Actions, resources, and condition keys for AWS Resource Access Manager - Service Authorization Reference

Actions, resources, and condition keys for AWS Resource Access Manager

AWS Resource Access Manager (service prefix: ram) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions defined by AWS Resource Access Manager

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases a single action controls access to more than one operation, and conversely some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table.

Columns: Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions. No action in this table lists dependent actions. Where no resource type is given, the Resource element must be "*".

AcceptResourceShareInvitation
  Description: Grants permission to accept the specified resource share invitation
  Access level: Write
  Resource types: resource-share-invitation*
  Condition keys: ram:ShareOwnerAccountId

AssociateResourceShare
  Description: Grants permission to associate resource(s) and/or principal(s) with a resource share
  Access level: Write
  Resource types: resource-share*
  Condition keys: aws:ResourceTag/${TagKey}, ram:ResourceShareName, ram:AllowsExternalPrincipals, ram:Principal, ram:RequestedResourceType, ram:ResourceArn

AssociateResourceSharePermission
  Description: Grants permission to associate a permission with a resource share
  Access level: Write
  Resource types: permission*, resource-share*
  Condition keys: none

CreateResourceShare
  Description: Grants permission to create a resource share with the provided resource(s) and/or principal(s)
  Access level: Write
  Resource types: none (specify "*")
  Condition keys: aws:RequestTag/${TagKey}, aws:TagKeys, ram:RequestedResourceType, ram:ResourceArn, ram:RequestedAllowsExternalPrincipals, ram:Principal

DeleteResourceShare
  Description: Grants permission to delete a resource share
  Access level: Write
  Resource types: resource-share*
  Condition keys: aws:ResourceTag/${TagKey}, ram:ResourceShareName, ram:AllowsExternalPrincipals

DisassociateResourceShare
  Description: Grants permission to disassociate resource(s) and/or principal(s) from a resource share
  Access level: Write
  Resource types: resource-share*
  Condition keys: aws:ResourceTag/${TagKey}, ram:ResourceShareName, ram:AllowsExternalPrincipals, ram:Principal, ram:RequestedResourceType, ram:ResourceArn

DisassociateResourceSharePermission
  Description: Grants permission to disassociate a permission from a resource share
  Access level: Write
  Resource types: permission*, resource-share*
  Condition keys: none

EnableSharingWithAwsOrganization
  Description: Grants permission to access the customer's organization and create a service-linked role (SLR) in the customer's account
  Access level: Write
  Resource types: none (specify "*")
  Condition keys: none

GetPermission
  Description: Grants permission to get the contents of an AWS RAM permission
  Access level: Read
  Resource types: permission*
  Condition keys: ram:PermissionArn

GetResourcePolicies
  Description: Grants permission to get the policies for the specified resources that you own and have shared
  Access level: Read
  Resource types: none (specify "*")
  Condition keys: none

GetResourceShareAssociations
  Description: Grants permission to get a set of resource share associations of the specified type, from a provided list or with a specified status
  Access level: Read
  Resource types: none (specify "*")
  Condition keys: none

GetResourceShareInvitations
  Description: Grants permission to get resource share invitations by the specified invitation ARN, or those for the resource share
  Access level: Read
  Resource types: none (specify "*")
  Condition keys: none

GetResourceShares
  Description: Grants permission to get a set of resource shares from a provided list or with a specified status
  Access level: Read
  Resource types: none (specify "*")
  Condition keys: none

ListPendingInvitationResources
  Description: Grants permission to list the resources in a resource share that is shared with you but whose invitation is still pending
  Access level: Read
  Resource types: resource-share-invitation*
  Condition keys: none

ListPermissions
  Description: Grants permission to list the AWS RAM permissions
  Access level: List
  Resource types: none (specify "*")
  Condition keys: none

ListPrincipals
  Description: Grants permission to list the principals that you have shared resources with or that have shared resources with you
  Access level: List
  Resource types: none (specify "*")
  Condition keys: none

ListResourceSharePermissions
  Description: Grants permission to list the permissions associated with a resource share
  Access level: List
  Resource types: resource-share*
  Condition keys: aws:ResourceTag/${TagKey}, ram:ResourceShareName, ram:AllowsExternalPrincipals

ListResourceTypes
  Description: Grants permission to list the shareable resource types supported by AWS RAM
  Access level: List
  Resource types: none (specify "*")
  Condition keys: none

ListResources
  Description: Grants permission to list the resources that you added to resource shares or the resources that are shared with you
  Access level: List
  Resource types: none (specify "*")
  Condition keys: none

PromoteResourceShareCreatedFromPolicy
  Description: Grants permission to promote the specified resource share
  Access level: Write
  Resource types: resource-share*
  Condition keys: none

RejectResourceShareInvitation
  Description: Grants permission to reject the specified resource share invitation
  Access level: Write
  Resource types: resource-share-invitation*
  Condition keys: ram:ShareOwnerAccountId

TagResource
  Description: Grants permission to tag the specified resource share
  Access level: Tagging
  Resource types: resource-share*
  Condition keys: aws:RequestTag/${TagKey}, aws:TagKeys

UntagResource
  Description: Grants permission to untag the specified resource share
  Access level: Tagging
  Resource types: resource-share*
  Condition keys: aws:RequestTag/${TagKey}, aws:TagKeys

UpdateResourceShare
  Description: Grants permission to update attributes of the resource share
  Access level: Write
  Resource types: resource-share*
  Condition keys: aws:ResourceTag/${TagKey}, ram:ResourceShareName, ram:AllowsExternalPrincipals, ram:RequestedAllowsExternalPrincipals

Resource types defined by AWS Resource Access Manager

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The resource types table.

Columns: Resource types | ARN | Condition keys

resource-share
  ARN: arn:${Partition}:ram:${Region}:${Account}:resource-share/${ResourcePath}
  Condition keys: aws:ResourceTag/${TagKey}, ram:AllowsExternalPrincipals, ram:ResourceShareName

resource-share-invitation
  ARN: arn:${Partition}:ram:${Region}:${Account}:resource-share-invitation/${ResourcePath}
  Condition keys: ram:ShareOwnerAccountId

permission
  ARN: arn:${Partition}:ram::${Account}:permission/${ResourcePath} (note the empty Region field: permission ARNs carry no region)
  Condition keys: ram:PermissionArn, ram:PermissionResourceType

Condition keys for AWS Resource Access Manager

AWS Resource Access Manager defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Columns: Condition keys | Description | Type

aws:RequestTag/${TagKey} (String)
  Filters access based on the tags that are passed in the request when creating or tagging a resource share. If users don't pass these specific tags, or if they don't specify tags at all, the request fails.

aws:ResourceTag/${TagKey} (String)
  Filters access based on the tags associated with the resource.

aws:TagKeys (String)
  Filters access based on the tag keys that are passed when creating or tagging a resource share.

ram:AllowsExternalPrincipals (Bool)
  Filters access based on whether the existing resource share allows sharing with external principals. For example, specify true if the action may only be performed on resource shares that allow sharing with external principals. External principals are AWS accounts outside the sharing account's AWS Organization.

ram:PermissionArn (Arn)
  Filters access based on the specified permission ARN.

ram:PermissionResourceType (String)
  Filters access based on permissions for the specified resource type.

ram:Principal (String)
  Filters access based on the format of the specified principal.

ram:RequestedAllowsExternalPrincipals (Bool)
  Filters access based on the value of 'allowExternalPrincipals' passed in the request. External principals are AWS accounts outside the sharing account's AWS Organization.

ram:RequestedResourceType (String)
  Filters access based on the resource type specified in the request.

ram:ResourceArn (Arn)
  Filters access based on a resource with the specified ARN.

ram:ResourceShareName (String)
  Filters access based on a resource share with the specified name.

ram:ShareOwnerAccountId (String)
  Filters access based on resource shares owned by a specific account. For example, you can use this condition key to specify which resource share invitations can be accepted or rejected based on the resource share owner's account ID.
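The following is an added example, not code from AWS or from this reference, that puts the actions table and the condition keys above to work. It builds an identity policy for a "share admin" role (resource-level permission on resource-share ARNs scoped by aws:ResourceTag, a hard Deny on ram:RequestedAllowsExternalPrincipals=true for both CreateResourceShare and UpdateResourceShare, a Deny on sharing one resource type via ram:RequestedResourceType, and AcceptResourceShareInvitation restricted by ram:ShareOwnerAccountId) and then checks constructed requests against it with a deliberately reduced model of IAM evaluation. The account IDs, ARNs, tag scheme and the "ec2:TransitGateway" type string are constructed or assumed sample data; the evaluator models only the operators the policy uses and is not a substitute for the IAM policy simulator.

```python
"""Added example, not AWS code: an identity policy for a RAM share-admin role
built from this page's actions and condition keys, plus a reduced model of
IAM evaluation to check sample requests against it (explicit Deny wins, else
any matching Allow, else implicit Deny; only Bool, StringEquals and *-wildcard
Action/Resource matching are modelled; a condition key missing from the
request makes that condition false). Account IDs, ARNs, tag values and the
"ec2:TransitGateway" type string are constructed or assumed sample data."""
import fnmatch
import json

ORG_ACCOUNTS = ["111111111111", "222222222222"]   # constructed: our Organization
SHARE_ARN = "arn:aws:ram:us-east-1:111111111111:resource-share/sample-share"
INVITE_ARN = "arn:aws:ram:us-east-1:222222222222:resource-share-invitation/sample-invite"

SHARE_ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    # ABAC: resource-level permission on resource-share ARNs carrying team=platform.
    {"Sid": "ManageTaggedShares", "Effect": "Allow",
     "Action": ["ram:AssociateResourceShare", "ram:DisassociateResourceShare",
                "ram:UpdateResourceShare", "ram:DeleteResourceShare"],
     "Resource": "arn:aws:ram:*:111111111111:resource-share/*",
     "Condition": {"StringEquals": {"aws:ResourceTag/team": "platform"}}},
    # CreateResourceShare has no resource type, so Resource is "*"; the new share
    # must carry the team tag and must not allow external principals.
    {"Sid": "CreateInternalTaggedShares", "Effect": "Allow",
     "Action": "ram:CreateResourceShare", "Resource": "*",
     "Condition": {"Bool": {"ram:RequestedAllowsExternalPrincipals": "false"},
                   "StringEquals": {"aws:RequestTag/team": "platform"}}},
    # Guardrail: a share can never be opened to outside accounts, at creation or later.
    {"Sid": "DenyExternalSharing", "Effect": "Deny",
     "Action": ["ram:CreateResourceShare", "ram:UpdateResourceShare"], "Resource": "*",
     "Condition": {"Bool": {"ram:RequestedAllowsExternalPrincipals": "true"}}},
    # Guardrail: transit gateways are never added to a share from this role.
    {"Sid": "DenyTransitGatewaySharing", "Effect": "Deny",
     "Action": ["ram:CreateResourceShare", "ram:AssociateResourceShare"], "Resource": "*",
     "Condition": {"StringEquals": {"ram:RequestedResourceType": "ec2:TransitGateway"}}},
    # Invitations are accepted only when the share owner is inside the Organization.
    {"Sid": "AcceptOnlyFromOrganization", "Effect": "Allow",
     "Action": "ram:AcceptResourceShareInvitation",
     "Resource": "arn:aws:ram:*:*:resource-share-invitation/*",
     "Condition": {"StringEquals": {"ram:ShareOwnerAccountId": ORG_ACCOUNTS}}},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _test_holds(operator, expected, actual):
    """One condition test; a list of expected values is an OR. Absent key -> False."""
    if actual is None:
        return False
    norm = (lambda v: str(v).lower()) if operator == "Bool" else str
    if operator in ("Bool", "StringEquals"):
        return norm(actual) in [norm(v) for v in _as_list(expected)]
    raise ValueError(f"operator {operator} is not modelled")


def _statement_applies(stmt, action, resource, context):
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    return all(_test_holds(op, expected, context.get(key))
               for op, tests in stmt.get("Condition", {}).items()
               for key, expected in tests.items())


def evaluate(policy, action, resource, context):
    """Return "Allow" or "Deny" for one request; `context` maps condition keys
    (named as on this page) to the values the request would carry."""
    decision = "Deny"                      # implicit deny until an Allow matches
    for stmt in policy["Statement"]:
        if _statement_applies(stmt, action, resource, context):
            if stmt["Effect"] == "Deny":
                return "Deny"              # explicit deny always wins
            decision = "Allow"
    return decision


# Constructed requests: (action, resource ARN, request context).
SAMPLE_REQUESTS = {
    "create_internal_subnet_share": ("ram:CreateResourceShare", "*", {
        "ram:RequestedAllowsExternalPrincipals": False, "aws:RequestTag/team": "platform",
        "ram:RequestedResourceType": "ec2:Subnet"}),
    "create_external_share": ("ram:CreateResourceShare", "*", {
        "ram:RequestedAllowsExternalPrincipals": True, "aws:RequestTag/team": "platform",
        "ram:RequestedResourceType": "ec2:Subnet"}),
    "create_transit_gateway_share": ("ram:CreateResourceShare", "*", {
        "ram:RequestedAllowsExternalPrincipals": False, "aws:RequestTag/team": "platform",
        "ram:RequestedResourceType": "ec2:TransitGateway"}),
    "update_own_team_share": ("ram:UpdateResourceShare", SHARE_ARN, {
        "aws:ResourceTag/team": "platform", "ram:RequestedAllowsExternalPrincipals": False}),
    "update_other_team_share": ("ram:UpdateResourceShare", SHARE_ARN, {
        "aws:ResourceTag/team": "network", "ram:RequestedAllowsExternalPrincipals": False}),
    "open_own_share_to_external": ("ram:UpdateResourceShare", SHARE_ARN, {
        "aws:ResourceTag/team": "platform", "ram:RequestedAllowsExternalPrincipals": True}),
    "accept_from_org_member": ("ram:AcceptResourceShareInvitation", INVITE_ARN, {
        "ram:ShareOwnerAccountId": "222222222222"}),
    "accept_from_unknown_account": ("ram:AcceptResourceShareInvitation", INVITE_ARN, {
        "ram:ShareOwnerAccountId": "999999999999"}),
}


def decisions():
    """Evaluate every sample request against SHARE_ADMIN_POLICY."""
    return {name: evaluate(SHARE_ADMIN_POLICY, *req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    print(json.dumps(SHARE_ADMIN_POLICY, indent=2))   # paste-ready policy document
    for name, decision in decisions().items():
        print(f"{decision:5} {name}")
```

Two points a practitioner should take from running it. First, the ABAC Allow on ManageTaggedShares only works because the table above lists aws:ResourceTag/${TagKey} for those four actions and a resource-share ARN type for them; CreateResourceShare supports neither, so it is scoped with aws:RequestTag and ram:RequestedAllowsExternalPrincipals instead. Second, in this model a request that omits ram:RequestedAllowsExternalPrincipals fails the Bool test in the Allow and is implicitly denied, so the role must set allowExternalPrincipals explicitly; verify the real service's behaviour for an omitted parameter with the IAM policy simulator before relying on it.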