View a markdown version of this page

Actions, resources, and condition keys for AWS Private CA Connector for SCEP - Service Authorization Reference

Actions, resources, and condition keys for AWS Private CA Connector for SCEP

AWS Private CA Connector for SCEP (service prefix: pca-connector-scep) provides the following service-specific operations, resources, actions, and condition keys for use in IAM permission policies.

References:

API operations defined by AWS Private CA Connector for SCEP

The following table maps API operations to the IAM actions they authorize. Only condition keys that have static values for the given API and action are listed; for the full set of condition keys supported by each action, see the Actions table.

Operation IAM action Condition key Possible value(s) Access level

CreateChallenge

pca-connector-scep:CreateChallenge

Write

pca-connector-scep:TagResource

Tagging, Write

CreateConnector

pca-connector-scep:CreateConnector

Write

pca-connector-scep:TagResource

Tagging, Write

DeleteChallenge

pca-connector-scep:DeleteChallenge

Write

DeleteConnector

pca-connector-scep:DeleteConnector

Write

GetChallengeMetadata

pca-connector-scep:GetChallengeMetadata

Read

GetChallengePassword

pca-connector-scep:GetChallengePassword

Read

GetConnector

pca-connector-scep:GetConnector

Read

ListChallengeMetadata

pca-connector-scep:ListChallengeMetadata

List

ListConnectors

pca-connector-scep:ListConnectors

List

ListTagsForResource

pca-connector-scep:ListTagsForResource

Read

TagResource

pca-connector-scep:TagResource

Tagging, Write

UntagResource

pca-connector-scep:UntagResource

Tagging, Write

Actions defined by AWS Private CA Connector for SCEP

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

Actions Description Resource types (*required) Condition keys Access level

CreateChallenge

Grants permission to create a Challenge for a Connector

Connector*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

CreateConnector

Grants permission to create a SCEP Connector in your account

aws:RequestTag/${TagKey}

aws:TagKeys

Write

DeleteChallenge

Grants permission to delete a Challenge for a Connector

Challenge*

aws:ResourceTag/${TagKey}

Write

DeleteConnector

Grants permission to delete a SCEP Connector in your account

Connector*

aws:ResourceTag/${TagKey}

Write

GetChallengeMetadata

Grants permission to get a Challenge for a Connector

Challenge*

aws:ResourceTag/${TagKey}

Read

GetChallengePassword

Grants permission to get a Challenge password for a Connector

Challenge*

aws:ResourceTag/${TagKey}

Read

GetConnector

Grants permission to get a SCEP Connector in your account

Connector*

aws:ResourceTag/${TagKey}

Read

ListChallengeMetadata

Grants permission to list Challenges for a Connector

List

ListConnectors

Grants permission to list the SCEP Connectors in your account

List

ListTagsForResource

Grants permission to list the tags for a pca-connector-scep resource in your account

Read

TagResource

Grants permission to tag a pca-connector-scep resource in your account

Challenge

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

Connector

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

UntagResource

Grants permission to untag a pca-connector-scep resource in your account

Challenge

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

Connector

aws:ResourceTag/${TagKey}

aws:TagKeys

Resource types defined by AWS Private CA Connector for SCEP

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements.

Resource types ARN Condition keys

Challenge

arn:${Partition}:pca-connector-scep:${Region}:${Account}:connector/${ConnectorId}/challenge/${ChallengeId}

aws:ResourceTag/${TagKey}

Connector

arn:${Partition}:pca-connector-scep:${Region}:${Account}:connector/${ConnectorId}

aws:ResourceTag/${TagKey}

Condition keys for AWS Private CA Connector for SCEP

AWS Private CA Connector for SCEP defines the following condition keys that can be used in the Condition element of an IAM policy.

Condition keys Description Type

aws:RequestTag/${TagKey}

Filters access by the tags that are passed in the request

String

aws:ResourceTag/${TagKey}

Filters access by the tags associated with the resource

String

aws:TagKeys

Filters access by the tag keys that are passed in the request

ArrayOfString