View a markdown version of this page

Actions, resources, and condition keys for Amazon WorkSpaces Thin Client - Service Authorization Reference

Actions, resources, and condition keys for Amazon WorkSpaces Thin Client

Amazon WorkSpaces Thin Client (service prefix: thinclient) provides the following service-specific operations, resources, actions, and condition keys for use in IAM permission policies.

References:

API operations defined by Amazon WorkSpaces Thin Client

The following table maps API operations to the IAM actions they authorize. Only condition keys that have static values for the given API and action are listed; for the full set of condition keys supported by each action, see the Actions table.

Operation IAM action Condition key Possible value(s) Access level

CreateEnvironment

thinclient:CreateEnvironment

Write

thinclient:TagResource

Tagging, Write

DeleteDevice

thinclient:DeleteDevice

Write

DeleteEnvironment

thinclient:DeleteEnvironment

Write

DeregisterDevice

thinclient:DeregisterDevice

Write

GetDevice

thinclient:GetDevice

Read

GetEnvironment

thinclient:GetEnvironment

Read

GetSoftwareSet

thinclient:GetSoftwareSet

Read

ListDevices

thinclient:ListDevices

List

ListEnvironments

thinclient:ListEnvironments

List

ListSoftwareSets

thinclient:ListSoftwareSets

List

ListTagsForResource

thinclient:ListTagsForResource

List

TagResource

thinclient:TagResource

Tagging, Write

UntagResource

thinclient:UntagResource

Tagging, Write

UpdateDevice

thinclient:UpdateDevice

Write

UpdateEnvironment

thinclient:TagResource

Tagging, Write

thinclient:UpdateEnvironment

Write

UpdateSoftwareSet

thinclient:UpdateSoftwareSet

Write

Actions defined by Amazon WorkSpaces Thin Client

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

Actions Description Resource types (*required) Condition keys Access level

CreateEnvironment

Grants permission to create environments

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

DeleteDevice

Grants permission to delete devices

device*

aws:ResourceTag/${TagKey}

Write

DeleteEnvironment

Grants permission to delete environments

environment*

aws:ResourceTag/${TagKey}

Write

DeregisterDevice

Grants permission to deregister devices

device*

aws:ResourceTag/${TagKey}

Write

GetDevice

Grants permission to get devices

device*

aws:ResourceTag/${TagKey}

Read

GetEnvironment

Grants permission to get details of environments

environment*

aws:ResourceTag/${TagKey}

Read

GetSoftwareSet

Grants permission to get details of software sets

softwareset*

aws:ResourceTag/${TagKey}

Read

ListDevices

Grants permission to list devices

List

ListEnvironments

Grants permission to list environments

List

ListSoftwareSets

Grants permission to list software sets

List

ListTagsForResource

Grants permission to list tags for a resource

device

aws:ResourceTag/${TagKey}

List

environment

aws:ResourceTag/${TagKey}

softwareset

aws:ResourceTag/${TagKey}

TagResource

Grants permission to add one or more tags to a resource

device

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

environment

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

softwareset

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

UntagResource

Grants permission to remove one or more tags from a resource

device

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

environment

aws:ResourceTag/${TagKey}

aws:TagKeys

softwareset

aws:ResourceTag/${TagKey}

aws:TagKeys

UpdateDevice

Grants permission to update devices

device*

aws:ResourceTag/${TagKey}

Write

UpdateEnvironment

Grants permission to update environments

environment*

aws:ResourceTag/${TagKey}

Write

UpdateSoftwareSet

Grants permission to update software set

softwareset*

aws:ResourceTag/${TagKey}

Write

Permission-only actions for Amazon WorkSpaces Thin Client

The following actions are defined by Amazon WorkSpaces Thin Client but are not directly invocable through any API operation. They can only be used in IAM policy statements to grant or deny permissions.

Actions Description Resource types (*required) Condition keys Access level

GetDeviceDetails

Grants permission to get details of devices

device*

aws:ResourceTag/${TagKey}

Read

ListDeviceSessions

Grants permission to list device sessions

device*

aws:ResourceTag/${TagKey}

List

Resource types defined by Amazon WorkSpaces Thin Client

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements.

Resource types ARN Condition keys

device

arn:${Partition}:thinclient:${Region}:${Account}:device/${DeviceId}

aws:ResourceTag/${TagKey}

environment

arn:${Partition}:thinclient:${Region}:${Account}:environment/${EnvironmentId}

aws:ResourceTag/${TagKey}

softwareset

arn:${Partition}:thinclient:${Region}:${Account}:softwareset/${SoftwareSetId}

aws:ResourceTag/${TagKey}

Condition keys for Amazon WorkSpaces Thin Client

Amazon WorkSpaces Thin Client defines the following condition keys that can be used in the Condition element of an IAM policy.

Condition keys Description Type

aws:RequestTag/${TagKey}

Filters access by the tags that are passed in the request

String

aws:ResourceTag/${TagKey}

Filters access by the tags associated with the resource

String

aws:TagKeys

Filters access by the tag keys that are passed in the request

ArrayOfString