Actions, resources, and condition keys for AWS Resource Access Manager

AWS Resource Access Manager (service prefix: ram) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Learn how to configure this service.
View a list of the API operations available for this service.
Learn how to secure this service and its resources by using IAM permission policies.

Topics

Actions defined by AWS Resource Access Manager
Resource types defined by AWS Resource Access Manager
Condition keys for AWS Resource Access Manager

Actions defined by AWS Resource Access Manager

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see Actions table.

Actions	Description	Access level	Resource types (*required)	Condition keys	Dependent actions
AcceptResourceShareInvitation	Grants permission to accept the specified resource share invitation	Write	resource-share-invitation*
AcceptResourceShareInvitation		Write		ram:ShareOwnerAccountId
AssociateResourceShare	Grants permission to associate resource(s) and/or principal(s) to a resource share	Write	resource-share*
AssociateResourceShare		Write		aws:ResourceTag/${TagKey} ram:ResourceShareName ram:AllowsExternalPrincipals ram:Principal ram:RequestedResourceType ram:ResourceArn
AssociateResourceSharePermission	Grants permission to associate a Permission with a Resource Share	Write	permission*
AssociateResourceSharePermission		Write	resource-share*
CreateResourceShare	Grants permission to create a resource share with provided resource(s) and/or principal(s)	Write		aws:RequestTag/${TagKey} aws:TagKeys ram:RequestedResourceType ram:ResourceArn ram:RequestedAllowsExternalPrincipals ram:Principal	ec2:CreateTags
DeleteResourceShare	Grants permission to delete resource share	Write	resource-share*
DeleteResourceShare	Grants permission to delete resource share	Write		aws:ResourceTag/${TagKey} ram:ResourceShareName ram:AllowsExternalPrincipals
DisassociateResourceShare	Grants permission to disassociate resource(s) and/or principal(s) from a resource share	Write	resource-share*
DisassociateResourceShare		Write		aws:ResourceTag/${TagKey} ram:ResourceShareName ram:AllowsExternalPrincipals ram:Principal ram:RequestedResourceType ram:ResourceArn
DisassociateResourceSharePermission	Grants permission to disassociate a Permission from a Resource Share	Write	permission*
DisassociateResourceSharePermission		Write	resource-share*
EnableSharingWithAwsOrganization	Grants permission to access customer's organization and create a SLR in the customer's account	Permissions management			iam:CreateServiceLinkedRole organizations:DescribeOrganization organizations:EnableAWSServiceAccess
GetPermission	Grants permission to get the contents of an AWS RAM permission	Read	permission*
GetPermission		Read		ram:PermissionArn
GetResourcePolicies	Grants permission to get the policies for the specified resources that you own and have shared	Read
GetResourceShareAssociations	Grants permission to get a set of resource share associations from a provided list or with a specified status of the specified type	Read
GetResourceShareInvitations	Grants permission to get resource share invitations by the specified invitation arn or those for the resource share	Read
GetResourceShares	Grants permission to get a set of resource shares from a provided list or with a specified status	Read		aws:RequestTag/${TagKey} aws:TagKeys
ListPendingInvitationResources	Grants permission to list the resources in a resource share that is shared with you but that the invitation is still pending for	Read	resource-share-invitation*
ListPermissionVersions	Grants permission to list the versions of an AWS RAM permission	List
ListPermissions	Grants permission to list the AWS RAM permissions	List
ListPrincipals	Grants permission to list the principals that you have shared resources with or that have shared resources with you	List
ListResourceSharePermissions	Grants permission to list the Permissions associated with a Resource Share	List	resource-share*
ListResourceSharePermissions		List		aws:ResourceTag/${TagKey} ram:ResourceShareName ram:AllowsExternalPrincipals
ListResourceTypes	Grants permission to list the shareable resource types supported by AWS RAM	List
ListResources	Grants permission to list the resources that you added to resource shares or the resources that are shared with you	List
PromoteResourceShareCreatedFromPolicy	Grants permission to promote the specified resource share	Write	resource-share*
RejectResourceShareInvitation	Grants permission to reject the specified resource share invitation	Write	resource-share-invitation*
RejectResourceShareInvitation		Write		ram:ShareOwnerAccountId
TagResource	Grants permission to tag the specified resource share	Tagging	resource-share*
TagResource	Grants permission to tag the specified resource share	Tagging		aws:RequestTag/${TagKey} aws:TagKeys
UntagResource	Grants permission to untag the specified resource share	Tagging	resource-share*
UntagResource	Grants permission to untag the specified resource share	Tagging		aws:RequestTag/${TagKey} aws:TagKeys
UpdateResourceShare	Grants permission to update attributes of the resource share	Write	resource-share*
UpdateResourceShare		Write		aws:ResourceTag/${TagKey} ram:ResourceShareName ram:AllowsExternalPrincipals ram:RequestedAllowsExternalPrincipals

Resource types defined by AWS Resource Access Manager

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see Resource types table.

Resource types ARN Condition keys

Resource types	ARN	Condition keys
resource-share	`arn:${Partition}:ram:${Region}:${Account}:resource-share/${ResourcePath}`	aws:ResourceTag/${TagKey} ram:AllowsExternalPrincipals ram:ResourceShareName
resource-share-invitation	`arn:${Partition}:ram:${Region}:${Account}:resource-share-invitation/${ResourcePath}`	ram:ShareOwnerAccountId
permission	`arn:${Partition}:ram::${Account}:permission/${ResourcePath}`	ram:PermissionArn ram:PermissionResourceType

resource-share

arn:${Partition}:ram:${Region}:${Account}:resource-share/${ResourcePath}

aws:ResourceTag/${TagKey}

ram:AllowsExternalPrincipals

ram:ResourceShareName

resource-share-invitation

arn:${Partition}:ram:${Region}:${Account}:resource-share-invitation/${ResourcePath}

ram:ShareOwnerAccountId

permission

arn:${Partition}:ram::${Account}:permission/${ResourcePath}

ram:PermissionArn

ram:PermissionResourceType

Condition keys for AWS Resource Access Manager

AWS Resource Access Manager defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys	Description	Type
aws:RequestTag/${TagKey}	Filters access based on the tags that are passed in the request when creating or tagging a resource share. If users don't pass these specific tags, or if they don't specify tags at all, the request fails	String
aws:ResourceTag/${TagKey}	Filters access based on the tags associated with the resource	String
aws:TagKeys	Filters access based on the tag keys that are passed when creating or tagging a resource share	ArrayOfString
ram:AllowsExternalPrincipals	Filters access based on resource shares that allow or deny sharing with external principals. For example, specify true if the action can only be performed on resource shares that allow sharing with external principals. External principals are AWS accounts that are outside of its AWS organization	Bool
ram:PermissionArn	Filters access based on the specified Permission ARN	ARN
ram:PermissionResourceType	Filters access based on permissions of specified resource type	String
ram:Principal	Filters access based on the format of the specified principal	String
ram:RequestedAllowsExternalPrincipals	Filters access based on the specified value for 'allowExternalPrincipals'. External principals are AWS accounts that are outside of its AWS Organization	Bool
ram:RequestedResourceType	Filters access based on the specified resource type	String
ram:ResourceArn	Filters access based on a resource with the specified ARN	ARN
ram:ResourceShareName	Filters access based on a resource share with the specified name	String
ram:ShareOwnerAccountId	Filters access based on resource shares owned by a specific account. For example, you can use this condition key to specify which resource share invitations can be accepted or rejected based on the resource share owner's account ID	String

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

AWS Resilience Hub Service

Amazon Resource Group Tagging API