Actions, resources, and condition keys for Amazon Nimble Studio
Amazon Nimble Studio (service prefix: nimble) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.
References:
- Learn how to configure this service.
- View a list of the API operations available for this service.
- Learn how to secure this service and its resources by using IAM permission policies.
Actions defined by Amazon Nimble Studio
You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.
The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.
The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.
Note
Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.
For details about the columns in the following table, see Actions table.
Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
---|---|---|---|---|---|
AcceptEulas | Grants permission to accept EULAs | Write | |||
CreateLaunchProfile | Grants permission to create a launch profile | Write | | | ec2:CreateNetworkInterface, ec2:DescribeNatGateways, ec2:DescribeNetworkAcls, ec2:DescribeRouteTables, ec2:DescribeSubnets, ec2:DescribeVpcEndpoints, ec2:RunInstances |
CreateStreamingImage | Grants permission to create a streaming image | Write | | | ec2:DescribeImages, ec2:DescribeSnapshots, ec2:ModifyInstanceAttribute, ec2:ModifySnapshotAttribute, ec2:RegisterImage |
CreateStreamingSession | Grants permission to create a streaming session | Write | | | ec2:CreateNetworkInterface, ec2:CreateNetworkInterfacePermission, nimble:GetLaunchProfile, nimble:GetLaunchProfileInitialization, nimble:ListEulaAcceptances |
CreateStreamingSessionStream | Grants permission to create a StreamingSessionStream | Write | |||
CreateStudio | Grants permission to create a studio | Write | | | iam:PassRole, sso:CreateManagedApplicationInstance |
CreateStudioComponent | Grants permission to create a studio component. A studio component designates a network resource to which a launch profile will provide access | Write | | | ds:AuthorizeApplication, ds:DescribeDirectories, ec2:DescribeSecurityGroups, fsx:DescribeFileSystems, iam:PassRole |
DeleteLaunchProfile | Grants permission to delete a launch profile | Write | |||
DeleteLaunchProfileMember | Grants permission to delete a launch profile member | Write | |||
DeleteStreamingImage | Grants permission to delete a streaming image | Write | | | ec2:DeleteSnapshot, ec2:DeregisterImage, ec2:ModifyInstanceAttribute, ec2:ModifySnapshotAttribute |
DeleteStreamingSession | Grants permission to delete a streaming session | Write | | | ec2:DeleteNetworkInterface |
DeleteStudio | Grants permission to delete a studio | Write | | | sso:DeleteManagedApplicationInstance |
DeleteStudioComponent | Grants permission to delete a studio component | Write | | | ds:UnauthorizeApplication |
DeleteStudioMember | Grants permission to delete a studio member | Write | |||
GetEula | Grants permission to get a EULA | Read | |||
GetFeatureMap [permission only] | Grants permission to allow Nimble Studio portal to show the appropriate features for this account | Read | |||
GetLaunchProfile | Grants permission to get a launch profile | Read | |||
GetLaunchProfileDetails | Grants permission to get a launch profile's details, which includes the summary of studio components and streaming images used by the launch profile | Read | |||
GetLaunchProfileInitialization | Grants permission to get a launch profile initialization. A launch profile initialization is a dereferenced version of a launch profile, including attached studio component connection information | Read | | | ds:DescribeDirectories, ec2:DescribeSecurityGroups, fsx:DescribeFileSystems |
GetLaunchProfileMember | Grants permission to get a launch profile member | Read | |||
GetStreamingImage | Grants permission to get a streaming image | Read | |||
GetStreamingSession | Grants permission to get a streaming session | Read | |||
GetStreamingSessionBackup | Grants permission to get a streaming session backup | Read | |||
GetStreamingSessionStream | Grants permission to get a streaming session stream | Read | |||
GetStudio | Grants permission to get a studio | Read | |||
GetStudioComponent | Grants permission to get a studio component | Read | |||
GetStudioMember | Grants permission to get a studio member | Read | |||
ListEulaAcceptances | Grants permission to list EULA acceptances | Read | |||
ListEulas | Grants permission to list EULAs | Read | |||
ListLaunchProfileMembers | Grants permission to list launch profile members | Read | |||
ListLaunchProfiles | Grants permission to list launch profiles | Read | |||
ListStreamingImages | Grants permission to list streaming images | Read | |||
ListStreamingSessionBackups | Grants permission to list streaming session backups | Read | |||
ListStreamingSessions | Grants permission to list streaming sessions | Read | |||
ListStudioComponents | Grants permission to list studio components | Read | |||
ListStudioMembers | Grants permission to list studio members | Read | |||
ListStudios | Grants permission to list all studios | Read | |||
ListTagsForResource | Grants permission to list all tags on a Nimble Studio resource | Read | |||
PutLaunchProfileMembers | Grants permission to add/update launch profile members | Write | | | sso-directory:DescribeUsers |
PutStudioLogEvents [permission only] | Grants permission to report metrics and logs for the Nimble Studio portal to monitor application health | Write | |||
PutStudioMembers | Grants permission to add/update studio members | Write | | | sso-directory:DescribeUsers |
StartStreamingSession | Grants permission to start a streaming session | Write | | | nimble:GetLaunchProfile, nimble:GetLaunchProfileMember |
StartStudioSSOConfigurationRepair | Grants permission to repair the studio's AWS IAM Identity Center configuration | Write | | | sso:CreateManagedApplicationInstance, sso:GetManagedApplicationInstance |
StopStreamingSession | Grants permission to stop a streaming session | Write | | | nimble:GetLaunchProfile |
TagResource | Grants permission to add or overwrite one or more tags for the specified Nimble Studio resource | Tagging | |||
UntagResource | Grants permission to disassociate one or more tags from the specified Nimble Studio resource | Tagging | |||
UpdateLaunchProfile | Grants permission to update a launch profile | Write | | | ec2:DescribeNatGateways, ec2:DescribeNetworkAcls, ec2:DescribeRouteTables, ec2:DescribeSubnets, ec2:DescribeVpcEndpoints |
UpdateLaunchProfileMember | Grants permission to update a launch profile member | Write | |||
UpdateStreamingImage | Grants permission to update a streaming image | Write | |||
UpdateStudio | Grants permission to update a studio | Write | | | iam:PassRole |
UpdateStudioComponent | Grants permission to update a studio component | Write | | | ds:AuthorizeApplication, ds:DescribeDirectories, ec2:DescribeSecurityGroups, fsx:DescribeFileSystems, iam:PassRole |
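An added example (not part of the AWS page) that uses the Dependent actions column to lint a policy: it reports Nimble Studio actions the policy allows whose dependent actions it never allows. The sample policy and function names are constructed for illustration, the dependency map is copied from four rows of the table above, and Deny statements, NotAction, Resource and Condition scoping are ignored.

```python
import json
import re

# Dependent actions copied from four rows of the Actions table above.
DEPENDENT_ACTIONS = {
    "nimble:CreateStudio": ["iam:PassRole", "sso:CreateManagedApplicationInstance"],
    "nimble:DeleteStudio": ["sso:DeleteManagedApplicationInstance"],
    "nimble:CreateStreamingSession": [
        "ec2:CreateNetworkInterface", "ec2:CreateNetworkInterfacePermission",
        "nimble:GetLaunchProfile", "nimble:GetLaunchProfileInitialization",
        "nimble:ListEulaAcceptances"],
    "nimble:StartStreamingSession": ["nimble:GetLaunchProfile", "nimble:GetLaunchProfileMember"],
}

# Constructed sample policy (not from the page).
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": ["nimble:CreateStudio", "nimble:*StreamingSession"]},
    {"Effect": "Allow", "Resource": "*", "Action": ["iam:PassRole", "ec2:CreateNetworkInterface*"]}
  ]
}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allowed_patterns(policy):
    """Action patterns from Allow statements only (simplification, see lead-in)."""
    return [p for s in _as_list(policy.get("Statement", []))
            if s.get("Effect") == "Allow"
            for p in _as_list(s.get("Action", []))]

def is_allowed(action, patterns):
    """IAM-style match: case-insensitive, with * and ? as wildcards."""
    for pattern in patterns:
        regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(regex, action, re.IGNORECASE):
            return True
    return False

def missing_dependents(policy):
    """Map each allowed Nimble action to the dependent actions the policy lacks."""
    patterns = allowed_patterns(policy)
    report = {}
    for action, deps in DEPENDENT_ACTIONS.items():
        missing = [d for d in deps if not is_allowed(d, patterns)]
        if missing and is_allowed(action, patterns):
            report[action] = missing
    return report
```

Calling `missing_dependents(SAMPLE_POLICY)` shows that the wildcard `nimble:*StreamingSession` covers the session actions but none of the `nimble:GetLaunchProfile*` dependents they need.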
Resource types defined by Amazon Nimble Studio
The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.
Resource types | ARN | Condition keys |
---|---|---|
studio | arn:${Partition}:nimble:${Region}:${Account}:studio/${StudioId} | |
streaming-image | arn:${Partition}:nimble:${Region}:${Account}:streaming-image/${StreamingImageId} | |
studio-component | arn:${Partition}:nimble:${Region}:${Account}:studio-component/${StudioComponentId} | |
launch-profile | arn:${Partition}:nimble:${Region}:${Account}:launch-profile/${LaunchProfileId} | |
streaming-session | arn:${Partition}:nimble:${Region}:${Account}:streaming-session/${StreamingSessionId} | |
streaming-session-backup | arn:${Partition}:nimble:${Region}:${Account}:streaming-session-backup/${StreamingSessionBackupId} | |
eula | arn:${Partition}:nimble:${Region}:${Account}:eula/${EulaId} | |
eula-acceptance | arn:${Partition}:nimble:${Region}:${Account}:eula-acceptance/${EulaAcceptanceId} | |
Condition keys for Amazon Nimble Studio
Amazon Nimble Studio defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.
To view the global condition keys that are available to all services, see Available global condition keys.
Condition keys | Description | Type |
---|---|---|
aws:RequestTag/${TagKey} | Filters access by a tag key and value pair that is allowed in the request | String |
aws:ResourceTag/${TagKey} | Filters access by a tag key and value pair of a resource | String |
aws:TagKeys | Filters access by a list of tag keys that are allowed in the request | ArrayOfString |
nimble:createdBy | Filters access by the createdBy request parameter or the ID of the creator of the resource | String |
nimble:ownedBy | Filters access by the ownedBy request parameter or the ID of the owner of the resource | String |
nimble:principalId | Filters access by the principalId request parameter | String |
nimble:requesterPrincipalId | Filters access by the ID of the logged in user | String |
nimble:studioId | Filters access by a specific studio | ARN |