We recommend using Amazon Lex V2 to take advantage of the latest features. Documentation for Amazon Lex V2 may be found here.
How Amazon Lex Works with IAM
Before you use AWS Identity and Access Management (IAM) to manage access to Amazon Lex, you should understand which IAM features are available to use with Amazon Lex. For a high-level view of how Amazon Lex and other AWS services work with IAM, see AWS Services That Work with IAM in the IAM User Guide.
Amazon Lex Identity-Based Policies
To specify allowed or denied actions and resources and the conditions under which actions are allowed or denied, use IAM identity-based policies. Amazon Lex supports specific actions, resources, and condition keys. To learn about all of the elements that you use in a JSON policy, see IAM JSON Policy Elements Reference in the IAM User Guide.
Actions
The Action element of an IAM identity-based policy describes the specific action or actions that will be allowed or denied by the policy. Policy actions usually have the same name as the associated AWS API operation. The action is used in a policy to grant permissions to perform the associated operation.
In Amazon Lex, policy actions use the following prefix before the action: lex:. For example, to grant someone permission to call an Amazon Lex bot with the PostContent operation, you include the lex:PostContent action in their policy. Policy statements must include either an Action or NotAction element. Amazon Lex defines actions that describe the tasks that you can perform with this service. To see a list of Amazon Lex actions, see Actions Defined by Amazon Lex in the IAM User Guide.
To specify multiple actions in a single statement, separate them with commas as follows.
"Action": [ "lex:action1", "lex:action2" ]
You can specify multiple actions using wildcards (*). For example, to specify all actions that begin with the word Put, include the following action.
"Action": "lex:Put*"
Resources
The Resource element specifies the object or objects to which the action applies. Statements must include either a Resource or a NotResource element. You specify a resource using an ARN or, to indicate that the statement applies to all resources, the wildcard (*).
An Amazon Lex bot resource ARN has the following format.
arn:aws:lex:${Region}:${Account}:bot:${Bot-Name}
For more information about the format of ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces.
For example, to specify the OrderFlowers bot in your statement, use the following ARN.
"Resource": "arn:aws:lex:us-east-2:123456789012:bot:OrderFlowers"
To specify all bots that belong to a specific account, use the wildcard (*).
"Resource": "arn:aws:lex:us-east-2:123456789012:bot:*"
Some Amazon Lex actions, such as those for creating resources, can't be performed on a specific resource. In those cases, you must use the wildcard, (*).
"Resource": "*"
For a list of Amazon Lex resource types and their ARNs, see Resources Defined by Amazon Lex in the IAM User Guide. To learn with which actions you can specify the ARN of each resource, see Actions Defined by Amazon Lex.
Condition Keys
Use the Condition element (or a Condition block) to specify conditions in which a statement is in effect. The Condition element is optional. You can build conditional expressions that use condition operators, such as equals or less than, to match the condition in the policy with values in the request.
If you specify multiple Condition elements in a statement, or multiple keys in a single Condition element, AWS evaluates them using a logical AND operation. If you specify multiple values for a single condition key, AWS evaluates the condition using a logical OR operation. All of the conditions must be met before the statement's permissions are granted.
You can also use placeholder variables when you specify conditions. For example, you can grant an IAM user permission to access a resource only if it is tagged with their IAM user name. For more information, see IAM Policy Elements: Variables and Tags in the IAM User Guide.
Amazon Lex defines its own set of condition keys and also supports using some global condition keys. For a list of all AWS global condition keys, see AWS Global Condition Context Keys in the IAM User Guide.
The following table lists the Amazon Lex condition keys that apply to Amazon Lex resources. You can include these keys in Condition elements in an IAM permissions policy.
Amazon Lex Condition Key | Description | Value Type | Permission |
---|---|---|---|
lex:associatedIntents | Scopes the set of intents that can be used when creating or modifying the definition of a bot. | Array of strings | |
lex:associatedSlotTypes | Scopes the set of slot types that can be used when creating or modifying the definition of a slot type. | Array of strings | |
lex:ChannelType | Scopes the type of bot channel association that a user can create, get, or delete. | String | |
Examples
For examples of Amazon Lex identity-based policies, see Amazon Lex Identity-Based Policy Examples.
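The following is an added example, not code from the Amazon Lex documentation or from AWS: a small Python evaluator that applies the Action, Resource and Condition rules described above (wildcard actions such as lex:Put*, bot ARNs with a trailing wildcard, AND across condition keys, OR across the values of one key, and an explicit Deny overriding any Allow) to a constructed identity-based policy. The policy itself, the account ID 123456789012, the bot names and the aws:PrincipalTag/team value are constructed sample input; only the StringEquals and StringLike operators are implemented, and a key missing from the request context makes a condition false, as it does in IAM.

```python
import re

# Added example, not code from the Amazon Lex documentation: a minimal
# evaluator for the Action, Resource and Condition semantics described above.

# Constructed sample identity-based policy. Account id 123456789012, the bot
# names and the "team" principal tag are placeholders chosen for this example.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ManageOrderFlowersInApprovedRegions",
            "Effect": "Allow",
            "Action": ["lex:Put*", "lex:GetBot"],
            "Resource": "arn:aws:lex:us-east-2:123456789012:bot:OrderFlowers",
            "Condition": {
                "StringEquals": {
                    # two keys: both must hold (logical AND)
                    "aws:PrincipalTag/team": "conversation-platform",
                    # two values for one key: either may match (logical OR)
                    "aws:RequestedRegion": ["us-east-2", "us-west-2"],
                }
            },
        },
        {
            "Sid": "ConverseWithAnyBotInAccount",
            "Effect": "Allow",
            "Action": ["lex:PostContent", "lex:PostText"],
            "Resource": "arn:aws:lex:us-east-2:123456789012:bot:*",
        },
        {
            "Sid": "NeverDelete",
            "Effect": "Deny",
            "Action": "lex:Delete*",
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value, ignore_case=True):
    """IAM-style glob: '*' matches any run of characters, '?' a single one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    flags = re.IGNORECASE if ignore_case else 0
    return re.match(regex, value, flags) is not None


def _condition_holds(condition, context):
    """All operator/key pairs must hold (AND); any listed value may match (OR).
    A key absent from the request context makes the condition false."""
    for operator, keys in condition.items():
        for key, wanted in keys.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals":
                ok = any(actual == v for v in _as_list(wanted))
            elif operator == "StringLike":
                ok = any(_wildcard_match(v, actual, ignore_case=False) for v in _as_list(wanted))
            else:
                raise ValueError(f"operator {operator!r} is not implemented in this example")
            if not ok:
                return False
    return True


def _statement_matches(stmt, action, resource, context):
    # action names are case-insensitive; resource ARNs are matched as written
    if not any(_wildcard_match(p, action) for p in _as_list(stmt["Action"])):
        return False
    if not any(_wildcard_match(p, resource, ignore_case=False) for p in _as_list(stmt["Resource"])):
        return False
    return _condition_holds(stmt.get("Condition", {}), context)


def evaluate(policy, action, resource, context=None):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for a single request."""
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _statement_matches(stmt, action, resource, context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny overrides any matching Allow
        decision = "Allow"
    return decision


if __name__ == "__main__":
    bot = "arn:aws:lex:us-east-2:123456789012:bot:OrderFlowers"
    ctx = {"aws:PrincipalTag/team": "conversation-platform", "aws:RequestedRegion": "us-west-2"}
    print(evaluate(POLICY, "lex:PutBot", bot, ctx))                                          # Allow
    print(evaluate(POLICY, "lex:PutBot", bot, {**ctx, "aws:RequestedRegion": "eu-west-1"}))  # ImplicitDeny
    print(evaluate(POLICY, "lex:DeleteBot", bot, ctx))                                       # Deny
```

The evaluator is deliberately narrow (no NotAction, NotResource, set operators or policy variables); its purpose is to make the AND/OR and Deny-wins rules concrete. The real authorization decision is made by IAM, and the IAM policy simulator is the right tool for checking a production policy.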
Amazon Lex Resource-Based Policies
Resource-based policies are JSON policy documents that specify what actions a specified principal can perform on the Amazon Lex resource and under what conditions. Amazon Lex does not support resource-based policies.
Authorization Based on Amazon Lex Tags
You can associate tags with certain types of Amazon Lex resources for authorization. To control access based on tags, provide tag information in the condition element of a policy by using the lex:ResourceTag/${TagKey}, aws:RequestTag/${TagKey}, or aws:TagKeys condition keys.
For information about tagging Amazon Lex resources, see Tagging Your Amazon Lex Resources. For an example identity-based policy that limits access to a resource based on the resource tags, see Example: Use a Tag to Access a Resource. For more information about using tags to limit access to resources, see Controlling Access Using Tags in the IAM User Guide.
The following table lists the actions and corresponding resource types for tag-based access control. Each action is authorized based on the tags associated with the corresponding resource type.
Action | Resource type | Condition keys | Notes |
---|---|---|---|
CreateBotVersion | bot | lex:ResourceTag | |
DeleteBot | bot | lex:ResourceTag | |
DeleteBotAlias | alias | lex:ResourceTag | |
DeleteBotChannelAssociation | channel | lex:ResourceTag | |
DeleteBotVersion | bot | lex:ResourceTag | |
DeleteSession | bot or alias | lex:ResourceTag | Uses tags associated with the bot when alias is set to $LATEST. Uses tags associated with the specified alias when used with other aliases. |
DeleteUtterances | bot | lex:ResourceTag | |
GetBot | bot or alias | lex:ResourceTag | Uses tags associated with the bot when versionOrAlias is set to $LATEST or a numeric version. Uses tags associated with the specified alias when used with aliases. |
GetBotAlias | alias | lex:ResourceTag | |
GetBotChannelAssociation | channel | lex:ResourceTag | |
GetBotChannelAssociations | channel | lex:ResourceTag | Uses tags associated with the bot when alias is set to "-". Uses tags associated with the specified alias when a bot alias is specified. |
GetBotVersions | bot | lex:ResourceTag | |
GetExport | bot | lex:ResourceTag | |
GetSession | bot or alias | lex:ResourceTag | Uses tags associated with the bot when alias is set to $LATEST. Uses tags associated with the specified alias when used with other aliases. |
GetUtterancesView | bot | lex:ResourceTag | |
ListTagsForResource | bot, alias, or channel | lex:ResourceTag | |
PostContent | bot or alias | lex:ResourceTag | Uses tags associated with the bot when alias is set to $LATEST. Uses tags associated with the specified alias when used with other aliases. |
PostText | bot or alias | lex:ResourceTag | Uses tags associated with the bot when alias is set to $LATEST. Uses tags associated with the specified alias when used with other aliases. |
PutBot | bot | lex:ResourceTag, aws:RequestTag, aws:TagKeys | |
PutBotAlias | alias | lex:ResourceTag, aws:RequestTag, aws:TagKeys | |
PutSession | bot or alias | lex:ResourceTag | Uses tags associated with the bot when alias is set to $LATEST. Uses tags associated with the specified alias when used with other aliases. |
StartImport | bot | lex:ResourceTag | Relies on the access policy for the PutBot operation. Tags and permissions specific to the StartImport operation are ignored. |
TagResource | bot, alias, or channel | lex:ResourceTag, aws:RequestTag, aws:TagKeys | |
UntagResource | bot, alias, or channel | lex:ResourceTag, aws:RequestTag, aws:TagKeys | |
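The following is an added example, not code from the Amazon Lex documentation or from AWS, that encodes the table above: for a given action, bot and alias it returns the tag set IAM consults for lex:ResourceTag/${TagKey} (bot tags for $LATEST, a numeric version or "-", alias tags otherwise), evaluates a StringEquals requirement against it, and models the aws:TagKeys / aws:RequestTag controls that apply when tags are attached on PutBot. The bot name OrderFlowers, the aliases beta and live, and the env/owner tag values are constructed sample data.

```python
# Added example, not code from the Amazon Lex documentation: which resource's
# tags satisfy lex:ResourceTag/${TagKey} for a request, following the table
# above, plus the aws:TagKeys / aws:RequestTag check that applies to PutBot.

# Constructed tag inventory. Bot name, alias names and tag values are
# placeholders for this example.
BOT_TAGS = {"OrderFlowers": {"env": "prod", "owner": "commerce"}}
ALIAS_TAGS = {
    ("OrderFlowers", "beta"): {"env": "test", "owner": "commerce"},
    ("OrderFlowers", "live"): {"env": "prod", "owner": "commerce"},
}

# Actions the table marks "bot or alias": bot tags apply for $LATEST,
# alias tags apply for any other alias.
BOT_OR_ALIAS_ACTIONS = {"DeleteSession", "GetSession", "PostContent", "PostText", "PutSession"}
# Actions the table marks "alias": the alias's own tags always apply.
ALIAS_ACTIONS = {"DeleteBotAlias", "GetBotAlias", "PutBotAlias"}


def tags_for_request(action, bot_name, alias=None):
    """Return the tag set IAM consults for lex:ResourceTag on this request."""
    bot_tags = BOT_TAGS.get(bot_name, {})
    alias_tags = ALIAS_TAGS.get((bot_name, alias), {})
    if action in BOT_OR_ALIAS_ACTIONS:
        return bot_tags if alias in (None, "$LATEST") else alias_tags
    if action == "GetBot":
        # $LATEST or a numeric version resolve to the bot; anything else is an alias
        return bot_tags if alias in (None, "$LATEST") or alias.isdigit() else alias_tags
    if action == "GetBotChannelAssociations":
        # "-" means no alias was given, so the bot's tags apply
        return bot_tags if alias in (None, "-") else alias_tags
    if action in ALIAS_ACTIONS:
        return alias_tags
    # the remaining rows (DeleteBot, GetExport, PutBot, ...) are bot-scoped
    return bot_tags


def resource_tag_condition_holds(required, resource_tags):
    """StringEquals on lex:ResourceTag/<key>: every required tag must be present
    with the expected value. A missing tag fails, as a missing key does in IAM."""
    return all(resource_tags.get(key) == value for key, value in required.items())


def authorized(action, bot_name, alias, required):
    """Decide one request against a policy whose only condition is lex:ResourceTag."""
    return resource_tag_condition_holds(required, tags_for_request(action, bot_name, alias))


def put_bot_tags_allowed(request_tags, allowed_keys, required):
    """Model the PutBot tag controls: ForAllValues:StringEquals on aws:TagKeys
    (no key outside the allow-list) and StringEquals on aws:RequestTag/<key>."""
    if not set(request_tags) <= set(allowed_keys):
        return False
    return all(request_tags.get(key) == value for key, value in required.items())


if __name__ == "__main__":
    need_prod = {"env": "prod"}
    print(authorized("PostText", "OrderFlowers", "$LATEST", need_prod))  # True  (bot tags)
    print(authorized("PostText", "OrderFlowers", "beta", need_prod))     # False (alias tagged env=test)
    print(authorized("GetBot", "OrderFlowers", "3", need_prod))          # True  (numeric version -> bot tags)
```

The point the table makes, and the example exercises, is that a lex:ResourceTag condition on PostText or PutSession is checked against the alias's tags, not the bot's, as soon as a non-$LATEST alias is in the request; an alias left untagged, or tagged differently from its bot, therefore changes the authorization outcome.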
Amazon Lex IAM Roles
An IAM role is an entity within your AWS account that has specific permissions.
Using Temporary Credentials with Amazon Lex
You can use temporary credentials to sign in with federation, assume an IAM role, or to assume a cross-account role. You obtain temporary security credentials by calling AWS STS API operations such as AssumeRole or GetFederationToken.
Amazon Lex supports using temporary credentials.
Service-Linked Roles
Service-linked roles allow AWS services to access resources in other services to complete an action on your behalf. Service-linked roles appear in your IAM account and are owned by the service. An IAM administrator can view, but not edit, the permissions for service-linked roles.
Amazon Lex supports service-linked roles. For details about creating or managing Amazon Lex service-linked roles, see Step 1: Create a Service-Linked Role (AWS CLI).
Service Roles
A service can assume a service role on your behalf. This role allows the service to access resources in other services to complete an action on your behalf. Service roles appear in your IAM account and are owned by the account. This means that an IAM administrator can change the permissions for this role. However, doing so might prevent the service from functioning as expected.
Amazon Lex supports service roles.
Choosing an IAM Role in Amazon Lex
Amazon Lex uses service-linked roles to call Amazon Comprehend and Amazon Polly. It uses resource-level permissions on your AWS Lambda functions to invoke them.
You must provide an IAM role to enable conversation tagging. For more information, see Creating an IAM Role and Policies for Conversation Logs.