Actions, resources, and condition keys for AWS IoT Things Graph
AWS IoT Things Graph (service prefix: iotthingsgraph) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.
References:
-
Learn how to configure this service.
-
View a list of the API operations available for this service.
-
Learn how to secure this service and its resources by using IAM permission policies.
Topics
Actions defined by AWS IoT Things Graph
You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.
The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.
For details about the columns in the following table, see Actions table.
| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| AssociateEntityToThing | Associates a device with a concrete thing that is in the user's registry. A thing can be associated with only one device at a time. If you associate a thing with a new device id, its previous association will be removed | Write |
iot:DescribeThing iot:DescribeThingGroup |
||
| CreateFlowTemplate | Creates a workflow template. Workflows can be created only in the user's namespace. (The public namespace contains only entities.) The workflow can contain only entities in the specified namespace. The workflow is validated against the entities in the latest version of the user's namespace unless another namespace version is specified in the request | Write | |||
| CreateSystemInstance | Creates an instance of a system with specified configurations and Things | Write | |||
| CreateSystemTemplate | Creates a system. The system is validated against the entities in the latest version of the user's namespace unless another namespace version is specified in the request | Write | |||
| DeleteFlowTemplate | Deletes a workflow. Any new system or system instance that contains this workflow will fail to update or deploy. Existing system instances that contain the workflow will continue to run (since they use a snapshot of the workflow taken at the time of deploying the system instance) | Write | |||
| DeleteNamespace | Deletes the specified namespace. This action deletes all of the entities in the namespace. Delete the systems and flows in the namespace before performing this action | Write | |||
| DeleteSystemInstance | Deletes a system instance. Only instances that have never been deployed, or that have been undeployed from the target can be deleted. Users can create a new system instance that has the same ID as a deleted system instance | Write | |||
| DeleteSystemTemplate | Deletes a system. New system instances can't contain the system after its deletion. Existing system instances that contain the system will continue to work because they use a snapshot of the system that is taken when it is deployed | Write | |||
| DeploySystemInstance | Deploys the system instance to the target specified in CreateSystemInstance | Write | |||
| DeprecateFlowTemplate | Deprecates the specified workflow. This action marks the workflow for deletion. Deprecated flows can't be deployed, but existing system instances that use the flow will continue to run | Write | |||
| DeprecateSystemTemplate | Deprecates the specified system | Write | |||
| DescribeNamespace | Gets the latest version of the user's namespace and the public version that it is tracking | Read | |||
| DissociateEntityFromThing | Dissociates a device entity from a concrete thing. The action takes only the type of the entity that you need to dissociate because only one entity of a particular type can be associated with a thing | Write |
iot:DescribeThing iot:DescribeThingGroup |
||
| GetEntities | Gets descriptions of the specified entities. Uses the latest version of the user's namespace by default | Read | |||
| GetFlowTemplate | Gets the latest version of the DefinitionDocument and FlowTemplateSummary for the specified workflow | Read | |||
| GetFlowTemplateRevisions | Gets revisions of the specified workflow. Only the last 100 revisions are stored. If the workflow has been deprecated, this action will return revisions that occurred before the deprecation. This action won't work for workflows that have been deleted | Read | |||
| GetNamespaceDeletionStatus | Gets the status of a namespace deletion task | Read | |||
| GetSystemInstance | Gets a system instance | Read | |||
| GetSystemTemplate | Gets a system | Read | |||
| GetSystemTemplateRevisions | Gets revisions made to the specified system template. Only the previous 100 revisions are stored. If the system has been deprecated, this action will return the revisions that occurred before its deprecation. This action won't work with systems that have been deleted | Read | |||
| GetUploadStatus | Gets the status of the specified upload | Read | |||
| ListFlowExecutionMessages | Lists details of a single workflow execution | List | |||
| ListTagsForResource | Lists all tags for a given resource | List | |||
| SearchEntities | Searches for entities of the specified type. You can search for entities in your namespace and the public namespace that you're tracking | Read | |||
| SearchFlowExecutions | Searches for workflow executions of a system instance | Read | |||
| SearchFlowTemplates | Searches for summary information about workflows | Read | |||
| SearchSystemInstances | Searches for system instances in the user's account | Read | |||
| SearchSystemTemplates | Searches for summary information about systems in the user's account. You can filter by the ID of a workflow to return only systems that use the specified workflow | Read | |||
| SearchThings | Searches for things associated with the specified entity. You can search by both device and device model | Read | |||
| TagResource | Tag a specified resource | Tagging | |||
| UndeploySystemInstance | Removes the system instance and associated triggers from the target | Write | |||
| UntagResource | Untag a specified resource | Tagging | |||
| UpdateFlowTemplate | Updates the specified workflow. All deployed systems and system instances that use the workflow will see the changes in the flow when it is redeployed. The workflow can contain only entities in the specified namespace | Write | |||
| UpdateSystemTemplate | Updates the specified system. You don't need to run this action after updating a workflow. Any system instance that uses the system will see the changes in the system when it is redeployed | Write | |||
| UploadEntityDefinitions | Asynchronously uploads one or more entity definitions to the user's namespace | Write |
Resource types defined by AWS IoT Things Graph
The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see Resource types table.
| Resource types | ARN | Condition keys |
|---|---|---|
| Workflow |
arn:${Partition}:iotthingsgraph:${Region}:${Account}:Workflow/${NamespacePath}
|
|
| System |
arn:${Partition}:iotthingsgraph:${Region}:${Account}:System/${NamespacePath}
|
|
| SystemInstance |
arn:${Partition}:iotthingsgraph:${Region}:${Account}:Deployment/${NamespacePath}
|
Condition keys for AWS IoT Things Graph
AWS IoT Things Graph defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.
To view the global condition keys that are available to all services, see Available global condition keys.
| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters access by a key that is present in the request the user makes to the thingsgraph service | String |
| aws:ResourceTag/${TagKey} | Filters access by a tag key and value pair | String |
| aws:TagKeys | Filters access by the list of all the tag key names present in the request the user makes to the thingsgraph service | String |
