How Amazon Managed Blockchain Works with IAM - Amazon Managed Blockchain

Before you use IAM to manage access to Managed Blockchain, you should understand what IAM features are available to use with Managed Blockchain. To get a high-level view of how Managed Blockchain and other AWS services work with IAM, see AWS Services That Work with IAM in the IAM User Guide.

Managed Blockchain Identity-Based Policies

With IAM identity-based policies, you can specify allowed or denied actions and resources as well as the conditions under which actions are allowed or denied. Managed Blockchain supports specific actions and resources. To learn about all of the elements that you use in a JSON policy, see IAM JSON Policy Elements Reference in the IAM User Guide.

Actions

The Action element of an IAM identity-based policy describes the specific action or actions that will be allowed or denied by the policy. Policy actions usually have the same name as the associated AWS API operation. The action is used in a policy to grant permissions to perform the associated operation.

Policy actions in Managed Blockchain use the following prefix before the action: managedblockchain:. For example, to grant someone permission to vote on a proposal with the Managed Blockchain VoteOnProposal API operation, you include the managedblockchain:VoteOnProposal action in their policy. Policy statements must include either an Action or NotAction element. Managed Blockchain defines its own set of actions that describe tasks that you can perform with this service.

To specify multiple actions in a single statement, separate them with commas as follows:

"Action": [ "managedblockchain:action1", "managedblockchain:action2"

You can specify multiple actions using wildcards (*). For example, to specify all actions that begin with the word List, include the following action:

"Action": "managedblockchain:List*"

To see a list of Managed Blockchain actions, see Actions Defined by Amazon Managed Blockchain in the IAM User Guide.

Resources

The Resource element specifies the object or objects to which the action applies. Statements must include either a Resource or a NotResource element. You specify a resource using an ARN or using the wildcard (*) to indicate that the statement applies to all resources.

Managed Blockchain resource types that can be used in IAM permission policy statements include the following:

  • network

  • member

  • node

  • proposal

  • invitation

Members, nodes, and invitations are associated with your account. Networks and proposals, on the other hand, are scoped to the entire blockchain network and are not associated with a particular account.

For example, a Managed Blockchain network resource has the following ARN format:

arn:${Partition}:managedblockchain:${Region}::networks/${NetworkId}

For example, to specify the n-MWY63ZJZU5HGNCMBQER7IN6OIU network in your statement, use the following ARN:

"Resource": "arn:aws:managedblockchain:us-east-1::networks/n-MWY63ZJZU5HGNCMBQER7IN6OIU"

To specify any network that is visible to your account, use the wildcard (*):

"Resource": "arn:aws:managedblockchain:us-east-1::networks/*"

Some Managed Blockchain actions, such as CreateNetwork, ListInvitations, and ListNetworks, cannot be performed on a specific resource. In those cases, you must use the wildcard (*) as the resource:

"Resource": "*"

To see a list of Managed Blockchain resource types and their ARNs, see Resources Defined by Amazon Managed Blockchain in the IAM User Guide. To learn which resource ARNs each action accepts, see Actions Defined by Amazon Managed Blockchain.
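The following is an added worked example, not from the AWS documentation: a complete identity-based policy that combines the Action and Resource elements described above, plus a small matcher that shows how the wildcards are evaluated. The matcher is a deliberately simplified model of IAM's evaluation logic (Allow and Deny statements with Action and Resource only, no Condition, NotAction or NotResource, explicit Deny overriding Allow); it is not the IAM policy engine. The first network id is the one used on this page; the second network id, the member id and the account id 111122223333 are constructed, and the pairing of CreateProposal and GetNetwork with a network ARN is assumed from the action table linked above, which should be checked before a policy is deployed.

```python
import fnmatch
import json

# Constructed example values. The first network id is from the page; the
# second network id, member id and account id are made up for this example.
NETWORK_ARN = "arn:aws:managedblockchain:us-east-1::networks/n-MWY63ZJZU5HGNCMBQER7IN6OIU"
OTHER_NETWORK_ARN = "arn:aws:managedblockchain:us-east-1::networks/n-OTHEREXAMPLE0000000000000"
MEMBER_ARN = "arn:aws:managedblockchain:us-east-1:111122223333:members/m-MEMBEREXAMPLE00000000000"

# Constructed policy document. Network ARNs have an empty account field because
# networks are scoped to the whole blockchain network, not to one account.
POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListAndDescribeEverything",
      "Effect": "Allow",
      "Action": ["managedblockchain:List*", "managedblockchain:Get*"],
      "Resource": "*"
    },
    {
      "Sid": "ProposeOnOneNetwork",
      "Effect": "Allow",
      "Action": "managedblockchain:CreateProposal",
      "Resource": "arn:aws:managedblockchain:us-east-1::networks/n-MWY63ZJZU5HGNCMBQER7IN6OIU"
    },
    {
      "Sid": "CreateNetworkNeedsWildcardResource",
      "Effect": "Allow",
      "Action": "managedblockchain:CreateNetwork",
      "Resource": "*"
    },
    {
      "Sid": "HideOneNetwork",
      "Effect": "Deny",
      "Action": "managedblockchain:GetNetwork",
      "Resource": "arn:aws:managedblockchain:us-east-1::networks/n-OTHEREXAMPLE0000000000000"
    }
  ]
}
"""


def load_policy(text=POLICY_JSON):
    """Parse the policy and normalise Action/Resource so each is always a list."""
    policy = json.loads(text)
    for stmt in policy["Statement"]:
        for key in ("Action", "Resource"):
            if isinstance(stmt[key], str):
                stmt[key] = [stmt[key]]
    return policy


def _matches(patterns, value, case_insensitive=False):
    """IAM-style wildcard match: '*' spans any characters, including ':' and '/'."""
    if case_insensitive:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policy, action, resource):
    """Decide one request under the simplified model.

    Action names match case-insensitively and resource ARNs case-sensitively.
    An explicit Deny overrides any Allow; no matching statement is an implicit
    deny. Requests for actions that take no resource (CreateNetwork,
    ListNetworks, ...) are modelled as requests on the resource '*', so only a
    statement whose Resource is '*' can grant them.
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action, case_insensitive=True):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def walkthrough():
    """Evaluate a set of sample requests and return the decision for each."""
    policy = load_policy()
    requests = [
        ("managedblockchain:ListNetworks", "*"),            # matched by List*
        ("managedblockchain:GetNetwork", NETWORK_ARN),      # matched by Get*
        ("managedblockchain:GetNetwork", OTHER_NETWORK_ARN),  # explicit Deny wins
        ("managedblockchain:CreateProposal", NETWORK_ARN),  # scoped to one network
        ("managedblockchain:CreateProposal", OTHER_NETWORK_ARN),  # no statement
        ("managedblockchain:CreateNetwork", "*"),           # needs Resource "*"
        ("managedblockchain:DeleteMember", MEMBER_ARN),     # never granted
    ]
    return {(a, r): evaluate(policy, a, r) for a, r in requests}


if __name__ == "__main__":
    for (action, resource), decision in walkthrough().items():
        print(f"{decision:12} {action} on {resource}")
```

The deny statement illustrates why a broad Get* grant is worth pairing with explicit denies for the networks a principal should not see, and the CreateProposal statement shows the resource-level scoping that is the point of using a specific ARN rather than the wildcard.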

Condition Keys

Managed Blockchain does not provide any service-specific condition keys, but it does support using some global condition keys. To see all AWS global condition keys, see AWS Global Condition Context Keys in the IAM User Guide.

Examples

To view examples of Managed Blockchain identity-based policies, see Amazon Managed Blockchain Identity-Based Policy Examples.

Managed Blockchain Resource-Based Policies

Managed Blockchain does not support resource-based policies.

Authorization Based on Managed Blockchain Tags

Managed Blockchain does not support tagging resources or controlling access based on tags.