Actions, resources, and condition keys for Network Manager - AWS Identity and Access Management

Tip

This page is moving to a new location on November 16, 2020. Please update your bookmark to use the new page at https://docs.aws.amazon.com/service-authorization/latest/reference/list_networkmanager.html.

Network Manager (service prefix: networkmanager) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions defined by Network Manager

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement; a statement that names an ARN for such an action never matches the request. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If a resource type is optional (not marked as required), you can include an ARN of that type or omit it.

For details about the columns in the following table, see The actions table.

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| AssociateCustomerGateway | Grants permission to associate a customer gateway with a device | Write | device*, global-network*, link | networkmanager:cgwArn | |
| AssociateLink | Grants permission to associate a link with a device | Write | device*, global-network*, link* | | |
| CreateDevice | Grants permission to create a new device | Write | global-network* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateGlobalNetwork | Grants permission to create a new global network | Write | | aws:RequestTag/${TagKey}, aws:TagKeys | iam:CreateServiceLinkedRole |
| CreateLink | Grants permission to create a new link | Write | global-network*, site | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateSite | Grants permission to create a new site | Write | global-network* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| DeleteDevice | Grants permission to delete a device | Write | device*, global-network* | | |
| DeleteGlobalNetwork | Grants permission to delete a global network | Write | global-network* | | |
| DeleteLink | Grants permission to delete a link | Write | global-network*, link* | | |
| DeleteSite | Grants permission to delete a site | Write | global-network*, site* | | |
| DeregisterTransitGateway | Grants permission to deregister a transit gateway from a global network | Write | global-network* | networkmanager:tgwArn | |
| DescribeGlobalNetworks | Grants permission to describe global networks | List | global-network | | |
| DisassociateCustomerGateway | Grants permission to disassociate a customer gateway from a device | Write | global-network* | networkmanager:cgwArn | |
| DisassociateLink | Grants permission to disassociate a link from a device | Write | device*, global-network*, link* | | |
| GetCustomerGatewayAssociations | Grants permission to describe customer gateway associations | List | global-network* | | |
| GetDevices | Grants permission to describe devices | List | global-network*, device | | |
| GetLinkAssociations | Grants permission to describe link associations | List | global-network*, device, link | | |
| GetLinks | Grants permission to describe links | List | global-network*, link | | |
| GetSites | Grants permission to describe sites | List | global-network*, site | | |
| GetTransitGatewayRegistrations | Grants permission to describe transit gateway registrations | List | global-network* | | |
| ListTagsForResource | Grants permission to list tags for a Network Manager resource | Read | device, global-network, link, site | aws:ResourceTag/${TagKey} | |
| RegisterTransitGateway | Grants permission to register a transit gateway to a global network | Write | global-network* | networkmanager:tgwArn | |
| TagResource | Grants permission to tag a Network Manager resource | Tagging | device, global-network, link, site | aws:TagKeys, aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey} | |
| UntagResource | Grants permission to untag a Network Manager resource | Tagging | device, global-network, link, site | aws:TagKeys | |
| UpdateDevice | Grants permission to update a device | Write | device*, global-network* | | |
| UpdateGlobalNetwork | Grants permission to update a global network | Write | global-network* | | |
| UpdateLink | Grants permission to update a link | Write | global-network*, link* | | |
| UpdateSite | Grants permission to update a site | Write | global-network*, site* | | |

Resource types defined by Network Manager

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The resource types table.

| Resource types | ARN | Condition keys |
|---|---|---|
| global-network | arn:${Partition}:networkmanager::${Account}:global-network/${ResourceId} | aws:ResourceTag/${TagKey} |
| site | arn:${Partition}:networkmanager::${Account}:site/${GlobalNetworkId}/${ResourceId} | aws:ResourceTag/${TagKey} |
| link | arn:${Partition}:networkmanager::${Account}:link/${GlobalNetworkId}/${ResourceId} | aws:ResourceTag/${TagKey} |
| device | arn:${Partition}:networkmanager::${Account}:device/${GlobalNetworkId}/${ResourceId} | aws:ResourceTag/${TagKey} |

Note that the region field of these ARNs is empty (two consecutive colons after the service name): Network Manager resources are not regional, and an ARN written with a region never matches.

Condition keys for Network Manager

Network Manager defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters actions based on the presence of tag key-value pairs in the request | String |
| aws:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource | String |
| aws:TagKeys | Filters actions based on the presence of tag keys in the request | String |
| networkmanager:cgwArn | Controls which customer gateways can be associated or disassociated | String |
| networkmanager:tgwArn | Controls which transit gateways can be registered or deregistered | String |
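The three tables above are only useful together: an action's row says which resource types and service condition keys it accepts, the resource types table gives the ARN shape each type must have, and a statement that disagrees with either never authorizes anything (an Allow on CreateGlobalNetwork scoped to an ARN, or a networkmanager:tgwArn condition on an action that does not populate that key, is silently dead). The following is an added example, not code from this page or from AWS: a small linter that transcribes a subset of the actions table and the four ARN formats into Python and checks Allow statements of a policy against them. The account id, global network id, device id and transit gateway id in the sample policy are hypothetical placeholders, and the ACTIONS dictionary covers only the rows needed for the sample; the remaining rows are added the same way.

```python
import re

# ARN formats from the resource types table, as regexes. ${Partition} is a
# partition name (aws, aws-cn, aws-us-gov), ${Account} a 12-digit account id.
# The region field between the two colons is empty: these ARNs carry no region.
ARN_PATTERNS = {
    "global-network": re.compile(r"^arn:[a-z-]+:networkmanager::\d{12}:global-network/[^/]+$"),
    "site":           re.compile(r"^arn:[a-z-]+:networkmanager::\d{12}:site/[^/]+/[^/]+$"),
    "link":           re.compile(r"^arn:[a-z-]+:networkmanager::\d{12}:link/[^/]+/[^/]+$"),
    "device":         re.compile(r"^arn:[a-z-]+:networkmanager::\d{12}:device/[^/]+/[^/]+$"),
}

# Transcribed from the actions table (a subset; add the other rows the same way):
# action -> (required resource types, optional resource types, service condition keys)
ACTIONS = {
    "networkmanager:CreateGlobalNetwork":      (set(), set(), set()),
    "networkmanager:CreateDevice":             ({"global-network"}, set(), set()),
    "networkmanager:RegisterTransitGateway":   ({"global-network"}, set(), {"networkmanager:tgwArn"}),
    "networkmanager:DeregisterTransitGateway": ({"global-network"}, set(), {"networkmanager:tgwArn"}),
    "networkmanager:AssociateCustomerGateway": ({"device", "global-network"}, {"link"}, {"networkmanager:cgwArn"}),
    "networkmanager:DescribeGlobalNetworks":   (set(), {"global-network"}, set()),
}


def arn_type(arn):
    """Return the Network Manager resource type an ARN denotes, or None."""
    for rtype, pattern in ARN_PATTERNS.items():
        if pattern.match(arn):
            return rtype
    return None


def as_list(value):
    return [value] if isinstance(value, str) else list(value)


def lint_statement(statement):
    """Return findings for one Allow statement whose scoping can never authorize."""
    findings = []
    resources = as_list(statement["Resource"])
    used_keys = {key for operands in statement.get("Condition", {}).values()
                 for key in operands if key.startswith("networkmanager:")}
    for action in as_list(statement["Action"]):
        if action not in ACTIONS:
            findings.append(f"{action}: not in the transcribed table, skipped")
            continue
        required, optional, cond_keys = ACTIONS[action]
        supported = required | optional
        # A key the action does not populate is absent from the request context,
        # so a StringEquals on it evaluates false and the Allow never applies.
        for key in sorted(used_keys - cond_keys):
            findings.append(f"{action}: condition key {key} is not supported; Allow never matches")
        if not supported:
            # No resource-level permissions: the Resource element must be "*".
            if any(r != "*" for r in resources):
                findings.append(f'{action}: no resource types; Resource must be "*"')
            continue
        for arn in resources:
            if arn == "*":
                continue
            rtype = arn_type(arn)
            if rtype is None:
                findings.append(f"{action}: {arn} matches no Network Manager ARN format")
            elif rtype not in supported:
                findings.append(f"{action}: resource type {rtype} is not accepted")
        # Every required resource in the request must be allowed, so each required
        # type needs a wildcard or an ARN of that type (here or in another statement).
        if "*" not in resources:
            covered = {arn_type(r) for r in resources}
            for rtype in sorted(required - covered):
                findings.append(f"{action}: required resource type {rtype} is not covered here")
    return findings


def lint_policy(policy):
    """Lint every Allow statement of a parsed policy document."""
    return [f for s in policy["Statement"] if s.get("Effect") == "Allow"
            for f in lint_statement(s)]


# Constructed sample policy; account, global network, device and transit gateway
# ids are hypothetical placeholders.
GN = "arn:aws:networkmanager::111122223333:global-network/global-network-0123456789abcdef0"
DEV = ("arn:aws:networkmanager::111122223333:device/"
       "global-network-0123456789abcdef0/device-0123456789abcdef0")
TGW = "arn:aws:ec2:us-east-1:111122223333:transit-gateway/tgw-0123456789abcdef0"
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CreateTaggedGlobalNetwork", "Effect": "Allow",   # fine: "*" plus a request-tag condition
         "Action": "networkmanager:CreateGlobalNetwork", "Resource": "*",
         "Condition": {"StringEquals": {"aws:RequestTag/Owner": "netops"}}},
        {"Sid": "RegisterOneTransitGateway", "Effect": "Allow",   # fine: one global network, one TGW
         "Action": ["networkmanager:RegisterTransitGateway",
                    "networkmanager:DeregisterTransitGateway"],
         "Resource": GN,
         "Condition": {"StringEquals": {"networkmanager:tgwArn": TGW}}},
        {"Sid": "ScopedCreate", "Effect": "Allow",                # dead: ARN on an action with no resource types
         "Action": "networkmanager:CreateGlobalNetwork", "Resource": GN},
        {"Sid": "AssociateOnDevice", "Effect": "Allow",           # dead: wrong key, global-network ARN missing
         "Action": "networkmanager:AssociateCustomerGateway", "Resource": DEV,
         "Condition": {"StringEquals": {"networkmanager:tgwArn": TGW}}},
    ],
}

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print(finding)
```

Run against the sample, the first two statements pass and the last two produce three findings: the scoped CreateGlobalNetwork, the unsupported networkmanager:tgwArn key on AssociateCustomerGateway, and the missing global-network ARN that action also requires. The "not covered here" finding is deliberately soft, because IAM authorizes each resource in a multi-resource request independently and another statement or policy may supply the global-network ARN; the other findings describe statements that cannot match under any circumstances.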