Actions, resources, and condition keys for AWS IoT Core for LoRaWAN - Service Authorization Reference

AWS IoT Core for LoRaWAN (service prefix: iotwireless) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions defined by AWS IoT Core for LoRaWAN

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see Actions table.

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
| --- | --- | --- | --- | --- | --- |
| AssociateAwsAccountWithPartnerAccount | Grants permission to link partner accounts with AWS account | Write | | aws:RequestTag/${TagKey}, aws:TagKeys | |
| AssociateMulticastGroupWithFuotaTask | Grants permission to associate the MulticastGroup with FuotaTask | Write | FuotaTask*, MulticastGroup* | | |
| AssociateWirelessDeviceWithFuotaTask | Grants permission to associate the wireless device with FuotaTask | Write | FuotaTask*, WirelessDevice* | | |
| AssociateWirelessDeviceWithMulticastGroup | Grants permission to associate the WirelessDevice with MulticastGroup | Write | MulticastGroup*, WirelessDevice* | | |
| AssociateWirelessDeviceWithThing | Grants permission to associate the wireless device with AWS IoT thing for a given wirelessDeviceId | Write | WirelessDevice*, thing* | | iot:DescribeThing |
| AssociateWirelessGatewayWithCertificate | Grants permission to associate a WirelessGateway with the IoT Core Identity certificate | Write | WirelessGateway*, cert* | | |
| AssociateWirelessGatewayWithThing | Grants permission to associate the wireless gateway with AWS IoT thing for a given wirelessGatewayId | Write | WirelessGateway*, thing* | | iot:DescribeThing |
| CancelMulticastGroupSession | Grants permission to cancel the MulticastGroup session | Write | MulticastGroup* | | |
| CreateDestination | Grants permission to create a Destination resource | Write | | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateDeviceProfile | Grants permission to create a DeviceProfile resource | Write | | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateFuotaTask | Grants permission to create a FuotaTask resource | Write | | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateMulticastGroup | Grants permission to create a MulticastGroup resource | Write | | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateNetworkAnalyzerConfiguration | Grants permission to create a NetworkAnalyzerConfiguration resource | Write | WirelessDevice*, WirelessGateway* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateServiceProfile | Grants permission to create a ServiceProfile resource | Write | | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateWirelessDevice | Grants permission to create a WirelessDevice resource with given Destination | Write | | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateWirelessGateway | Grants permission to create a WirelessGateway resource | Write | | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateWirelessGatewayTask | Grants permission to create a task for a given WirelessGateway | Write | WirelessGateway* | | |
| CreateWirelessGatewayTaskDefinition | Grants permission to create a WirelessGateway task definition | Write | | aws:RequestTag/${TagKey}, aws:TagKeys | |
| DeleteDestination | Grants permission to delete a Destination | Write | Destination* | | |
| DeleteDeviceProfile | Grants permission to delete a DeviceProfile | Write | DeviceProfile* | | |
| DeleteFuotaTask | Grants permission to delete the FuotaTask | Write | FuotaTask* | | |
| DeleteMulticastGroup | Grants permission to delete the MulticastGroup | Write | MulticastGroup* | | |
| DeleteNetworkAnalyzerConfiguration | Grants permission to delete the NetworkAnalyzerConfiguration | Write | NetworkAnalyzerConfiguration* | | |
| DeleteQueuedMessages | Grants permission to delete QueuedMessages | Write | | | |
| DeleteServiceProfile | Grants permission to delete a ServiceProfile | Write | ServiceProfile* | | |
| DeleteWirelessDevice | Grants permission to delete a WirelessDevice | Write | WirelessDevice* | | |
| DeleteWirelessGateway | Grants permission to delete a WirelessGateway | Write | WirelessGateway* | | |
| DeleteWirelessGatewayTask | Grants permission to delete task for a given WirelessGateway | Write | WirelessGateway* | | |
| DeleteWirelessGatewayTaskDefinition | Grants permission to delete a WirelessGateway task definition | Write | WirelessGatewayTaskDefinition* | | |
| DisassociateAwsAccountFromPartnerAccount | Grants permission to disassociate an AWS account from a partner account | Write | SidewalkAccount* | | |
| DisassociateMulticastGroupFromFuotaTask | Grants permission to disassociate the MulticastGroup from FuotaTask | Write | FuotaTask*, MulticastGroup* | | |
| DisassociateWirelessDeviceFromFuotaTask | Grants permission to disassociate the wireless device from FuotaTask | Write | FuotaTask*, WirelessDevice* | | |
| DisassociateWirelessDeviceFromMulticastGroup | Grants permission to disassociate the wireless device from MulticastGroup | Write | MulticastGroup*, WirelessDevice* | | |
| DisassociateWirelessDeviceFromThing | Grants permission to disassociate a wireless device from an AWS IoT thing | Write | WirelessDevice*, thing* | | iot:DescribeThing |
| DisassociateWirelessGatewayFromCertificate | Grants permission to disassociate a WirelessGateway from an IoT Core Identity certificate | Write | WirelessGateway*, cert* | | |
| DisassociateWirelessGatewayFromThing | Grants permission to disassociate a WirelessGateway from an IoT Core thing | Write | WirelessGateway*, thing* | | iot:DescribeThing |
| GetDestination | Grants permission to get the Destination | Read | Destination* | | |
| GetDeviceProfile | Grants permission to get the DeviceProfile | Read | DeviceProfile* | | |
| GetEventConfigurationByResourceTypes | Grants permission to get event configuration by resource types | Read | | | |
| GetFuotaTask | Grants permission to get the FuotaTask | Read | FuotaTask* | | |
| GetLogLevelsByResourceTypes | Grants permission to get log levels by resource types | Read | | | |
| GetMulticastGroup | Grants permission to get the MulticastGroup | Read | MulticastGroup* | | |
| GetMulticastGroupSession | Grants permission to get the MulticastGroup session | Read | MulticastGroup* | | |
| GetNetworkAnalyzerConfiguration | Grants permission to get the NetworkAnalyzerConfiguration | Read | NetworkAnalyzerConfiguration* | | |
| GetPartnerAccount | Grants permission to get the associated PartnerAccount | Read | SidewalkAccount* | | |
| GetResourceEventConfiguration | Grants permission to get an event configuration for an identifier | Read | SidewalkAccount, WirelessDevice, WirelessGateway | | |
| GetResourceLogLevel | Grants permission to get resource log level | Read | WirelessDevice, WirelessGateway | | |
| GetServiceEndpoint | Grants permission to retrieve the customer account specific endpoint for CUPS protocol connection or LoRaWAN Network Server (LNS) protocol connection, and optionally server trust certificate in PEM format | Read | | | |
| GetServiceProfile | Grants permission to get the ServiceProfile | Read | ServiceProfile* | | |
| GetWirelessDevice | Grants permission to get the WirelessDevice | Read | WirelessDevice* | | |
| GetWirelessDeviceStatistics | Grants permission to get statistics info for a given WirelessDevice | Read | WirelessDevice* | | |
| GetWirelessGateway | Grants permission to get the WirelessGateway | Read | WirelessGateway* | | |
| GetWirelessGatewayCertificate | Grants permission to get the IoT Core Identity certificate id associated with the WirelessGateway | Read | WirelessGateway* | | |
| GetWirelessGatewayFirmwareInformation | Grants permission to get current firmware version and other information for the WirelessGateway | Read | WirelessGateway* | | |
| GetWirelessGatewayStatistics | Grants permission to get statistics info for a given WirelessGateway | Read | WirelessGateway* | | |
| GetWirelessGatewayTask | Grants permission to get the task for a given WirelessGateway | Read | WirelessGateway* | | |
| GetWirelessGatewayTaskDefinition | Grants permission to get the given WirelessGateway task definition | Read | WirelessGatewayTaskDefinition* | | |
| ListDestinations | Grants permission to list information of available Destinations based on the AWS account | Read | | | |
| ListDeviceProfiles | Grants permission to list information of available DeviceProfiles based on the AWS account | Read | | | |
| ListEventConfigurations | Grants permission to list information of available event configurations based on the AWS account | Read | | | |
| ListFuotaTasks | Grants permission to list information of available FuotaTasks based on the AWS account | Read | | | |
| ListMulticastGroups | Grants permission to list information of available MulticastGroups based on the AWS account | Read | | | |
| ListMulticastGroupsByFuotaTask | Grants permission to list information of available MulticastGroups by FuotaTask based on the AWS account | Read | FuotaTask* | | |
| ListNetworkAnalyzerConfigurations | Grants permission to list information of available NetworkAnalyzerConfigurations based on the AWS account | Read | | | |
| ListPartnerAccounts | Grants permission to list the available partner accounts | Read | | | |
| ListQueuedMessages | Grants permission to list the Queued Messages | Read | | | |
| ListServiceProfiles | Grants permission to list information of available ServiceProfiles based on the AWS account | Read | | | |
| ListTagsForResource | Grants permission to list all tags for a given resource | Read | Destination, DeviceProfile, NetworkAnalyzerConfiguration, ServiceProfile, SidewalkAccount, WirelessDevice, WirelessGateway, WirelessGatewayTaskDefinition | | |
| ListWirelessDevices | Grants permission to list information of available WirelessDevices based on the AWS account | Read | | | |
| ListWirelessGatewayTaskDefinitions | Grants permission to list information of available WirelessGateway task definitions based on the AWS account | Read | | | |
| ListWirelessGateways | Grants permission to list information of available WirelessGateways based on the AWS account | Read | | | |
| PutResourceLogLevel | Grants permission to put resource log level | Write | WirelessDevice, WirelessGateway | | |
| ResetAllResourceLogLevels | Grants permission to reset all resource log levels | Write | | | |
| ResetResourceLogLevel | Grants permission to reset resource log level | Write | WirelessDevice, WirelessGateway | | |
| SendDataToMulticastGroup | Grants permission to send data to the MulticastGroup | Write | MulticastGroup* | | |
| SendDataToWirelessDevice | Grants permission to send the decrypted application data frame to the target device | Write | WirelessDevice* | | |
| StartBulkAssociateWirelessDeviceWithMulticastGroup | Grants permission to associate the WirelessDevices with MulticastGroup | Write | MulticastGroup* | | |
| StartBulkDisassociateWirelessDeviceFromMulticastGroup | Grants permission to bulk disassociate the WirelessDevices from MulticastGroup | Write | MulticastGroup* | | |
| StartFuotaTask | Grants permission to start the FuotaTask | Write | FuotaTask* | | |
| StartMulticastGroupSession | Grants permission to start the MulticastGroup session | Write | MulticastGroup* | | |
| StartNetworkAnalyzerStream | Grants permission to start NetworkAnalyzer stream | Write | NetworkAnalyzerConfiguration* | | |
| TagResource | Grants permission to tag a given resource | Tagging | Destination, DeviceProfile, NetworkAnalyzerConfiguration, ServiceProfile, SidewalkAccount, WirelessDevice, WirelessGateway, WirelessGatewayTaskDefinition | aws:RequestTag/${TagKey}, aws:TagKeys | |
| TestWirelessDevice | Grants permission to simulate a provisioned device to send an uplink data with payload of 'Hello' | Write | WirelessDevice* | | |
| UntagResource | Grants permission to remove the given tags from the resource | Tagging | Destination, DeviceProfile, NetworkAnalyzerConfiguration, ServiceProfile, SidewalkAccount, WirelessDevice, WirelessGateway, WirelessGatewayTaskDefinition | aws:TagKeys | |
| UpdateDestination | Grants permission to update a Destination resource | Write | Destination* | | |
| UpdateEventConfigurationByResourceTypes | Grants permission to update event configuration by resource types | Write | | | |
| UpdateFuotaTask | Grants permission to update the FuotaTask | Write | FuotaTask* | | |
| UpdateLogLevelsByResourceTypes | Grants permission to update log levels by resource types | Write | | | |
| UpdateMulticastGroup | Grants permission to update the MulticastGroup | Write | MulticastGroup* | | |
| UpdateNetworkAnalyzerConfiguration | Grants permission to update the NetworkAnalyzerConfiguration | Write | NetworkAnalyzerConfiguration*, WirelessDevice*, WirelessGateway* | | |
| UpdatePartnerAccount | Grants permission to update a partner account | Write | SidewalkAccount* | | |
| UpdateResourceEventConfiguration | Grants permission to update an event configuration for an identifier | Write | SidewalkAccount, WirelessDevice, WirelessGateway | | |
| UpdateWirelessDevice | Grants permission to update a WirelessDevice resource | Write | WirelessDevice* | | |
| UpdateWirelessGateway | Grants permission to update a WirelessGateway resource | Write | WirelessGateway* | | |

Resource types defined by AWS IoT Core for LoRaWAN

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see Resource types table.

| Resource types | ARN | Condition keys |
| --- | --- | --- |
| WirelessDevice | arn:${Partition}:iotwireless:${Region}:${Account}:WirelessDevice/${WirelessDeviceId} | aws:ResourceTag/${TagKey} |
| WirelessGateway | arn:${Partition}:iotwireless:${Region}:${Account}:WirelessGateway/${WirelessGatewayId} | aws:ResourceTag/${TagKey} |
| DeviceProfile | arn:${Partition}:iotwireless:${Region}:${Account}:DeviceProfile/${DeviceProfileId} | aws:ResourceTag/${TagKey} |
| ServiceProfile | arn:${Partition}:iotwireless:${Region}:${Account}:ServiceProfile/${ServiceProfileId} | aws:ResourceTag/${TagKey} |
| Destination | arn:${Partition}:iotwireless:${Region}:${Account}:Destination/${DestinationName} | aws:ResourceTag/${TagKey} |
| SidewalkAccount | arn:${Partition}:iotwireless:${Region}:${Account}:SidewalkAccount/${SidewalkAccountId} | aws:ResourceTag/${TagKey} |
| WirelessGatewayTaskDefinition | arn:${Partition}:iotwireless:${Region}:${Account}:WirelessGatewayTaskDefinition/${WirelessGatewayTaskDefinitionId} | aws:ResourceTag/${TagKey} |
| FuotaTask | arn:${Partition}:iotwireless:${Region}:${Account}:FuotaTask/${FuotaTaskId} | aws:ResourceTag/${TagKey} |
| MulticastGroup | arn:${Partition}:iotwireless:${Region}:${Account}:MulticastGroup/${MulticastGroupId} | aws:ResourceTag/${TagKey} |
| NetworkAnalyzerConfiguration | arn:${Partition}:iotwireless:${Region}:${Account}:NetworkAnalyzerConfiguration/${NetworkAnalyzerConfigurationName} | aws:ResourceTag/${TagKey} |
| thing | arn:${Partition}:iot:${Region}:${Account}:thing/${ThingName} | |
| cert | arn:${Partition}:iot:${Region}:${Account}:cert/${Certificate} | |
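
As an added example (not part of the AWS reference), the Python check below applies two rules from this page: an action with a blank Resource types column is only granted by Resource "*", and an ARN in a statement only helps if it is of a type the action accepts. The table subset, function names, sample policy, account ID and resource IDs are constructed for illustration.

```python
# Subset of this page's Actions table: action -> accepted resource types (empty set = blank column).
ACTION_RESOURCES = {
    "SendDataToWirelessDevice": {"WirelessDevice"},
    "UpdateWirelessGateway": {"WirelessGateway"},
    "AssociateWirelessDeviceWithMulticastGroup": {"MulticastGroup", "WirelessDevice"},
    "ListWirelessDevices": set(),
    "GetServiceEndpoint": set(),
}

def as_list(value):
    return value if isinstance(value, list) else [value]

def resource_type(arn):
    """Type segment of an iotwireless ARN, "*" if it is wildcarded, None if not iotwireless."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "iotwireless":
        return "*" if arn == "*" else None
    rtype = parts[5].split("/", 1)[0]
    return "*" if "*" in rtype else rtype

def lint_policy(policy):
    """Return (statement index, action, reason) for Allow grants that can never match."""
    findings = []
    for idx, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        resources = as_list(stmt.get("Resource", []))
        types = {resource_type(r) for r in resources}
        for action in as_list(stmt.get("Action", [])):
            prefix, _, name = action.partition(":")
            if prefix != "iotwireless" or name not in ACTION_RESOURCES:
                continue  # wildcard actions and actions outside the subset are not judged
            accepted = ACTION_RESOURCES[name]
            if not accepted and "*" not in resources:
                findings.append((idx, name, 'Resource must be "*"'))
            elif accepted and not types & (accepted | {"*"}):
                findings.append((idx, name, "no Resource of type " + "/".join(sorted(accepted))))
    return findings

SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [  # constructed input
    {"Effect": "Allow",
     "Action": ["iotwireless:SendDataToWirelessDevice", "iotwireless:ListWirelessDevices"],
     "Resource": "arn:aws:iotwireless:us-east-1:111122223333:WirelessDevice/*"},
    {"Effect": "Allow", "Action": "iotwireless:UpdateWirelessGateway",
     "Resource": "arn:aws:iotwireless:us-east-1:111122223333:WirelessDevice/example-id"},
    {"Effect": "Allow", "Action": "iotwireless:GetServiceEndpoint", "Resource": "*"},
]}

if __name__ == "__main__":
    print(*lint_policy(SAMPLE_POLICY), sep="\n")
```

The check only reports grants that can never take effect; it does not evaluate Deny statements, conditions, or whether every required resource type of a multi-resource action is covered.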

Condition keys for AWS IoT Core for LoRaWAN

AWS IoT Core for LoRaWAN defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

| Condition keys | Description | Type |
| --- | --- | --- |
| aws:RequestTag/${TagKey} | Filters access by a tag key that is present in the request that the user makes to IoT Wireless | String |
| aws:ResourceTag/${TagKey} | Filters access by tag key component of a tag attached to an IoT Wireless resource | String |
| aws:TagKeys | Filters access by the list of all the tag key names associated with the resource in the request | ArrayOfString |