How Amazon Timestream works with IAM - Amazon Timestream

How Amazon Timestream works with IAM

Before you use IAM to manage access to Timestream, you should understand what IAM features are available to use with Timestream. To get a high-level view of how Timestream and other AWS services work with IAM, see AWS Services That Work with IAM in the IAM User Guide.

Timestream identity-based policies

With IAM identity-based policies, you can specify allowed or denied actions and resources as well as the conditions under which actions are allowed or denied. Timestream supports specific actions and resources, and condition keys. To learn about all of the elements that you use in a JSON policy, see IAM JSON Policy Elements Reference in the IAM User Guide.


Administrators can use AWS JSON policies to specify who has access to what. That is, which principal can perform actions on what resources, and under what conditions.

The Action element of a JSON policy describes the actions that you can use to allow or deny access in a policy. Policy actions usually have the same name as the associated AWS API operation. There are some exceptions, such as permission-only actions that don't have a matching API operation. There are also some operations that require multiple actions in a policy. These additional actions are called dependent actions.

Include actions in a policy to grant permissions to perform the associated operation.

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation, CLI command or SQL command with the same name.

In some cases, a single action controls access to an API operation as well as SQL command. Alternatively, some operations require several different actions.

For a list of supported Timestream Action's, see the table below:


For all database-specific Actions, you can specify a database ARN to limit the action to a particular database.

Actions Description Access level Resource types (*required)


Returns the Timestream endpoint that subsequent requests must be made to.




Run queries on Timestream that select data from one or more tables. See this note for a detailed explanation




Cancel a query.




Get the list of tables.




Get the list of databases.




Get the list of measures.




Get the table description.




Get the database description.




Run queries that do not require a particular resource to be specified. See this note for a detailed explanation.




Insert data into Timestream.




Create a table.




Create a database.




Delete a database.




Update a database.




Delete a table.




Update a table.



SelectValues vs. select:

SelectValues is an Action that is used for queries that do not require a resource. An example of a query that does not require a resource is as follows:


Notice that this query does not refer to a particular Timestream resource. Consider another example:

SELECT now()

This query returns the current timestamp using the now() function, but does not require a resource to be specified. SelectValues is often used for testing, so that Timestream can run queries without resources. Now, consider a Select query:

SELECT * FROM database.table

This type of query requires a resource, specifcially an Timestream table , so that the specified data can be fetched from the table.


Administrators can use AWS JSON policies to specify who has access to what. That is, which principal can perform actions on what resources, and under what conditions.

The Resource JSON policy element specifies the object or objects to which the action applies. Statements must include either a Resource or a NotResource element. As a best practice, specify a resource using its Amazon Resource Name (ARN). You can do this for actions that support a specific resource type, known as resource-level permissions.

For actions that don't support resource-level permissions, such as listing operations, use a wildcard (*) to indicate that the statement applies to all resources.

"Resource": "*"

In Timestream databases and tables can be used in the Resource element of IAM permissions.

The Timestream database resource has the following ARN:


The Timestream table resource has the following ARN:


For more information about the format of ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces.

For example, to specify the database keyspace in your statement, use the following ARN:

"Resource": "arn:aws:timestream:us-east-1:123456789012:database/mydatabase"

To specify all databases that belong to a specific account, use the wildcard (*):

"Resource": "arn:aws:timestream:us-east-1:123456789012:database/*"

Some Timestream actions, such as those for creating resources, cannot be performed on a specific resource. In those cases, you must use the wildcard (*).

"Resource": "*"

Condition keys

Timestream does not provide any service-specific condition keys, but it does support using some global condition keys. To see all AWS global condition keys, see AWS Global Condition Context Keys in the IAM User Guide.


To view examples of Timestream identity-based policies, see Amazon Timestream identity-based policy examples.

Timestream resource-based policies

Timestream does not support resource-based policies. To view an example of a detailed resource-based policy page, see

Authorization based on Timestream tags

You can manage access to your Timestream resources by using tags. To manage resource access based on tags, you provide tag information in the condition element of a policy using the timestream:ResourceTag/key-name, aws:RequestTag/key-name, or aws:TagKeys condition keys. For more information about tagging Timestream resources, see Adding tags and labels to resources.

To view example identity-based policies for limiting access to a resource based on the tags on that resource, see Timestream resource access based on tags.

Timestream IAM roles

An IAM role is an entity within your AWS account that has specific permissions.

Using temporary credentials with Timestream

You can use temporary credentials to sign in with federation, assume an IAM role, or to assume a cross-account role. You obtain temporary security credentials by calling AWS STS API operations such as AssumeRole or GetFederationToken.

Service-linked roles

Timestream does not support service-linked roles.

Service roles

Timestream does not support service roles.