Actions, resources, and condition keys for Amazon AppStream 2.0
Amazon AppStream 2.0 (service prefix: appstream) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.
References:
-
Learn how to configure this service.
-
View a list of the API operations available for this service.
-
Learn how to secure this service and its resources by using IAM permission policies.
Topics
Actions defined by Amazon AppStream 2.0
You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.
The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.
The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.
Note
Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.
For details about the columns in the following table, see Actions table.
| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| AssociateAppBlockBuilderAppBlock | Grants permission to associate the specified app block builder with the app block | Write | |||
| AssociateApplicationFleet | Grants permission to associate the specified application with the fleet | Write | |||
| AssociateApplicationToEntitlement | Grants permission to associate the specified application to the specified entitlement | Write | |||
| AssociateFleet | Grants permission to associate the specified fleet with the specified stack | Write | |||
| BatchAssociateUserStack | Grants permission to associate the specified users with the specified stacks. Users in a user pool cannot be assigned to stacks with fleets that are joined to an Active Directory domain | Write | |||
| BatchDisassociateUserStack | Grants permission to disassociate the specified users from the specified stacks | Write | |||
| CopyImage | Grants permission to copy the specified image within the same Region or to a new Region within the same AWS account | Write | |||
| CreateAppBlock | Grants permission to create an app block. App blocks store details about the virtual hard disk that contains the files for the application in an S3 bucket. It also stores the setup script with details about how to mount the virtual hard disk. App blocks are only supported for Elastic fleets | Write | |||
| CreateAppBlockBuilder | Grants permission to create an app block builder. An app block builder is a virtual machine that is used to create an app block | Write | |||
| CreateAppBlockBuilderStreamingURL | Grants permission to create a URL to start an app block builder streaming session | Write | |||
| CreateApplication | Grants permission to create an application within customer account. Applications store the details about how to launch applications on streaming instances. This is only supported for Elastic fleets | Write | |||
| CreateDirectoryConfig | Grants permission to create a Directory Config object in AppStream 2.0. This object includes the configuration information required to join fleets and image builders to Microsoft Active Directory domains | Write | |||
| CreateEntitlement | Grants permission to create an entitlement to control access to applications based on user attributes | Write | |||
| CreateFleet | Grants permission to create a fleet. A fleet is a group of streaming instances from which applications are launched and streamed to users | Write | |||
| CreateImageBuilder | Grants permission to create an image builder. An image builder is a virtual machine that is used to create an image | Write | |||
| CreateImageBuilderStreamingURL | Grants permission to create a URL to start an image builder streaming session | Write | |||
| CreateStack | Grants permission to create a stack to start streaming applications to users. A stack consists of an associated fleet, user access policies, and storage configurations | Write | |||
| CreateStreamingURL | Grants permission to create a temporary URL to start an AppStream 2.0 streaming session for the specified user. A streaming URL enables application streaming to be tested without user setup | Write | |||
| CreateUpdatedImage | Grants permission to update an existing image within customer account | Write | |||
| CreateUsageReportSubscription | Grants permission to create a usage report subscription. Usage reports are generated daily | Write | |||
| CreateUser | Grants permission to create a new user in the user pool | Write | |||
| DeleteAppBlock | Grants permission to delete the specified app block | Write | |||
| DeleteAppBlockBuilder | Grants permission to delete the specified app block builder and release capacity | Write | |||
| DeleteApplication | Grants permission to delete the specified application | Write | |||
| DeleteDirectoryConfig | Grants permission to delete the specified Directory Config object from AppStream 2.0. This object includes the configuration information required to join fleets and image builders to Microsoft Active Directory domains | Write | |||
| DeleteEntitlement | Grants permission to delete the specified entitlement | Write | |||
| DeleteFleet | Grants permission to delete the specified fleet | Write | |||
| DeleteImage | Grants permission to delete the specified image. An image cannot be deleted when it is in use | Write | |||
| DeleteImageBuilder | Grants permission to delete the specified image builder and release capacity | Write | |||
| DeleteImagePermissions | Grants permission to delete permissions for the specified private image | Write | |||
| DeleteStack | Grants permission to delete the specified stack. After the stack is deleted, the application streaming environment provided by the stack is no longer available to users. Also, any reservations made for application streaming sessions for the stack are released | Write | |||
| DeleteUsageReportSubscription | Grants permission to disable usage report generation | Write | |||
| DeleteUser | Grants permission to delete a user from the user pool | Write | |||
| DescribeAppBlockBuilderAppBlockAssociations | Grants permission to retrieve the associations that are associated with the specified app block builder or app block | Read | |||
| DescribeAppBlockBuilders | Grants permission to retrieve a list that describes one or more specified app block builders, if the app block builder names are provided. Otherwise, all app block builders in the account are described | Read | |||
| DescribeAppBlocks | Grants permission to retrieve a list that describes one or more specified app blocks, if the app block arns are provided. Otherwise, all app blocks in the account are described | Read | |||
| DescribeApplicationFleetAssociations | Grants permission to retrieve the associations that are associated with the specified application or fleet | Read | |||
| DescribeApplications | Grants permission to retrieve a list that describes one or more specified applications, if the application arns are provided. Otherwise, all applications in the account are described | Read | |||
| DescribeDirectoryConfigs | Grants permission to retrieve a list that describes one or more specified Directory Config objects for AppStream 2.0, if the names for these objects are provided. Otherwise, all Directory Config objects in the account are described. This object includes the configuration information required to join fleets and image builders to Microsoft Active Directory domains | Read | |||
| DescribeEntitlements | Grants permission to retrieve one or all entitlements for the specified stack | Read | |||
| DescribeFleets | Grants permission to retrieve a list that describes one or more specified fleets, if the fleet names are provided. Otherwise, all fleets in the account are described | Read | |||
| DescribeImageBuilders | Grants permission to retrieve a list that describes one or more specified image builders, if the image builder names are provided. Otherwise, all image builders in the account are described | Read | |||
| DescribeImagePermissions | Grants permission to retrieve a list that describes the permissions for shared AWS account IDs on a private image that you own | Read | |||
| DescribeImages | Grants permission to retrieve a list that describes one or more specified images, if the image names or image ARNs are provided. Otherwise, all images in the account are described | Read | |||
| DescribeSessions | Grants permission to retrieve a list that describes the streaming sessions for the specified stack and fleet. If a user ID is provided for the stack and fleet, only the streaming sessions for that user are described | Read | |||
| DescribeStacks | Grants permission to retrieve a list that describes one or more specified stacks, if the stack names are provided. Otherwise, all stacks in the account are described | Read | |||
| DescribeUsageReportSubscriptions | Grants permission to retrieve a list that describes one or more usage report subscriptions | Read | |||
| DescribeUserStackAssociations | Grants permission to retrieve a list that describes the UserStackAssociation objects | Read | |||
| DescribeUsers | Grants permission to retrieve a list that describes users in the user pool | Read | |||
| DisableUser | Grants permission to disable the specified user in the user pool. This action does not delete the user | Write | |||
| DisassociateAppBlockBuilderAppBlock | Grants permission to disassociate the specified app block builder with the app block | Write | |||
| DisassociateApplicationFleet | Grants permission to disassociate the specified application from the specified fleet | Write | |||
| DisassociateApplicationFromEntitlement | Grants permission to disassociate the specified application from the specified entitlement | Write | |||
| DisassociateFleet | Grants permission to disassociate the specified fleet from the specified stack | Write | |||
| EnableUser | Grants permission to enable a user in the user pool | Write | |||
| ExpireSession | Grants permission to immediately stop the specified streaming session | Write | |||
| ListAssociatedFleets | Grants permission to retrieve the name of the fleet that is associated with the specified stack | Read | |||
| ListAssociatedStacks | Grants permission to retrieve the name of the stack with which the specified fleet is associated | Read | |||
| ListEntitledApplications | Grants permission to retrieve the applications that are associated with the specified entitlement | List | |||
| ListTagsForResource | Grants permission to retrieve a list of all tags for the specified AppStream 2.0 resource. The following resources can be tagged: Image builders, images, fleets, and stacks | Read | |||
| StartAppBlockBuilder | Grants permission to start the specified app block builder | Write | |||
| StartFleet | Grants permission to start the specified fleet | Write | |||
| StartImageBuilder | Grants permission to start the specified image builder | Write | |||
| StopAppBlockBuilder | Grants permission to stop the specified app block builder | Write | |||
| StopFleet | Grants permission to stop the specified fleet | Write | |||
| StopImageBuilder | Grants permission to stop the specified image builder | Write | |||
| Stream | Grants permission to federated users to sign in by using their existing credentials and stream applications from the specified stack | Write | |||
| TagResource | Grants permission to add or overwrite one or more tags for the specified AppStream 2.0 resource. The following resources can be tagged: Image builders, images, fleets, stacks, app blocks and applications | Tagging | |||
| UntagResource | Grants permission to disassociate one or more tags from the specified AppStream 2.0 resource | Tagging | |||
| UpdateAppBlockBuilder | Grants permission to update a specific app block builder. An app block builder is a virtual machine that is used to create an app block | Write | |||
| UpdateApplication | Grants permission to update the specified fields for the specified application | Write | |||
| UpdateDirectoryConfig | Grants permission to update the specified Directory Config object in AppStream 2.0. This object includes the configuration information required to join fleets and image builders to Microsoft Active Directory domains | Write | |||
| UpdateEntitlement | Grants permission to update the specified fields for the specified entitlement | Write | |||
| UpdateFleet | Grants permission to update the specified fleet. All attributes except the fleet name can be updated when the fleet is in the STOPPED state | Write | |||
| UpdateImagePermissions | Grants permission to add or update permissions for the specified private image | Write | |||
| UpdateStack | Grants permission to update the specified fields for the specified stack | Write | |||
Resource types defined by Amazon AppStream 2.0
The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.
| Resource types | ARN | Condition keys |
|---|---|---|
| fleet |
arn:${Partition}:appstream:${Region}:${Account}:fleet/${FleetName}
|
|
| image |
arn:${Partition}:appstream:${Region}:${Account}:image/${ImageName}
|
|
| image-builder |
arn:${Partition}:appstream:${Region}:${Account}:image-builder/${ImageBuilderName}
|
|
| stack |
arn:${Partition}:appstream:${Region}:${Account}:stack/${StackName}
|
|
| app-block |
arn:${Partition}:appstream:${Region}:${Account}:app-block/${AppBlockName}
|
|
| application |
arn:${Partition}:appstream:${Region}:${Account}:application/${ApplicationName}
|
|
| app-block-builder |
arn:${Partition}:appstream:${Region}:${Account}:app-block-builder/${AppBlockBuilderName}
|
Condition keys for Amazon AppStream 2.0
Amazon AppStream 2.0 defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.
To view the global condition keys that are available to all services, see Available global condition keys.
| Condition keys | Description | Type |
|---|---|---|
| appstream:userId | Filters access by the ID of the AppStream 2.0 user | String |
| aws:RequestTag/${TagKey} | Filters access by the presence of tag key-value pairs in the request | String |
| aws:ResourceTag/${TagKey} | Filters access by the tag key-value pairs attached to the resource | String |
| aws:TagKeys | Filters access by the presence of tag keys in the request | ArrayOfString |
