Actions, resources, and condition keys for Amazon Nimble Studio - Service Authorization Reference

Actions, resources, and condition keys for Amazon Nimble Studio

Amazon Nimble Studio (service prefix: nimble) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions defined by Amazon Nimble Studio

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note

Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see Actions table.

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
| --- | --- | --- | --- | --- | --- |
| AcceptEulas | Grants permission to accept EULAs | Write | eula* | | |
| CreateLaunchProfile | Grants permission to create a launch profile | Write | studio* | aws:TagKeys, aws:RequestTag/${TagKey} | ec2:CreateNetworkInterface, ec2:DescribeNatGateways, ec2:DescribeNetworkAcls, ec2:DescribeRouteTables, ec2:DescribeSubnets, ec2:DescribeVpcEndpoints, ec2:RunInstances |
| CreateStreamingImage | Grants permission to create a streaming image | Write | studio* | aws:TagKeys, aws:RequestTag/${TagKey} | ec2:DescribeImages, ec2:DescribeSnapshots, ec2:ModifyInstanceAttribute, ec2:ModifySnapshotAttribute, ec2:RegisterImage |
| CreateStreamingSession | Grants permission to create a streaming session | Write | launch-profile* | aws:TagKeys, aws:RequestTag/${TagKey} | ec2:CreateNetworkInterface, ec2:CreateNetworkInterfacePermission, nimble:GetLaunchProfile, nimble:GetLaunchProfileInitialization, nimble:ListEulaAcceptances |
| CreateStreamingSessionStream | Grants permission to create a StreamingSessionStream | Write | streaming-session* | nimble:requesterPrincipalId | |
| CreateStudio | Grants permission to create a studio | Write | studio* | aws:TagKeys, aws:RequestTag/${TagKey} | iam:PassRole, sso:CreateManagedApplicationInstance |
| CreateStudioComponent | Grants permission to create a studio component. A studio component designates a network resource to which a launch profile will provide access | Write | studio* | aws:TagKeys, aws:RequestTag/${TagKey} | ds:AuthorizeApplication, ds:DescribeDirectories, ec2:DescribeSecurityGroups, fsx:DescribeFileSystems, iam:PassRole |
| DeleteLaunchProfile | Grants permission to delete a launch profile | Write | launch-profile* | | |
| DeleteLaunchProfileMember | Grants permission to delete a launch profile member | Write | launch-profile* | | |
| DeleteStreamingImage | Grants permission to delete a streaming image | Write | streaming-image* | | ec2:DeleteSnapshot, ec2:DeregisterImage, ec2:ModifyInstanceAttribute, ec2:ModifySnapshotAttribute |
| DeleteStreamingSession | Grants permission to delete a streaming session | Write | streaming-session* | nimble:requesterPrincipalId | ec2:DeleteNetworkInterface |
| DeleteStudio | Grants permission to delete a studio | Write | studio* | | sso:DeleteManagedApplicationInstance |
| DeleteStudioComponent | Grants permission to delete a studio component | Write | studio-component* | | ds:UnauthorizeApplication |
| DeleteStudioMember | Grants permission to delete a studio member | Write | studio* | | |
| GetEula | Grants permission to get a EULA | Read | eula* | | |
| GetFeatureMap [permission only] | Grants permission to allow Nimble Studio portal to show the appropriate features for this account | Read | | | |
| GetLaunchProfile | Grants permission to get a launch profile | Read | launch-profile* | | |
| GetLaunchProfileDetails | Grants permission to get a launch profile's details, which includes the summary of studio components and streaming images used by the launch profile | Read | launch-profile* | | |
| GetLaunchProfileInitialization | Grants permission to get a launch profile initialization. A launch profile initialization is a dereferenced version of a launch profile, including attached studio component connection information | Read | launch-profile* | | ds:DescribeDirectories, ec2:DescribeSecurityGroups, fsx:DescribeFileSystems |
| GetLaunchProfileMember | Grants permission to get a launch profile member | Read | launch-profile* | | |
| GetStreamingImage | Grants permission to get a streaming image | Read | streaming-image* | | |
| GetStreamingSession | Grants permission to get a streaming session | Read | streaming-session* | nimble:requesterPrincipalId | |
| GetStreamingSessionBackup | Grants permission to get a streaming session backup | Read | streaming-session-backup* | nimble:requesterPrincipalId | |
| GetStreamingSessionStream | Grants permission to get a streaming session stream | Read | streaming-session* | nimble:requesterPrincipalId | |
| GetStudio | Grants permission to get a studio | Read | studio* | | |
| GetStudioComponent | Grants permission to get a studio component | Read | studio-component* | | |
| GetStudioMember | Grants permission to get a studio member | Read | studio* | | |
| ListEulaAcceptances | Grants permission to list EULA acceptances | Read | eula-acceptance* | | |
| ListEulas | Grants permission to list EULAs | Read | eula* | | |
| ListLaunchProfileMembers | Grants permission to list launch profile members | Read | launch-profile* | | |
| ListLaunchProfiles | Grants permission to list launch profiles | Read | studio* | nimble:principalId, nimble:requesterPrincipalId | |
| ListStreamingImages | Grants permission to list streaming images | Read | studio* | | |
| ListStreamingSessionBackups | Grants permission to list streaming session backups | Read | studio* | nimble:requesterPrincipalId | |
| ListStreamingSessions | Grants permission to list streaming sessions | Read | studio* | nimble:createdBy, nimble:ownedBy, nimble:requesterPrincipalId | |
| ListStudioComponents | Grants permission to list studio components | Read | studio* | | |
| ListStudioMembers | Grants permission to list studio members | Read | studio* | | |
| ListStudios | Grants permission to list all studios | Read | | | |
| ListTagsForResource | Grants permission to list all tags on a Nimble Studio resource | Read | launch-profile, streaming-image, streaming-session, streaming-session-backup, studio, studio-component | | |
| PutLaunchProfileMembers | Grants permission to add/update launch profile members | Write | launch-profile* | | sso-directory:DescribeUsers |
| PutStudioLogEvents [permission only] | Grants permission to report metrics and logs for the Nimble Studio portal to monitor application health | Write | studio* | | |
| PutStudioMembers | Grants permission to add/update studio members | Write | studio* | | sso-directory:DescribeUsers |
| StartStreamingSession | Grants permission to start a streaming session | Write | streaming-session*, streaming-session-backup | nimble:requesterPrincipalId | nimble:GetLaunchProfile, nimble:GetLaunchProfileMember |
| StartStudioSSOConfigurationRepair | Grants permission to repair the studio's AWS IAM Identity Center configuration | Write | studio* | | sso:CreateManagedApplicationInstance, sso:GetManagedApplicationInstance |
| StopStreamingSession | Grants permission to stop a streaming session | Write | streaming-session* | nimble:requesterPrincipalId | nimble:GetLaunchProfile |
| TagResource | Grants permission to add or overwrite one or more tags for the specified Nimble Studio resource | Tagging | launch-profile, streaming-image, streaming-session, streaming-session-backup, studio, studio-component | aws:RequestTag/${TagKey}, aws:TagKeys, aws:ResourceTag/${TagKey} | |
| UntagResource | Grants permission to disassociate one or more tags from the specified Nimble Studio resource | Tagging | launch-profile, streaming-image, streaming-session, streaming-session-backup, studio, studio-component | aws:TagKeys | |
| UpdateLaunchProfile | Grants permission to update a launch profile | Write | launch-profile* | | ec2:DescribeNatGateways, ec2:DescribeNetworkAcls, ec2:DescribeRouteTables, ec2:DescribeSubnets, ec2:DescribeVpcEndpoints |
| UpdateLaunchProfileMember | Grants permission to update a launch profile member | Write | launch-profile* | | |
| UpdateStreamingImage | Grants permission to update a streaming image | Write | streaming-image* | | |
| UpdateStudio | Grants permission to update a studio | Write | studio* | | iam:PassRole |
| UpdateStudioComponent | Grants permission to update a studio component | Write | studio-component* | | ds:AuthorizeApplication, ds:DescribeDirectories, ec2:DescribeSecurityGroups, fsx:DescribeFileSystems, iam:PassRole |

Resource types defined by Amazon Nimble Studio

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.

| Resource types | ARN | Condition keys |
| --- | --- | --- |
| studio | arn:${Partition}:nimble:${Region}:${Account}:studio/${StudioId} | aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, nimble:studioId |
| streaming-image | arn:${Partition}:nimble:${Region}:${Account}:streaming-image/${StreamingImageId} | aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, nimble:studioId |
| studio-component | arn:${Partition}:nimble:${Region}:${Account}:studio-component/${StudioComponentId} | aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, nimble:studioId |
| launch-profile | arn:${Partition}:nimble:${Region}:${Account}:launch-profile/${LaunchProfileId} | aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, nimble:studioId |
| streaming-session | arn:${Partition}:nimble:${Region}:${Account}:streaming-session/${StreamingSessionId} | aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, nimble:createdBy, nimble:ownedBy |
| streaming-session-backup | arn:${Partition}:nimble:${Region}:${Account}:streaming-session-backup/${StreamingSessionBackupId} | aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, nimble:ownedBy |
| eula | arn:${Partition}:nimble:${Region}:${Account}:eula/${EulaId} | |
| eula-acceptance | arn:${Partition}:nimble:${Region}:${Account}:eula-acceptance/${EulaAcceptanceId} | nimble:studioId |

Condition keys for Amazon Nimble Studio

Amazon Nimble Studio defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

| Condition keys | Description | Type |
| --- | --- | --- |
| aws:RequestTag/${TagKey} | Filters access by a tag key and value pair that is allowed in the request | String |
| aws:ResourceTag/${TagKey} | Filters access by a tag key and value pair of a resource | String |
| aws:TagKeys | Filters access by a list of tag keys that are allowed in the request | ArrayOfString |
| nimble:createdBy | Filters access by the createdBy request parameter or the ID of the creator of the resource | String |
| nimble:ownedBy | Filters access by the ownedBy request parameter or the ID of the owner of the resource | String |
| nimble:principalId | Filters access by the principalId request parameter | String |
| nimble:requesterPrincipalId | Filters access by the ID of the logged in user | String |
| nimble:studioId | Filters access by a specific studio | ARN |
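
A small policy linter for the Resource and Condition rules described on this page, added here as an example (it is not AWS code). It checks that each statement's Resource covers the action's required resource type and that any condition key this page defines is one the tables list for that action. `ACTIONS` and `RESOURCE_KEYS` are a hand-copied subset of the tables; the sample policy, account ID, Region and tag key are constructed, and key names are compared exactly as spelled on the page.

```python
from fnmatch import fnmatchcase

TAGS = {"aws:RequestTag/", "aws:ResourceTag/", "aws:TagKeys"}  # "/" = any ${TagKey}
# Hand-copied subset of this page's tables: resource type -> its condition keys.
RESOURCE_KEYS = {"launch-profile": TAGS | {"nimble:studioId"},
                 "streaming-session": TAGS | {"nimble:createdBy", "nimble:ownedBy"}}
# action -> (required resource type or None, condition keys on the action row)
ACTIONS = {
    "nimble:CreateStreamingSession": ("launch-profile", {"aws:TagKeys", "aws:RequestTag/"}),
    "nimble:DeleteStreamingSession": ("streaming-session", {"nimble:requesterPrincipalId"}),
    "nimble:ListStudios": (None, set()),
}
LP = "arn:aws:nimble:us-west-2:111122223333:launch-profile/*"  # constructed ARN
POLICY = {"Version": "2012-10-17", "Statement": [  # constructed sample policy
    {"Effect": "Allow", "Action": "nimble:CreateStreamingSession", "Resource": LP,
     "Condition": {"StringEquals": {"aws:RequestTag/project": "demo"}}},
    {"Effect": "Allow", "Action": "nimble:DeleteStreamingSession", "Resource": LP,
     "Condition": {"ArnLike": {"nimble:studioId": "arn:aws:nimble:*:*:studio/*"}}},
    {"Effect": "Allow", "Action": ["nimble:ListStudios"], "Resource": LP},
]}

def as_list(value):
    return value if isinstance(value, list) else [value]

def covers(pattern, rtype):
    """True if a Resource pattern can match an ARN of the given Nimble resource type."""
    parts = pattern.split(":", 5)
    return pattern == "*" or (len(parts) == 6 and fnmatchcase("nimble", parts[2])
                              and fnmatchcase(rtype, parts[5].split("/", 1)[0]))

def listed(key, allowed):
    return any(key == a or (a.endswith("/") and key.startswith(a)) for a in allowed)

def lint(stmt):
    findings, resources = [], as_list(stmt["Resource"])
    keys = [k for block in stmt.get("Condition", {}).values() for k in block]
    for action in as_list(stmt["Action"]):
        rtype, action_keys = ACTIONS[action]
        if rtype is None:  # empty Resource types column: only "*" is valid
            if resources != ["*"]:
                findings.append(f'{action}: Resource must be "*"')
            continue
        if not any(covers(r, rtype) for r in resources):
            findings.append(f"{action}: Resource does not cover required type {rtype}")
        for k in keys:  # keys this page does not define are global and not judged
            defined = k.startswith("nimble:") or listed(k, TAGS)
            if defined and not listed(k, action_keys | RESOURCE_KEYS[rtype]):
                findings.append(f"{action}: condition key {k} is not listed for it")
    return findings
```

Running `[lint(s) for s in POLICY["Statement"]]` returns no findings for the first statement, two for the second (wrong resource type, unlisted condition key) and one for the third (an action without resource-level permissions scoped to an ARN).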