Actions, resources, and condition keys for Amazon S3 Glacier
Amazon S3 Glacier (service prefix: glacier) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.
References:
-
Learn how to configure this service.
-
View a list of the API operations available for this service.
-
Learn how to secure this service and its resources by using IAM permission policies.
Topics
Actions defined by Amazon S3 Glacier
You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.
The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.
The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.
Note
Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.
For details about the columns in the following table, see Actions table.
| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| AbortMultipartUpload | Grants permission to abort a multipart upload identified by the upload ID | Write | |||
| AbortVaultLock | Grants permission to abort the vault locking process if the vault lock is not in the Locked state | Permissions management | |||
| AddTagsToVault | Grants permission to add the specified tags to a vault | Tagging | |||
| CompleteMultipartUpload | Grants permission to complete a multipart upload process | Write | |||
| CompleteVaultLock | Grants permission to complete the vault locking process | Permissions management | |||
| CreateVault | Grants permission to create a new vault with the specified name | Write | |||
| DeleteArchive | Grants permission to delete an archive from a vault | Write | |||
| DeleteVault | Grants permission to delete a vault | Write | |||
| DeleteVaultAccessPolicy | Grants permission to delete the access policy associated with the specified vault | Permissions management | |||
| DeleteVaultNotifications | Grants permission to delete the notification configuration set for a vault | Write | |||
| DescribeJob | Grants permission to get information about a job previously initiated | Read | |||
| DescribeVault | Grants permission to get information about a vault | Read | |||
| GetDataRetrievalPolicy | Grants permission to get the data retrieval policy | Read | |||
| GetJobOutput | Grants permission to download the output of the job specified | Read | |||
| GetVaultAccessPolicy | Grants permission to retrieve the access-policy subresource set on the vault | Read | |||
| GetVaultLock | Grants permission to retrieve attributes from the lock-policy subresource set on the specified vault | Read | |||
| GetVaultNotifications | Grants permission to retrieve the notification-configuration subresource set on the vault | Read | |||
| InitiateJob | Grants permission to initiate a job of the specified type | Write | |||
| InitiateMultipartUpload | Grants permission to initiate a multipart upload | Write | |||
| InitiateVaultLock | Grants permission to initiate the vault locking process | Permissions management | |||
| ListJobs | Grants permission to list jobs for a vault that are in-progress and jobs that have recently finished | List | |||
| ListMultipartUploads | Grants permission to list in-progress multipart uploads for the specified vault | List | |||
| ListParts | Grants permission to list the parts of an archive that have been uploaded in a specific multipart upload | List | |||
| ListProvisionedCapacity | Grants permission to list the provisioned capacity for the specified AWS account | List | |||
| ListTagsForVault | Grants permission to list all the tags attached to a vault | List | |||
| ListVaults | Grants permission to list all vaults | List | |||
| PurchaseProvisionedCapacity | Grants permission to purchases a provisioned capacity unit for an AWS account | Write | |||
| RemoveTagsFromVault | Grants permission to remove one or more tags from the set of tags attached to a vault | Tagging | |||
| SetDataRetrievalPolicy | Grants permission to set and then enacts a data retrieval policy in the region specified in the PUT request | Permissions management | |||
| SetVaultAccessPolicy | Grants permission to configure an access policy for a vault; will overwrite an existing policy | Permissions management | |||
| SetVaultNotifications | Grants permission to configure vault notifications | Write | |||
| UploadArchive | Grants permission to upload an archive to a vault | Write | |||
| UploadMultipartPart | Grants permission to upload a part of an archive | Write |
Resource types defined by Amazon S3 Glacier
The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.
| Resource types | ARN | Condition keys |
|---|---|---|
| vault |
arn:${Partition}:glacier:${Region}:${Account}:vaults/${VaultName}
|
Condition keys for Amazon S3 Glacier
Amazon S3 Glacier defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.
To view the global condition keys that are available to all services, see Available global condition keys.
| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters access by the tags that are passed in the request | String |
| aws:TagKeys | Filters access by the tag keys that are passed in the request | ArrayOfString |
| glacier:ArchiveAgeInDays | Filters access by how long an archive has been stored in the vault, in days | String |
| glacier:ResourceTag/ | Filters access by a customer-defined tag | String |
