Actions, resources, and condition keys for AWS Resource Access Manager (RAM)

AWS Resource Access Manager (RAM) (service prefix: ram) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Learn how to configure this service.
View a list of the API operations available for this service.
Learn how to secure this service and its resources by using IAM permission policies.

Topics

Actions defined by AWS Resource Access Manager (RAM)
Resource types defined by AWS Resource Access Manager (RAM)
Condition keys for AWS Resource Access Manager (RAM)

Actions defined by AWS Resource Access Manager (RAM)

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note

Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see Actions table.

Actions	Description	Access level	Resource types (*required)	Condition keys	Dependent actions
AcceptResourceShareInvitation	Grants permission to accept the specified resource share invitation	Write	resource-share-invitation*
AcceptResourceShareInvitation		Write		ram:ShareOwnerAccountId ram:ResourceShareName
AssociateResourceShare	Grants permission to associate resource(s) and/or principal(s) to a resource share	Write	resource-share*
AssociateResourceShare		Write		aws:ResourceTag/${TagKey} ram:ResourceTag/${TagKey} ram:ResourceShareName ram:AllowsExternalPrincipals ram:Principal ram:RequestedResourceType ram:ResourceArn
AssociateResourceSharePermission	Grants permission to associate a Permission with a Resource Share	Write	customer-managed-permission*
			permission*
			resource-share*
CreatePermission	Grants permission to create a Permission that can be associated to a Resource Share	Write		ram:PermissionArn ram:PermissionResourceType aws:ResourceTag/${TagKey} aws:RequestTag/${TagKey} aws:TagKeys	ram:TagResource
CreatePermissionVersion	Grants permission to create a new version of a Permission that can be associated to a Resource Share	Write	customer-managed-permission*
CreatePermissionVersion		Write		ram:PermissionArn ram:PermissionResourceType
CreateResourceShare	Grants permission to create a resource share with provided resource(s) and/or principal(s)	Write		aws:RequestTag/${TagKey} aws:TagKeys ram:RequestedResourceType ram:ResourceArn ram:RequestedAllowsExternalPrincipals ram:Principal
DeletePermission	Grants permission to delete a specified Permission	Write	customer-managed-permission*
DeletePermission	Grants permission to delete a specified Permission	Write		aws:ResourceTag/${TagKey} ram:PermissionArn ram:PermissionResourceType
DeletePermissionVersion	Grants permission to delete a specified version of a permission	Write	customer-managed-permission*
DeletePermissionVersion		Write		ram:PermissionArn ram:PermissionResourceType
DeleteResourceShare	Grants permission to delete resource share	Write	resource-share*
DeleteResourceShare	Grants permission to delete resource share	Write		aws:ResourceTag/${TagKey} ram:ResourceTag/${TagKey} ram:ResourceShareName ram:AllowsExternalPrincipals
DisassociateResourceShare	Grants permission to disassociate resource(s) and/or principal(s) from a resource share	Write	resource-share*
DisassociateResourceShare		Write		aws:ResourceTag/${TagKey} ram:ResourceTag/${TagKey} ram:ResourceShareName ram:AllowsExternalPrincipals ram:Principal ram:RequestedResourceType ram:ResourceArn
DisassociateResourceSharePermission	Grants permission to disassociate a Permission from a Resource Share	Write	customer-managed-permission*
			permission*
			resource-share*
EnableSharingWithAwsOrganization	Grants permission to access customer's organization and create a SLR in the customer's account	Permissions management			iam:CreateServiceLinkedRole organizations:DescribeOrganization organizations:EnableAWSServiceAccess
GetPermission	Grants permission to get the contents of an AWS RAM permission	Read	customer-managed-permission*
			permission*
				ram:PermissionArn
GetResourcePolicies	Grants permission to get the policies for the specified resources that you own and have shared	Read
GetResourceShareAssociations	Grants permission to get a set of resource share associations from a provided list or with a specified status of the specified type	Read
GetResourceShareInvitations	Grants permission to get resource share invitations by the specified invitation arn or those for the resource share	Read
GetResourceShares	Grants permission to get a set of resource shares from a provided list or with a specified status	Read		aws:RequestTag/${TagKey} aws:TagKeys
ListPendingInvitationResources	Grants permission to list the resources in a resource share that is shared with you but that the invitation is still pending for	Read	resource-share-invitation*
ListPendingInvitationResources		Read		ram:ResourceShareName
ListPermissionAssociations	Grants permission to list information about the permission and any associations	List	customer-managed-permission*
			permission*
				ram:PermissionArn ram:PermissionResourceType
ListPermissionVersions	Grants permission to list the versions of an AWS RAM permission	List
ListPermissions	Grants permission to list the AWS RAM permissions	List
ListPrincipals	Grants permission to list the principals that you have shared resources with or that have shared resources with you	List
ListReplacePermissionAssociationsWork	Grants permission to retrieve the status of the asynchronous permission replacement	List
ListResourceSharePermissions	Grants permission to list the Permissions associated with a Resource Share	List	resource-share*
ListResourceSharePermissions		List		aws:ResourceTag/${TagKey} ram:ResourceShareName ram:AllowsExternalPrincipals
ListResourceTypes	Grants permission to list the shareable resource types supported by AWS RAM	List
ListResources	Grants permission to list the resources that you added to resource shares or the resources that are shared with you	List
PromotePermissionCreatedFromPolicy	Grants permission to create a separate, fully manageable customer managed permission	Write	customer-managed-permission*
PromotePermissionCreatedFromPolicy		Write		ram:PermissionArn ram:PermissionResourceType
PromoteResourceShareCreatedFromPolicy	Grants permission to promote the specified resource share	Write	resource-share*
RejectResourceShareInvitation	Grants permission to reject the specified resource share invitation	Write	resource-share-invitation*
RejectResourceShareInvitation		Write		ram:ShareOwnerAccountId ram:ResourceShareName
ReplacePermissionAssociations	Grants permission to update all resource shares to a new permission	Write	customer-managed-permission*
			permission*
				ram:PermissionArn ram:PermissionResourceType
SetDefaultPermissionVersion	Grants permission to specify a version number as the default version for the respective customer managed permission	Write	customer-managed-permission*
SetDefaultPermissionVersion		Write		ram:PermissionArn ram:PermissionResourceType
TagResource	Grants permission to tag the specified resource share or permission	Tagging	customer-managed-permission
			resource-share
				aws:RequestTag/${TagKey} aws:TagKeys
UntagResource	Grants permission to untag the specified resource share or permission	Tagging	customer-managed-permission
			resource-share
				aws:TagKeys
UpdateResourceShare	Grants permission to update attributes of the resource share	Write	resource-share*
UpdateResourceShare		Write		aws:ResourceTag/${TagKey} ram:ResourceTag/${TagKey} ram:ResourceShareName ram:AllowsExternalPrincipals ram:RequestedAllowsExternalPrincipals

Resource types defined by AWS Resource Access Manager (RAM)

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.

Resource types	ARN	Condition keys
resource-share	`arn:${Partition}:ram:${Region}:${Account}:resource-share/${ResourcePath}`	aws:ResourceTag/${TagKey} ram:AllowsExternalPrincipals ram:ResourceShareName
resource-share-invitation	`arn:${Partition}:ram:${Region}:${Account}:resource-share-invitation/${ResourcePath}`	ram:ShareOwnerAccountId
permission	`arn:${Partition}:ram::${Account}:permission/${ResourcePath}`	ram:PermissionArn ram:PermissionResourceType
customer-managed-permission	`arn:${Partition}:ram:${Region}:${Account}:permission/${ResourcePath}`	aws:ResourceTag/${TagKey} ram:PermissionArn ram:PermissionResourceType

Condition keys for AWS Resource Access Manager (RAM)

AWS Resource Access Manager (RAM) defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys	Description	Type
aws:RequestTag/${TagKey}	Filters access by the tags that are passed in the request when creating or tagging a resource share. If users don't pass these specific tags, or if they don't specify tags at all, the request fails	String
aws:ResourceTag/${TagKey}	Filters access by the tags associated with the resource	String
aws:TagKeys	Filters access by the tag keys that are passed when creating or tagging a resource share	ArrayOfString
ram:AllowsExternalPrincipals	Filters access by resource shares that allow or deny sharing with external principals. For example, specify true if the action can only be performed on resource shares that allow sharing with external principals. External principals are AWS accounts that are outside of its AWS organization	Bool
ram:PermissionArn	Filters access by the specified Permission ARN	ARN
ram:PermissionResourceType	Filters access by permissions of specified resource type	String
ram:Principal	Filters access by format of the specified principal	String
ram:RequestedAllowsExternalPrincipals	Filters access by the specified value for 'allowExternalPrincipals'. External principals are AWS accounts that are outside of its AWS Organization	Bool
ram:RequestedResourceType	Filters access by the specified resource type	String
ram:ResourceArn	Filters access by the specified ARN	ARN
ram:ResourceShareName	Filters access by a resource share with the specified name	String
ram:ResourceTag/${TagKey}	Filters access by the tags associated with the resource	String
ram:ShareOwnerAccountId	Filters access by resource shares owned by a specific account. For example, you can use this condition key to specify which resource share invitations can be accepted or rejected based on the resource share owner’s account ID	String

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

AWS Resilience Hub

AWS Resource Explorer