AWS Cloud Map API Permissions: Actions, Resources, and Conditions Reference
When you set up Access Control and write
a permissions policy that you can attach to an IAM identity (identity-based policies), you
can use the following lists as a reference. The lists include each AWS Cloud Map API action, the
actions that you must grant permissions access to, and the AWS resource that you must grant
access to. You specify the actions in the Action field for the policy, and you
specify the resource value in the Resource field for the policy.
You can use AWS Cloud Map–specific condition keys in your IAM policies for some operations. For more information, see AWS Cloud Map Condition Keys Reference. You can also use AWS wide condition keys. For a complete list of AWS wide keys, see Available Keys in the IAM User Guide.
To specify an action, use the servicediscovery prefix followed by the API
action name, for example, servicediscovery:CreatePublicDnsNamespace and
route53:CreateHostedZone.
Required Permissions for AWS Cloud Map Actions
- CreateHttpNamespace
-
Required Permissions (API Action):
-
servicediscovery:CreateHttpNamespace
Resources:
* -
- CreatePrivateDnsNamespace
-
Required Permissions (API Action):
-
servicediscovery:CreatePrivateDnsNamespace -
route53:CreateHostedZone -
route53:GetHostedZone -
route53:ListHostedZonesByName -
ec2:DescribeVpcs -
ec2:DescribeRegions
Resources:
* -
- CreatePublicDnsNamespace
-
Required Permissions (API Action):
-
servicediscovery:CreatePublicDnsNamespace -
route53:CreateHostedZone -
route53:GetHostedZone -
route53:ListHostedZonesByName
Resources:
* -
- CreateService
-
Required Permissions (API Action):
servicediscovery:CreateServiceResources:
* - DeleteNamespace
-
Required Permissions (API Action):
-
servicediscovery:DeleteNamespace
Resources:
*,arn:aws:servicediscovery:region:account-id:namespace/namespace-id -
- DeleteService
-
Required Permissions (API Action):
servicediscovery:DeleteServiceResources:
*,arn:aws:servicediscovery:region:account-id:service/service-id - DeregisterInstance
-
Required Permissions (API Action):
-
servicediscovery:DeregisterInstance -
route53:GetHealthCheck -
route53:DeleteHealthCheck -
route53:UpdateHealthCheck -
route53:ChangeResourceRecordSets
Resources:
* -
- DiscoverInstances
-
Required Permissions (API Action):
servicediscovery:DiscoverInstancesResources:
* - GetInstance
-
Required Permissions (API Action):
servicediscovery:GetInstanceResources:
* - GetInstancesHealthStatus
-
Required Permissions (API Action):
servicediscovery:GetInstancesHealthStatusResources:
* - GetNamespace
-
Required Permissions (API Action):
servicediscovery:GetNamespaceResources:
*,arn:aws:servicediscovery:region:account-id:namespace/namespace-id - GetOperation
-
Required Permissions (API Action):
servicediscovery:GetOperationResources:
* - GetService
-
Required Permissions (API Action):
servicediscovery:GetServiceResources:
*,arn:aws:servicediscovery:region:account-id:service/service-id - ListInstances
-
Required Permissions (API Action):
servicediscovery:ListInstancesResources:
* - ListNamespaces
-
Required Permissions (API Action):
servicediscovery:ListNamespacesResources:
* - ListOperations
-
Required Permissions (API Action):
servicediscovery:ListOperationsResources:
* - ListServices
-
Required Permissions (API Action):
servicediscovery:ListServicesResources:
* - ListTagsForResource
-
Required Permissions (API Action):
servicediscovery:ListTagsForResourceResources:
* - RegisterInstance
-
Required Permissions (API Action):
-
servicediscovery:RegisterInstance -
route53:GetHealthCheck -
route53:CreateHealthCheck -
route53:UpdateHealthCheck -
route53:ChangeResourceRecordSets -
ec2:DescribeInstances
Resources:
* -
- TagResource
-
Required Permissions (API Action):
servicediscovery:TagResourceResources:
* - UntagResource
-
Required Permissions (API Action):
servicediscovery:UntagResourceResources:
* - UpdateHttpNamespace
-
Required Permissions (API Action):
servicediscovery:UpdateHttpNamespaceResources:
*,arn:aws:servicediscovery:region:account-id:namespace/namespace-id - UpdateInstanceCustomHealthStatus
-
Required Permissions (API Action):
servicediscovery:UpdateInstanceCustomHealthStatusResources:
* - UpdatePrivateDnsNamespace
-
Required Permissions (API Action):
-
servicediscovery:UpdatePrivateDnsNamespace -
route53:ChangeResourceRecordSets
Resources:
*,arn:aws:servicediscovery:region:account-id:namespace/namespace-id -
- UpdatePublicDnsNamespace
-
Required Permissions (API Action):
-
servicediscovery:UpdatePublicDnsNamespace -
route53:ChangeResourceRecordSets
Resources:
*,arn:aws:servicediscovery:region:account-id:namespace/namespace-id -
- UpdateService
-
Required Permissions (API Action):
-
servicediscovery:UpdateService -
route53:GetHealthCheck -
route53:CreateHealthCheck -
route53:DeleteHealthCheck -
route53:UpdateHealthCheck -
route53:ChangeResourceRecordSets
Resources:
*,arn:aws:servicediscovery:region:account-id:service/service-id -
AWS Cloud Map Condition Keys Reference
AWS Cloud Map defines the following condition keys that can be used in the
Condition element of an IAM policy for specific AWS Cloud Map actions. You can use
these keys to further refine the conditions under which the policy statement applies. For
details on which AWS Cloud Map actions accept these condition keys, see Actions defined by
AWS Cloud Map. For more information about condition keys in general, see Specifying Conditions in an IAM Policy.
servicediscovery:NamespaceArn-
A filter that lets you get objects by specifying the Amazon Resource Name (ARN) for the related namespace.
servicediscovery:NamespaceName-
A filter that lets you get objects by specifying the name of the related namespace.
servicediscovery:ServiceArn-
A filter that lets you get objects by specifying the Amazon Resource Name (ARN) for the related service.
servicediscovery:ServiceName-
A filter that lets you get objects by specifying the name of the related service.
