AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for Identity And Access Management

Identity And Access Management (service prefix: iam) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions Defined by Identity And Access Management

You can specify the following actions in the Action element of an IAM policy statement. By using policies, you define the permissions for anyone performing an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions. For details about the columns in the following table, see The Actions Table.

Each entry below gives the action name, its description, and its access level (Read, List, Write, or Permissions management) on one line, followed by the resource types the action accepts (an asterisk marks a required type; an action that lists no resource type must be granted with Resource "*") and then the condition keys the action supports. Actions with the Permissions management access level change who can do what, and are the ones to scope most tightly.
AddClientIDToOpenIDConnectProvider Adds a new client ID (also known as audience) to the list of client IDs already registered for the specified IAM OpenID Connect (OIDC) provider resource. Write

oidc-provider*

AddRoleToInstanceProfile Adds the specified IAM role to the specified instance profile. Write

instance-profile*

AddUserToGroup Adds the specified user to the specified group. Write

group*

AttachGroupPolicy Attaches the specified managed policy to the specified IAM group. Permissions management

group*

iam:PolicyARN

AttachRolePolicy Attaches the specified managed policy to the specified IAM role. Permissions management

role*

iam:PolicyARN

iam:PermissionsBoundary

AttachUserPolicy Attaches the specified managed policy to the specified user. Permissions management

user*

iam:PolicyARN

iam:PermissionsBoundary

ChangePassword Changes the password of the IAM user who is calling this action. Write

user*

CreateAccessKey Creates a new AWS secret access key and corresponding AWS access key ID for the specified user. Write

user*

CreateAccountAlias Creates an alias for your AWS account. Write
CreateGroup Creates a new group. Write

group*

CreateInstanceProfile Creates a new instance profile. Write

instance-profile*

CreateLoginProfile Creates a password for the specified user, giving the user the ability to access AWS services through the AWS Management Console. Write

user*

CreateOpenIDConnectProvider Creates an IAM entity to describe an identity provider (IdP) that supports OpenID Connect (OIDC). Write

oidc-provider*

CreatePolicy Creates a new managed policy for your AWS account. Permissions management

policy*

CreatePolicyVersion Creates a new version of the specified managed policy. Permissions management

policy*

CreateRole Creates a new role for your AWS account. Write

role*

iam:PermissionsBoundary

CreateSAMLProvider Creates an IAM resource that describes an identity provider (IdP) that supports SAML 2.0. Write

saml-provider*

CreateServiceLinkedRole Creates an IAM role that is linked to a specific AWS service. Write

role*

iam:AWSServiceName

CreateServiceSpecificCredential Creates a new service-specific credential for an IAM user. Write

user*

CreateUser Creates a new IAM user for your AWS account. Write

user*

iam:PermissionsBoundary

CreateVirtualMFADevice Creates a new virtual MFA device for the AWS account. Write

mfa*

DeactivateMFADevice Deactivates the specified MFA device and removes it from association with the user name for which it was originally enabled. Write

user*

DeleteAccessKey Deletes the access key pair associated with the specified IAM user. Write

user*

DeleteAccountAlias Deletes the specified AWS account alias. Write
DeleteAccountPasswordPolicy Deletes the password policy for the AWS account. Permissions management
DeleteGroup Deletes the specified IAM group. Write

group*

DeleteGroupPolicy Deletes the specified inline policy that is embedded in the specified IAM group. Permissions management

group*

DeleteInstanceProfile Deletes the specified instance profile. Write

instance-profile*

DeleteLoginProfile Deletes the password for the specified IAM user, which terminates the user's ability to access AWS services through the AWS Management Console. Write

user*

DeleteOpenIDConnectProvider Deletes an OpenID Connect identity provider (IdP) resource object in IAM. Write

oidc-provider*

DeletePolicy Deletes the specified managed policy. Permissions management

policy*

DeletePolicyVersion Deletes the specified version from the specified managed policy. Permissions management

policy*

DeleteRole Deletes the specified role. Write

role*

DeleteRolePermissionsBoundary Deletes the permissions boundary from a role. Permissions management

role*

iam:PermissionsBoundary

DeleteRolePolicy Deletes the specified inline policy that is embedded in the specified IAM role. Permissions management

role*

iam:PermissionsBoundary

DeleteSAMLProvider Deletes a SAML provider resource in IAM. Write

saml-provider*

DeleteSSHPublicKey Deletes the specified SSH public key. Write

user*

DeleteServerCertificate Deletes the specified server certificate. Write

server-certificate*

DeleteServiceLinkedRole Deletes an IAM role that is linked to a specific AWS service. Write

role*

DeleteServiceSpecificCredential Deletes the specified service-specific credential for an IAM user. Write

user*

DeleteSigningCertificate Deletes a signing certificate associated with the specified IAM user. Write

user*

DeleteUser Deletes the specified IAM user. Write

user*

DeleteUserPermissionsBoundary Deletes the permissions boundary from the user. Permissions management

user*

iam:PermissionsBoundary

DeleteUserPolicy Deletes the specified inline policy that is embedded in the specified IAM user. Permissions management

user*

iam:PermissionsBoundary

DeleteVirtualMFADevice Deletes a virtual MFA device. Write

mfa

sms-mfa

DetachGroupPolicy Removes the specified managed policy from the specified IAM group. Permissions management

group*

iam:PolicyARN

DetachRolePolicy Removes the specified managed policy from the specified role. Permissions management

role*

iam:PolicyARN

iam:PermissionsBoundary

DetachUserPolicy Removes the specified managed policy from the specified user. Permissions management

user*

iam:PolicyARN

iam:PermissionsBoundary

EnableMFADevice Enables the specified MFA device and associates it with the specified IAM user. Write

user*

GenerateCredentialReport Generates a credential report for the AWS account. Read
GetAccessKeyLastUsed Retrieves information about when the specified access key was last used. Read

user*

GetAccountAuthorizationDetails Retrieves information about all IAM users, groups, roles, and policies in your AWS account, including their relationships to one another. Read
GetAccountPasswordPolicy Retrieves the password policy for the AWS account. Read
GetAccountSummary Retrieves information about IAM entity usage and IAM quotas in the AWS account. List
GetContextKeysForCustomPolicy Gets a list of all of the context keys referenced in the input policies. Read
GetContextKeysForPrincipalPolicy Gets a list of all of the context keys referenced in all of the IAM policies attached to the specified IAM entity. Read

group

role

user

GetCredentialReport Retrieves a previously generated credential report for the AWS account. Read
GetGroup Returns a list of IAM users that are in the specified IAM group. Read

group*

GetGroupPolicy Retrieves the specified inline policy document that is embedded in the specified IAM group. Read

group*

GetInstanceProfile Retrieves information about the specified instance profile, including the instance profile's path, GUID, ARN, and role. Read

instance-profile*

GetLoginProfile Retrieves the user name and password-creation date for the specified IAM user. List

user*

GetOpenIDConnectProvider Returns information about the specified OpenID Connect (OIDC) provider resource object in IAM. Read

oidc-provider*

GetPolicy Retrieves information about the specified managed policy, including the policy's default version and the total number of IAM users, groups, and roles to which the policy is attached. Read

policy*

GetPolicyVersion Retrieves information about the specified version of the specified managed policy, including the policy document. Read

policy*

GetRole Retrieves information about the specified role, including the role's path, GUID, ARN, and the role's trust policy that grants permission to assume the role. Read

role*

GetRolePolicy Retrieves the specified inline policy document that is embedded with the specified IAM role. Read

role*

GetSAMLProvider Returns the SAML provider metadocument that was uploaded when the IAM SAML provider resource object was created or updated. Read

saml-provider*

GetSSHPublicKey Retrieves the specified SSH public key, including metadata about the key. Read

user*

GetServerCertificate Retrieves information about the specified server certificate stored in IAM. Read

server-certificate*

GetServiceLinkedRoleDeletionStatus Retrieves the status of a service-linked role deletion request. Read

role*

GetUser Retrieves information about the specified IAM user, including the user's creation date, path, unique ID, and ARN. Read

user*

GetUserPolicy Retrieves the specified inline policy document that is embedded in the specified IAM user. Read

user*

ListAccessKeys Returns information about the access key IDs associated with the specified IAM user. If there are none, the action returns an empty list. List

user*

ListAccountAliases Lists the account alias associated with the AWS account (Note: you can have only one). List
ListAttachedGroupPolicies Lists all managed policies that are attached to the specified IAM group. List

group*

ListAttachedRolePolicies Lists all managed policies that are attached to the specified IAM role. List

role*

ListAttachedUserPolicies Lists all managed policies that are attached to the specified IAM user. List

user*

ListEntitiesForPolicy Lists all IAM users, groups, and roles that the specified managed policy is attached to. List

policy*

ListGroupPolicies Lists the names of the inline policies that are embedded in the specified IAM group. List

group*

ListGroups Lists the IAM groups that have the specified path prefix. List
ListGroupsForUser Lists the IAM groups that the specified IAM user belongs to. List

user*

ListInstanceProfiles Lists the instance profiles that have the specified path prefix. List

instance-profile*

ListInstanceProfilesForRole Lists the instance profiles that have the specified associated IAM role. List

role*

ListMFADevices Lists the MFA devices for an IAM user. List

user

ListOpenIDConnectProviders Lists information about the IAM OpenID Connect (OIDC) provider resource objects defined in the AWS account. List
ListPolicies Lists all the managed policies that are available in your AWS account, including your own customer-defined managed policies and all AWS managed policies. List
ListPolicyVersions Lists information about the versions of the specified managed policy, including the version that is currently set as the policy's default version. List

policy*

ListRolePolicies Lists the names of the inline policies that are embedded in the specified IAM role. List

role*

ListRoles Lists the IAM roles that have the specified path prefix. List
ListSAMLProviders Lists the SAML provider resource objects defined in IAM in the account. List
ListSSHPublicKeys Returns information about the SSH public keys associated with the specified IAM user. List

user*

ListServerCertificates Lists the server certificates stored in IAM that have the specified path prefix. If none exist, the action returns an empty list. List
ListServiceSpecificCredentials List service-specific credentials associated with the specified IAM user. List

user*

ListSigningCertificates Returns information about the signing certificates associated with the specified IAM user. List

user*

ListUserPolicies Lists the names of the inline policies embedded in the specified IAM user. List

user*

ListUsers Lists the IAM users that have the specified path prefix. List
ListVirtualMFADevices Lists the virtual MFA devices defined in the AWS account by assignment status. List
PassRole [permission only] Enables passing a role to a service. There is no PassRole API operation; IAM checks this permission when the caller supplies a role ARN to another service's API (for example an instance profile for EC2 or an execution role for Lambda), so it must be granted alongside that service's own action. Restrict it with the iam:PassedToService condition key so a role meant for one service cannot be passed to another. Write

role*

iam:PassedToService

PutGroupPolicy Adds or updates an inline policy document that is embedded in the specified IAM group. Permissions management

group*

PutRolePermissionsBoundary Sets the specified managed policy as the permissions boundary of a role. Permissions management

role*

iam:PermissionsBoundary

PutRolePolicy Adds or updates an inline policy document that is embedded in the specified IAM role. Permissions management

role*

iam:PermissionsBoundary

PutUserPermissionsBoundary Sets the specified managed policy as the permissions boundary of a user. Permissions management

user*

iam:PermissionsBoundary

PutUserPolicy Adds or updates an inline policy document that is embedded in the specified IAM user. Permissions management

user*

RemoveClientIDFromOpenIDConnectProvider Removes the specified client ID (also known as audience) from the list of client IDs registered for the specified IAM OpenID Connect (OIDC) provider resource object. Write

oidc-provider*

RemoveRoleFromInstanceProfile Removes the specified IAM role from the specified EC2 instance profile. Write

instance-profile*

RemoveUserFromGroup Removes the specified user from the specified group. Write

group*

ResetServiceSpecificCredential Resets the password for an existing service-specific credential for an IAM user. Write

user*

ResyncMFADevice Synchronizes the specified MFA device with its IAM resource object on the AWS servers. Write

user*

SetDefaultPolicyVersion Sets the specified version of the specified policy as the policy's default (operative) version. Permissions management

policy*

SimulateCustomPolicy Simulates how a set of IAM policies and, optionally, a resource-based policy work with a list of API actions and AWS resources, to determine the policies' effective permissions. Read
SimulatePrincipalPolicy Simulates how the set of IAM policies attached to an IAM entity works with a list of API actions and AWS resources, to determine the entity's effective permissions. Read

group

role

user

UpdateAccessKey Changes the status of the specified access key from Active to Inactive, or vice versa. Write

user*

UpdateAccountPasswordPolicy Updates the password policy settings for the AWS account. Write
UpdateAssumeRolePolicy Updates the trust policy of a role, that is, the policy that grants an IAM entity permission to assume it. Changing the trust policy changes who can assume the role, which is why this action is classed as Permissions management rather than Write. Permissions management

role*

UpdateGroup Updates the name and/or the path of the specified IAM group. Write

group*

UpdateLoginProfile Changes the password for the specified IAM user. Write

user*

UpdateOpenIDConnectProviderThumbprint Replaces the existing list of server certificate thumbprints associated with an OpenID Connect (OIDC) provider resource object with a new list of thumbprints. Write

oidc-provider*

UpdateRole Updates the description or maximum session duration setting of a role. Write

role*

UpdateRoleDescription Modifies only the description of a role. This operation performs the same function as the Description parameter in the UpdateRole operation. Write

role*

UpdateSAMLProvider Updates the metadata document for an existing SAML provider resource object. Write

saml-provider*

UpdateSSHPublicKey Sets the status of an IAM user's SSH public key to active or inactive. Write

user*

UpdateServerCertificate Updates the name and/or the path of the specified server certificate stored in IAM. Write

server-certificate*

UpdateServiceSpecificCredential Sets the status of a service-specific credential to active or inactive for an IAM user. Write

user*

UpdateSigningCertificate Changes the status of the specified user signing certificate from Active to Inactive, or vice versa. Write

user*

UpdateUser Updates the name and/or the path of the specified IAM user. Write

user*

UploadSSHPublicKey Uploads an SSH public key and associates it with the specified IAM user. Write

user*

UploadServerCertificate Uploads a server certificate entity for the AWS account. Write

server-certificate*

UploadSigningCertificate Uploads an X.509 signing certificate and associates it with the specified IAM user. Write

user*

Resources Defined by IAM

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.

Resource type and ARN template (this page lists no resource-level condition keys for any IAM resource type, so the Condition Keys column is empty throughout):
assumed-role arn:${Partition}:iam::${Account}:assumed-role/${RoleName}/${RoleSessionName}
federated-user arn:${Partition}:iam::${Account}:federated-user/${UserName}
group arn:${Partition}:iam::${Account}:group/${GroupNameWithPath}
instance-profile arn:${Partition}:iam::${Account}:instance-profile/${InstanceProfileNameWithPath}
mfa arn:${Partition}:iam::${Account}:mfa/${Path}/${MfaTokenId}
oidc-provider arn:${Partition}:iam::${Account}:oidc-provider/${OidcProviderName}
policy arn:${Partition}:iam::${Account}:policy/${PolicyNameWithPath}
role arn:${Partition}:iam::${Account}:role/${RoleNameWithPath}
saml-provider arn:${Partition}:iam::${Account}:saml-provider/${SamlProviderName}
server-certificate arn:${Partition}:iam::${Account}:server-certificate/${CertificateNameWithPath}
sms-mfa arn:${Partition}:iam::${Account}:sms-mfa/${MfaTokenIdWithPath}
user arn:${Partition}:iam::${Account}:user/${UserNameWithPath}
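
Parsing and matching the ARN shapes in the table above, as an added example written for this page (it is not part of the AWS documentation or any AWS SDK; the account ID, paths and entity names are constructed). The point it makes is the one the templates hint at with ${...NameWithPath}: for group, instance-profile, policy, role, server-certificate, user, mfa and sms-mfa the name segment carries the IAM path, while assumed-role, federated-user, oidc-provider and saml-provider take the remainder verbatim.

```python
import re
from dataclasses import dataclass

# Resource types from the table whose name segment carries an IAM path
# (role/service-role/MyRole has path "/service-role/" and name "MyRole").
PATHED_TYPES = {"group", "instance-profile", "policy", "role",
                "server-certificate", "user", "mfa", "sms-mfa"}
# Types from the table whose name segment is taken verbatim after the type.
FLAT_TYPES = {"assumed-role", "federated-user", "oidc-provider", "saml-provider"}

# IAM is a global service, so the region field is empty. The account is a
# 12-digit ID, or "aws" for AWS managed policies.
_IAM_ARN = re.compile(
    r"^arn:(?P<partition>[^:]+):iam::(?P<account>\d{12}|aws):"
    r"(?P<rtype>[a-z-]+)/(?P<rest>.+)$"
)


@dataclass(frozen=True)
class IamArn:
    partition: str
    account: str
    resource_type: str
    path: str   # "/" for an entity at the root, otherwise "/a/b/"
    name: str   # for assumed-role this is "RoleName/RoleSessionName"


def parse_iam_arn(arn: str) -> IamArn:
    """Split an IAM resource ARN into its parts; rejects types not in the table."""
    m = _IAM_ARN.match(arn)
    if not m or m["rtype"] not in PATHED_TYPES | FLAT_TYPES:
        raise ValueError(f"not an IAM resource ARN of a listed type: {arn!r}")
    rtype, rest = m["rtype"], m["rest"]
    if rtype in FLAT_TYPES:
        return IamArn(m["partition"], m["account"], rtype, "/", rest)
    head, _, name = rest.rpartition("/")
    path = f"/{head}/" if head else "/"
    return IamArn(m["partition"], m["account"], rtype, path, name)


def build_iam_arn(resource_type: str, name: str, account: str,
                  path: str = "/", partition: str = "aws") -> str:
    """Inverse of parse_iam_arn for the path-bearing types."""
    if resource_type not in PATHED_TYPES:
        raise ValueError(f"{resource_type} does not take a path")
    if not (path.startswith("/") and path.endswith("/")):
        raise ValueError("an IAM path starts and ends with '/'")
    return f"arn:{partition}:iam::{account}:{resource_type}{path}{name}"


def resource_matches(pattern: str, arn: str) -> bool:
    """Resource-element matching: '*' spans any characters, including '/', '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, arn) is not None


if __name__ == "__main__":
    # Constructed sample ARNs.
    print(parse_iam_arn("arn:aws:iam::123456789012:role/service-role/MyRole"))
    print(parse_iam_arn("arn:aws:iam::aws:policy/AdministratorAccess"))
    print(resource_matches("arn:aws:iam::123456789012:role/*",
                           "arn:aws:iam::123456789012:role/app/web"))
```

Because a Resource wildcard spans "/", a Resource of arn:aws:iam::123456789012:role/* matches roles under every path; scoping a grant to a team's roles means naming the path, as in role/app/*, not relying on the wildcard to stop at the first slash.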

Condition Keys for Identity And Access Management

Identity And Access Management defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The Condition Keys Table.

To view the global condition keys that are available to all services, see Available Global Condition Keys in the IAM Policy Reference.

Condition key, description, and type:
iam:AWSServiceName The AWS service to which a service-linked role is attached; used with CreateServiceLinkedRole to restrict which services a caller may create service-linked roles for. String
iam:PassedToService The AWS service to which the role is passed (a service principal such as lambda.amazonaws.com); used with PassRole. String
iam:PermissionsBoundary The ARN of the managed policy attached, or being attached, as the permissions boundary of the IAM user or role the action operates on. It is typed as a String, so test it with StringEquals. String
iam:PolicyARN The ARN of the managed policy being attached or detached by AttachGroupPolicy, AttachRolePolicy, AttachUserPolicy and their Detach counterparts. ARN
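
The actions table and the condition keys above come together in an actual policy. The following added example, written for this page rather than taken from AWS, builds a delegated-administrator policy that uses iam:PermissionsBoundary, iam:PolicyARN and iam:PassedToService, and runs requests through a deliberately simplified model of identity-based policy evaluation so the effect of each condition key can be checked offline. The account ID, the /app/ role path, the boundary policy name and the evaluate function are all assumptions of the example; real IAM evaluation also applies SCPs, the caller's own permissions boundary, session policies and resource-based policies, none of which is modelled here.

```python
import fnmatch
import json
from typing import Optional

# Constructed values for the example.
ACCOUNT = "123456789012"
BOUNDARY_ARN = f"arn:aws:iam::{ACCOUNT}:policy/boundaries/AppBoundary"

# Delegated-admin policy: may create and configure roles under /app/, but only
# with the organisation's boundary attached, may attach only app-scoped or AWS
# managed policies, may pass app roles only to Lambda, and may not remove the
# boundary or change the boundary policy itself.
DELEGATED_ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateAppRolesWithBoundary",
            "Effect": "Allow",
            "Action": ["iam:CreateRole", "iam:PutRolePolicy", "iam:DeleteRolePolicy"],
            "Resource": f"arn:aws:iam::{ACCOUNT}:role/app/*",
            "Condition": {"StringEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}},
        },
        {
            "Sid": "AttachOnlyAppOrAwsManagedPolicies",
            "Effect": "Allow",
            "Action": ["iam:AttachRolePolicy", "iam:DetachRolePolicy"],
            "Resource": f"arn:aws:iam::{ACCOUNT}:role/app/*",
            "Condition": {
                "StringEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN},
                "ArnLike": {"iam:PolicyARN": [f"arn:aws:iam::{ACCOUNT}:policy/app/*",
                                              "arn:aws:iam::aws:policy/*"]},
            },
        },
        {
            "Sid": "PassAppRolesToLambdaOnly",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": f"arn:aws:iam::{ACCOUNT}:role/app/*",
            "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}},
        },
        {
            "Sid": "NeverRemoveBoundaries",
            "Effect": "Deny",
            "Action": ["iam:DeleteRolePermissionsBoundary", "iam:DeleteUserPermissionsBoundary"],
            "Resource": "*",
        },
        {
            "Sid": "NeverEditTheBoundaryPolicy",
            "Effect": "Deny",
            "Action": ["iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
                       "iam:DeletePolicy", "iam:DeletePolicyVersion"],
            "Resource": BOUNDARY_ARN,
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wild(pattern: str, value: str) -> bool:
    # IAM wildcards: '*' any run of characters (including '/'), '?' one character.
    # fnmatch treats '[' specially; IAM does not, so neutralise it.
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))


def _condition_holds(condition: dict, context: dict) -> bool:
    """Every operator/key pair must hold; a missing key fails positive operators."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                ok = actual is not None and actual in _as_list(expected)
            elif operator == "StringNotEquals":
                ok = actual is None or actual not in _as_list(expected)
            elif operator == "ArnLike":
                ok = actual is not None and any(_wild(p, actual) for p in _as_list(expected))
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
            if not ok:
                return False
    return True


def evaluate(policy: dict, action: str, resource: str,
             context: Optional[dict] = None) -> str:
    """Simplified identity-policy decision: 'Allow', 'ExplicitDeny' or 'ImplicitDeny'."""
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        # Action names match case-insensitively; resource ARNs do not.
        if not any(_wild(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(_wild(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"   # an explicit Deny always wins
        decision = "Allow"
    return decision


def policy_document() -> str:
    """The policy as the JSON document you would hand to CreatePolicy."""
    return json.dumps(DELEGATED_ADMIN_POLICY, indent=2)
```

The two Deny statements are what make the boundary hold: without them, any other grant the principal holds could be used to create a role with the boundary and then remove it, or to publish a new default version of the boundary policy that permits anything. The condition on iam:PolicyARN does the same job for AttachRolePolicy, since attaching an unconstrained customer policy to a boundaried role would otherwise still be allowed.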