer's account
  Access level: Write
  Resource types: none
  Condition keys: none

GetResourceShareAssociations
  Description: Get a set of resource share associations from a provided list, or those with a specified status of the specified type
  Access level: Read
  Resource types: resource-share
  Condition keys: ram:ResourceShareNames

GetResourceShareInvitations
  Description: Get resource share invitations by the specified invitation ARN, or those for the resource share
  Access level: Read
  Resource types: resource-share, resource-share-invitation
  Condition keys: ram:ShareOwnerAccountIds

GetResourceShares
  Description: Get a set of resource shares from a provided list, or those with a specified status
  Access level: Read
  Resource types: resource-share
  Condition keys: ram:ResourceShareNames

ListPrincipals
  Description: Retrieve the list of principals for a specified resource
  Access level: List
  Resource types: resource*, principal
  Condition keys: ram:Principals

ListResources
  Description: Retrieve the list of resources for a specified principal
  Access level: List
  Resource types: principal*, resource
  Condition keys: ram:ResourceArns

RejectResourceShareInvitation
  Description: Reject the specified resource share invitation
  Access level: Write
  Resource types: resource-share-invitation*
  Condition keys: ram:ShareOwnerAccountIds

TagResource
  Description: Tag the specified resource share
  Access level: Write
  Resource types: resource-share*
  Condition keys: none

UntagResource
  Description: Untag the specified resource share
  Access level: Write
  Resource types: resource-share*
  Condition keys: none

UpdateResourceShare
  Description: Update attributes of the resource share
  Access level: Write
  Resource types: resource-share*
  Condition keys: ram:AllowsExternalPrincipals, ram:ResourceShareNames

Resources Defined by Resource Access Manager

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.

Resource Type              ARN
resource-share             arn:${Partition}:ram:${Region}:${Account}:resource-share/${ResourcePath}
resource-share-invitation  arn:${Partition}:ram:${Region}:${Account}:resource-share-invitation/${ResourcePath}
resource                   arn:${Partition}:${Service}:${Region}:${Account}:${ResourceType}/${ResourcePath}
principal                  arn:${Partition}:iam::${Account}:user/${User}

None of these resource types defines a condition key of its own (the Condition Keys column is empty for all four).
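The following is an added example, not code from the AWS documentation: a small parser that splits an ARN into its fields and reports which of the four resource types above it fits, so a policy author can check that the ARNs placed in a Resource element match the formats RAM expects. The sample ARNs and the account number 123456789012 are constructed placeholders.

```python
"""Classify ARNs against the RAM resource-type ARN formats listed above.

Added example, not AWS documentation code. The templates are the ones in the
Resource Types table; sample ARNs below are constructed placeholders.
"""


def parse_arn(arn):
    """Split an ARN into partition, service, region, account and resource.

    The resource field may itself contain colons, so the string is split at
    most five times; the first field must be the literal 'arn'.
    """
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return dict(zip(("partition", "service", "region", "account", "resource"), parts[1:]))


def ram_resource_type(arn):
    """Return the page's resource type the ARN fits, or None.

    'resource-share' and 'resource-share-invitation' are RAM's own ARNs,
    'principal' is an IAM user ARN (note the empty region field), and
    'resource' is any other service's ARN shaped ${ResourceType}/${ResourcePath}.
    """
    fields = parse_arn(arn)
    type_part, sep, path = fields["resource"].partition("/")
    if fields["service"] == "ram":
        if sep and path and type_part in ("resource-share", "resource-share-invitation"):
            return type_part
        return None
    if fields["service"] == "iam":
        # Template: arn:${Partition}:iam::${Account}:user/${User} -- no region.
        if fields["region"] == "" and type_part == "user" and path:
            return "principal"
        return None
    # Template: arn:${Partition}:${Service}:${Region}:${Account}:${ResourceType}/${ResourcePath}
    if sep and path:
        return "resource"
    return None


if __name__ == "__main__":
    # Constructed sample ARNs (account 123456789012 is a placeholder).
    for sample in (
        "arn:aws:ram:us-east-1:123456789012:resource-share/abc123",
        "arn:aws:ram:us-east-1:123456789012:resource-share-invitation/def456",
        "arn:aws:iam::123456789012:user/alice",
        "arn:aws:ec2:us-east-1:123456789012:subnet/subnet-0abc",
    ):
        print(f"{sample} -> {ram_resource_type(sample)}")
```

ARNs of services whose format separates the resource type from its path with a colon rather than a slash do not match the `resource` template on this page, and the classifier returns None for them rather than guessing.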

Condition Keys for AWS Resource Access Manager

AWS Resource Access Manager defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The Condition Keys Table.

To view the global condition keys that are available to all services, see Available Global Condition Keys in the IAM Policy Reference.

Condition Key                 Type    Description
aws:TagKeys                   String  Enforce the tag keys that are used in the request
ram:AllowsExternalPrincipals  Bool    Resource shares can be acted on only if the share allows external principals
ram:Principals                Arn     Principals with the specified ARN format can be associated with or disassociated from a resource share
ram:ResourceArns              Arn     Resources with the specified ARN format can be associated with or disassociated from a resource share
ram:ResourceShareNames        String  Resource shares with the specified names can be used in the specified action
ram:ResourceType              String  Resources of the specified ResourceType can be associated with the specified resource share
ram:ShareOwnerAccountIds      String  Resource share invitations can be accepted or rejected only if the share is owned by the specified account ID
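As an added example that is not part of the AWS documentation, the block below builds a deny-only guardrail policy from the condition keys in this table (one statement blocks changes that would open a share to external principals, the other blocks accepting invitations from accounts outside a trusted list) and then checks any policy against the Actions table above: it flags a `ram:*` condition key used with an action that does not list it, and an action pattern that matches no RAM action. `ACTION_CONDITION_KEYS` is transcribed from this page; the account IDs are constructed placeholders; the checker verifies consistency with this page's tables only, not how IAM will evaluate the policy.

```python
"""Guardrail policy for AWS RAM, checked against this page's Actions table.

Added example; it is not AWS documentation code. ACTION_CONDITION_KEYS is
transcribed from the Actions table on this page (service-specific keys only).
The account IDs in TRUSTED_SHARE_OWNERS are constructed placeholders.
"""
import fnmatch
import json

# Action name -> the ram:* condition keys this page lists for that action.
ACTION_CONDITION_KEYS = {
    "AcceptResourceShareInvitation": {"ram:ShareOwnerAccountIds"},
    "AssociateResourceShare": {
        "ram:AllowsExternalPrincipals", "ram:Principals", "ram:ResourceType",
        "ram:ResourceArns", "ram:ResourceShareNames",
    },
    "CreateResourceShare": {"ram:Principals", "ram:ResourceType", "ram:ResourceArns"},
    "DeleteResourceShare": {
        "ram:AllowsExternalPrincipals", "ram:Principals", "ram:ResourceType",
        "ram:ResourceArns", "ram:ResourceShareNames",
    },
    "DisassociateResourceShare": {
        "ram:AllowsExternalPrincipals", "ram:Principals", "ram:ResourceType",
        "ram:ResourceArns", "ram:ResourceShareNames",
    },
    "EnableSharingWithAwsOrganization": set(),
    "GetResourceShareAssociations": {"ram:ResourceShareNames"},
    "GetResourceShareInvitations": {"ram:ShareOwnerAccountIds"},
    "GetResourceShares": {"ram:ResourceShareNames"},
    "ListPrincipals": {"ram:Principals"},
    "ListResources": {"ram:ResourceArns"},
    "RejectResourceShareInvitation": {"ram:ShareOwnerAccountIds"},
    "TagResource": set(),
    "UntagResource": set(),
    "UpdateResourceShare": {"ram:AllowsExternalPrincipals", "ram:ResourceShareNames"},
}

# Accounts whose share invitations may be accepted (constructed placeholder IDs).
TRUSTED_SHARE_OWNERS = ["111122223333", "444455556666"]

GUARDRAIL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            # Block any change that would open a share to principals outside the org.
            "Sid": "DenyOpeningSharesToExternalPrincipals",
            "Effect": "Deny",
            "Action": ["ram:AssociateResourceShare", "ram:UpdateResourceShare"],
            "Resource": "*",
            "Condition": {"Bool": {"ram:AllowsExternalPrincipals": "true"}},
        },
        {
            # Only accept invitations whose share is owned by a trusted account.
            "Sid": "DenyInvitationsFromUntrustedOwners",
            "Effect": "Deny",
            "Action": "ram:AcceptResourceShareInvitation",
            "Resource": "*",
            "Condition": {"StringNotEquals": {"ram:ShareOwnerAccountIds": TRUSTED_SHARE_OWNERS}},
        },
    ],
}


def _as_list(value):
    """IAM accepts either a string or a list in Statement, Action and condition values."""
    return value if isinstance(value, list) else [value]


def check_policy(policy):
    """Return a list of findings; an empty list means the policy agrees with the table.

    A finding is raised when a statement's ram:* condition key is not listed for
    one of the statement's actions, or when an action pattern (wildcards allowed)
    matches no action in ACTION_CONDITION_KEYS.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        keys = set()
        for operator_block in stmt.get("Condition", {}).values():
            keys.update(operator_block.keys())
        for action in _as_list(stmt.get("Action", [])):
            if not action.startswith("ram:"):
                continue  # other services are outside this page's table
            pattern = action.split(":", 1)[1]
            matches = [n for n in sorted(ACTION_CONDITION_KEYS) if fnmatch.fnmatchcase(n, pattern)]
            if not matches:
                findings.append(f"{sid}: {action} matches no action in the RAM table")
                continue
            for name in matches:
                for key in sorted(keys):
                    if key.startswith("ram:") and key not in ACTION_CONDITION_KEYS[name]:
                        findings.append(f"{sid}: {key} is not listed for ram:{name}")
    return findings


if __name__ == "__main__":
    print(json.dumps(GUARDRAIL_POLICY, indent=2))
    print("findings:", check_policy(GUARDRAIL_POLICY) or "none")
```

Two points to keep in mind when adapting the policy: IAM treats a condition whose key is absent from the request context as not matching (except with Null and the ...IfExists operators), so a Deny keyed on ram:AllowsExternalPrincipals only takes effect on requests that actually carry that key; and the checker only confirms that each key is listed for each action on this page, so test the finished statements against the specific API calls you intend to block.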