Actions, resources, and condition keys for AWS Data Exchange
AWS Data Exchange (service prefix: dataexchange) provides the following
service-specific operations, resources, actions, and condition keys for use in IAM permission
policies.
References:
-
Learn how to configure this service.
-
View a list of the API operations available for this service.
-
Learn how to secure this service and its resources by using IAM permission policies.
-
View the programmatic service authorization reference
for this service.
Topics
API operations defined by AWS Data Exchange
The following table maps API operations to the IAM actions they authorize. Only condition keys that have static values for the given API and action are listed; for the full set of condition keys supported by each action, see the Actions table.
| Operation | IAM action | Condition key | Possible value(s) | Access level |
|---|---|---|---|---|
|
AcceptDataGrant |
Write |
|||
|
CancelJob |
Write |
|||
|
CreateDataGrant |
Write |
|||
Write |
||||
Write |
||||
Write |
||||
Write |
||||
Tagging, Write |
||||
|
CreateDataSet |
Write |
|||
Tagging, Write |
||||
|
CreateEventAction |
Write |
|||
Tagging, Write |
||||
|
CreateJob |
Write |
|||
iam:PassedToService |
dataexchange.amazonaws.com |
Write |
||
|
CreateRevision |
Write |
|||
Tagging, Write |
||||
|
DeleteAsset |
Write |
|||
|
DeleteDataGrant |
Write |
|||
|
DeleteDataSet |
Write |
|||
|
DeleteEventAction |
Write |
|||
|
DeleteRevision |
Write |
|||
|
GetAsset |
Read |
|||
|
GetDataGrant |
Read |
|||
Read |
||||
|
GetDataSet |
Read |
|||
|
GetEventAction |
Read |
|||
|
GetJob |
Read |
|||
|
GetReceivedDataGrant |
Read |
|||
Read |
||||
|
GetRevision |
Read |
|||
|
ListDataGrants |
List |
|||
List |
||||
|
ListDataSetRevisions |
List |
|||
|
ListDataSets |
List |
|||
|
ListEventActions |
List |
|||
|
ListJobs |
List |
|||
|
ListReceivedDataGrants |
List |
|||
List |
||||
|
ListRevisionAssets |
List |
|||
|
ListTagsForResource |
List |
|||
|
RevokeRevision |
Write |
|||
|
SendApiAsset |
Write |
|||
|
SendDataSetNotification |
Write |
|||
|
StartJob |
Write |
|||
Write |
||||
Tagging, Write |
||||
|
TagResource |
Tagging, Write |
|||
|
UntagResource |
Tagging, Write |
|||
|
UpdateAsset |
Write |
|||
|
UpdateDataSet |
Write |
|||
|
UpdateEventAction |
Write |
|||
|
UpdateRevision |
Write |
|||
Write |
||||
Write |
Actions defined by AWS Data Exchange
You can specify the following actions in the Action element of an IAM
policy statement. Use policies to grant permissions to perform an operation in AWS. When
you use an action in a policy, you usually allow or deny access to the API operation or CLI
command with the same name. However, in some cases, a single action controls access to more
than one operation. Alternatively, some operations require several different actions.
| Actions | Description | Resource types (*required) | Condition keys | Access level |
|---|---|---|---|---|
Grants permission to accept a data grant |
Write |
|||
Grants permission to cancel a job |
Write |
|||
Grants permission to create a data grant |
Write |
|||
Grants permission to create a data set |
Write |
|||
Grants permission to create an event action |
Write |
|||
Grants permission to create a job to import or export assets |
Write |
|||
Grants permission to create a revision |
Write |
|||
Grants permission to delete an asset |
Write |
|||
Grants permission to delete a data grant |
Write |
|||
Grants permission to delete a data set |
Write |
|||
Grants permission to delete an event action |
Write |
|||
Grants permission to delete a revision |
Write |
|||
Grants permission to get information about an asset and to export it (for example, in a Job) |
Read |
|||
Grants permission to get a data grant |
Read |
|||
Grants permission to get information about a data set |
Read |
|||
Grants permission to get an event action |
Read |
|||
Grants permission to get information about a job |
Read |
|||
Grants permission to get a received data grant |
Read |
|||
Grants permission to get information about a revision |
Read |
|||
Grants permission to list data grants for the account |
List |
|||
Grants permission to list the revisions of a data set |
List |
|||
Grants permission to list data sets for the account |
List |
|||
Grants permission to list event actions for the account |
List |
|||
Grants permission to list jobs for the account |
List |
|||
Grants permission to list received data grants for the account |
List |
|||
Grants permission to get list the assets of a revision |
List |
|||
Grants permission to list the tags that you associated with the specified resource |
List |
|||
Grants permission to revoke subscriber access to a revision |
Write |
|||
Grants permission to send a request to an API asset |
Write |
|||
Grants permission to send a notification to subscribers of a data set |
Write |
|||
Grants permission to start a job |
Write |
|||
Grants permission to add one or more tags to a specified resource |
Tagging, Write |
|||
Grants permission to remove one or more tags from a specified resource |
Tagging, Write |
|||
Grants permission to get update information about an asset |
Write |
|||
Grants permission to update information about a data set |
Write |
|||
Grants permission to update information for an event action |
Write |
|||
Grants permission to update information about a revision |
Write |
Permission-only actions for AWS Data Exchange
The following actions are defined by AWS Data Exchange but are not directly invocable through any API operation. They can only be used in IAM policy statements to grant or deny permissions.
| Actions | Description | Resource types (*required) | Condition keys | Access level |
|---|---|---|---|---|
Grants permission to create an asset (for example, in a Job) |
Write |
|||
Grants permission to publish a data set to a product |
Write |
|||
Grants permission to publish a data set to a data grant |
Write |
Resource types defined by AWS Data Exchange
The following resource types are defined by this service and can be used in the
Resource element of IAM permission policy statements.
| Resource types | ARN | Condition keys |
|---|---|---|
arn:${Partition}:dataexchange:${Region}:${Account}:data-sets/${DataSetId}/revisions/${RevisionId}/assets/${AssetId} |
||
arn:${Partition}:dataexchange:${Region}:${Account}:data-grants/${DataGrantId} |
||
arn:${Partition}:dataexchange:${Region}:${Account}:data-sets/${DataSetId} |
||
arn:${Partition}:dataexchange:${Region}::data-sets/${DataSetId}/revisions/${RevisionId}/assets/${AssetId} |
||
arn:${Partition}:dataexchange:${Region}::data-sets/${DataSetId} |
||
arn:${Partition}:dataexchange:${Region}::data-sets/${DataSetId}/revisions/${RevisionId} |
||
arn:${Partition}:dataexchange:${Region}:${Account}:event-actions/${EventActionId} |
||
arn:${Partition}:dataexchange:${Region}:${Account}:jobs/${JobId} |
||
arn:${Partition}:dataexchange:${Region}:${Account}:data-sets/${DataSetId}/revisions/${RevisionId} |
Condition keys for AWS Data Exchange
AWS Data Exchange defines the following condition keys that can be used in the
Condition element of an IAM policy.
| Condition keys | Description | Type |
|---|---|---|
Filters access by the allowed set of values for each of the mandatory tags in the create request |
String |
|
Filters access by the tag value associated with the resource |
String |
|
Filters access by the presence of mandatory tags in the create request |
ArrayOfString |
|
Filters access by the specified job type |
String |