Amplify permissions reference

The following table lists each AWS Amplify Console API operation, the corresponding permissions required to perform the operation, and the AWS resource for which you can grant the permissions. Refer to this table when setting up access control and writing permissions policies that you can attach to an IAM identity (identity-based policies).

Amplify console API operations	Required permissions	Resources
CreateApp	`amplify:CreateApp`	arn:aws:amplify:`region`:`account-id`:apps/`app-id`
CreateBackendEnvironment	`amplify:CreateBackendEnvironment`	arn:aws:amplify:`region`:`account-id`:apps/`app-id`
CreateBranch	`amplify:CreateBranch`	arn:aws:amplify:`region`:`account-id`:apps/`app-id`
CreateDeployment	`amplify:CreateDeployment`	arn:aws:amplify:`region`:`account-id`:apps/`app-id`/branches/`branch-name`
CreateDomainAssociation	`amplify:CreateDomainAssociation`	arn:aws:amplify:`region`:`account-id`:apps/`app-id`
CreateWebhook	`amplify:CreateWebhook`	arn:aws:amplify:`region`:`account-id`:apps/`app-id`/branches/`branch-name`
DeleteApp	`amplify:DeleteApp`	arn:aws:amplify:`region`:`account-id`:apps/`app-id`
DeleteBackendEnvironment	`amplify:DeleteBackendEnvironment`	arn:aws:amplify:`region`:`account-id`:apps/`app-id`
DeleteBranch	`amplify:DeleteBranch`	arn:aws:amplify:`region`:`account-id`:apps/`app-id`/branches/`branch-name`
DeleteDomainAssociation	`amplify:DeleteDomainAssociation`	arn:aws:amplify:`region`:`account-id`:apps/`app-id`/domains/`domain-name`
DeleteJob	`amplify:DeleteJob`	arn:aws:amplify:`region`:`account-id`:apps/`app-id`/branches/`branch-name`/jobs/`job-id`
DeleteWebhook	`amplify:DeleteWebhook`	arn:aws:amplify:`region`:`account-id`:apps/`app-id`
GenerateAccessLogs	`amplify:GenerateAccessLogs`	arn:aws:amplify:`region`:`account-id`:apps/`app-id`
GetApp	`amplify:GetApp`	arn:aws:amplify:`region`:`account-id`:apps/`app-id`
GetArtifactUrl	`amplify:GetArtifactUrl`	arn:aws:amplify:`region`:`account-id`:apps/`app-id`
GetBackendEnvironment	`amplify:GetBackendEnvironment`	arn:aws:amplify:`region`:`account-id`:apps/`app-id`
GetBranch	`amplify:GetBranch`	arn:aws:amplify:`region`:`account-id`:apps/`app-id`/branches/`branch-name`
GetDomainAssociation	`amplify:GetDomainAssociation`	arn:aws:amplify:`region`:`account-id`:apps/`app-id`/domains/`domain-name`
GetJob	`amplify:GetJob`	arn:aws:amplify:`region`:`account-id`:apps/`app-id`/branches/`branch-name`/jobs/`job-id`
GetWebhook	`amplify:GetWebhook`	arn:aws:amplify:`region`:`account-id`:apps/`app-id`
ListApps	`amplify:ListApps`	No required resource
ListArtifacts	`amplify:ListArtifacts`	arn:aws:amplify:`region`:`account-id`:apps/`app-id`
ListBackendEnvironments	`amplify:ListBackendEnvironments`	arn:aws:amplify:`region`:`account-id`:apps/`app-id`
ListBranches	`amplify:ListBranches`	arn:aws:amplify:`region`:`account-id`:apps/`app-id`
ListDomainAssociations	`amplify:ListDomainAssociations`	arn:aws:amplify:`region`:`account-id`:apps/`app-id`
ListJobs	`amplify:ListJobs`	arn:aws:amplify:`region`:`account-id`:apps/`app-id`/branches/`branch-name`
ListWebhooks	`amplify:ListWebhooks`	arn:aws:amplify:`region`:`account-id`:apps/`app-id`
StartDeployment	`amplify:StartDeployment`	arn:aws:amplify:`region`:`account-id`:apps/`app-id`/branches/`branch-name`
StartJob	`amplify:StartJob`	arn:aws:amplify:`region`:`account-id`:apps/`app-id`/branches/`branch-name`/jobs/`job-id`
StopJob	`amplify:StopJob`	arn:aws:amplify:`region`:`account-id`:apps/`app-id`/branches/`branch-name`/jobs/`job-id`
TagResource	`amplify:TagResource`	arn:aws:amplify:`region`:`account-id`:apps/`app-id` or arn:aws:amplify:`region`:`account-id`:apps/`app-id`/branches/`branch-name` or arn:aws:amplify:`region`:`account-id`:apps/`app-id`/branches/`branch-name`/jobs/`job-id`
UntagResource	`amplify:UntagResource`	arn:aws:amplify:`region`:`account-id`:apps/`app-id` or arn:aws:amplify:`region`:`account-id`:apps/`app-id`/branches/`branch-name` or arn:aws:amplify:`region`:`account-id`:apps/`app-id`/branches/`branch-name`/jobs/`job-id`
UpdateApp	`amplify:UpdateApp`	arn:aws:amplify:`region`:`account-id`:apps/`app-id`
UpdateBranch	`amplify:UpdateBranch`	arn:aws:amplify:`region`:`account-id`:apps/`app-id`/branches/`branch-name`
UpdateDomainAssociation	`amplify:UpdateDomainAssociation`	arn:aws:amplify:`region`:`account-id`:apps/`app-id`/domains/`domain-name`
UpdateWebhook	`amplify:UpdateWebhook`	arn:aws:amplify:`region`:`account-id`:apps/`app-id`

The following table lists each Amplify Admin UI API operation, the corresponding permissions required to perform the operation, and the AWS resource for which you can grant the permissions.

Admin UI API operations	Required permissions	Resources
CloneBackend	`amplifybackend:CloneBackend`	arn:aws:amplifybackend:`region`:`account-id`:backend/`app-id`
CreateBackend	`amplifybackend:CreateBackend`	arn:aws:amplifybackend:`region`:`account-id`:backend/`app-id`
CreateBackendAPI	`amplifybackend:CreateBackendAPI`	arn:aws:amplifybackend:`region`:`account-id`:backend/`app-id` arn:aws:amplifybackend:`region`:`account-id`:backend/`app-id`/environments arn:aws:amplifybackend:`region`:`account-id`:backend/`app-id`/api
CreateBackendAuth	`amplifybackend:CreateBackendAuth`	arn:aws:amplifybackend:`region`:`account-id`:backend/`app-id` arn:aws:amplifybackend:`region`:`account-id`:backend/`app-id`/environments arn:aws:amplifybackend:`region`:`account-id`:backend/`app-id`/auth
CreateBackendConfig	`amplifybackend:CreateBackendConfig`	arn:aws:amplifybackend:`region`:`account-id`:backend/`app-id`
CreateToken	`amplifybackend:CreateToken`	arn:aws:amplifybackend:`region`:`account-id`:backend/`app-id`
DeleteBackend	`amplifybackend:DeleteBackend`	arn:aws:amplifybackend:`region`:`account-id`:backend/`app-id` arn:aws:amplifybackend:`region`:`account-id`:backend/`app-id`/environments
DeleteBackendAPI	`amplifybackend:DeleteBackendAPI`	arn:aws:amplifybackend:`region`:`account-id`:backend/`app-id` arn:aws:amplifybackend:`region`:`account-id`:backend/`app-id`/environments arn:aws:amplifybackend:`region`:`account-id`:backend/`app-id`/api
DeleteBackendAuth	`amplifybackend:DeleteBackendAuth`	arn:aws:amplifybackend:`region`:`account-id`:backend/`app-id` arn:aws:amplifybackend:`region`:`account-id`:backend/`app-id`/environments arn:aws:amplifybackend:`region`:`account-id`:backend/`app-id`/auth
DeleteToken	`amplifybackend:DeleteToken`	arn:aws:amplifybackend:`region`:`account-id`:backend/`app-id`
GenerateBackendAPIModels	`amplifybackend:GenerateBackendAPIModels`	arn:aws:amplifybackend:`region`:`account-id`:backend/`app-id` arn:aws:amplifybackend:`region`:`account-id`:backend/`app-id`/environments arn:aws:amplifybackend:`region`:`account-id`:backend/`app-id`/api
GetBackend	`amplifybackend:GetBackend`	arn:aws:amplifybackend:`region`:`account-id`:backend/`app-id` arn:aws:amplifybackend:`region`:`account-id`:backend/`app-id`/environments
GetBackendAPI	`amplifybackend:GetBackendAPI`	arn:aws:amplifybackend:`region`:`account-id`:backend/`app-id` arn:aws:amplifybackend:`region`:`account-id`:backend/`app-id`/environments arn:aws:amplifybackend:`region`:`account-id`:backend/`app-id`/api
GetBackendAPIModels	`amplifybackend:GetBackendAPIModels`	arn:aws:amplifybackend:`region`:`account-id`:backend/`app-id` arn:aws:amplifybackend:`region`:`account-id`:backend/`app-id`/environments arn:aws:amplifybackend:`region`:`account-id`:backend/`app-id`/api
GetBackendAuth	`amplifybackend:GetBackendAuth`	arn:aws:amplifybackend:`region`:`account-id`:backend/`app-id` arn:aws:amplifybackend:`region`:`account-id`:backend/`app-id`/environments arn:aws:amplifybackend:`region`:`account-id`:backend/`app-id`/auth
GetBackendJob	`amplifybackend:GetBackendJob`	arn:aws:amplifybackend:`region`:`account-id`:backend/`app-id` arn:aws:amplifybackend:`region`:`account-id`:backend/`app-id`/job
GetToken	`amplifybackend:GetToken`	arn:aws:amplifybackend:`region`:`account-id`:backend/`app-id`
ListBackendJobs	`amplifybackend:ListBackendJobs`	arn:aws:amplifybackend:`region`:`account-id`:backend/`app-id` arn:aws:amplifybackend:`region`:`account-id`:backend/`app-id`/job
RemoveAllBackends	`amplifybackend:RemoveAllBackends`	arn:aws:amplifybackend:`region`:`account-id`:backend/`app-id` arn:aws:amplifybackend:`region`:`account-id`:backend/`app-id`/environments
RemoveBackendConfig	`amplifybackend:RemoveBackendConfig`	arn:aws:amplifybackend:`region`:`account-id`:backend/`app-id`
UpdateBackendAPI	`amplifybackend:UpdateBackendAPI`	arn:aws:amplifybackend:`region`:`account-id`:backend/`app-id` arn:aws:amplifybackend:`region`:`account-id`:backend/`app-id`/environments arn:aws:amplifybackend:`region`:`account-id`:backend/`app-id`/api
UpdateBackendAuth	`amplifybackend:UpdateBackendAuth`	arn:aws:amplifybackend:`region`:`account-id`:backend/`app-id` arn:aws:amplifybackend:`region`:`account-id`:backend/`app-id`/environments arn:aws:amplifybackend:`region`:`account-id`:backend/`app-id`/auth
UpdateBackendConfig	`amplifybackend:UpdateBackendConfig`	arn:aws:amplifybackend:`region`:`account-id`:backend/`app-id`
UpdateBackendJob	`amplifybackend:UpdateBackendJob`	arn:aws:amplifybackend:`region`:`account-id`:backend/`app-id` arn:aws:amplifybackend:`region`:`account-id`:backend/`app-id`/job

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Troubleshooting

Cross-service confused deputy prevention