View a markdown version of this page

Actions, resources, and condition keys for Multi-party approval - Service Authorization Reference

Actions, resources, and condition keys for Multi-party approval

Multi-party approval (service prefix: mpa) provides the following service-specific operations, resources, actions, and condition keys for use in IAM permission policies.

References:

API operations defined by Multi-party approval

The following table maps API operations to the IAM actions they authorize. Only condition keys that have static values for the given API and action are listed; for the full set of condition keys supported by each action, see the Actions table.

Operation IAM action Condition key Possible value(s) Access level

CancelSession

mpa:CancelSession

Write

CreateApprovalTeam

mpa:CreateApprovalTeam

Write

mpa:TagResource

Tagging, Write

CreateIdentitySource

mpa:CreateIdentitySource

Write

mpa:TagResource

Tagging, Write

DeleteIdentitySource

mpa:DeleteIdentitySource

Write

DeleteInactiveApprovalTeamVersion

mpa:DeleteInactiveApprovalTeamVersion

Write

GetApprovalTeam

mpa:GetApprovalTeam

Read

GetIdentitySource

mpa:GetIdentitySource

Read

GetPolicyVersion

mpa:GetPolicyVersion

Read

GetResourcePolicy

mpa:GetResourcePolicy

Read

GetSession

mpa:GetSession

Read

ListApprovalTeams

mpa:ListApprovalTeams

List

ListIdentitySources

mpa:ListIdentitySources

List

ListPolicies

mpa:ListPolicies

List

ListPolicyVersions

mpa:ListPolicyVersions

List

ListResourcePolicies

mpa:ListResourcePolicies

List

ListSessions

mpa:ListSessions

List

ListTagsForResource

mpa:ListTagsForResource

List

StartActiveApprovalTeamDeletion

mpa:StartActiveApprovalTeamDeletion

Write

StartApprovalTeamBaseline

mpa:StartApprovalTeamBaseline

Write

TagResource

mpa:TagResource

Tagging, Write

UntagResource

mpa:UntagResource

Tagging, Write

UpdateApprovalTeam

mpa:UpdateApprovalTeam

Write

Actions defined by Multi-party approval

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

Actions Description Resource types (*required) Condition keys Access level

CancelSession

Grants permission to cancel an approval session

session*

aws:ResourceTag/${TagKey}

mpa:ProtectedResourceAccount

mpa:RequestedOperation

Write

CreateApprovalTeam

Grants permission to create an approval team

approval-team*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

CreateIdentitySource

Grants permission to create an identity source

identity-source*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

DeleteIdentitySource

Grants permission to delete an identity source

identity-source*

aws:ResourceTag/${TagKey}

Write

DeleteInactiveApprovalTeamVersion

Grants permission to delete an inactive approval team

approval-team*

aws:ResourceTag/${TagKey}

Write

GetApprovalTeam

Grants permission to retrieve details for an approval team

approval-team*

aws:ResourceTag/${TagKey}

Read

GetIdentitySource

Grants permission to retrieve details for an identity source

identity-source*

aws:ResourceTag/${TagKey}

Read

GetPolicyVersion

Grants permission to retrieve details for a policy

Read

GetResourcePolicy

Grants permission to retrieve details for a specific resource

Read

GetSession

Grants permission to retrieve details for an approval session

session*

aws:ResourceTag/${TagKey}

mpa:ProtectedResourceAccount

mpa:RequestedOperation

Read

ListApprovalTeams

Grants permission to list approval teams

List

ListIdentitySources

Grants permission to list identity sources

List

ListPolicies

Grants permission to list policies

List

ListPolicyVersions

Grants permission to list the versions for policies

List

ListResourcePolicies

Grants permission to list policies for a resource

List

ListSessions

Grants permission to list approval sessions

List

ListTagsForResource

Grants permission to list tags for a resource

List

StartActiveApprovalTeamDeletion

Grants permission to start the deletion process for an active approval team

approval-team*

aws:ResourceTag/${TagKey}

Write

StartApprovalTeamBaseline

Grants permission to start a baseline for an active approval team

approval-team*

aws:ResourceTag/${TagKey}

Write

TagResource

Grants permission to tag a resource

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

UntagResource

Grants permission to untag a resource

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

UpdateApprovalTeam

Grants permission to update approval team

approval-team*

aws:ResourceTag/${TagKey}

Write

Permission-only actions for Multi-party approval

The following actions are defined by Multi-party approval but are not directly invocable through any API operation. They can only be used in IAM policy statements to grant or deny permissions.

Actions Description Resource types (*required) Condition keys Access level

DeleteResourcePolicy

Grants permission to delete a resource policy

Permissions management, Write

PutResourcePolicy

Grants permission to create or update policies for a resource

Permissions management, Write

StartSession

Grants permission to start an approval session

session*

aws:ResourceTag/${TagKey}

mpa:ProtectedResourceAccount

mpa:RequestedOperation

Write

Resource types defined by Multi-party approval

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements.

Resource types ARN Condition keys

approval-team

arn:${Partition}:mpa:${Region}:${Account}:approval-team/${ApprovalTeamId}

aws:ResourceTag/${TagKey}

identity-source

arn:${Partition}:mpa:${Region}:${Account}:identity-source/${IdentitySourceId}

aws:ResourceTag/${TagKey}

session

arn:${Partition}:mpa:${Region}:${Account}:session/${SessionId}

aws:ResourceTag/${TagKey}

Condition keys for Multi-party approval

Multi-party approval defines the following condition keys that can be used in the Condition element of an IAM policy.

Condition keys Description Type

aws:RequestTag/${TagKey}

Filters access by a tag key and value pair that is allowed in the request

String

aws:ResourceTag/${TagKey}

Filters access by a tag key and value pair of a resource

String

aws:TagKeys

Filters access by a list of tag keys that are allowed in the request

ArrayOfString

mpa:ProtectedResourceAccount

Filters access by the account that owns the resource that is the target of the operation that requires approval

String

mpa:RequestedOperation

Filters access by a requested operation that requires team approval before it can be executed

String