Actions, resources, and condition keys for Amazon Storage Gateway - Service Authorization Reference

Actions, resources, and condition keys for Amazon Storage Gateway

Amazon Storage Gateway (service prefix: storagegateway) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions defined by Amazon Storage Gateway

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If the column is empty for an action, that action does not support resource-level permissions and you must specify all resources ("*") in the Resource element of your policy statement; a statement that names an ARN for such an action never matches and grants nothing. If the column lists a resource type, you can specify an ARN of that type in a statement with that action, and any ARN you specify for that action must be of a listed type. Required resource types are marked with an asterisk (*). Some actions list several required types (for example, CreateTapes lists gateway* and tapepool*); the policy must then allow the action for each of those resources. If a resource type is optional (not marked as required), you can choose whether to scope the statement to it.

For details about the columns in the following table, see The actions table.

Actions Description Access level Resource types (*required) Condition keys Dependent actions
ActivateGateway Grants permission to activate the gateway you previously deployed on your host Write

aws:RequestTag/${TagKey}

aws:TagKeys

AddCache Grants permission to configure one or more gateway local disks as cache for a cached-volume gateway Write

gateway*

AddTagsToResource Grants permission to add one or more tags to the specified resource Tagging

gateway

share

tape

volume

aws:RequestTag/${TagKey}

aws:TagKeys

AddUploadBuffer Grants permission to configure one or more gateway local disks as upload buffer for a specified gateway Write

gateway*

AddWorkingStorage Grants permission to configure one or more gateway local disks as working storage for a gateway Write

gateway*

AssignTapePool Grants permission to move a tape to the target pool specified Write

tape*

tapepool*

AttachVolume Grants permission to connect a volume to an iSCSI connection and attach it to the specified gateway Write

gateway*

volume*

BypassGovernanceRetention Grants permission to allow the governance retention lock on a pool to be bypassed Write

tapepool*

CancelArchival Grants permission to cancel archiving of a virtual tape to the virtual tape shelf (VTS) after the archiving process is initiated Write

gateway*

tape*

CancelRetrieval Grants permission to cancel retrieval of a virtual tape from the virtual tape shelf (VTS) to a gateway after the retrieval process is initiated Write

gateway*

tape*

CreateCachediSCSIVolume Grants permission to create a cached volume on a specified cached gateway. This operation is supported only for the gateway-cached volume architecture Write

gateway*

volume*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateNFSFileShare Grants permission to create an NFS file share on an existing file gateway Write

gateway*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateSMBFileShare Grants permission to create an SMB file share on an existing file gateway Write

gateway*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateSnapshot Grants permission to initiate a snapshot of a volume Write

volume*

CreateSnapshotFromVolumeRecoveryPoint Grants permission to initiate a snapshot of a volume from a volume recovery point Write

volume*

CreateStorediSCSIVolume Grants permission to create a volume on a specified gateway Write

gateway*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateTapePool Grants permission to create a tape pool Write

aws:RequestTag/${TagKey}

aws:TagKeys

CreateTapeWithBarcode Grants permission to create a virtual tape by using your own barcode Write

gateway*

tapepool*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateTapes Grants permission to create one or more virtual tapes. You write data to the virtual tapes and then archive the tapes Write

gateway*

tapepool*

aws:RequestTag/${TagKey}

aws:TagKeys

DeleteAutomaticTapeCreationPolicy Grants permission to delete the automatic tape creation policy configured on a gateway-VTL Write

gateway*

DeleteBandwidthRateLimit Grants permission to delete the bandwidth rate limits of a gateway Write

gateway*

DeleteChapCredentials Grants permission to delete Challenge-Handshake Authentication Protocol (CHAP) credentials for a specified iSCSI target and initiator pair Write

target*

DeleteFileShare Grants permission to delete a file share from a file gateway Write

share*

DeleteGateway Grants permission to delete a gateway Write

gateway*

DeleteSnapshotSchedule Grants permission to delete the snapshot schedule of a volume Write

volume*

DeleteTape Grants permission to delete the specified virtual tape Write

gateway*

tape*

DeleteTapeArchive Grants permission to delete the specified virtual tape from the virtual tape shelf (VTS) Write

DeleteTapePool Grants permission to delete the specified tape pool Write

tapepool*

DeleteVolume Grants permission to delete the specified gateway volume that you previously created using the CreateCachediSCSIVolume or CreateStorediSCSIVolume API Write

volume*

DescribeBandwidthRateLimit Grants permission to get the bandwidth rate limits of a gateway Read

gateway*

DescribeCache Grants permission to get information about the cache of a gateway. This operation is supported only for the gateway-cached volume architecture Read

gateway*

DescribeCachediSCSIVolumes Grants permission to get a description of the gateway volumes specified in the request. This operation is supported only for the gateway-cached volume architecture Read

volume*

DescribeChapCredentials Grants permission to get an array of Challenge-Handshake Authentication Protocol (CHAP) credentials information for a specified iSCSI target, one for each target-initiator pair Read

target*

DescribeGatewayInformation Grants permission to get metadata about a gateway such as its name, network interfaces, configured time zone, and the state (whether the gateway is running or not) Read

gateway*

DescribeMaintenanceStartTime Grants permission to get your gateway's weekly maintenance start time including the day and time of the week Read

gateway*

DescribeNFSFileShares Grants permission to get a description for one or more file shares from a file gateway Read

share*

DescribeSMBFileShares Grants permission to get a description for one or more file shares from a file gateway Read

share*

DescribeSMBSettings Grants permission to get a description of the Server Message Block (SMB) settings of a file gateway Read

gateway*

DescribeSnapshotSchedule Grants permission to describe the snapshot schedule for the specified gateway volume Read

volume*

DescribeStorediSCSIVolumes Grants permission to get the description of the gateway volumes specified in the request Read

volume*

DescribeTapeArchives Grants permission to get a description of specified virtual tapes in the virtual tape shelf (VTS) Read

DescribeTapeRecoveryPoints Grants permission to get a list of virtual tape recovery points that are available for the specified gateway-VTL Read

gateway*

DescribeTapes Grants permission to get a description of the virtual tapes, specified by Amazon Resource Name (ARN), on a gateway-VTL Read

gateway*

DescribeUploadBuffer Grants permission to get information about the upload buffer of a gateway Read

gateway*

DescribeVTLDevices Grants permission to get a description of virtual tape library (VTL) devices for the specified gateway Read

gateway*

DescribeWorkingStorage Grants permission to get information about the working storage of a gateway Read

gateway*

DetachVolume Grants permission to disconnect a volume from an iSCSI connection and then detaches the volume from the specified gateway Write

volume*

DisableGateway Grants permission to disable a gateway when the gateway is no longer functioning Write

gateway*

JoinDomain Grants permission to join a gateway to an Active Directory domain Write

gateway*

ListAutomaticTapeCreationPolicies Grants permission to list the automatic tape creation policies configured on the specified gateway-VTL or all gateway-VTLs owned by your account List

gateway*

ListFileShares Grants permission to get a list of the file shares for a specific file gateway, or the list of file shares that belong to the calling user account List

gateway*

ListGateways Grants permission to list gateways owned by an AWS account in a region specified in the request. The returned list is ordered by gateway Amazon Resource Name (ARN) List

ListLocalDisks Grants permission to get a list of the gateway's local disks List

gateway*

ListTagsForResource Grants permission to get the tags that have been added to the specified resource List

gateway

share

tape

volume

ListTapePools Grants permission to list tape pools owned by your AWS account List

tapepool*

ListTapes Grants permission to list virtual tapes in your virtual tape library (VTL) and your virtual tape shelf (VTS) List

tape*

ListVolumeInitiators Grants permission to list iSCSI initiators that are connected to a volume List

volume*

ListVolumeRecoveryPoints Grants permission to list the recovery points for a specified gateway List

gateway*

ListVolumes Grants permission to list the iSCSI volumes (stored and cached) of a gateway List

gateway*

NotifyWhenUploaded Grants permission to send you a notification through CloudWatch Events when all files written to your NFS file share have been uploaded to Amazon S3 Write

share*

RefreshCache Grants permission to refresh the cache for the specified file share Write

share*

RemoveTagsFromResource Grants permission to remove one or more tags from the specified resource Tagging

gateway

share

tape

volume

aws:TagKeys

ResetCache Grants permission to reset all cache disks that have encountered an error and make them available for reconfiguration as cache storage Write

gateway*

RetrieveTapeArchive Grants permission to retrieve an archived virtual tape from the virtual tape shelf (VTS) to a gateway-VTL Write

gateway*

tape*

RetrieveTapeRecoveryPoint Grants permission to retrieve the recovery point for the specified virtual tape Write

gateway*

tape*

SetLocalConsolePassword Grants permission to set the password for your VM local console Write

gateway*

SetSMBGuestPassword Grants permission to set the password for the SMB guest user Write

gateway*

ShutdownGateway Grants permission to shut down a gateway Write

gateway*

StartGateway Grants permission to start a gateway that you previously shut down Write

gateway*

UpdateAutomaticTapeCreationPolicy Grants permission to update the automatic tape creation policy configured on a gateway-VTL Write

gateway*

tapepool*

UpdateBandwidthRateLimit Grants permission to update the bandwidth rate limits of a gateway Write

gateway*

UpdateChapCredentials Grants permission to update the Challenge-Handshake Authentication Protocol (CHAP) credentials for a specified iSCSI target Write

target*

UpdateGatewayInformation Grants permission to update a gateway's metadata, which includes the gateway's name and time zone Write

gateway*

UpdateGatewaySoftwareNow Grants permission to update the gateway virtual machine (VM) software Write

gateway*

UpdateMaintenanceStartTime Grants permission to update a gateway's weekly maintenance start time information, including day and time of the week. The maintenance time is the time in your gateway's time zone Write

gateway*

UpdateNFSFileShare Grants permission to update an NFS file share Write

share*

UpdateSMBFileShare Grants permission to update an SMB file share Write

share*

UpdateSnapshotSchedule Grants permission to update a snapshot schedule configured for a gateway volume Write

volume*

UpdateVTLDeviceType Grants permission to update the type of medium changer in a gateway-VTL Write

device*

Resource types defined by Amazon Storage Gateway

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The resource types table.

Resource types ARN Condition keys
device arn:${Partition}:storagegateway:${Region}:${Account}:gateway/${GatewayId}/device/${Vtldevice}
gateway arn:${Partition}:storagegateway:${Region}:${Account}:gateway/${GatewayId}

aws:ResourceTag/${TagKey}

share arn:${Partition}:storagegateway:${Region}:${Account}:share/${ShareId}

aws:ResourceTag/${TagKey}

tape arn:${Partition}:storagegateway:${Region}:${Account}:tape/${TapeBarcode}

aws:ResourceTag/${TagKey}

tapepool arn:${Partition}:storagegateway:${Region}:${Account}:tapepool/${PoolId}

aws:ResourceTag/${TagKey}

target arn:${Partition}:storagegateway:${Region}:${Account}:gateway/${GatewayId}/target/${IscsiTarget}
volume arn:${Partition}:storagegateway:${Region}:${Account}:gateway/${GatewayId}/volume/${VolumeId}

aws:ResourceTag/${TagKey}

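The two tables above (the Resource types column of the actions table and the ARN formats of the resource types table) are easy to combine wrongly: a statement that names a gateway ARN for ActivateGateway, which has no resource type, or a gateway ARN for DeleteChapCredentials, which takes a target ARN, is accepted by IAM but never matches a request. The following Python script is an added example, not part of this reference and not AWS code. It classifies each Resource entry by the ARN formats from the resource types table and checks it against the resource types each action supports. The action subset, the sample policy, its gateway ID and the account number are constructed for the example. Wildcard classification over-approximates (a gateway/* pattern is treated as possibly matching the volume, target and device formats that share the gateway prefix), so the linter can miss a mismatch but does not report a false one.

```python
"""Lint Storage Gateway policy statements against the actions/resource-types tables."""

# ARN formats copied from the resource types table on this page.
ARN_FORMATS = {
    "device":   "arn:${Partition}:storagegateway:${Region}:${Account}:gateway/${GatewayId}/device/${Vtldevice}",
    "gateway":  "arn:${Partition}:storagegateway:${Region}:${Account}:gateway/${GatewayId}",
    "share":    "arn:${Partition}:storagegateway:${Region}:${Account}:share/${ShareId}",
    "tape":     "arn:${Partition}:storagegateway:${Region}:${Account}:tape/${TapeBarcode}",
    "tapepool": "arn:${Partition}:storagegateway:${Region}:${Account}:tapepool/${PoolId}",
    "target":   "arn:${Partition}:storagegateway:${Region}:${Account}:gateway/${GatewayId}/target/${IscsiTarget}",
    "volume":   "arn:${Partition}:storagegateway:${Region}:${Account}:gateway/${GatewayId}/volume/${VolumeId}",
}

# Subset of the actions table: resource type -> required? An empty dict means the
# action supports no resource types and must be granted on Resource "*".
ACTIONS = {
    "ActivateGateway": {},
    "AddCache": {"gateway": True},
    "AddTagsToResource": {"gateway": False, "share": False, "tape": False, "volume": False},
    "CreateTapes": {"gateway": True, "tapepool": True},
    "DeleteChapCredentials": {"target": True},
    "DeleteGateway": {"gateway": True},
    "ListGateways": {},
    "UpdateVTLDeviceType": {"device": True},
}


def _listify(value):
    return value if isinstance(value, list) else [value]


def _segments_fit(pattern_segs, format_segs):
    """Could an ARN of this format match the Resource pattern? An IAM '*' may span '/'."""
    for i, seg in enumerate(pattern_segs):
        if i >= len(format_segs):
            return False
        if seg.endswith("*"):
            return True  # wildcard absorbs the rest: over-approximates, never hides a real fit
        if format_segs[i].startswith("${"):
            continue  # any literal id fits a placeholder segment
        if seg != format_segs[i]:
            return False
    return len(pattern_segs) == len(format_segs)


def resource_types_of(resource):
    """Resource types a Resource entry can denote (empty set = not a Storage Gateway ARN)."""
    if resource == "*":
        return set(ARN_FORMATS)
    parts = resource.split(":", 5)  # iSCSI target names contain ':', so split at most 5 times
    if len(parts) < 6 or parts[2] not in ("storagegateway", "*"):
        return set()
    pattern_segs = parts[5].split("/")
    return {name for name, fmt in ARN_FORMATS.items()
            if _segments_fit(pattern_segs, fmt.split(":", 5)[5].split("/"))}


def lint_statement(stmt):
    """Findings for one statement; an empty list means every action/resource pair is consistent."""
    findings = []
    for action in _listify(stmt["Action"]):
        name = action.split(":", 1)[-1]
        if name not in ACTIONS:
            findings.append(f"{action}: not in the local table, not checked")
            continue
        supported = set(ACTIONS[name])
        for res in _listify(stmt["Resource"]):
            if not supported and res != "*":
                findings.append(f'{action}: supports no resource types, so Resource must be "*" (got {res})')
            elif supported and not (resource_types_of(res) & supported):
                findings.append(f"{action}: {res} is not a {'/'.join(sorted(supported))} ARN, statement never matches")
    return findings


def lint_policy(policy):
    """Map each statement's Sid (or index) to its findings."""
    return {stmt.get("Sid", str(i)): lint_statement(stmt)
            for i, stmt in enumerate(policy["Statement"])}


# Constructed policy for a tape-gateway operator; account and gateway ID are made up.
EXAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Activate", "Effect": "Allow", "Action": "storagegateway:ActivateGateway",
         "Resource": "arn:aws:storagegateway:us-east-1:123456789012:gateway/*"},  # wrong: needs "*"
        {"Sid": "ManageOneGateway", "Effect": "Allow",
         "Action": ["storagegateway:AddCache", "storagegateway:DeleteGateway"],
         "Resource": "arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-12A3456B"},
        {"Sid": "Chap", "Effect": "Allow", "Action": "storagegateway:DeleteChapCredentials",
         "Resource": "arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-12A3456B"},  # needs a target ARN
    ],
}

if __name__ == "__main__":
    for sid, findings in lint_policy(EXAMPLE_POLICY).items():
        print(sid, "OK" if not findings else findings)
```

Running the script reports the Activate and Chap statements and passes ManageOneGateway. The same check is worth running in CI over every policy that mentions the storagegateway prefix, with ACTIONS filled from the full table above; IAM Access Analyzer policy validation raises a similar warning, but only when you remember to run it.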
Condition keys for Amazon Storage Gateway

Amazon Storage Gateway defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys Description Type
aws:RequestTag/${TagKey} Filters access based on the allowed set of values for each of the tags String
aws:ResourceTag/${TagKey} Filters access based on the tag value associated with the resource String
aws:TagKeys Filters access based on the presence of mandatory tags in the request (a multivalued key; use it with the ForAllValues or ForAnyValue set operator) String
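The condition keys above take effect only inside the policy evaluation that applies Action, Resource and Condition together. As an added example, not part of this reference and not AWS code, the Python script below implements a simplified version of that evaluation for identity-based policies (explicit Deny wins, then a matching Allow, else implicit deny) and runs a constructed policy against constructed requests. It shows aws:RequestTag and aws:TagKeys gating ActivateGateway (on Resource "*", since the action lists no resource type) and aws:ResourceTag, which the gateway resource type supplies, gating AddCache and DeleteGateway. The resource tags, gateway IDs and account number are made up, and only the StringEquals and StringLike operators are implemented.

```python
"""Evaluate a Storage Gateway policy with tag conditions against constructed requests."""
from fnmatch import fnmatchcase

# Constructed resource tags keyed by ARN; stands in for the tags the service reads when
# it populates aws:ResourceTag/<key>. Gateway IDs and the account are made up.
RESOURCE_TAGS = {
    "arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-12A3456B": {"env": "prod", "team": "backup"},
    "arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-98Z7654Y": {"env": "dev"},
}


def _listify(value):
    return value if isinstance(value, list) else [value]


def request_context(request):
    """Condition-key context: aws:RequestTag/* and aws:TagKeys come from the request,
    aws:ResourceTag/* from the tags already on the target resource."""
    tags = request.get("tags", {})
    ctx = {f"aws:RequestTag/{k}": [v] for k, v in tags.items()}
    ctx["aws:TagKeys"] = list(tags)  # multivalued key; empty when the request carries no tags
    for k, v in RESOURCE_TAGS.get(request["resource"], {}).items():
        ctx[f"aws:ResourceTag/{k}"] = [v]
    return ctx


def condition_holds(condition, ctx):
    """Every operator block must hold. Supports StringEquals/StringLike with an optional
    ForAllValues:/ForAnyValue: set qualifier."""
    for operator, pairs in condition.items():
        qualifier, _, base = operator.rpartition(":")
        for key, allowed in pairs.items():
            allowed = [str(a) for a in _listify(allowed)]
            actual = ctx.get(key, [])
            if base == "StringEquals":
                match = lambda v: v in allowed
            elif base == "StringLike":
                match = lambda v: any(fnmatchcase(v, p) for p in allowed)
            else:
                raise ValueError(f"unsupported operator {operator}")
            if qualifier == "ForAllValues":
                ok = all(match(v) for v in actual)  # vacuously true when the key is absent
            elif qualifier == "ForAnyValue":
                ok = any(match(v) for v in actual)
            else:
                ok = len(actual) == 1 and match(actual[0])  # single-valued: key must be present
            if not ok:
                return False
    return True


def evaluate(policy, request):
    """Identity-policy decision: explicit Deny wins, else any matching Allow, else implicit deny."""
    decision = "ImplicitDeny"
    ctx = request_context(request)
    for stmt in policy["Statement"]:
        action_ok = any(fnmatchcase(request["action"].lower(), a.lower())  # action names are case-insensitive
                        for a in _listify(stmt["Action"]))
        resource_ok = any(fnmatchcase(request["resource"], r) for r in _listify(stmt["Resource"]))
        if not (action_ok and resource_ok and condition_holds(stmt.get("Condition", {}), ctx)):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision


# Constructed policy: activation must tag the new gateway env=prod and may add no key other
# than env/team; disk operations need an existing env=prod tag; prod gateways cannot be deleted.
PROD_GATEWAY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "storagegateway:ActivateGateway", "Resource": "*",
         "Condition": {"StringEquals": {"aws:RequestTag/env": "prod"},
                       "ForAllValues:StringEquals": {"aws:TagKeys": ["env", "team"]}}},
        {"Effect": "Allow", "Action": ["storagegateway:AddCache", "storagegateway:AddUploadBuffer"],
         "Resource": "arn:aws:storagegateway:us-east-1:123456789012:gateway/*",
         "Condition": {"StringEquals": {"aws:ResourceTag/env": "prod"}}},
        {"Effect": "Deny", "Action": "storagegateway:DeleteGateway", "Resource": "*",
         "Condition": {"StringEquals": {"aws:ResourceTag/env": "prod"}}},
    ],
}

PROD = "arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-12A3456B"
DEV = "arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-98Z7654Y"

if __name__ == "__main__":
    for req in (
        {"action": "storagegateway:ActivateGateway", "resource": "*", "tags": {"env": "prod", "team": "backup"}},
        {"action": "storagegateway:ActivateGateway", "resource": "*", "tags": {"env": "prod", "owner": "x"}},
        {"action": "storagegateway:AddCache", "resource": PROD},
        {"action": "storagegateway:AddCache", "resource": DEV},
        {"action": "storagegateway:DeleteGateway", "resource": PROD},
    ):
        print(req["action"], req["resource"], req.get("tags", {}), "->", evaluate(PROD_GATEWAY_POLICY, req))
```

Note the ForAllValues branch: with no tags in the request, aws:TagKeys is empty and a ForAllValues:StringEquals condition on it passes, which is why the constructed policy pairs it with a StringEquals on aws:RequestTag/env to force the tag to be present. For actions that list several required resource types (CreateTapes needs a gateway and a tapepool ARN), run the evaluation once per resource ARN; every one must come back Allow.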