Actions, resources, and condition keys for AWS HealthOmics - Service Authorization Reference

AWS HealthOmics (service prefix: omics) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions defined by AWS HealthOmics

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note

Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The entry for that resource type in the Resource types table has a Condition keys column, which lists the resource condition keys that apply to the action in the Actions table.

For details about the columns in the following table, see Actions table.

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| AbortMultipartReadSetUpload | Grants permission to abort multipart read set uploads | Write | sequenceStore* | | |
| AcceptShare | Grants permission to accept a share | Write | | | |
| BatchDeleteReadSet | Grants permission to batch delete Read Sets in the given Sequence Store | Write | sequenceStore* | | |
| CancelAnnotationImportJob | Grants permission to cancel an Annotation Import Job | Write | AnnotationImportJob* | | |
| CancelRun | Grants permission to cancel a workflow run and stop all workflow tasks | Write | run* | | |
| CancelVariantImportJob | Grants permission to cancel a Variant Import Job | Write | VariantImportJob* | | |
| CompleteMultipartReadSetUpload | Grants permission to complete a multipart read set upload | Write | sequenceStore* | | |
| CreateAnnotationStore | Grants permission to create an Annotation Store | Write | | | |
| CreateAnnotationStoreVersion | Grants permission to create a Version in an Annotation Store | Write | AnnotationStore* | | |
| CreateMultipartReadSetUpload | Grants permission to create a multipart read set upload | Write | sequenceStore* | | |
| CreateReferenceStore | Grants permission to create a Reference Store | Write | | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateRunGroup | Grants permission to create a new workflow run group | Write | | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateSequenceStore | Grants permission to create a Sequence Store | Write | | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateShare | Grants permission to create a share | Write | | | |
| CreateVariantStore | Grants permission to create a Variant Store | Write | | | |
| CreateWorkflow | Grants permission to create a new workflow with a workflow definition and template of workflow parameters | Write | | aws:RequestTag/${TagKey}, aws:TagKeys | |
| DeleteAnnotationStore | Grants permission to delete an Annotation Store | Write | AnnotationStore* | | |
| DeleteAnnotationStoreVersions | Grants permission to delete Versions in an Annotation Store | Write | AnnotationStore*, AnnotationStoreVersion* | | |
| DeleteReference | Grants permission to delete a Reference in the given Reference Store | Write | reference*, referenceStore* | | |
| DeleteReferenceStore | Grants permission to delete a Reference Store | Write | referenceStore* | | |
| DeleteRun | Grants permission to delete a workflow run | Write | run* | | |
| DeleteRunGroup | Grants permission to delete a workflow run group | Write | runGroup* | | |
| DeleteSequenceStore | Grants permission to delete a Sequence Store | Write | sequenceStore* | | |
| DeleteShare | Grants permission to delete a share | Write | | | |
| DeleteVariantStore | Grants permission to delete a Variant Store | Write | VariantStore* | | |
| DeleteWorkflow | Grants permission to delete a workflow | Write | workflow* | | |
| GetAnnotationImportJob | Grants permission to get the status of an Annotation Import Job | Read | AnnotationImportJob* | | |
| GetAnnotationStore | Grants permission to get detailed information about an Annotation Store | Read | AnnotationStore* | | |
| GetAnnotationStoreVersion | Grants permission to get detailed information about a version in an Annotation Store | Read | AnnotationStore*, AnnotationStoreVersion* | | |
| GetReadSet | Grants permission to get a Read Set in the given Sequence Store | Read | readSet*, sequenceStore* | | |
| GetReadSetActivationJob | Grants permission to get details about a Read Set activation job for the given Sequence Store | Read | sequenceStore* | | |
| GetReadSetExportJob | Grants permission to get details about a Read Set export job for the given Sequence Store | Read | sequenceStore* | | |
| GetReadSetImportJob | Grants permission to get details about a Read Set import job for the given Sequence Store | Read | sequenceStore* | | |
| GetReadSetMetadata | Grants permission to get details about a Read Set in the given Sequence Store | Read | readSet*, sequenceStore* | | |
| GetReference | Grants permission to get a Reference in the given Reference Store | Read | reference*, referenceStore* | | |
| GetReferenceImportJob | Grants permission to get details about a Reference import job for the given Reference Store | Read | referenceStore* | | |
| GetReferenceMetadata | Grants permission to get details about a Reference in the given Reference Store | Read | reference*, referenceStore* | | |
| GetReferenceStore | Grants permission to get details about a Reference Store | Read | referenceStore* | | |
| GetRun | Grants permission to retrieve workflow run details | Read | run* | | |
| GetRunGroup | Grants permission to retrieve workflow run group details | Read | runGroup* | | |
| GetRunTask | Grants permission to retrieve workflow task details | Read | TaskResource*, run* | | |
| GetSequenceStore | Grants permission to get details about a Sequence Store | Read | sequenceStore* | | |
| GetShare | Grants permission to get detailed information about a Share | Read | | | |
| GetVariantImportJob | Grants permission to get the status of a Variant Import Job | Read | VariantImportJob* | | |
| GetVariantStore | Grants permission to get detailed information about a Variant Store | Read | VariantStore* | | |
| GetWorkflow | Grants permission to retrieve workflow details | Read | workflow* | | |
| ListAnnotationImportJobs | Grants permission to get a list of Annotation Import Jobs | List | | | |
| ListAnnotationStoreVersions | Grants permission to retrieve a list of information about Versions in an Annotation Store | List | AnnotationStore* | | |
| ListAnnotationStores | Grants permission to retrieve a list of information about Annotation Stores | List | | | |
| ListMultipartReadSetUploads | Grants permission to list multipart read set uploads | List | sequenceStore* | | |
| ListReadSetActivationJobs | Grants permission to list Read Set activation jobs for the given Sequence Store | List | sequenceStore* | | |
| ListReadSetExportJobs | Grants permission to list Read Set export jobs for the given Sequence Store | List | sequenceStore* | | |
| ListReadSetImportJobs | Grants permission to list Read Set import jobs for the given Sequence Store | List | sequenceStore* | | |
| ListReadSetUploadParts | Grants permission to list read set upload parts | List | sequenceStore* | | |
| ListReadSets | Grants permission to list Read Sets in the given Sequence Store | List | sequenceStore* | | |
| ListReferenceImportJobs | Grants permission to list Reference import jobs for the given Reference Store | List | referenceStore* | | |
| ListReferenceStores | Grants permission to list Reference Stores | List | | | |
| ListReferences | Grants permission to list References in the given Reference Store | List | referenceStore* | | |
| ListRunGroups | Grants permission to retrieve a list of workflow run groups | List | | | |
| ListRunTasks | Grants permission to retrieve a list of tasks for a workflow run | List | run* | | |
| ListRuns | Grants permission to retrieve a list of workflow runs | List | | | |
| ListSequenceStores | Grants permission to list Sequence Stores | List | | | |
| ListShares | Grants permission to retrieve a list of information about shares | List | | | |
| ListTagsForResource | Grants permission to retrieve a list of resource AWS tags | List | | | |
| ListVariantImportJobs | Grants permission to get a list of Variant Import Jobs | List | | | |
| ListVariantStores | Grants permission to retrieve a list of metadata for Variant Stores | List | | | |
| ListWorkflows | Grants permission to retrieve a list of available workflows | List | | | |
| StartAnnotationImportJob | Grants permission to import a list of Annotation files to an Annotation Store | Write | | | |
| StartReadSetActivationJob | Grants permission to start a Read Set activation job from the given Sequence Store | Write | sequenceStore* | | |
| StartReadSetExportJob | Grants permission to start a Read Set export job from the given Sequence Store | Write | sequenceStore* | | |
| StartReadSetImportJob | Grants permission to start a Read Set import job into the given Sequence Store | Write | sequenceStore* | | |
| StartReferenceImportJob | Grants permission to start a Reference import job into the given Reference Store | Write | referenceStore* | | |
| StartRun | Grants permission to start a workflow run | Write | run*, runGroup, workflow | aws:RequestTag/${TagKey}, aws:TagKeys | iam:PassRole |
| StartVariantImportJob | Grants permission to import a list of variant files to a Variant Store | Write | | | |
| TagResource | Grants permission to add AWS tags to a resource | Tagging | readSet, reference, referenceStore, run, runGroup, sequenceStore, workflow | aws:RequestTag/${TagKey}, aws:TagKeys | |
| UntagResource | Grants permission to remove resource AWS tags | Tagging | readSet, reference, referenceStore, run, runGroup, sequenceStore, workflow | aws:TagKeys | |
| UpdateAnnotationStore | Grants permission to update information about the Annotation Store | Write | AnnotationStore* | | |
| UpdateAnnotationStoreVersion | Grants permission to update information about the Version in an Annotation Store | Write | AnnotationStore*, AnnotationStoreVersion* | | |
| UpdateRunGroup | Grants permission to update a workflow run group | Write | runGroup* | | |
| UpdateVariantStore | Grants permission to update metadata about the Variant Store | Write | VariantStore* | | |
| UpdateWorkflow | Grants permission to update workflow details | Write | workflow* | | |
| UploadReadSetPart | Grants permission to upload read set parts | Write | sequenceStore* | | |

Resource types defined by AWS HealthOmics

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.

| Resource types | ARN | Condition keys |
|---|---|---|
| AnnotationImportJob | arn:${Partition}:omics:${Region}:${Account}:annotationImportJob/${AnnotationImportJobId} | omics:AnnotationImportJobJobId |
| AnnotationStore | arn:${Partition}:omics:${Region}:${Account}:annotationStore/${AnnotationStoreId} | omics:AnnotationStoreName |
| AnnotationStoreVersion | arn:${Partition}:omics:${Region}:${Account}:annotationStore/${AnnotationStoreName}/version/${AnnotationStoreVersionName} | omics:AnnotationStoreVersionName |
| readSet | arn:${Partition}:omics:${Region}:${Account}:sequenceStore/${SequenceStoreId}/readSet/${ReadSetId} | aws:ResourceTag/${TagKey} |
| reference | arn:${Partition}:omics:${Region}:${Account}:referenceStore/${ReferenceStoreId}/reference/${ReferenceId} | aws:ResourceTag/${TagKey} |
| referenceStore | arn:${Partition}:omics:${Region}:${Account}:referenceStore/${ReferenceStoreId} | aws:ResourceTag/${TagKey} |
| run | arn:${Partition}:omics:${Region}:${Account}:run/${Id} | aws:ResourceTag/${TagKey} |
| runGroup | arn:${Partition}:omics:${Region}:${Account}:runGroup/${Id} | aws:ResourceTag/${TagKey} |
| sequenceStore | arn:${Partition}:omics:${Region}:${Account}:sequenceStore/${SequenceStoreId} | aws:ResourceTag/${TagKey} |
| TaggingResource | arn:${Partition}:omics:${Region}:${Account}:tag/${TagKey} | |
| TaskResource | arn:${Partition}:omics:${Region}:${Account}:task/${Id} | |
| VariantImportJob | arn:${Partition}:omics:${Region}:${Account}:variantImportJob/${VariantImportJobId} | omics:VariantImportJobJobId |
| VariantStore | arn:${Partition}:omics:${Region}:${Account}:variantStore/${VariantStoreId} | omics:VariantStoreName |
| workflow | arn:${Partition}:omics:${Region}:${Account}:workflow/${Id} | aws:ResourceTag/${TagKey} |
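
The rule stated in the Actions section, that a statement limiting Resource must include an ARN or pattern for each required (*) resource type, can be checked mechanically. The following is an added example, not part of the AWS reference: it lints a policy statement against a subset of the two tables above. The function names, the account and store IDs, and the treatment of `*` as matching any run of characters (including `/`) are assumptions of the example.

```python
import re
from functools import lru_cache

P = "arn:${Partition}:omics:${Region}:${Account}:"
ARN = {  # ARN formats from the Resource types table (subset)
    "sequenceStore": P + "sequenceStore/${SequenceStoreId}",
    "readSet": P + "sequenceStore/${SequenceStoreId}/readSet/${ReadSetId}",
}
REQUIRED = {  # required (*) resource types from the Actions table (subset)
    "omics:GetReadSet": ["readSet", "sequenceStore"],
    "omics:ListReadSets": ["sequenceStore"],
}

def tokens(text):
    """(charset, repeatable) pairs; \\x01 marks a template ${Var}: one or more non-/: chars."""
    kinds = {"*": [("any", True)], "?": [("any", False)], "\x01": [("seg", False), ("seg", True)]}
    return [tok for ch in text for tok in kinds.get(ch, [(ch, False)])]

def compat(a, b):
    """Can one character satisfy both charsets?"""
    return "any" in (a, b) or a == b or ("seg" in (a, b) and (b if a == "seg" else a) not in "/:")

def overlaps(template, pattern):
    """True if some concrete ARN matches both the table template and the policy pattern."""
    t, p = tokens(re.sub(r"\$\{\w+\}", "\x01", template)), tokens(pattern)
    @lru_cache(maxsize=None)
    def go(i, j):
        if i == len(t) and j == len(p):
            return True
        a, b = (t[i:i + 1] or [None])[0], (p[j:j + 1] or [None])[0]
        if (a and a[1] and go(i + 1, j)) or (b and b[1] and go(i, j + 1)):
            return True  # a repeatable token may stop here
        if not a or not b or (a[1] and b[1]) or not compat(a[0], b[0]):
            return False
        return go(i + (not a[1]), j + (not b[1]))  # both sides consume one character
    return go(0, 0)

def missing_required(stmt):
    """Map each action to the required resource types that no Resource entry can match."""
    listify = lambda v: [v] if isinstance(v, str) else v
    gaps = {a: [rt for rt in REQUIRED.get(a, [])
                if not any(overlaps(ARN[rt], r) for r in listify(stmt["Resource"]))]
            for a in listify(stmt["Action"])}
    return {a: lacking for a, lacking in gaps.items() if lacking}

STORE = "arn:aws:omics:us-east-1:111122223333:sequenceStore/1234567890"  # constructed ARN
NARROW = {"Effect": "Allow", "Action": ["omics:GetReadSet", "omics:ListReadSets"], "Resource": STORE}
FIXED = dict(NARROW, Resource=[STORE, STORE + "/readSet/*"])
```

`missing_required(NARROW)` reports that GetReadSet has no pattern covering the readSet type, while `FIXED` passes because it lists the store ARN and a readSet pattern under that store.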

Condition keys for AWS HealthOmics

AWS HealthOmics defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters access by the presence of tag key-value pairs in the request | String |
| aws:ResourceTag/${TagKey} | Filters access by the presence of tag key-value pairs attached to the resource | String |
| aws:TagKeys | Filters access by the presence of tag keys in the request | ArrayOfString |
| omics:AnnotationImportJobJobId | Filters access by a unique resource identifier | String |
| omics:AnnotationStoreName | Filters access by the name of the store | String |
| omics:AnnotationStoreVersionName | Filters access by the name of the annotation store version | String |
| omics:VariantImportJobJobId | Filters access by a unique resource identifier | String |
| omics:VariantStoreName | Filters access by the name of the store | String |