Actions, resources, and condition keys for Amazon AppStream 2.0

Amazon AppStream 2.0 (service prefix: appstream) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Learn how to configure this service.
View a list of the API operations available for this service.
Learn how to secure this service and its resources by using IAM permission policies.

Topics

Actions defined by Amazon AppStream 2.0
Resource types defined by Amazon AppStream 2.0
Condition keys for Amazon AppStream 2.0

Actions defined by Amazon AppStream 2.0

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note

Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see Actions table.

Actions	Description	Access level	Resource types (*required)	Condition keys
AssociateAppBlockBuilderAppBlock	Grants permission to associate the specified app block builder with the app block	Write	app-block*
			app-block-builder*
				aws:ResourceTag/${TagKey}
AssociateApplicationFleet	Grants permission to associate the specified application with the fleet	Write	application*
			fleet*
				aws:ResourceTag/${TagKey}
AssociateApplicationToEntitlement	Grants permission to associate the specified application to the specified entitlement	Write	stack*
AssociateFleet	Grants permission to associate the specified fleet with the specified stack	Write	fleet*
			stack*
				aws:ResourceTag/${TagKey}
BatchAssociateUserStack	Grants permission to associate the specified users with the specified stacks. Users in a user pool cannot be assigned to stacks with fleets that are joined to an Active Directory domain	Write	stack*
BatchAssociateUserStack		Write		aws:ResourceTag/${TagKey}
BatchDisassociateUserStack	Grants permission to disassociate the specified users from the specified stacks	Write	stack*
BatchDisassociateUserStack		Write		aws:ResourceTag/${TagKey}
CopyImage	Grants permission to copy the specified image within the same Region or to a new Region within the same AWS account	Write	image*
CopyImage		Write		aws:ResourceTag/${TagKey}
CreateAppBlock	Grants permission to create an app block. App blocks store details about the virtual hard disk that contains the files for the application in an S3 bucket. It also stores the setup script with details about how to mount the virtual hard disk. App blocks are only supported for Elastic fleets	Write		aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys
CreateAppBlockBuilder	Grants permission to create an app block builder. An app block builder is a virtual machine that is used to create an app block	Write	app-block-builder*
CreateAppBlockBuilder		Write		aws:RequestTag/${TagKey} aws:TagKeys
CreateAppBlockBuilderStreamingURL	Grants permission to create a URL to start an app block builder streaming session	Write	app-block-builder*
CreateAppBlockBuilderStreamingURL		Write		aws:ResourceTag/${TagKey}
CreateApplication	Grants permission to create an application within customer account. Applications store the details about how to launch applications on streaming instances. This is only supported for Elastic fleets	Write	app-block*
CreateApplication		Write		aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys
CreateDirectoryConfig	Grants permission to create a Directory Config object in AppStream 2.0. This object includes the configuration information required to join fleets and image builders to Microsoft Active Directory domains	Write
CreateEntitlement	Grants permission to create an entitlement to control access to applications based on user attributes	Write	stack*
CreateFleet	Grants permission to create a fleet. A fleet is a group of streaming instances from which applications are launched and streamed to users	Write	fleet*
			image
				aws:RequestTag/${TagKey} aws:TagKeys
CreateImageBuilder	Grants permission to create an image builder. An image builder is a virtual machine that is used to create an image	Write	image*
			image-builder*
				aws:RequestTag/${TagKey} aws:TagKeys
CreateImageBuilderStreamingURL	Grants permission to create a URL to start an image builder streaming session	Write	image-builder*
CreateImageBuilderStreamingURL		Write		aws:ResourceTag/${TagKey}
CreateStack	Grants permission to create a stack to start streaming applications to users. A stack consists of an associated fleet, user access policies, and storage configurations	Write	stack*
CreateStack		Write		aws:RequestTag/${TagKey} aws:TagKeys
CreateStreamingURL	Grants permission to create a temporary URL to start an AppStream 2.0 streaming session for the specified user. A streaming URL enables application streaming to be tested without user setup	Write	fleet*
			stack*
				aws:ResourceTag/${TagKey}
CreateThemeForStack	Grants permission to create a custom branding theme, which might includes a custom logo, website links, and other branding to display to your users	Write	stack*
CreateUpdatedImage	Grants permission to update an existing image within customer account	Write	image*
CreateUpdatedImage		Write		aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys
CreateUsageReportSubscription	Grants permission to create a usage report subscription. Usage reports are generated daily	Write
CreateUser	Grants permission to create a new user in the user pool	Write
DeleteAppBlock	Grants permission to delete the specified app block	Write	app-block*
DeleteAppBlock	Grants permission to delete the specified app block	Write		aws:ResourceTag/${TagKey}
DeleteAppBlockBuilder	Grants permission to delete the specified app block builder and release capacity	Write	app-block-builder*
DeleteAppBlockBuilder		Write		aws:ResourceTag/${TagKey}
DeleteApplication	Grants permission to delete the specified application	Write	application*
DeleteApplication	Grants permission to delete the specified application	Write		aws:ResourceTag/${TagKey}
DeleteDirectoryConfig	Grants permission to delete the specified Directory Config object from AppStream 2.0. This object includes the configuration information required to join fleets and image builders to Microsoft Active Directory domains	Write
DeleteEntitlement	Grants permission to delete the specified entitlement	Write	stack*
DeleteFleet	Grants permission to delete the specified fleet	Write	fleet*
DeleteFleet	Grants permission to delete the specified fleet	Write		aws:ResourceTag/${TagKey}
DeleteImage	Grants permission to delete the specified image. An image cannot be deleted when it is in use	Write	image*
DeleteImage		Write		aws:ResourceTag/${TagKey}
DeleteImageBuilder	Grants permission to delete the specified image builder and release capacity	Write	image-builder*
DeleteImageBuilder		Write		aws:ResourceTag/${TagKey}
DeleteImagePermissions	Grants permission to delete permissions for the specified private image	Write	image*
DeleteImagePermissions		Write		aws:ResourceTag/${TagKey}
DeleteStack	Grants permission to delete the specified stack. After the stack is deleted, the application streaming environment provided by the stack is no longer available to users. Also, any reservations made for application streaming sessions for the stack are released	Write	stack*
DeleteStack		Write		aws:ResourceTag/${TagKey}
DeleteThemeForStack	Grants permission to delete a custom branding theme, which might includes a custom logo, website links, and other branding to display to your users	Write	stack*
DeleteUsageReportSubscription	Grants permission to disable usage report generation	Write
DeleteUser	Grants permission to delete a user from the user pool	Write
DescribeAppBlockBuilderAppBlockAssociations	Grants permission to retrieve the associations that are associated with the specified app block builder or app block	Read	app-block
DescribeAppBlockBuilderAppBlockAssociations		Read	app-block-builder
DescribeAppBlockBuilders	Grants permission to retrieve a list that describes one or more specified app block builders, if the app block builder names are provided. Otherwise, all app block builders in the account are described	Read	app-block-builder
DescribeAppBlocks	Grants permission to retrieve a list that describes one or more specified app blocks, if the app block arns are provided. Otherwise, all app blocks in the account are described	Read	app-block
DescribeApplicationFleetAssociations	Grants permission to retrieve the associations that are associated with the specified application or fleet	Read	application
DescribeApplicationFleetAssociations		Read	fleet
DescribeApplications	Grants permission to retrieve a list that describes one or more specified applications, if the application arns are provided. Otherwise, all applications in the account are described	Read	application
DescribeDirectoryConfigs	Grants permission to retrieve a list that describes one or more specified Directory Config objects for AppStream 2.0, if the names for these objects are provided. Otherwise, all Directory Config objects in the account are described. This object includes the configuration information required to join fleets and image builders to Microsoft Active Directory domains	Read
DescribeEntitlements	Grants permission to retrieve one or all entitlements for the specified stack	Read	stack*
DescribeFleets	Grants permission to retrieve a list that describes one or more specified fleets, if the fleet names are provided. Otherwise, all fleets in the account are described	Read	fleet
DescribeImageBuilders	Grants permission to retrieve a list that describes one or more specified image builders, if the image builder names are provided. Otherwise, all image builders in the account are described	Read	image-builder
DescribeImagePermissions	Grants permission to retrieve a list that describes the permissions for shared AWS account IDs on a private image that you own	Read	image*
DescribeImages	Grants permission to retrieve a list that describes one or more specified images, if the image names or image ARNs are provided. Otherwise, all images in the account are described	Read	image
DescribeSessions	Grants permission to retrieve a list that describes the streaming sessions for the specified stack and fleet. If a user ID is provided for the stack and fleet, only the streaming sessions for that user are described	Read	fleet*
DescribeSessions		Read	stack*
DescribeStacks	Grants permission to retrieve a list that describes one or more specified stacks, if the stack names are provided. Otherwise, all stacks in the account are described	Read	stack
DescribeThemeForStack	Grants permission to get the custom branding theme information, which might includes a custom logo, website links, and other branding to display to your users	Read	stack*
DescribeUsageReportSubscriptions	Grants permission to retrieve a list that describes one or more usage report subscriptions	Read
DescribeUserStackAssociations	Grants permission to retrieve a list that describes the UserStackAssociation objects	Read	stack
DescribeUsers	Grants permission to retrieve a list that describes users in the user pool	Read
DisableUser	Grants permission to disable the specified user in the user pool. This action does not delete the user	Write
DisassociateAppBlockBuilderAppBlock	Grants permission to disassociate the specified app block builder with the app block	Write	app-block*
			app-block-builder*
				aws:ResourceTag/${TagKey}
DisassociateApplicationFleet	Grants permission to disassociate the specified application from the specified fleet	Write	application*
			fleet*
				aws:ResourceTag/${TagKey}
DisassociateApplicationFromEntitlement	Grants permission to disassociate the specified application from the specified entitlement	Write	stack*
DisassociateFleet	Grants permission to disassociate the specified fleet from the specified stack	Write	fleet*
			stack*
				aws:ResourceTag/${TagKey}
EnableUser	Grants permission to enable a user in the user pool	Write
ExpireSession	Grants permission to immediately stop the specified streaming session	Write
ListAssociatedFleets	Grants permission to retrieve the name of the fleet that is associated with the specified stack	Read	stack*
ListAssociatedStacks	Grants permission to retrieve the name of the stack with which the specified fleet is associated	Read	fleet*
ListEntitledApplications	Grants permission to retrieve the applications that are associated with the specified entitlement	List	stack*
ListTagsForResource	Grants permission to retrieve a list of all tags for the specified AppStream 2.0 resource. The following resources can be tagged: Image builders, images, fleets, and stacks	Read
StartAppBlockBuilder	Grants permission to start the specified app block builder	Write	app-block-builder*
StartAppBlockBuilder	Grants permission to start the specified app block builder	Write		aws:ResourceTag/${TagKey}
StartFleet	Grants permission to start the specified fleet	Write	fleet*
StartFleet	Grants permission to start the specified fleet	Write		aws:ResourceTag/${TagKey}
StartImageBuilder	Grants permission to start the specified image builder	Write	image-builder*
StartImageBuilder	Grants permission to start the specified image builder	Write		aws:ResourceTag/${TagKey}
StopAppBlockBuilder	Grants permission to stop the specified app block builder	Write	app-block-builder*
StopAppBlockBuilder	Grants permission to stop the specified app block builder	Write		aws:ResourceTag/${TagKey}
StopFleet	Grants permission to stop the specified fleet	Write	fleet*
StopFleet	Grants permission to stop the specified fleet	Write		aws:ResourceTag/${TagKey}
StopImageBuilder	Grants permission to stop the specified image builder	Write	image-builder*
StopImageBuilder	Grants permission to stop the specified image builder	Write		aws:ResourceTag/${TagKey}
Stream	Grants permission to federated users to sign in by using their existing credentials and stream applications from the specified stack	Write	stack*
Stream		Write		appstream:userId
TagResource	Grants permission to add or overwrite one or more tags for the specified AppStream 2.0 resource. The following resources can be tagged: Image builders, images, fleets, stacks, app blocks and applications	Tagging	app-block
			app-block-builder
			application
			fleet
			image
			image-builder
			stack
				aws:RequestTag/${TagKey} aws:TagKeys aws:ResourceTag/${TagKey}
UntagResource	Grants permission to disassociate one or more tags from the specified AppStream 2.0 resource	Tagging	app-block
			app-block-builder
			application
			fleet
			image
			image-builder
			stack
				aws:TagKeys
UpdateAppBlockBuilder	Grants permission to update a specific app block builder. An app block builder is a virtual machine that is used to create an app block	Write	app-block-builder*
UpdateAppBlockBuilder		Write		aws:ResourceTag/${TagKey}
UpdateApplication	Grants permission to update the specified fields for the specified application	Write	application*
			app-block
				aws:ResourceTag/${TagKey}
UpdateDirectoryConfig	Grants permission to update the specified Directory Config object in AppStream 2.0. This object includes the configuration information required to join fleets and image builders to Microsoft Active Directory domains	Write
UpdateEntitlement	Grants permission to update the specified fields for the specified entitlement	Write	stack*
UpdateFleet	Grants permission to update the specified fleet. All attributes except the fleet name can be updated when the fleet is in the STOPPED state	Write	fleet*
			image
				aws:ResourceTag/${TagKey}
UpdateImagePermissions	Grants permission to add or update permissions for the specified private image	Write	image*
UpdateImagePermissions		Write		aws:ResourceTag/${TagKey}
UpdateStack	Grants permission to update the specified fields for the specified stack	Write	stack*
UpdateStack		Write		aws:ResourceTag/${TagKey}
UpdateThemeForStack	Grants permission to update the custom branding theme information, which might includes a custom logo, website links, and other branding to display to your users	Write	stack*

Resource types defined by Amazon AppStream 2.0

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.

Resource types	ARN	Condition keys
fleet	`arn:${Partition}:appstream:${Region}:${Account}:fleet/${FleetName}`	aws:ResourceTag/${TagKey}
image	`arn:${Partition}:appstream:${Region}:${Account}:image/${ImageName}`	aws:ResourceTag/${TagKey}
image-builder	`arn:${Partition}:appstream:${Region}:${Account}:image-builder/${ImageBuilderName}`	aws:ResourceTag/${TagKey}
stack	`arn:${Partition}:appstream:${Region}:${Account}:stack/${StackName}`	aws:ResourceTag/${TagKey}
app-block	`arn:${Partition}:appstream:${Region}:${Account}:app-block/${AppBlockName}`	aws:ResourceTag/${TagKey}
application	`arn:${Partition}:appstream:${Region}:${Account}:application/${ApplicationName}`	aws:ResourceTag/${TagKey}
app-block-builder	`arn:${Partition}:appstream:${Region}:${Account}:app-block-builder/${AppBlockBuilderName}`	aws:ResourceTag/${TagKey}

Condition keys for Amazon AppStream 2.0

Amazon AppStream 2.0 defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys	Description	Type
appstream:userId	Filters access by the ID of the AppStream 2.0 user	String
aws:RequestTag/${TagKey}	Filters access by the presence of tag key-value pairs in the request	String
aws:ResourceTag/${TagKey}	Filters access by the tag key-value pairs attached to the resource	String
aws:TagKeys	Filters access by the presence of tag keys in the request	ArrayOfString

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

AWS Application Transformation Service

AWS AppSync