AWS Data Exchange API permissions: actions and resources reference

Use the following table as a reference when you are setting up Access control and writing a permissions policy that you can attach to an AWS Identity and Access Management (IAM) identity (identity-based policies). The table lists each AWS Data Exchange API operation, the actions for which you can grant permissions to perform the action, and the AWS resource for which you can grant the permissions. You specify the actions in the policy's Action field. You specify the resource value in the policy's Resource field.

Note

To specify an action, use the dataexchange: prefix followed by the API operation name (for example, dataexchange:CreateDataSet).

AWS Data Exchange API and required permissions for actions
AWS Data Exchange API operations	Required permissions (API actions)	Resources	Conditions
`CreateDataSet`	`dataexchange:CreateDataSet`	N/A	`aws:TagKeys` `aws:RequestTag`
`GetDataSet`	`dataexchange:GetDataSet`	Data set	`aws:RequestTag`
`UpdateDataSet`	`dataexchange:UpdateDataSet`	Data set	`aws:RequestTag`
`DeleteDataSet`	`dataexchange:DeleteDataSet`	Data set	`aws:RequestTag`
`ListDataSets`	`dataexchange:ListDataSets`	N/A	N/A
`CreateRevision`	`dataexchange:CreateRevision`	Data set	`aws:TagKeys` `aws:RequestTag`
`GetRevision`	`dataexchange:GetRevision`	Revision	`aws:RequestTag`
`DeleteRevision`	`dataexchange:DeleteRevision`	Revision	`aws:RequestTag`
`ListDataSetRevisions`	`dataexchange:ListDataSetRevisions`	Data set	`aws:RequestTag`
`ListRevisionAssets`	`dataexchange:ListRevisionAssets`	Revision	`aws:RequestTag`
`CreateEventAction`	`dataexchange:CreateEventAction`	N/A	N/A
`UpdateEventAction`	`dataexchange:UpdateEventAction`	EventAction	N/A
`GetEventAction`	`dataexchange:GetEventAction`	EventAction	N/A
`ListEventActions`	`dataexchange:ListEventActions`	N/A	N/A
`DeleteEventAction`	`dataexchange:DeleteEventAction`	EventAction	N/A
`CreateJob`	`dataexchange:CreateJob`	N/A	`dataexchange:JobType`
`GetJob`	`dataexchange:GetJob`	Job	`dataexchange:JobType`
`StartJob`**	`dataexchange:StartJob`	Job	`dataexchange:JobType`
`CancelJob`	`dataexchange:CancelJob`	Job	`dataexchange:JobType`
`ListJobs`	`dataexchange:ListJobs`	N/A	N/A
`ListTagsForResource`	`dataexchange:ListTagsForResource`	Revision	`aws:RequestTag`
`TagResource`	`dataexchange:TagResource`	Revision	`aws:TagKeys` `aws:RequestTag`
`UnTagResource`	`dataexchange:UnTagResource`	Revision	`aws:TagKeys` `aws:RequestTag`
`UpdateRevision`	`dataexchange:UpdateRevision`	Revision	`aws:RequestTag`
`DeleteAsset`	`dataexchange:DeleteAsset`	Asset	N/A
`GetAsset`	`dataexchange:GetAsset`	Asset	N/A
`UpdateAsset`	`dataexchange:UpdateAsset`	Asset	N/A
`SendApiAsset`	`dataexchange:SendApiAsset`	Asset	N/A

** Additional IAM permissions might be needed depending on the type of the job you are starting. See the following table for the AWS Data Exchange job types and associated additional IAM permissions. For more information about jobs, see Jobs in AWS Data Exchange.

Note

Currently, the SendApiAsset operation is not supported for the following SDKs:

AWS SDK for .NET
AWS SDK for C++
SDK for Java 2.x

AWS Data Exchange job type permissions for `StartJob`
Job type	Additional IAM permissions needed
`CREATE_S3_DATA_ACCESS_FROM_S3_BUCKET`	`dataexchange:CreateAsset`
`IMPORT_ASSETS_FROM_S3`	`dataexchange:CreateAsset`
`IMPORT_ASSET_FROM_SIGNED_URL`	`dataexchange:CreateAsset`
`IMPORT_ASSETS_FROM_API_GATEWAY_API`	`dataexchange:CreateAsset`
`IMPORT_ASSETS_FROM_REDSHIFT_DATA_SHARES`	`dataexchange:CreateAsset`, `redshift:AuthorizeDataShare`
`IMPORT_ASSETS_FROM_LAKE_FORMATION_TAG_POLICY (Preview)`	`dataexchange:CreateAsset`
`EXPORT_ASSETS_TO_S3`	`dataexchange:GetAsset`
`EXPORT_ASSETS_TO_SIGNED_URL`	`dataexchange:GetAsset`
`EXPORT_REVISIONS_TO_S3`	`dataexchange:GetRevision` `dataexchange:GetDataSet` Note The IAM permission `dataexchange:GetDataSet` is only needed if you are using `DataSet.Name` as the dynamic reference for the `EXPORT_REVISIONS_TO_S3` job type.

You can scope data set actions to the revision or asset level through the use of wildcards, as in the following example.


arn:aws:dataexchange:us-east-1:123456789012:data-sets/99EXAMPLE23c7c272897cf1EXAMPLE7a/revisions/*/assets/*

Some AWS Data Exchange actions can only be performed on the AWS Data Exchange console. These actions are integrated with AWS Marketplace functionality. The actions require the AWS Marketplace permissions shown in the following table.

AWS Data Exchange console-only actions for subscribers
Console action	IAM permission
Subscribe to a product	`aws-marketplace:Subscribe`
Send subscription verification request	`aws-marketplace:Subscribe`
Enable subscription auto-renew	`aws-marketplace:Subscribe`
Disable subscription auto-renew	`aws-marketplace:Unsubscribe`
List active subscriptions	`aws-marketplace:ViewSubscriptions`
View subscription	`aws-marketplace:ViewSubscriptions`
List subscription verification requests	`aws-marketplace:ListAgreementRequests`
View subscription verification request	`aws-marketplace:GetAgreementRequest`
Cancel subscription verification request	`aws-marketplace:CancelAgreementRequest`

AWS Data Exchange console-only actions for providers
Console action	IAM permission
Publish product	`aws-marketplace:StartChangeSet` `aws-marketplace:DescribeChangeSet` `dataexchange:PublishDataSet`
Unpublish product	`aws-marketplace:StartChangeSet` `aws-marketplace:DescribeChangeSet`
Edit product	`aws-marketplace:StartChangeSet` `aws-marketplace:DescribeChangeSet`
Create custom offer	`aws-marketplace:StartChangeSet` `aws-marketplace:DescribeChangeSet`
Edit custom offer	`aws-marketplace:StartChangeSet` `aws-marketplace:DescribeChangeSet`
View product details	`aws-marketplace:DescribeEntity` `aws-marketplace:ListEntities`
View product's custom offer	`aws-marketplace:DescribeEntity`
View product dashboard	`aws-marketplace:ListEntities` `aws-marketplace:DescribeEntity`
List products to which a data set or revision has been published	`aws-marketplace:ListEntities` `aws-marketplace:DescribeEntity`
List subscription verification requests	`aws-marketplace:ListAgreementApprovalRequests`
Approve subscription verification requests	`aws-marketplace:AcceptAgreementApprovalRequest`
Decline subscription verification requests	`aws-marketplace:RejectAgreementApprovalRequest`
Delete information from subscription verification requests	`aws-marketplace:UpdateAgreementApprovalRequest`
View subscription details	`aws-marketplace:SearchAgreements` `aws-marketplace:GetAgreementTerms`

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Access control

AWS managed policies