Required Permissions for AWS Cloud Map Actions AWS Cloud Map Condition Keys Reference

AWS Cloud Map API Permissions: Actions, Resources, and Conditions Reference

When you set up Access Control and write a permissions policy that you can attach to an IAM identity (identity-based policies), you can use the following lists as a reference. The lists include each AWS Cloud Map API action, the actions that you must grant permissions access to, and the AWS resource that you must grant access to. You specify the actions in the Action field for the policy, and you specify the resource value in the Resource field for the policy.

You can use AWS Cloud Map–specific condition keys in your IAM policies for some operations. For more information, see AWS Cloud Map Condition Keys Reference. You can also use AWS wide condition keys. For a complete list of AWS wide keys, see Available Keys in the IAM User Guide.

To specify an action, use the servicediscovery prefix followed by the API action name, for example, servicediscovery:CreatePublicDnsNamespace and route53:CreateHostedZone.

Topics

Required Permissions for AWS Cloud Map Actions
AWS Cloud Map Condition Keys Reference

Required Permissions for AWS Cloud Map Actions

CreateHttpNamespace

Required Permissions (API Action):

servicediscovery:CreateHttpNamespace

Resources: *

CreatePrivateDnsNamespace

Required Permissions (API Action):

servicediscovery:CreatePrivateDnsNamespace
route53:CreateHostedZone
route53:GetHostedZone
route53:ListHostedZonesByName
ec2:DescribeVpcs
ec2:DescribeRegions

Resources: *

CreatePublicDnsNamespace

Required Permissions (API Action):

servicediscovery:CreatePublicDnsNamespace
route53:CreateHostedZone
route53:GetHostedZone
route53:ListHostedZonesByName

Resources: *

CreateService

Required Permissions (API Action): servicediscovery:CreateService

Resources: *

DeleteNamespace

Required Permissions (API Action):

servicediscovery:DeleteNamespace
route53:DeleteHostedZone

Resources: *, arn:aws:servicediscovery:region:account-id:namespace/namespace-id

DeleteService

Required Permissions (API Action): servicediscovery:DeleteService

Resources: *, arn:aws:servicediscovery:region:account-id:service/service-id

DeregisterInstance

Required Permissions (API Action):

servicediscovery:DeregisterInstance
route53:GetHealthCheck
route53:DeleteHealthCheck
route53:UpdateHealthCheck
route53:ChangeResourceRecordSets

Resources: *

DiscoverInstances

Required Permissions (API Action): servicediscovery:DiscoverInstances

Resources: *

GetInstance

Required Permissions (API Action): servicediscovery:GetInstance

Resources: *

GetInstancesHealthStatus

Required Permissions (API Action): servicediscovery:GetInstancesHealthStatus

Resources: *

GetNamespace

Required Permissions (API Action): servicediscovery:GetNamespace

Resources: *, arn:aws:servicediscovery:region:account-id:namespace/namespace-id

GetOperation

Required Permissions (API Action): servicediscovery:GetOperation

Resources: *

GetService

Required Permissions (API Action): servicediscovery:GetService

Resources: *, arn:aws:servicediscovery:region:account-id:service/service-id

ListInstances

Required Permissions (API Action): servicediscovery:ListInstances

Resources: *

ListNamespaces

Required Permissions (API Action): servicediscovery:ListNamespaces

Resources: *

ListOperations

Required Permissions (API Action): servicediscovery:ListOperations

Resources: *

ListServices

Required Permissions (API Action): servicediscovery:ListServices

Resources: *

RegisterInstance

Required Permissions (API Action):

servicediscovery:RegisterInstance
route53:GetHealthCheck
route53:CreateHealthCheck
route53:UpdateHealthCheck
route53:ChangeResourceRecordSets
ec2:DescribeInstances

Resources: *

UpdateHttpNamespace

Required Permissions (API Action): servicediscovery:UpdateHttpNamespace

Resources: *, arn:aws:servicediscovery:region:account-id:namespace/namespace-id

UpdateInstanceCustomHealthStatus

Required Permissions (API Action): servicediscovery:UpdateInstanceCustomHealthStatus

Resources: *

UpdatePrivateDnsNamespace

Required Permissions (API Action):

servicediscovery:UpdatePrivateDnsNamespace
route53:ChangeResourceRecordSets

Resources: *, arn:aws:servicediscovery:region:account-id:namespace/namespace-id

UpdatePublicDnsNamespace

Required Permissions (API Action):

servicediscovery:UpdatePublicDnsNamespace
route53:ChangeResourceRecordSets

Resources: *, arn:aws:servicediscovery:region:account-id:namespace/namespace-id

UpdateService

Required Permissions (API Action):

servicediscovery:UpdateService
route53:GetHealthCheck
route53:CreateHealthCheck
route53:DeleteHealthCheck
route53:UpdateHealthCheck
route53:ChangeResourceRecordSets

Resources: *, arn:aws:servicediscovery:region:account-id:service/service-id

AWS Cloud Map Condition Keys Reference

AWS Cloud Map defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For more information, see Specifying Conditions in an IAM Policy.

servicediscovery:NamespaceArn: A filter that lets you get objects by specifying the Amazon Resource Name (ARN) for the related namespace.
servicediscovery:NamespaceName: A filter that lets you get objects by specifying the name of the related namespace.
servicediscovery:ServiceArn: A filter that lets you get objects by specifying the Amazon Resource Name (ARN) for the related service.
servicediscovery:ServiceName: A filter that lets you get objects by specifying the name of the related service.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Using IAM Policies for AWS Cloud Map

Logging and Monitoring