AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for Identity And Access Management

Identity And Access Management (service prefix: iam) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions Defined by Identity And Access Management

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see The Actions Table.

Actions Description Access Level Resource Types (*required) Condition Keys Dependent Actions
AddClientIDToOpenIDConnectProvider Grants permission to add a new client ID (audience) to the list of registered IDs for the specified IAM OpenID Connect (OIDC) provider resource Write

oidc-provider*

AddRoleToInstanceProfile Grants permission to add an IAM role to the specified instance profile Write

instance-profile*

AddUserToGroup Grants permission to add an IAM user to the specified IAM group Write

group*

AttachGroupPolicy Grants permission to attach a managed policy to the specified IAM group Permissions management

group*

iam:PolicyARN

AttachRolePolicy Grants permission to attach a managed policy to the specified IAM role Permissions management

role*

iam:PolicyARN

iam:PermissionsBoundary

AttachUserPolicy Grants permission to attach a managed policy to the specified IAM user Permissions management

user*

iam:PolicyARN

iam:PermissionsBoundary

ChangePassword Grants permission for an IAM user to to change their own password Write

user*

CreateAccessKey Grants permission to create access key and secret access key for the specified IAM user Write

user*

CreateAccountAlias Grants permission to create an alias for your AWS account Write
CreateGroup Grants permission to create a new group Write

group*

CreateInstanceProfile Grants permission to create a new instance profile Write

instance-profile*

CreateLoginProfile Grants permission to create a password for the specified IAM user Write

user*

CreateOpenIDConnectProvider Grants permission to create an IAM resource that describes an identity provider (IdP) that supports OpenID Connect (OIDC) Write

oidc-provider*

CreatePolicy Grants permission to create a new managed policy Permissions management

policy*

CreatePolicyVersion Grants permission to create a new version of the specified managed policy Permissions management

policy*

CreateRole Grants permission to create a new role Write

role*

iam:PermissionsBoundary

CreateSAMLProvider Grants permission to create an IAM resource that describes an identity provider (IdP) that supports SAML 2.0 Write

saml-provider*

CreateServiceLinkedRole Grants permission to create an IAM role that allows an AWS service to perform actions on your behalf Write

role*

iam:AWSServiceName

CreateServiceSpecificCredential Grants permission to create a new service-specific credential for an IAM user Write

user*

CreateUser Grants permission to create a new IAM user Write

user*

iam:PermissionsBoundary

CreateVirtualMFADevice Grants permission to create a new virtual MFA device Write

mfa*

DeactivateMFADevice Grants permission to deactivate the specified MFA device and remove its association with the IAM user for which it was originally enabled Write

user*

DeleteAccessKey Grants permission to delete the access key pair that is associated with the specified IAM user Write

user*

DeleteAccountAlias Grants permission to delete the specified AWS account alias Write
DeleteAccountPasswordPolicy Grants permission to delete the password policy for the AWS account Permissions management
DeleteGroup Grants permission to delete the specified IAM group Write

group*

DeleteGroupPolicy Grants permission to delete the specified inline policy from its group Permissions management

group*

DeleteInstanceProfile Grants permission to delete the specified instance profile Write

instance-profile*

DeleteLoginProfile Grants permission to delete the password for the specified IAM user Write

user*

DeleteOpenIDConnectProvider Grants permission to delete an OpenID Connect identity provider (IdP) resource object in IAM Write

oidc-provider*

DeletePolicy Grants permission to delete the specified managed policy and remove it from any IAM entities (users, groups, or roles) to which it is attached Permissions management

policy*

DeletePolicyVersion Grants permission to delete a version from the specified managed policy Permissions management

policy*

DeleteRole Grants permission to delete the specified role Write

role*

DeleteRolePermissionsBoundary Grants permission to remove the permissions boundary from a role Permissions management

role*

iam:PermissionsBoundary

DeleteRolePolicy Grants permission to delete the specified inline policy from the specified role Permissions management

role*

iam:PermissionsBoundary

DeleteSAMLProvider Grants permission to delete a SAML provider resource in IAM Write

saml-provider*

DeleteSSHPublicKey Grants permission to delete the specified SSH public key Write

user*

DeleteServerCertificate Grants permission to delete the specified server certificate Write

server-certificate*

DeleteServiceLinkedRole Grants permission to delete an IAM role that is linked to a specific AWS service, if the service is no longer using it Write

role*

DeleteServiceSpecificCredential Grants permission to delete the specified service-specific credential for an IAM user Write

user*

DeleteSigningCertificate Grants permission to delete a signing certificate that is associated with the specified IAM user Write

user*

DeleteUser Grants permission to delete the specified IAM user Write

user*

DeleteUserPermissionsBoundary Grants permission to remove the permissions boundary from the specified IAM user Permissions management

user*

iam:PermissionsBoundary

DeleteUserPolicy Grants permission to delete the specified inline policy from an IAM user Permissions management

user*

iam:PermissionsBoundary

DeleteVirtualMFADevice Grants permission to delete a virtual MFA device Write

mfa

sms-mfa

DetachGroupPolicy Grants permission to detach a managed policy from the specified IAM group Permissions management

group*

iam:PolicyARN

DetachRolePolicy Grants permission to detach a managed policy from the specified role Permissions management

role*

iam:PolicyARN

iam:PermissionsBoundary

DetachUserPolicy Grants permission to detach a managed policy from the specified IAM user Permissions management

user*

iam:PolicyARN

iam:PermissionsBoundary

EnableMFADevice Grants permission to enable an MFA device and associate it with the specified IAM user Write

user*

GenerateCredentialReport Grants permission to generate a credential report for the AWS account Read
GenerateOrganizationsAccessReport Grants permission to generate an access report for an AWS Organizations entity Read

access-report*

organizations:DescribePolicy

organizations:ListChildren

organizations:ListParents

organizations:ListPoliciesForTarget

organizations:ListRoots

organizations:ListTargetsForPolicy

iam:OrganizationsPolicyId

GenerateServiceLastAccessedDetails Grants permission to generate a service last accessed data report for an IAM resource Read
GetAccessKeyLastUsed Grants permission to retrieve information about when the specified access key was last used Read

user*

GetAccountAuthorizationDetails Grants permission to retrieve information about all IAM users, groups, roles, and policies in your AWS account, including their relationships to one another Read
GetAccountPasswordPolicy Grants permission to retrieve the password policy for the AWS account Read
GetAccountSummary Grants permission to retrieve information about IAM entity usage and IAM quotas in the AWS account List
GetContextKeysForCustomPolicy Grants permission to retrieve a list of all of the context keys that are referenced in the specified policy Read
GetContextKeysForPrincipalPolicy Grants permission to retrieve a list of all context keys that are referenced in all IAM policies that are attached to the specified IAM identity (user, group, or role) Read

group

role

user

GetCredentialReport Grants permission to retrieve a credential report for the AWS account Read
GetGroup Grants permission to retrieve a list of IAM users in the specified IAM group Read

group*

GetGroupPolicy Grants permission to retrieve an inline policy document that is embedded in the specified IAM group Read

group*

GetInstanceProfile Grants permission to retrieve information about the specified instance profile, including the instance profile's path, GUID, ARN, and role Read

instance-profile*

GetLoginProfile Grants permission to retrieve the user name and password creation date for the specified IAM user List

user*

GetOpenIDConnectProvider Grants permission to retrieve information about the specified OpenID Connect (OIDC) provider resource in IAM Read

oidc-provider*

GetOrganizationsAccessReport Grants permission to retrieve an AWS Organizations access report Read
GetPolicy Grants permission to retrieve information about the specified managed policy, including the policy's default version and the total number of identities to which the policy is attached Read

policy*

GetPolicyVersion Grants permission to retrieve information about a version of the specified managed policy, including the policy document Read

policy*

GetRole Grants permission to retrieve information about the specified role, including the role's path, GUID, ARN, and the role's trust policy Read

role*

GetRolePolicy Grants permission to retrieve an inline policy document that is embedded with the specified IAM role Read

role*

GetSAMLProvider Grants permission to retrieve the SAML provider metadocument that was uploaded when the IAM SAML provider resource was created or updated Read

saml-provider*

GetSSHPublicKey Grants permission to retrieve the specified SSH public key, including metadata about the key Read

user*

GetServerCertificate Grants permission to retrieve information about the specified server certificate stored in IAM Read

server-certificate*

GetServiceLastAccessedDetails Grants permission to retrieve information about the service last accessed data report Read
GetServiceLastAccessedDetailsWithEntities Grants permission to retrieve information about the entities from the service last accessed data report Read
GetServiceLinkedRoleDeletionStatus Grants permission to retrieve an IAM service-linked role deletion status Read

role*

GetUser Grants permission to retrieve information about the specified IAM user, including the user's creation date, path, unique ID, and ARN Read

user*

GetUserPolicy Grants permission to retrieve an inline policy document that is embedded in the specified IAM user Read

user*

ListAccessKeys Grants permission to list information about the access key IDs that are associated with the specified IAM user List

user*

ListAccountAliases Grants permission to list the account alias that is associated with the AWS account List
ListAttachedGroupPolicies Grants permission to list all managed policies that are attached to the specified IAM group List

group*

ListAttachedRolePolicies Grants permission to list all managed policies that are attached to the specified IAM role List

role*

ListAttachedUserPolicies Grants permission to list all managed policies that are attached to the specified IAM user List

user*

ListEntitiesForPolicy Grants permission to list all IAM identities to which the specified managed policy is attached List

policy*

ListGroupPolicies Grants permission to list the names of the inline policies that are embedded in the specified IAM group List

group*

ListGroups Grants permission to list the IAM groups that have the specified path prefix List
ListGroupsForUser Grants permission to list the IAM groups that the specified IAM user belongs to List

user*

ListInstanceProfiles Grants permission to list the instance profiles that have the specified path prefix List

instance-profile*

ListInstanceProfilesForRole Grants permission to list the instance profiles that have the specified associated IAM role List

role*

ListMFADevices Grants permission to list the MFA devices for an IAM user List

user

ListOpenIDConnectProviders Grants permission to list information about the IAM OpenID Connect (OIDC) provider resource objects that are defined in the AWS account List
ListPolicies Grants permission to list all managed policies List
ListPoliciesGrantingServiceAccess Grants permission to list information about the policies that grant an entity access to a specific service List
ListPolicyVersions Grants permission to list information about the versions of the specified managed policy, including the version that is currently set as the policy's default version List

policy*

ListRolePolicies Grants permission to list the names of the inline policies that are embedded in the specified IAM role List

role*

ListRoleTags Grants permission to list the tags that are attached to the specified IAM role. List

role*

ListRoles Grants permission to list the IAM roles that have the specified path prefix List
ListSAMLProviders Grants permission to list the SAML provider resources in IAM List
ListSSHPublicKeys Grants permission to list information about the SSH public keys that are associated with the specified IAM user List

user*

ListServerCertificates Grants permission to list the server certificates that have the specified path prefix List
ListServiceSpecificCredentials Grants permission to list the service-specific credentials that are associated with the specified IAM user List

user*

ListSigningCertificates Grants permission to list information about the signing certificates that are associated with the specified IAM user List

user*

ListUserPolicies Grants permission to list the names of the inline policies that are embedded in the specified IAM user List

user*

ListUserTags Grants permission to list the tags that are attached to the specified IAM user. List

user*

ListUsers Grants permission to list the IAM users that have the specified path prefix List
ListVirtualMFADevices Grants permission to list virtual MFA devices by assignment status List
PassRole [permission only] Grants permission to pass a role to a service Write

role*

iam:PassedToService

PutGroupPolicy Grants permission to create or update an inline policy document that is embedded in the specified IAM group Permissions management

group*

PutRolePermissionsBoundary Grants permission to set a managed policy as a permissions boundary for a role Permissions management

role*

iam:PermissionsBoundary

PutRolePolicy Grants permission to create or update an inline policy document that is embedded in the specified IAM role Permissions management

role*

iam:PermissionsBoundary

PutUserPermissionsBoundary Grants permission to set a managed policy as a permissions boundary for an IAM user Permissions management

user*

iam:PermissionsBoundary

PutUserPolicy Grants permission to create or update an inline policy document that is embedded in the specified IAM user Permissions management

user*

iam:PermissionsBoundary

RemoveClientIDFromOpenIDConnectProvider Grants permission to remove the client ID (audience) from the list of client IDs in the specified IAM OpenID Connect (OIDC) provider resource Write

oidc-provider*

RemoveRoleFromInstanceProfile Grants permission to remove an IAM role from the specified EC2 instance profile Write

instance-profile*

RemoveUserFromGroup Grants permission to remove an IAM user from the specified group Write

group*

ResetServiceSpecificCredential Grants permission to reset the password for an existing service-specific credential for an IAM user Write

user*

ResyncMFADevice Grants permission to synchronize the specified MFA device with its IAM entity (user or role) Write

user*

SetDefaultPolicyVersion Grants permission to set the version of the specified policy as the policy's default version Permissions management

policy*

SetSecurityTokenServicePreferences Grants permission to set the STS global endpoint token version Write
SimulateCustomPolicy Grants permission to simulate whether an identity-based policy or resource-based policy provides permissions for specific API operations and resources Read
SimulatePrincipalPolicy Grants permission to simulate whether an identity-based policy that is attached to a specified IAM entity (user or role) provides permissions for specific API operations and resources Read

group

role

user

TagRole Grants permission to add tags to an IAM role. Tagging

role*

TagUser Grants permission to add tags to an IAM user. Tagging

user*

UntagRole Grants permission to remove the specified tags from the role. Tagging

role*

UntagUser Grants permission to remove the specified tags from the user. Tagging

user*

UpdateAccessKey Grants permission to update the status of the specified access key as Active or Inactive Write

user*

UpdateAccountPasswordPolicy Grants permission to update the password policy settings for the AWS account Write
UpdateAssumeRolePolicy Grants permission to update the policy that grants an IAM entity permission to assume a role Permissions management

role*

UpdateGroup Grants permission to update the name or path of the specified IAM group Write

group*

UpdateLoginProfile Grants permission to change the password for the specified IAM user Write

user*

UpdateOpenIDConnectProviderThumbprint Grants permission to update the entire list of server certificate thumbprints that are associated with an OpenID Connect (OIDC) provider resource Write

oidc-provider*

UpdateRole Grants permission to update the description or maximum session duration setting of a role Write

role*

UpdateRoleDescription Grants permission to update only the description of a role Write

role*

UpdateSAMLProvider Grants permission to update the metadata document for an existing SAML provider resource Write

saml-provider*

UpdateSSHPublicKey Grants permission to update the status of an IAM user's SSH public key to active or inactive Write

user*

UpdateServerCertificate Grants permission to update the name or the path of the specified server certificate stored in IAM Write

server-certificate*

UpdateServiceSpecificCredential Grants permission to update the status of a service-specific credential to active or inactive for an IAM user Write

user*

UpdateSigningCertificate Grants permission to update the status of the specified user signing certificate to active or disabled Write

user*

UpdateUser Grants permission to update the name or the path of the specified IAM user Write

user*

UploadSSHPublicKey Grants permission to upload an SSH public key and associate it with the specified IAM user Write

user*

UploadServerCertificate Grants permission to upload a server certificate entity for the AWS account Write

server-certificate*

UploadSigningCertificate Grants permission to upload an X.509 signing certificate and associate it with the specified IAM user Write

user*

Resources Defined by Identity And Access Management

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.

Resource Types ARN Condition Keys
access-report arn:${Partition}:iam::${Account}:access-report/${EntityPath}
assumed-role arn:${Partition}:iam::${Account}:assumed-role/${RoleName}/${RoleSessionName}
federated-user arn:${Partition}:iam::${Account}:federated-user/${UserName}
group arn:${Partition}:iam::${Account}:group/${GroupNameWithPath}
instance-profile arn:${Partition}:iam::${Account}:instance-profile/${InstanceProfileNameWithPath}
mfa arn:${Partition}:iam::${Account}:mfa/${Path}/${MfaTokenId}
oidc-provider arn:${Partition}:iam::${Account}:oidc-provider/${OidcProviderName}
policy arn:${Partition}:iam::${Account}:policy/${PolicyNameWithPath}
role arn:${Partition}:iam::${Account}:role/${RoleNameWithPath}

iam:ResourceTag/${TagKey}

saml-provider arn:${Partition}:iam::${Account}:saml-provider/${SamlProviderName}
server-certificate arn:${Partition}:iam::${Account}:server-certificate/${CertificateNameWithPath}
sms-mfa arn:${Partition}:iam::${Account}:sms-mfa/${MfaTokenIdWithPath}
user arn:${Partition}:iam::${Account}:user/${UserNameWithPath}

iam:ResourceTag/${TagKey}

Condition Keys for Identity And Access Management

Identity And Access Management defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The Condition Keys Table.

To view the global condition keys that are available to all services, see Available Global Condition Keys in the IAM Policy Reference.

Condition Keys Description Type
iam:AWSServiceName Filters access by the AWS service to which this role is attached String
iam:OrganizationsPolicyId Filters access by the ID of an AWS Organizations policy String
iam:PassedToService Filters access by the AWS service to which this role is passed String
iam:PermissionsBoundary Filters access if the specified policy is set as the permissions boundary on the IAM entity (user or role) String
iam:PolicyARN Filters access by the ARN of an IAM policy ARN
iam:ResourceTag/${TagKey} Filters access by the tags attached to an IAM entity (user or role). String