Actions, resources, and condition keys for AWS AppSync
AWS AppSync (service prefix: appsync) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.
References:
-
Learn how to configure this service.
-
View a list of the API operations available for this service.
-
Learn how to secure this service and its resources by using IAM permission policies.
Topics
Actions defined by AWS AppSync
You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.
The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.
The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.
Note
Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.
For details about the columns in the following table, see Actions table.
| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| AssociateApi | Grants permission to attach a GraphQL API to a custom domain name in AppSync | Write | |||
| AssociateMergedGraphqlApi | Grants permission to associate a merged API to a source API | Write | |||
| AssociateSourceGraphqlApi | Grants permission to associate a source API to a merged API | Write | |||
| CreateApiCache | Grants permission to create an API cache in AppSync | Write | |||
| CreateApiKey | Grants permission to create a unique key that you can distribute to clients who are executing your API | Write | |||
| CreateDataSource | Grants permission to create a data source | Write | |||
| CreateDomainName | Grants permission to create a custom domain name in AppSync | Write | |||
| CreateFunction | Grants permission to create a new function | Write | |||
| CreateGraphqlApi | Grants permission to create a GraphQL API, which is the top level AppSync resource | Write |
iam:CreateServiceLinkedRole |
||
| CreateResolver | Grants permission to create a resolver. A resolver converts incoming requests into a format that a data source can understand, and converts the data source's responses into GraphQL | Write | |||
| CreateType | Grants permission to create a type | Write | |||
| DeleteApiCache | Grants permission to delete an API cache in AppSync | Write | |||
| DeleteApiKey | Grants permission to delete an API key | Write | |||
| DeleteDataSource | Grants permission to delete a data source | Write | |||
| DeleteDomainName | Grants permission to delete a custom domain name in AppSync | Write | |||
| DeleteFunction | Grants permission to delete a function | Write | |||
| DeleteGraphqlApi | Grants permission to delete a GraphQL Api. This will also clean up every AppSync resource below that API | Write | |||
| DeleteResolver | Grants permission to delete a resolver | Write | |||
| DeleteResourcePolicy [permission only] | Grants permission to remove a resource policy | Write | |||
| DeleteType | Grants permission to delete a type | Write | |||
| DisassociateApi | Grants permission to detach a GraphQL API to a custom domain name in AppSync | Write | |||
| DisassociateMergedGraphqlApi | Grants permission to remove an associated source API from a merged API identified by the source API | Write | |||
| DisassociateSourceGraphqlApi | Grants permission to remove an associated source API from a merged API identified by the merged API | Write | |||
| EvaluateCode | Grants permission to evaluate code with a runtime and context | Read | |||
| EvaluateMappingTemplate | Grants permission to evaluate template mapping | Read | |||
| FlushApiCache | Grants permission to flush an API cache in AppSync | Write | |||
| GetApiAssociation | Grants permission to read custom domain name - GraphQL API association details in AppSync | Read | |||
| GetApiCache | Grants permission to read information about an API cache in AppSync | Read | |||
| GetDataSource | Grants permission to retrieve a data source | Read | |||
| GetDataSourceIntrospection | Grants permission to retrieve a data source introspection | Read | |||
| GetDomainName | Grants permission to read information about a custom domain name in AppSync | Read | |||
| GetFunction | Grants permission to retrieve a function | Read | |||
| GetGraphqlApi | Grants permission to retrieve a GraphQL API | Read | |||
| GetGraphqlApiEnvironmentVariables | Grants permission to retrieve the environment variables for a GraphQL API | Read | |||
| GetIntrospectionSchema | Grants permission to retrieve the introspection schema for a GraphQL API | Read | |||
| GetResolver | Grants permission to retrieve a resolver | Read | |||
| GetResourcePolicy [permission only] | Grants permission to read a resource policy | Read | |||
| GetSchemaCreationStatus | Grants permission to retrieve the current status of a schema creation operation | Read | |||
| GetSourceApiAssociation | Grants permission to read information about a merged API associated source API | Read | |||
| GetType | Grants permission to retrieve a type | Read | |||
| GraphQL | Grants permission to send a GraphQL query to a GraphQL API | Write | |||
| ListApiKeys | Grants permission to list the API keys for a given API | List | |||
| ListDataSources | Grants permission to list the data sources for a given API | List | |||
| ListDomainNames | Grants permission to enumerate custom domain names in AppSync | List | |||
| ListFunctions | Grants permission to list the functions for a given API | List | |||
| ListGraphqlApis | Grants permission to list GraphQL APIs | List | |||
| ListResolvers | Grants permission to list the resolvers for a given API and type | List | |||
| ListResolversByFunction | Grants permission to list the resolvers that are associated with a specific function | List | |||
| ListSourceApiAssociations | Grants permission to list source APIs associated to a given merged API | List | |||
| ListTagsForResource | Grants permission to list the tags for a resource | Read | |||
| ListTypes | Grants permission to list the types for a given API | List | |||
| ListTypesByAssociation | Grants permission to list the types for a given merged API and source API association | List | |||
| PutGraphqlApiEnvironmentVariables | Grants permission to update the environment variables for a GraphQL API | Write | |||
| PutResourcePolicy [permission only] | Grants permission to set a resource policy | Write | |||
| SetWebACL | Grants permission to set a web ACL | Write | |||
| SourceGraphQL [permission only] | Grants permission to send a GraphQL query to a source API of a merged API | Write | |||
| StartDataSourceIntrospection | Grants permission to introspect a data source | Write | |||
| StartSchemaCreation | Grants permission to add a new schema to your GraphQL API. This operation is asynchronous - GetSchemaCreationStatus can show when it has completed | Write | |||
| StartSchemaMerge | Grants permission to initiate a schema merge for a given merged API and associated source API | Write | |||
| TagResource | Grants permission to tag a resource | Tagging | |||
| UntagResource | Grants permission to untag a resource | Tagging | |||
| UpdateApiCache | Grants permission to update an API cache in AppSync | Write | |||
| UpdateApiKey | Grants permission to update an API key for a given API | Write | |||
| UpdateDataSource | Grants permission to update a data source | Write | |||
| UpdateDomainName | Grants permission to update a custom domain name in AppSync | Write | |||
| UpdateFunction | Grants permission to update an existing function | Write | |||
| UpdateGraphqlApi | Grants permission to update a GraphQL API | Write |
iam:CreateServiceLinkedRole |
||
| UpdateResolver | Grants permission to update a resolver | Write | |||
| UpdateSourceApiAssociation | Grants permission to update a merged API source API association | Write | |||
| UpdateType | Grants permission to update a type | Write |
Resource types defined by AWS AppSync
The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.
| Resource types | ARN | Condition keys |
|---|---|---|
| datasource |
arn:${Partition}:appsync:${Region}:${Account}:apis/${GraphQLAPIId}/datasources/${DatasourceName}
|
|
| domain |
arn:${Partition}:appsync:${Region}:${Account}:domainnames/${DomainName}
|
|
| graphqlapi |
arn:${Partition}:appsync:${Region}:${Account}:apis/${GraphQLAPIId}
|
|
| field |
arn:${Partition}:appsync:${Region}:${Account}:apis/${GraphQLAPIId}/types/${TypeName}/fields/${FieldName}
|
|
| type |
arn:${Partition}:appsync:${Region}:${Account}:apis/${GraphQLAPIId}/types/${TypeName}
|
|
| function |
arn:${Partition}:appsync:${Region}:${Account}:apis/${GraphQLAPIId}/functions/${FunctionId}
|
|
| sourceApiAssociation |
arn:${Partition}:appsync:${Region}:${Account}:apis/${MergedGraphQLAPIId}/sourceApiAssociations/${Associationid}
|
|
| mergedApiAssociation |
arn:${Partition}:appsync:${Region}:${Account}:apis/${SourceGraphQLAPIId}/mergedApiAssociations/${Associationid}
|
Condition keys for AWS AppSync
AWS AppSync defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.
To view the global condition keys that are available to all services, see Available global condition keys.
| Condition keys | Description | Type |
|---|---|---|
| appsync:Visibility | Filters access by the visibility of an API | String |
| aws:RequestTag/${TagKey} | Filters access by the tag key-value pairs in the request | String |
| aws:ResourceTag/${TagKey} | Filters access by the tag key-value pairs attached to the resource | String |
| aws:TagKeys | Filters access by the presence of tag keys in the request | ArrayOfString |
