AWS Cloud Map
Developer Guide

AWS Cloud Map API Permissions: Actions, Resources, and Conditions Reference

When you set up Access Control and write a permissions policy that you can attach to an IAM identity (an identity-based policy), you can use the following lists as a reference. For each AWS Cloud Map API action, the lists give the IAM actions for which you must grant permissions (some AWS Cloud Map operations also call other services, so their lists include Route 53 and Amazon EC2 actions as well) and the AWS resource to which you must grant access. You specify the actions in the Action element of the policy and the resource value in the Resource element.

You can use AWS Cloud Map–specific condition keys in your IAM policies for some operations. For more information, see AWS Cloud Map Condition Keys Reference. You can also use AWS-wide condition keys. For a complete list of AWS-wide keys, see Available Keys in the IAM User Guide.

To specify an action, use the servicediscovery prefix followed by the API action name, for example, servicediscovery:CreatePublicDnsNamespace. Where an AWS Cloud Map operation also requires actions from another service, specify those with that service's own prefix, for example, route53:CreateHostedZone.

Required Permissions for AWS Cloud Map Actions

CreateHttpNamespace

Required Permissions (API Action):

  • servicediscovery:CreateHttpNamespace

Resources: *

CreatePrivateDnsNamespace

Required Permissions (API Action):

  • servicediscovery:CreatePrivateDnsNamespace

  • route53:CreateHostedZone

  • route53:GetHostedZone

  • route53:ListHostedZonesByName

  • ec2:DescribeVpcs

  • ec2:DescribeRegions

Resources: *

CreatePublicDnsNamespace

Required Permissions (API Action):

  • servicediscovery:CreatePublicDnsNamespace

  • route53:CreateHostedZone

  • route53:GetHostedZone

  • route53:ListHostedZonesByName

Resources: *

CreateService

Required Permissions (API Action): servicediscovery:CreateService

Resources: *

DeleteNamespace

Required Permissions (API Action):

  • servicediscovery:DeleteNamespace

  • route53:DeleteHostedZone

Resources: *, arn:aws:servicediscovery:region:account-id:namespace/namespace-id

DeleteService

Required Permissions (API Action): servicediscovery:DeleteService

Resources: *, arn:aws:servicediscovery:region:account-id:service/service-id

DeregisterInstance

Required Permissions (API Action):

  • servicediscovery:DeregisterInstance

  • route53:GetHealthCheck

  • route53:DeleteHealthCheck

  • route53:UpdateHealthCheck

  • route53:ChangeResourceRecordSets

Resources: *

DiscoverInstances

Required Permissions (API Action): servicediscovery:DiscoverInstances

Resources: *

GetInstance

Required Permissions (API Action): servicediscovery:GetInstance

Resources: *

GetInstancesHealthStatus

Required Permissions (API Action): servicediscovery:GetInstancesHealthStatus

Resources: *

GetNamespace

Required Permissions (API Action): servicediscovery:GetNamespace

Resources: *, arn:aws:servicediscovery:region:account-id:namespace/namespace-id

GetOperation

Required Permissions (API Action): servicediscovery:GetOperation

Resources: *

GetService

Required Permissions (API Action): servicediscovery:GetService

Resources: *, arn:aws:servicediscovery:region:account-id:service/service-id

ListInstances

Required Permissions (API Action): servicediscovery:ListInstances

Resources: *

ListNamespaces

Required Permissions (API Action): servicediscovery:ListNamespaces

Resources: *

ListOperations

Required Permissions (API Action): servicediscovery:ListOperations

Resources: *

ListServices

Required Permissions (API Action): servicediscovery:ListServices

Resources: *

RegisterInstance

Required Permissions (API Action):

  • servicediscovery:RegisterInstance

  • route53:GetHealthCheck

  • route53:CreateHealthCheck

  • route53:UpdateHealthCheck

  • route53:ChangeResourceRecordSets

Resources: *

UpdateInstanceCustomHealthStatus

Required Permissions (API Action): servicediscovery:UpdateInstanceCustomHealthStatus

Resources: *

UpdateService

Required Permissions (API Action):

  • servicediscovery:UpdateService

  • route53:GetHealthCheck

  • route53:CreateHealthCheck

  • route53:DeleteHealthCheck

  • route53:UpdateHealthCheck

  • route53:ChangeResourceRecordSets

Resources: *, arn:aws:servicediscovery:region:account-id:service/service-id

AWS Cloud Map Condition Keys Reference

AWS Cloud Map defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For more information, see Specifying Conditions in an IAM Policy.

servicediscovery:NamespaceArn

A filter that lets you get objects by specifying the Amazon Resource Name (ARN) for the related namespace.

servicediscovery:NamespaceName

A filter that lets you get objects by specifying the name of the related namespace.

servicediscovery:ServiceArn

A filter that lets you get objects by specifying the Amazon Resource Name (ARN) for the related service.

servicediscovery:ServiceName

A filter that lets you get objects by specifying the name of the related service.
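The following is an added example, not code from the AWS Cloud Map Developer Guide or from AWS. It is a small offline model of identity-policy evaluation that serves the two parts of this reference: the required-permissions lists above (does a policy grant every action a given AWS Cloud Map call needs, including the route53: and ec2: actions?) and the condition keys just described (how does a key such as servicediscovery:NamespaceName narrow a statement?). The model keeps only the IAM semantics needed here: explicit Deny wins, otherwise any matching Allow grants access; "*" and "?" wildcards in Action and Resource; and the StringEquals, ArnEquals, StringLike and ArnLike operators. The sample policies, the namespace ARN and the namespace name are constructed placeholders, and the choice of DiscoverInstances as an operation that honours servicediscovery:NamespaceName is an assumption that this page does not state.

```python
"""Added example (not AWS code): a teaching model of IAM identity-policy evaluation
used to check AWS Cloud Map permission requirements and condition keys offline."""
from fnmatch import fnmatchcase

# Subset of the reference lists above: API call -> IAM actions it needs.
REQUIRED_ACTIONS = {
    "CreateHttpNamespace": ["servicediscovery:CreateHttpNamespace"],
    "CreatePrivateDnsNamespace": [
        "servicediscovery:CreatePrivateDnsNamespace",
        "route53:CreateHostedZone",
        "route53:GetHostedZone",
        "route53:ListHostedZonesByName",
        "ec2:DescribeVpcs",
        "ec2:DescribeRegions",
    ],
    "RegisterInstance": [
        "servicediscovery:RegisterInstance",
        "route53:GetHealthCheck",
        "route53:CreateHealthCheck",
        "route53:UpdateHealthCheck",
        "route53:ChangeResourceRecordSets",
    ],
    "GetNamespace": ["servicediscovery:GetNamespace"],
    "DeleteNamespace": ["servicediscovery:DeleteNamespace", "route53:DeleteHostedZone"],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _conditions_hold(condition, context):
    """True when every condition key in the statement is satisfied by the request context."""
    for operator, pairs in (condition or {}).items():
        for key, wanted in pairs.items():
            actual = context.get(key)
            if actual is None:  # key absent from the request: these operators fail
                return False
            if operator in ("StringEquals", "ArnEquals"):
                if actual not in _as_list(wanted):
                    return False
            elif operator in ("StringLike", "ArnLike"):
                if not any(fnmatchcase(actual, p) for p in _as_list(wanted)):
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def is_allowed(policy, action, resource="*", context=None):
    """Evaluate one request (action, resource ARN, condition context) against a policy.

    Pass resource="*" for actions that do not support resource-level permissions, so
    that only a statement with Resource "*" can grant them (as the lists above require).
    """
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        # Action names are case-insensitive in IAM; resource ARNs are case-sensitive.
        if not any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
            continue
        if not _conditions_hold(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit Deny overrides every Allow
        allowed = True
    return allowed


def missing_permissions(policy, api_call, resource="*", context=None):
    """IAM actions the given AWS Cloud Map API call needs but the policy does not grant."""
    return [a for a in REQUIRED_ACTIONS[api_call]
            if not is_allowed(policy, a, resource, context)]


# Constructed sample: grants every servicediscovery action but none of the Route 53 / EC2
# actions that CreatePrivateDnsNamespace, RegisterInstance and DeleteNamespace also need.
SERVICEDISCOVERY_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "servicediscovery:*", "Resource": "*"}],
}

# Constructed placeholders, not real resources.
NAMESPACE_ARN = "arn:aws:servicediscovery:us-east-1:111122223333:namespace/ns-EXAMPLE"
NAMESPACE_NAME = "prod.example.internal"

# Constructed sample: least privilege for creating private DNS namespaces, read access to
# one namespace by ARN, and DiscoverInstances limited to one namespace name.
# Assumption: DiscoverInstances honours servicediscovery:NamespaceName.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": REQUIRED_ACTIONS["CreatePrivateDnsNamespace"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "servicediscovery:GetNamespace",
         "Resource": NAMESPACE_ARN},
        {"Effect": "Allow", "Action": "servicediscovery:DiscoverInstances", "Resource": "*",
         "Condition": {"StringEquals": {"servicediscovery:NamespaceName": NAMESPACE_NAME}}},
    ],
}

if __name__ == "__main__":
    print("servicediscovery:* alone still lacks:",
          missing_permissions(SERVICEDISCOVERY_ONLY_POLICY, "CreatePrivateDnsNamespace"))
    print("scoped policy lacks:", missing_permissions(SCOPED_POLICY, "CreatePrivateDnsNamespace"))
```

Running the module shows the failure mode the lists warn about: a policy that grants only servicediscovery:* still cannot complete CreatePrivateDnsNamespace, because the five Route 53 and EC2 actions are missing, while the scoped policy grants all of them. The GetNamespace statement illustrates the ARN form given under "Resources" for that action, and the DiscoverInstances statement shows a condition key confining a "Resources: *" action to one namespace.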