View a markdown version of this page

Actions, resources, and condition keys for AWS DevOps Agent Service - Service Authorization Reference

Actions, resources, and condition keys for AWS DevOps Agent Service

AWS DevOps Agent Service (service prefix: aidevops) provides the following service-specific operations, resources, actions, and condition keys for use in IAM permission policies.

References:

API operations defined by AWS DevOps Agent Service

The following table maps API operations to the IAM actions they authorize. Only condition keys that have static values for the given API and action are listed; for the full set of condition keys supported by each action, see the Actions table.

Operation IAM action Condition key Possible value(s) Access level

AssociateService

aidevops:AssociateService

Write

iam:PassRole

iam:PassedToService

aidevops.amazonaws.com

Write

CreateAgentSpace

aidevops:CreateAgentSpace

Write

aidevops:TagResource

Tagging, Write

CreatePrivateConnection

aidevops:CreatePrivateConnection

Write

aidevops:TagResource

Tagging, Write

DeleteAgentSpace

aidevops:DeleteAgentSpace

Write

DeletePrivateConnection

aidevops:DeletePrivateConnection

Write

DeregisterService

aidevops:DeregisterService

Write

DescribePrivateConnection

aidevops:DescribePrivateConnection

Read

DisableOperatorApp

aidevops:DisableOperatorApp

Write

DisassociateService

aidevops:DisassociateService

Write

EnableOperatorApp

aidevops:EnableOperatorApp

Write

iam:PassRole

iam:PassedToService

aidevops.amazonaws.com

Write

GetAgentSpace

aidevops:GetAgentSpace

Read

GetAssociation

aidevops:GetAssociation

Read

GetOperatorApp

aidevops:GetOperatorApp

Read

GetService

aidevops:GetService

Read

ListAgentSpaces

aidevops:ListAgentSpaces

List

ListAssociations

aidevops:ListAssociations

List

ListPrivateConnections

aidevops:ListPrivateConnections

List

ListServices

aidevops:ListServices

List

ListTagsForResource

aidevops:ListTagsForResource

Read

ListWebhooks

aidevops:ListWebhooks

List

RegisterService

aidevops:RegisterService

Write

aidevops:TagResource

Tagging, Write

iam:PassRole

iam:PassedToService

aidevops.amazonaws.com

Write

TagResource

aidevops:TagResource

Tagging, Write

UntagResource

aidevops:UntagResource

Tagging, Write

UpdateAgentSpace

aidevops:UpdateAgentSpace

Write

UpdateAssociation

aidevops:UpdateAssociation

Write

iam:PassRole

iam:PassedToService

aidevops.amazonaws.com

Write

UpdateOperatorAppIdpConfig

aidevops:UpdateOperatorAppIdpConfig

Write

UpdatePrivateConnectionCertificate

aidevops:UpdatePrivateConnectionCertificate

Write

ValidateAwsAssociations

aidevops:ValidateAwsAssociations

Write

Actions defined by AWS DevOps Agent Service

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

Actions Description Resource types (*required) Condition keys Access level

AssociateService

Grants permission to associate service

agentspace*

aws:ResourceTag/${TagKey}

Write

associations*

CreateAccessToken

Grants permission to create an access token

agentspace*

aws:ResourceTag/${TagKey}

Write

CreateAgentSpace

Grants permission to create agentspace

agentspace*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

CreateAsset

Grants permission to create an asset

agentspace*

aws:ResourceTag/${TagKey}

Write

CreateAssetFile

Grants permission to create an asset file

agentspace*

aws:ResourceTag/${TagKey}

Write

CreateBacklogTask

Grants permission to create a new backlog task

agentspace*

aws:ResourceTag/${TagKey}

Write

CreateChat

Grants permission to create a chat

agentspace*

aws:ResourceTag/${TagKey}

Write

CreateKnowledgeItem

Grants permission to create a new knowledge item

agentspace*

aws:ResourceTag/${TagKey}

Write

CreateOneTimeLoginSession

Grants permission to generate secure one-time session for initiating off-console Application login

agentspace*

aws:ResourceTag/${TagKey}

Write

CreatePrivateConnection

Grants permission to create a private connection

private-connection*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

CreateTrigger

Grants permission to create a trigger

agentspace*

aws:ResourceTag/${TagKey}

Write

DeleteAgentSpace

Grants permission to delete agentspace

agentspace*

aws:ResourceTag/${TagKey}

Write

DeleteAsset

Grants permission to delete an asset

agentspace*

aws:ResourceTag/${TagKey}

Write

DeleteAssetFile

Grants permission to delete an asset file

agentspace*

aws:ResourceTag/${TagKey}

Write

DeleteKnowledgeItem

Grants permission to delete a knowledge item

agentspace*

aws:ResourceTag/${TagKey}

Write

DeletePrivateConnection

Grants permission to delete a private connection

private-connection*

aws:ResourceTag/${TagKey}

Write

DeleteTrigger

Grants permission to delete a trigger

agentspace*

aws:ResourceTag/${TagKey}

Write

DeregisterService

Grants permission to deregister a service

service*

aws:ResourceTag/${TagKey}

Write

DescribePrivateConnection

Grants permission to describe a private connection

private-connection*

aws:ResourceTag/${TagKey}

Read

DescribeServices

Grants permission to describe support services

agentspace*

aws:ResourceTag/${TagKey}

Read

DescribeSupportLevel

Grants permission to describe customer support level

agentspace*

aws:ResourceTag/${TagKey}

Write

DisableOperatorApp

Grants permission to disable the Operator App access to the given AgentSpace

agentspace*

aws:ResourceTag/${TagKey}

Write

DisassociateService

Grants permission to disassociate service

agentspace*

aws:ResourceTag/${TagKey}

Write

associations*

DiscoverTopology

Grants permission to discover topology information

agentspace*

aws:ResourceTag/${TagKey}

Write

EnableOperatorApp

Grants permission to enable the Operator App to access the given AgentSpace

agentspace*

aws:ResourceTag/${TagKey}

Write

EndChatForCase

Grants permission to end a chat for a case

agentspace*

aws:ResourceTag/${TagKey}

Write

GetAccessToken

Grants permission to get access token details

agentspace*

aws:ResourceTag/${TagKey}

Read

GetAccountUsage

Grants permission to retrieve account usage information

Read

GetAgentSpace

Grants permission to get agentspace

agentspace*

aws:ResourceTag/${TagKey}

Read

GetAsset

Grants permission to get an asset

agentspace*

aws:ResourceTag/${TagKey}

Read

GetAssetContent

Grants permission to get asset content

agentspace*

aws:ResourceTag/${TagKey}

Read

GetAssetFile

Grants permission to get an asset file

agentspace*

aws:ResourceTag/${TagKey}

Read

GetAssociation

Grants permission to get association

agentspace*

aws:ResourceTag/${TagKey}

Read

associations*

GetBacklogTask

Grants permission to get a backlog task

agentspace*

aws:ResourceTag/${TagKey}

Read

GetKnowledgeItem

Grants permission to get a knowledge item

agentspace*

aws:ResourceTag/${TagKey}

Read

GetOperatorApp

Grants permission to get operator auth config for any enabled auth flow

agentspace*

aws:ResourceTag/${TagKey}

Read

GetRecommendation

Grants permission to get a recommendation

agentspace*

aws:ResourceTag/${TagKey}

Read

GetService

Grants permission to get services

service*

aws:ResourceTag/${TagKey}

Read

GetTrigger

Grants permission to get a trigger

agentspace*

aws:ResourceTag/${TagKey}

Read

InitiateChatForCase

Grants permission to initiate a chat for a case

agentspace*

aws:ResourceTag/${TagKey}

Write

ListAccessTokens

Grants permission to list access tokens

agentspace*

aws:ResourceTag/${TagKey}

List

ListAgentSpaces

Grants permission to list agentspace

List

ListAssetFiles

Grants permission to list asset files

agentspace*

aws:ResourceTag/${TagKey}

List

ListAssetTypes

Grants permission to list asset types

List

ListAssetVersions

Grants permission to list asset versions

agentspace*

aws:ResourceTag/${TagKey}

List

ListAssets

Grants permission to list assets

agentspace*

aws:ResourceTag/${TagKey}

List

ListAssociations

Grants permission to list associations

agentspace*

aws:ResourceTag/${TagKey}

List

ListBacklogTasks

Grants permission to list backlog tasks

agentspace*

aws:ResourceTag/${TagKey}

List

ListChats

Grants permission to list chats

agentspace*

aws:ResourceTag/${TagKey}

List

ListExecutions

Grants permission to list executions

agentspace*

aws:ResourceTag/${TagKey}

List

ListGoals

Grants permission to list goals

agentspace*

aws:ResourceTag/${TagKey}

List

ListJournalRecords

Grants permission to list journal records

agentspace*

aws:ResourceTag/${TagKey}

List

ListKnowledgeItemVersions

Grants permission to list knowledge item versions

agentspace*

aws:ResourceTag/${TagKey}

List

ListKnowledgeItems

Grants permission to list knowledge items

agentspace*

aws:ResourceTag/${TagKey}

List

ListPendingMessages

Grants permission to list pending messages

agentspace*

aws:ResourceTag/${TagKey}

List

ListPrivateConnections

Grants permission to list private connections

List

ListRecommendations

Grants permission to list recommendations

agentspace*

aws:ResourceTag/${TagKey}

List

ListServices

Grants permission to list services

List

ListTagsForResource

Grants permission to list tags for a resource

agentspace

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Read

private-connection

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

service

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

ListTriggers

Grants permission to list triggers

agentspace*

aws:ResourceTag/${TagKey}

List

ListWebhooks

Grants permission to list webhooks for association

agentspace*

aws:ResourceTag/${TagKey}

List

associations*

RegisterService

Grants permission to register specific service

service*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

RevokeAccessToken

Grants permission to revoke an access token

agentspace*

aws:ResourceTag/${TagKey}

Write

RotateAccessToken

Grants permission to rotate an access token

agentspace*

aws:ResourceTag/${TagKey}

Write

SearchServiceAccessibleResource

Grants permission to look up a registered service accessible resources

Read

SendMessage

Grants permission to send chat messages

agentspace*

aws:ResourceTag/${TagKey}

Write

TagResource

Grants permission to tag a resource

agentspace

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

private-connection

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

service

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

UntagResource

Grants permission to untag a resource

agentspace

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

private-connection

aws:ResourceTag/${TagKey}

aws:TagKeys

service

aws:ResourceTag/${TagKey}

aws:TagKeys

UpdateAgentSpace

Grants permission to update agentspace

agentspace*

aws:ResourceTag/${TagKey}

Write

UpdateApprovalAction

Grants permission to update an approval action (approve or reject) for an agent tool invocation

agentspace*

aws:ResourceTag/${TagKey}

Write

UpdateAsset

Grants permission to update an asset

agentspace*

aws:ResourceTag/${TagKey}

Write

UpdateAssetFile

Grants permission to update an asset file

agentspace*

aws:ResourceTag/${TagKey}

Write

UpdateAssociation

Grants permission to update association

agentspace*

aws:ResourceTag/${TagKey}

Write

associations*

UpdateBacklogTask

Grants permission to update a task

agentspace*

aws:ResourceTag/${TagKey}

Write

UpdateGoal

Grants permission to update a goal

agentspace*

aws:ResourceTag/${TagKey}

Write

UpdateKnowledgeItem

Grants permission to update a knowledge item

agentspace*

aws:ResourceTag/${TagKey}

Write

UpdateOperatorAppIdpConfig

Grants permission to update the external Identity Provider configuration for the Operator App

agentspace*

aws:ResourceTag/${TagKey}

Write

UpdatePrivateConnectionCertificate

Grants permission to update a private connection certificate

private-connection*

aws:ResourceTag/${TagKey}

Write

UpdateRecommendation

Grants permission to update a recommendation

agentspace*

aws:ResourceTag/${TagKey}

Write

UpdateTrigger

Grants permission to update a trigger

agentspace*

aws:ResourceTag/${TagKey}

Write

ValidateAwsAssociations

Grants permission to validate aws association

agentspace*

aws:ResourceTag/${TagKey}

Write

Permission-only actions for AWS DevOps Agent Service

The following actions are defined by AWS DevOps Agent Service but are not directly invocable through any API operation. They can only be used in IAM policy statements to grant or deny permissions.

Actions Description Resource types (*required) Condition keys Access level

AllowVendedLogDeliveryForResource

Grants permission to authorize vended logs

Permissions management, Write

Resource types defined by AWS DevOps Agent Service

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements.

Resource types ARN Condition keys

agentspace

arn:${Partition}:aidevops:${Region}:${Account}:agentspace/${AgentSpaceId}

aws:ResourceTag/${TagKey}

associations

arn:${Partition}:aidevops:${Region}:${Account}:agentspace/${AgentSpaceId}/association/${AssociationId}

private-connection

arn:${Partition}:aidevops:${Region}:${Account}:private-connection/${Name}

aws:ResourceTag/${TagKey}

service

arn:${Partition}:aidevops:${Region}:${Account}:service/${ServiceId}

aws:ResourceTag/${TagKey}

Condition keys for AWS DevOps Agent Service

AWS DevOps Agent Service defines the following condition keys that can be used in the Condition element of an IAM policy.

Condition keys Description Type

aws:RequestTag/${TagKey}

Filters access by the tags that are passed in the request

String

aws:ResourceTag/${TagKey}

Filters access by the tags associated with the resource

String

aws:TagKeys

Filters access by the tag keys that are passed in the request

ArrayOfString