Actions, resources, and condition keys for Identity And Access Management

Identity And Access Management (service prefix: iam) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Learn how to configure this service.
View a list of the API operations available for this service.
Learn how to secure this service and its resources by using IAM permission policies.

Topics

Actions defined by Identity And Access Management
Resource types defined by Identity And Access Management
Condition keys for Identity And Access Management

Actions defined by Identity And Access Management

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see Actions table.

Actions	Description	Access level	Resource types (*required)	Condition keys	Dependent actions
AddClientIDToOpenIDConnectProvider	Grants permission to add a new client ID (audience) to the list of registered IDs for the specified IAM OpenID Connect (OIDC) provider resource	Write	oidc-provider*
AddRoleToInstanceProfile	Grants permission to add an IAM role to the specified instance profile	Write	instance-profile*		iam:PassRole
AddUserToGroup	Grants permission to add an IAM user to the specified IAM group	Write	group*
AttachGroupPolicy	Grants permission to attach a managed policy to the specified IAM group	Permissions management	group*
AttachGroupPolicy		Permissions management		iam:PolicyARN
AttachRolePolicy	Grants permission to attach a managed policy to the specified IAM role	Permissions management	role*
AttachRolePolicy		Permissions management		iam:PolicyARN iam:PermissionsBoundary
AttachUserPolicy	Grants permission to attach a managed policy to the specified IAM user	Permissions management	user*
AttachUserPolicy		Permissions management		iam:PolicyARN iam:PermissionsBoundary
ChangePassword	Grants permission for an IAM user to to change their own password	Write	user*
CreateAccessKey	Grants permission to create access key and secret access key for the specified IAM user	Write	user*
CreateAccountAlias	Grants permission to create an alias for your AWS account	Write
CreateGroup	Grants permission to create a new group	Write	group*
CreateInstanceProfile	Grants permission to create a new instance profile	Write	instance-profile*
CreateInstanceProfile	Grants permission to create a new instance profile	Write		aws:TagKeys aws:RequestTag/${TagKey}
CreateLoginProfile	Grants permission to create a password for the specified IAM user	Write	user*
CreateOpenIDConnectProvider	Grants permission to create an IAM resource that describes an identity provider (IdP) that supports OpenID Connect (OIDC)	Write	oidc-provider*
CreateOpenIDConnectProvider		Write		aws:TagKeys aws:RequestTag/${TagKey}
CreatePolicy	Grants permission to create a new managed policy	Permissions management	policy*
CreatePolicy	Grants permission to create a new managed policy	Permissions management		aws:TagKeys aws:RequestTag/${TagKey}
CreatePolicyVersion	Grants permission to create a new version of the specified managed policy	Permissions management	policy*
CreateRole	Grants permission to create a new role	Write	role*
CreateRole	Grants permission to create a new role	Write		iam:PermissionsBoundary aws:TagKeys aws:RequestTag/${TagKey}
CreateSAMLProvider	Grants permission to create an IAM resource that describes an identity provider (IdP) that supports SAML 2.0	Write	saml-provider*
CreateSAMLProvider		Write		aws:TagKeys aws:RequestTag/${TagKey}
CreateServiceLinkedRole	Grants permission to create an IAM role that allows an AWS service to perform actions on your behalf	Write	role*
CreateServiceLinkedRole		Write		iam:AWSServiceName
CreateServiceSpecificCredential	Grants permission to create a new service-specific credential for an IAM user	Write	user*
CreateUser	Grants permission to create a new IAM user	Write	user*
CreateUser	Grants permission to create a new IAM user	Write		iam:PermissionsBoundary aws:TagKeys aws:RequestTag/${TagKey}
CreateVirtualMFADevice	Grants permission to create a new virtual MFA device	Write	mfa*
CreateVirtualMFADevice	Grants permission to create a new virtual MFA device	Write		aws:TagKeys aws:RequestTag/${TagKey}
DeactivateMFADevice	Grants permission to deactivate the specified MFA device and remove its association with the IAM user for which it was originally enabled	Write	user*
DeleteAccessKey	Grants permission to delete the access key pair that is associated with the specified IAM user	Write	user*
DeleteAccountAlias	Grants permission to delete the specified AWS account alias	Write
DeleteAccountPasswordPolicy	Grants permission to delete the password policy for the AWS account	Permissions management
DeleteGroup	Grants permission to delete the specified IAM group	Write	group*
DeleteGroupPolicy	Grants permission to delete the specified inline policy from its group	Permissions management	group*
DeleteInstanceProfile	Grants permission to delete the specified instance profile	Write	instance-profile*
DeleteLoginProfile	Grants permission to delete the password for the specified IAM user	Write	user*
DeleteOpenIDConnectProvider	Grants permission to delete an OpenID Connect identity provider (IdP) resource object in IAM	Write	oidc-provider*
DeletePolicy	Grants permission to delete the specified managed policy and remove it from any IAM entities (users, groups, or roles) to which it is attached	Permissions management	policy*
DeletePolicyVersion	Grants permission to delete a version from the specified managed policy	Permissions management	policy*
DeleteRole	Grants permission to delete the specified role	Write	role*
DeleteRolePermissionsBoundary	Grants permission to remove the permissions boundary from a role	Permissions management	role*
DeleteRolePermissionsBoundary		Permissions management		iam:PermissionsBoundary
DeleteRolePolicy	Grants permission to delete the specified inline policy from the specified role	Permissions management	role*
DeleteRolePolicy		Permissions management		iam:PermissionsBoundary
DeleteSAMLProvider	Grants permission to delete a SAML provider resource in IAM	Write	saml-provider*
DeleteSSHPublicKey	Grants permission to delete the specified SSH public key	Write	user*
DeleteServerCertificate	Grants permission to delete the specified server certificate	Write	server-certificate*
DeleteServiceLinkedRole	Grants permission to delete an IAM role that is linked to a specific AWS service, if the service is no longer using it	Write	role*
DeleteServiceSpecificCredential	Grants permission to delete the specified service-specific credential for an IAM user	Write	user*
DeleteSigningCertificate	Grants permission to delete a signing certificate that is associated with the specified IAM user	Write	user*
DeleteUser	Grants permission to delete the specified IAM user	Write	user*
DeleteUserPermissionsBoundary	Grants permission to remove the permissions boundary from the specified IAM user	Permissions management	user*
DeleteUserPermissionsBoundary		Permissions management		iam:PermissionsBoundary
DeleteUserPolicy	Grants permission to delete the specified inline policy from an IAM user	Permissions management	user*
DeleteUserPolicy		Permissions management		iam:PermissionsBoundary
DeleteVirtualMFADevice	Grants permission to delete a virtual MFA device	Write	mfa
DeleteVirtualMFADevice	Grants permission to delete a virtual MFA device	Write	sms-mfa
DetachGroupPolicy	Grants permission to detach a managed policy from the specified IAM group	Permissions management	group*
DetachGroupPolicy		Permissions management		iam:PolicyARN
DetachRolePolicy	Grants permission to detach a managed policy from the specified role	Permissions management	role*
DetachRolePolicy		Permissions management		iam:PolicyARN iam:PermissionsBoundary
DetachUserPolicy	Grants permission to detach a managed policy from the specified IAM user	Permissions management	user*
DetachUserPolicy		Permissions management		iam:PolicyARN iam:PermissionsBoundary
EnableMFADevice	Grants permission to enable an MFA device and associate it with the specified IAM user	Write	user*
GenerateCredentialReport	Grants permission to generate a credential report for the AWS account	Read
GenerateOrganizationsAccessReport	Grants permission to generate an access report for an AWS Organizations entity	Read	access-report*		organizations:DescribePolicy organizations:ListChildren organizations:ListParents organizations:ListPoliciesForTarget organizations:ListRoots organizations:ListTargetsForPolicy
GenerateOrganizationsAccessReport		Read		iam:OrganizationsPolicyId
GenerateServiceLastAccessedDetails	Grants permission to generate a service last accessed data report for an IAM resource	Read	group*
			policy*
			role*
			user*
GetAccessKeyLastUsed	Grants permission to retrieve information about when the specified access key was last used	Read	user*
GetAccountAuthorizationDetails	Grants permission to retrieve information about all IAM users, groups, roles, and policies in your AWS account, including their relationships to one another	Read
GetAccountPasswordPolicy	Grants permission to retrieve the password policy for the AWS account	Read
GetAccountSummary	Grants permission to retrieve information about IAM entity usage and IAM quotas in the AWS account	List
GetContextKeysForCustomPolicy	Grants permission to retrieve a list of all of the context keys that are referenced in the specified policy	Read
GetContextKeysForPrincipalPolicy	Grants permission to retrieve a list of all context keys that are referenced in all IAM policies that are attached to the specified IAM identity (user, group, or role)	Read	group
			role
			user
GetCredentialReport	Grants permission to retrieve a credential report for the AWS account	Read
GetGroup	Grants permission to retrieve a list of IAM users in the specified IAM group	Read	group*
GetGroupPolicy	Grants permission to retrieve an inline policy document that is embedded in the specified IAM group	Read	group*
GetInstanceProfile	Grants permission to retrieve information about the specified instance profile, including the instance profile's path, GUID, ARN, and role	Read	instance-profile*
GetLoginProfile	Grants permission to retrieve the user name and password creation date for the specified IAM user	List	user*
GetOpenIDConnectProvider	Grants permission to retrieve information about the specified OpenID Connect (OIDC) provider resource in IAM	Read	oidc-provider*
GetOrganizationsAccessReport	Grants permission to retrieve an AWS Organizations access report	Read
GetPolicy	Grants permission to retrieve information about the specified managed policy, including the policy's default version and the total number of identities to which the policy is attached	Read	policy*
GetPolicyVersion	Grants permission to retrieve information about a version of the specified managed policy, including the policy document	Read	policy*
GetRole	Grants permission to retrieve information about the specified role, including the role's path, GUID, ARN, and the role's trust policy	Read	role*
GetRolePolicy	Grants permission to retrieve an inline policy document that is embedded with the specified IAM role	Read	role*
GetSAMLProvider	Grants permission to retrieve the SAML provider metadocument that was uploaded when the IAM SAML provider resource was created or updated	Read	saml-provider*
GetSSHPublicKey	Grants permission to retrieve the specified SSH public key, including metadata about the key	Read	user*
GetServerCertificate	Grants permission to retrieve information about the specified server certificate stored in IAM	Read	server-certificate*
GetServiceLastAccessedDetails	Grants permission to retrieve information about the service last accessed data report	Read
GetServiceLastAccessedDetailsWithEntities	Grants permission to retrieve information about the entities from the service last accessed data report	Read
GetServiceLinkedRoleDeletionStatus	Grants permission to retrieve an IAM service-linked role deletion status	Read	role*
GetUser	Grants permission to retrieve information about the specified IAM user, including the user's creation date, path, unique ID, and ARN	Read	user*
GetUserPolicy	Grants permission to retrieve an inline policy document that is embedded in the specified IAM user	Read	user*
ListAccessKeys	Grants permission to list information about the access key IDs that are associated with the specified IAM user	List	user*
ListAccountAliases	Grants permission to list the account alias that is associated with the AWS account	List
ListAttachedGroupPolicies	Grants permission to list all managed policies that are attached to the specified IAM group	List	group*
ListAttachedRolePolicies	Grants permission to list all managed policies that are attached to the specified IAM role	List	role*
ListAttachedUserPolicies	Grants permission to list all managed policies that are attached to the specified IAM user	List	user*
ListEntitiesForPolicy	Grants permission to list all IAM identities to which the specified managed policy is attached	List	policy*
ListGroupPolicies	Grants permission to list the names of the inline policies that are embedded in the specified IAM group	List	group*
ListGroups	Grants permission to list the IAM groups that have the specified path prefix	List
ListGroupsForUser	Grants permission to list the IAM groups that the specified IAM user belongs to	List	user*
ListInstanceProfileTags	Grants permission to list the tags that are attached to the specified instance profile	List	instance-profile*
ListInstanceProfiles	Grants permission to list the instance profiles that have the specified path prefix	List	instance-profile*
ListInstanceProfilesForRole	Grants permission to list the instance profiles that have the specified associated IAM role	List	role*
ListMFADeviceTags	Grants permission to list the tags that are attached to the specified virtual mfa device	List	mfa*
ListMFADevices	Grants permission to list the MFA devices for an IAM user	List	user
ListOpenIDConnectProviderTags	Grants permission to list the tags that are attached to the specified OpenID Connect provider	List	oidc-provider*
ListOpenIDConnectProviders	Grants permission to list information about the IAM OpenID Connect (OIDC) provider resource objects that are defined in the AWS account	List
ListPolicies	Grants permission to list all managed policies	List
ListPoliciesGrantingServiceAccess	Grants permission to list information about the policies that grant an entity access to a specific service	List	group*
			role*
			user*
ListPolicyTags	Grants permission to list the tags that are attached to the specified managed policy	List	policy*
ListPolicyVersions	Grants permission to list information about the versions of the specified managed policy, including the version that is currently set as the policy's default version	List	policy*
ListRolePolicies	Grants permission to list the names of the inline policies that are embedded in the specified IAM role	List	role*
ListRoleTags	Grants permission to list the tags that are attached to the specified IAM role	List	role*
ListRoles	Grants permission to list the IAM roles that have the specified path prefix	List
ListSAMLProviderTags	Grants permission to list the tags that are attached to the specified SAML provider	List	saml-provider*
ListSAMLProviders	Grants permission to list the SAML provider resources in IAM	List
ListSSHPublicKeys	Grants permission to list information about the SSH public keys that are associated with the specified IAM user	List	user*
ListServerCertificateTags	Grants permission to list the tags that are attached to the specified server certificate	List	server-certificate*
ListServerCertificates	Grants permission to list the server certificates that have the specified path prefix	List
ListServiceSpecificCredentials	Grants permission to list the service-specific credentials that are associated with the specified IAM user	List	user*
ListSigningCertificates	Grants permission to list information about the signing certificates that are associated with the specified IAM user	List	user*
ListUserPolicies	Grants permission to list the names of the inline policies that are embedded in the specified IAM user	List	user*
ListUserTags	Grants permission to list the tags that are attached to the specified IAM user	List	user*
ListUsers	Grants permission to list the IAM users that have the specified path prefix	List
ListVirtualMFADevices	Grants permission to list virtual MFA devices by assignment status	List
PassRole [permission only]	Grants permission to pass a role to a service	Write	role*
PassRole [permission only]	Grants permission to pass a role to a service	Write		iam:AssociatedResourceArn iam:PassedToService
PutGroupPolicy	Grants permission to create or update an inline policy document that is embedded in the specified IAM group	Permissions management	group*
PutRolePermissionsBoundary	Grants permission to set a managed policy as a permissions boundary for a role	Permissions management	role*
PutRolePermissionsBoundary		Permissions management		iam:PermissionsBoundary
PutRolePolicy	Grants permission to create or update an inline policy document that is embedded in the specified IAM role	Permissions management	role*
PutRolePolicy		Permissions management		iam:PermissionsBoundary
PutUserPermissionsBoundary	Grants permission to set a managed policy as a permissions boundary for an IAM user	Permissions management	user*
PutUserPermissionsBoundary		Permissions management		iam:PermissionsBoundary
PutUserPolicy	Grants permission to create or update an inline policy document that is embedded in the specified IAM user	Permissions management	user*
PutUserPolicy		Permissions management		iam:PermissionsBoundary
RemoveClientIDFromOpenIDConnectProvider	Grants permission to remove the client ID (audience) from the list of client IDs in the specified IAM OpenID Connect (OIDC) provider resource	Write	oidc-provider*
RemoveRoleFromInstanceProfile	Grants permission to remove an IAM role from the specified EC2 instance profile	Write	instance-profile*
RemoveUserFromGroup	Grants permission to remove an IAM user from the specified group	Write	group*
ResetServiceSpecificCredential	Grants permission to reset the password for an existing service-specific credential for an IAM user	Write	user*
ResyncMFADevice	Grants permission to synchronize the specified MFA device with its IAM entity (user or role)	Write	user*
SetDefaultPolicyVersion	Grants permission to set the version of the specified policy as the policy's default version	Permissions management	policy*
SetSecurityTokenServicePreferences	Grants permission to set the STS global endpoint token version	Write
SimulateCustomPolicy	Grants permission to simulate whether an identity-based policy or resource-based policy provides permissions for specific API operations and resources	Read
SimulatePrincipalPolicy	Grants permission to simulate whether an identity-based policy that is attached to a specified IAM entity (user or role) provides permissions for specific API operations and resources	Read	group
			role
			user
TagInstanceProfile	Grants permission to add tags to an instance profile	Tagging	instance-profile*
TagInstanceProfile	Grants permission to add tags to an instance profile	Tagging		aws:TagKeys aws:RequestTag/${TagKey}
TagMFADevice	Grants permission to add tags to a virtual mfa device	Tagging	mfa*
TagMFADevice	Grants permission to add tags to a virtual mfa device	Tagging		aws:TagKeys aws:RequestTag/${TagKey}
TagOpenIDConnectProvider	Grants permission to add tags to an OpenID Connect provider	Tagging	oidc-provider*
TagOpenIDConnectProvider	Grants permission to add tags to an OpenID Connect provider	Tagging		aws:TagKeys aws:RequestTag/${TagKey}
TagPolicy	Grants permission to add tags to a managed policy	Tagging	policy*
TagPolicy	Grants permission to add tags to a managed policy	Tagging		aws:TagKeys aws:RequestTag/${TagKey}
TagRole	Grants permission to add tags to an IAM role	Tagging	role*
TagRole	Grants permission to add tags to an IAM role	Tagging		aws:TagKeys aws:RequestTag/${TagKey}
TagSAMLProvider	Grants permission to add tags to a SAML Provider	Tagging	saml-provider*
TagSAMLProvider	Grants permission to add tags to a SAML Provider	Tagging		aws:TagKeys aws:RequestTag/${TagKey}
TagServerCertificate	Grants permission to add tags to a server certificate	Tagging	server-certificate*
TagServerCertificate	Grants permission to add tags to a server certificate	Tagging		aws:TagKeys aws:RequestTag/${TagKey}
TagUser	Grants permission to add tags to an IAM user	Tagging	user*
TagUser	Grants permission to add tags to an IAM user	Tagging		aws:TagKeys aws:RequestTag/${TagKey}
UntagInstanceProfile	Grants permission to remove the specified tags from the instance profile	Tagging	instance-profile*
UntagInstanceProfile		Tagging		aws:TagKeys
UntagMFADevice	Grants permission to remove the specified tags from the virtual mfa device	Tagging	mfa*
UntagMFADevice		Tagging		aws:TagKeys
UntagOpenIDConnectProvider	Grants permission to remove the specified tags from the OpenID Connect provider	Tagging	oidc-provider*
UntagOpenIDConnectProvider		Tagging		aws:TagKeys
UntagPolicy	Grants permission to remove the specified tags from the managed policy	Tagging	policy*
UntagPolicy		Tagging		aws:TagKeys
UntagRole	Grants permission to remove the specified tags from the role	Tagging	role*
UntagRole		Tagging		aws:TagKeys
UntagSAMLProvider	Grants permission to remove the specified tags from the SAML Provider	Tagging	saml-provider*
UntagSAMLProvider		Tagging		aws:TagKeys
UntagServerCertificate	Grants permission to remove the specified tags from the server certificate	Tagging	server-certificate*
UntagServerCertificate		Tagging		aws:TagKeys
UntagUser	Grants permission to remove the specified tags from the user	Tagging	user*
UntagUser		Tagging		aws:TagKeys
UpdateAccessKey	Grants permission to update the status of the specified access key as Active or Inactive	Write	user*
UpdateAccountPasswordPolicy	Grants permission to update the password policy settings for the AWS account	Write
UpdateAssumeRolePolicy	Grants permission to update the policy that grants an IAM entity permission to assume a role	Permissions management	role*
UpdateGroup	Grants permission to update the name or path of the specified IAM group	Write	group*
UpdateLoginProfile	Grants permission to change the password for the specified IAM user	Write	user*
UpdateOpenIDConnectProviderThumbprint	Grants permission to update the entire list of server certificate thumbprints that are associated with an OpenID Connect (OIDC) provider resource	Write	oidc-provider*
UpdateRole	Grants permission to update the description or maximum session duration setting of a role	Write	role*
UpdateRoleDescription	Grants permission to update only the description of a role	Write	role*
UpdateSAMLProvider	Grants permission to update the metadata document for an existing SAML provider resource	Write	saml-provider*
UpdateSSHPublicKey	Grants permission to update the status of an IAM user's SSH public key to active or inactive	Write	user*
UpdateServerCertificate	Grants permission to update the name or the path of the specified server certificate stored in IAM	Write	server-certificate*
UpdateServiceSpecificCredential	Grants permission to update the status of a service-specific credential to active or inactive for an IAM user	Write	user*
UpdateSigningCertificate	Grants permission to update the status of the specified user signing certificate to active or disabled	Write	user*
UpdateUser	Grants permission to update the name or the path of the specified IAM user	Write	user*
UploadSSHPublicKey	Grants permission to upload an SSH public key and associate it with the specified IAM user	Write	user*
UploadServerCertificate	Grants permission to upload a server certificate entity for the AWS account	Write	server-certificate*
UploadServerCertificate		Write		aws:TagKeys aws:RequestTag/${TagKey}
UploadSigningCertificate	Grants permission to upload an X.509 signing certificate and associate it with the specified IAM user	Write	user*

Resource types defined by Identity And Access Management

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see Resource types table.

Resource types	ARN	Condition keys
access-report	`arn:${Partition}:iam::${Account}:access-report/${EntityPath}`
assumed-role	`arn:${Partition}:iam::${Account}:assumed-role/${RoleName}/${RoleSessionName}`
federated-user	`arn:${Partition}:iam::${Account}:federated-user/${UserName}`
group	`arn:${Partition}:iam::${Account}:group/${GroupNameWithPath}`
instance-profile	`arn:${Partition}:iam::${Account}:instance-profile/${InstanceProfileNameWithPath}`	aws:ResourceTag/${TagKey}
mfa	`arn:${Partition}:iam::${Account}:mfa/${MfaTokenIdWithPath}`	aws:ResourceTag/${TagKey}
oidc-provider	`arn:${Partition}:iam::${Account}:oidc-provider/${OidcProviderName}`	aws:ResourceTag/${TagKey}
policy	`arn:${Partition}:iam::${Account}:policy/${PolicyNameWithPath}`	aws:ResourceTag/${TagKey}
role	`arn:${Partition}:iam::${Account}:role/${RoleNameWithPath}`	aws:ResourceTag/${TagKey} iam:ResourceTag/${TagKey}
saml-provider	`arn:${Partition}:iam::${Account}:saml-provider/${SamlProviderName}`	aws:ResourceTag/${TagKey}
server-certificate	`arn:${Partition}:iam::${Account}:server-certificate/${CertificateNameWithPath}`	aws:ResourceTag/${TagKey}
sms-mfa	`arn:${Partition}:iam::${Account}:sms-mfa/${MfaTokenIdWithPath}`
user	`arn:${Partition}:iam::${Account}:user/${UserNameWithPath}`	aws:ResourceTag/${TagKey} iam:ResourceTag/${TagKey}

Condition keys for Identity And Access Management

Identity And Access Management defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys	Description	Type
aws:RequestTag/${TagKey}	Filters access based on the tags that are passed in the request	String
aws:ResourceTag/${TagKey}	Filters access based on the tags associated with the resource	String
aws:TagKeys	Filters access based on the tag keys that are passed in the request	ArrayOfString
iam:AWSServiceName	Filters access by the AWS service to which this role is attached	String
iam:AssociatedResourceArn	Filters by the resource that the role will be used on behalf of	ARN
iam:OrganizationsPolicyId	Filters access by the ID of an AWS Organizations policy	String
iam:PassedToService	Filters access by the AWS service to which this role is passed	String
iam:PermissionsBoundary	Filters access if the specified policy is set as the permissions boundary on the IAM entity (user or role)	String
iam:PolicyARN	Filters access by the ARN of an IAM policy	ARN
iam:ResourceTag/${TagKey}	Filters access by the tags attached to an IAM entity (user or role)	String

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

AWS IAM Identity Center (successor to AWS Single Sign-On) directory

AWS Identity and Access Management Roles Anywhere