View a markdown version of this page

Actions, resources, and condition keys for Amazon QLDB - Service Authorization Reference

Actions, resources, and condition keys for Amazon QLDB

Amazon QLDB (service prefix: qldb) provides the following service-specific operations, resources, actions, and condition keys for use in IAM permission policies.

References:

Actions defined by Amazon QLDB

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

Actions Description Resource types (*required) Condition keys Access level

CancelJournalKinesisStream

Grants permission to cancel a journal kinesis stream

stream*

aws:ResourceTag/${TagKey}

Write

CreateLedger

Grants permission to create a ledger

ledger*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

DeleteLedger

Grants permission to delete a ledger

ledger*

aws:ResourceTag/${TagKey}

Write

DescribeJournalKinesisStream

Grants permission to describe information about a journal kinesis stream

stream*

aws:ResourceTag/${TagKey}

Read

DescribeJournalS3Export

Grants permission to describe information about a journal export job

ledger*

aws:ResourceTag/${TagKey}

Read

DescribeLedger

Grants permission to describe a ledger

ledger*

aws:ResourceTag/${TagKey}

Read

ExportJournalToS3

Grants permission to export journal contents to an Amazon S3 bucket

ledger*

aws:ResourceTag/${TagKey}

Write

GetBlock

Grants permission to retrieve a block from a ledger for a given BlockAddress

ledger*

aws:ResourceTag/${TagKey}

Read

GetDigest

Grants permission to retrieve a digest from a ledger for a given BlockAddress

ledger*

aws:ResourceTag/${TagKey}

Read

GetRevision

Grants permission to retrieve a revision for a given document ID and a given BlockAddress

ledger*

aws:ResourceTag/${TagKey}

Read

ListJournalKinesisStreamsForLedger

Grants permission to list journal kinesis streams for a specified ledger

stream*

aws:ResourceTag/${TagKey}

List

ListJournalS3Exports

Grants permission to list journal export jobs for all ledgers

List

ListJournalS3ExportsForLedger

Grants permission to list journal export jobs for a specified ledger

ledger*

aws:ResourceTag/${TagKey}

List

ListLedgers

Grants permission to list existing ledgers

List

ListTagsForResource

Grants permission to list tags for a resource

catalog

aws:ResourceTag/${TagKey}

Read

ledger

aws:ResourceTag/${TagKey}

stream

aws:ResourceTag/${TagKey}

table

aws:ResourceTag/${TagKey}

PartiQLCreateIndex

Grants permission to create an index on a table

table*

aws:ResourceTag/${TagKey}

Write

PartiQLCreateTable

Grants permission to create a table

table*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

PartiQLDelete

Grants permission to delete documents from a table

table*

aws:ResourceTag/${TagKey}

Write

PartiQLDropIndex

Grants permission to drop an index from a table

table*

aws:ResourceTag/${TagKey}

qldb:Purge

Write

PartiQLDropTable

Grants permission to drop a table

table*

aws:ResourceTag/${TagKey}

qldb:Purge

Write

PartiQLHistoryFunction

Grants permission to use the history function on a table

table*

aws:ResourceTag/${TagKey}

Read

PartiQLInsert

Grants permission to insert documents into a table

table*

aws:ResourceTag/${TagKey}

Write

PartiQLRedact

Grants permission to redact historic revisions

table*

aws:ResourceTag/${TagKey}

Write

PartiQLSelect

Grants permission to select documents from a table

catalog

aws:ResourceTag/${TagKey}

Read

table

aws:ResourceTag/${TagKey}

PartiQLUndropTable

Grants permission to undrop a table

table*

aws:ResourceTag/${TagKey}

Write

PartiQLUpdate

Grants permission to update existing documents in a table

table*

aws:ResourceTag/${TagKey}

Write

SendCommand

Grants permission to send commands to a ledger

ledger*

aws:ResourceTag/${TagKey}

Write

StreamJournalToKinesis

Grants permission to stream journal contents to a Kinesis Data Stream

stream*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

TagResource

Grants permission to add one or more tags to a resource

catalog

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

ledger

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

stream

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

table

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

UntagResource

Grants permission to remove one or more tags from a resource

catalog

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

ledger

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

stream

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

table

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

UpdateLedger

Grants permission to update properties on a ledger

ledger*

aws:ResourceTag/${TagKey}

Write

UpdateLedgerPermissionsMode

Grants permission to update the permissions mode on a ledger

ledger*

aws:ResourceTag/${TagKey}

Write

Permission-only actions for Amazon QLDB

The following actions are defined by Amazon QLDB but are not directly invocable through any API operation. They can only be used in IAM policy statements to grant or deny permissions.

Actions Description Resource types (*required) Condition keys Access level

ExecuteStatement

Grants permission to send commands to a ledger via the console

ledger*

aws:ResourceTag/${TagKey}

Write

InsertSampleData

Grants permission to insert sample application data via the console

ledger*

aws:ResourceTag/${TagKey}

Write

ShowCatalog

Grants permission to view a ledger's catalog via the console

ledger*

aws:ResourceTag/${TagKey}

Write

Resource types defined by Amazon QLDB

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements.

Resource types ARN Condition keys

catalog

arn:${Partition}:qldb:${Region}:${Account}:ledger/${LedgerName}/information_schema/user_tables

aws:ResourceTag/${TagKey}

ledger

arn:${Partition}:qldb:${Region}:${Account}:ledger/${LedgerName}

aws:ResourceTag/${TagKey}

stream

arn:${Partition}:qldb:${Region}:${Account}:stream/${LedgerName}/${StreamId}

aws:ResourceTag/${TagKey}

table

arn:${Partition}:qldb:${Region}:${Account}:ledger/${LedgerName}/table/${TableId}

aws:ResourceTag/${TagKey}

Condition keys for Amazon QLDB

Amazon QLDB defines the following condition keys that can be used in the Condition element of an IAM policy.

Condition keys Description Type

aws:RequestTag/${TagKey}

Filters access by a tag key and value pair that is allowed in the request

String

aws:ResourceTag/${TagKey}

Filters access by a tag key and value pair of a resource

String

aws:TagKeys

Filters access by a list of tag keys that are allowed in the request

ArrayOfString

qldb:Purge

Filters access by the value of purge that is specified in a PartiQL DROP statement

String