Actions, resources, and condition keys for Amazon Q
Amazon Q (service prefix: q) provides the following
service-specific operations, resources, actions, and condition keys for use in IAM permission
policies.
References:
-
Learn how to configure this service.
-
View a list of the API operations available for this service.
-
Learn how to secure this service and its resources by using IAM permission policies.
-
View the programmatic service authorization reference
for this service.
Topics
Actions defined by Amazon Q
Amazon Q has no API operations that can be used in the
Actions element of an IAM policy statement.
Permission-only actions for Amazon Q
The following actions are defined by Amazon Q but are not directly invocable through any API operation. They can only be used in IAM policy statements to grant or deny permissions.
| Actions | Description | Resource types (*required) | Condition keys | Access level |
|---|---|---|---|---|
Grants permission to associate an AWS resource with an Amazon Q connector |
Write |
|||
Grants permission to associate a login domain with an Amazon Q Developer Profile |
Write |
|||
Grants permission to describe multiple groups for an Amazon Q Developer Profile |
Read |
|||
Grants permission to describe multiple users for an Amazon Q Developer Profile |
Read |
|||
Grants permission to get multiple groups for an Amazon Q Developer Profile |
Read |
|||
Grants permission to get multiple users for an Amazon Q Developer Profile |
Read |
|||
Grants permission to create an artifact with Amazon Q |
Write |
|||
Grants permission to create a user or group assignment for an Amazon Q Developer Profile |
Write |
|||
Grants permission to create OAuth user in Amazon Q |
Write |
|||
Grants permission to register an OAuth application in Amazon Q |
Write |
|||
Grants permission to create and configure a third party plugin in Amazon Q |
Write |
|||
Grants permission to create a SCIM access token for an Amazon Q Developer Profile |
Write |
|||
Grants permission to delete a user or group assignment for an Amazon Q Developer Profile |
Write |
|||
Grants permission to delete a conversation with Amazon Q |
Write |
|||
Grants permission to delete an OAuth application in Amazon Q |
Write |
|||
Grants permission to delete a configured plugin in Amazon Q |
Write |
|||
Grants permission to delete a SCIM access token for an Amazon Q Developer Profile |
Write |
|||
Grants permission to disassociate a login domain from an Amazon Q Developer Profile |
Write |
|||
Grants permission to generate code from CLI commands in Amazon Q |
Read |
|||
Grants permission to generate code recommendations in Amazon Q |
Read |
|||
Grants permission to view an Amazon Q artifact |
Read |
|||
Grants permission to view results of an action in an Amazon Q artifact |
Read |
|||
Grants permission to view information about a specific Amazon Q connector |
Read |
|||
Grants permission to get individual messages associated with a specific conversation with Amazon Q |
Read |
|||
Grants permission to Amazon Q to get the identity metadata |
Read |
|||
Grants permission to view information about a specific configured Amazon Q plugin |
Read |
|||
Grants permission to get troubleshooting results with Amazon Q |
Read |
|||
Grants permission to list individual conversations associated with a specific Amazon Q user |
Read |
|||
Grants permission to read metrics to populate Amazon Q dashboard |
List |
|||
Grants permission to list groups for an Amazon Q Developer Profile |
List |
|||
Grants permission to list login domains for an Amazon Q Developer Profile |
List |
|||
Grants permission to list available plugins in Amazon Q |
List |
|||
Grants permission to list configured plugins in Amazon Q |
List |
|||
Grants permission to list SCIM access tokens for an Amazon Q Developer Profile |
List |
|||
Grants permission to list all tags associated with an Amazon Q resource |
List |
|||
Grants permission to list users for an Amazon Q Developer Profile |
List |
|||
Grants permission to allow Amazon Q to perform actions on your behalf |
Write |
|||
Grants permission to perform an action in an Amazon Q artifact |
Write |
|||
Grants permission to reject a connection request for an Amazon Q connector |
Write |
|||
Grants permission to trigger asynchronous Amazon Q actions |
Write |
|||
Grants permission to send a message to Amazon Q |
Write |
|||
Grants permission to start a conversation with Amazon Q |
Write |
|||
Grants permission to start a troubleshooting analysis with Amazon Q |
Write |
|||
Grants permission to start a troubleshooting resolution explanation with Amazon Q |
Write |
|||
Grants permission to associate tags with an Amazon Q resource |
Tagging, Write |
|||
Grants permission to remove tags associated with an Amazon Q resource |
Tagging, Write |
|||
Grants permission to update a user or group assignment for an Amazon Q Developer Profile |
Write |
|||
Grants permission to update OAuth user in Amazon Q |
Write |
|||
Grants permission to update a conversation with Amazon Q |
Write |
|||
Grants permission to update an OAuth application in Amazon Q |
Write |
|||
Grants permission to update a third party plugin in Amazon Q |
Write |
|||
Grants permission to update a troubleshooting command result with Amazon Q |
Write |
|||
Grants permission to use Amazon Q plugins |
Write |
|||
Grants permission to verify an OAuth application in Amazon Q |
Write |
Resource types defined by Amazon Q
The following resource types are defined by this service and can be used in the
Resource element of IAM permission policy statements.
| Resource types | ARN | Condition keys |
|---|---|---|
arn:${Partition}:qdeveloper:${Region}:${Account}:plugin/${Identifier} |
||
arn:${Partition}:codewhisperer:${Region}:${Account}:profile/${Identifier} |
Condition keys for Amazon Q
Amazon Q defines the following condition keys that can be used in the
Condition element of an IAM policy.
| Condition keys | Description | Type |
|---|---|---|
Filters access by the tags that are passed in the request |
String |
|
Filters access by the tags associated with the Amazon Q resource |
String |
|
Filters access by the tag keys that are passed in the request |
ArrayOfString |
|
Filters access by IAM Identity Center Group ID |
ArrayOfString |
|
Filters access by IAM Identity Center User ID |
ArrayOfString |