Supported resource-level permissions for AWS Batch API actions
The term resource-level permissions refers to the ability to specify the resources that users are allowed to perform actions on. AWS Batch has partial support for resource-level permissions. For some AWS Batch actions, you can control when users are allowed to use those actions based on conditions that must be met. You can also control which specific resources users are allowed to use. For example, you can grant users permissions to submit jobs, but only to a specific job queue and only with a specific job definition.
The following list describes the AWS Batch API actions that currently support resource-level permissions. The list also describes the supported resources, resource ARNs, and condition keys for each action.
Important
If an AWS Batch API action isn't in this list, then it doesn't support resource-level permissions. You can still grant users permission to use such an action, but you must include a wildcard (*) for the resource element of your policy statement.
- Actions
-
CancelJob, CreateComputeEnvironment, CreateJobQueue, CreateSchedulingPolicy, DeleteComputeEnvironment, DeleteJobQueue, DeleteSchedulingPolicy, DeregisterJobDefinition, GetJobQueueSnapshot, ListTagsForResource, RegisterJobDefinition, SubmitJob, TagResource, TerminateJob, UntagResource, UpdateComputeEnvironment, UpdateSchedulingPolicy, UpdateJobQueue
- CancelJob
-
Cancels a job in an AWS Batch queue.
- Resource
-
- Job
-
arn:aws:batch:region:account:job/jobId
- Condition keys
-
aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
- CreateComputeEnvironment
-
Creates an AWS Batch compute environment.
- Resource
-
- Compute Environment
-
arn:aws:batch:region:account:compute-environment/compute-environment-name
- Condition keys
-
aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
- Condition keys
-
aws:RequestTag/${TagKey} (String) - Filters actions based on the tags that are passed in the request.
aws:TagKeys (String) - Filters actions based on the tag keys that are passed in the request.
- CreateJobQueue
-
Creates an AWS Batch job queue.
- Resource
-
- Compute Environment
-
arn:aws:batch:region:account:compute-environment/compute-environment-name
- Condition keys
-
aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
- Job Queue
-
arn:aws:batch:region:account:job-queue/queue-name
- Condition keys
-
aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
- Scheduling Policy
-
arn:aws:batch:region:account:scheduling-policy/scheduling-policy-name
- Condition keys
-
aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
- Condition keys
-
aws:RequestTag/${TagKey} (String) - Filters actions based on the tags that are passed in the request.
aws:TagKeys (String) - Filters actions based on the tag keys that are passed in the request.
- DeleteComputeEnvironment
-
Deletes an AWS Batch compute environment.
- Resource
-
- Compute Environment
-
arn:aws:batch:region:account:compute-environment/compute-environment-name
- Condition keys
-
aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
- CreateSchedulingPolicy
-
Creates an AWS Batch scheduling policy.
- Resource
-
- Scheduling Policy
-
arn:aws:batch:region:account:scheduling-policy/scheduling-policy-name
- Condition keys
-
aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
- Condition keys
-
aws:RequestTag/${TagKey} (String) - Filters actions based on the tags that are passed in the request.
aws:TagKeys (String) - Filters actions based on the tag keys that are passed in the request.
- DeleteJobQueue
-
Deletes the specified job queue. Deleting the job queue eventually deletes all of the jobs in the queue. Jobs are deleted at a rate of about 16 jobs each second.
- Resource
-
- Job Queue
-
arn:aws:batch:region:account:job-queue/queue-name
- Condition keys
-
aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
- DeleteSchedulingPolicy
-
Deletes the specified scheduling policy.
- Resource
-
- Scheduling Policy
-
arn:aws:batch:region:account:scheduling-policy/scheduling-policy-name
- Condition keys
-
aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
- DeregisterJobDefinition
-
Deregisters an AWS Batch job definition.
- Resource
-
- Job Definition
-
arn:aws:batch:region:account:job-definition/definition-name:revision
- Condition keys
-
aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
- GetJobQueueSnapshot
-
Provides a list of the first 100 RUNNABLE jobs associated with a single job queue.
- Resource
-
- Job Queue
-
arn:aws:batch:region:account:job-queue/queue-name
- Condition keys
-
aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
- ListTagsForResource
-
Lists the tags for the specified resource.
- Resource
-
- Compute Environment
-
arn:aws:batch:region:account:compute-environment/compute-environment-name
- Condition keys
-
aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
- Job
-
arn:aws:batch:region:account:job/jobId
- Condition keys
-
aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
- Job Definition
-
arn:aws:batch:region:account:job-definition/definition-name:revision
- Condition keys
-
aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
- Job Queue
-
arn:aws:batch:region:account:job-queue/queue-name
- Condition keys
-
aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
- Scheduling Policy
-
arn:aws:batch:region:account:scheduling-policy/scheduling-policy-name
- Condition keys
-
aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
- RegisterJobDefinition
-
Registers an AWS Batch definition.
- Resource
-
- Job Definition
-
arn:aws:batch:region:account:job-definition/definition-name
- Condition keys
-
batch:AWSLogsCreateGroup (Boolean) - When this parameter is true, the awslogs-group is created for the logs.
batch:AWSLogsGroup (String) - The awslogs group where the logs are located.
batch:AWSLogsRegion (String) - The Region where the logs are sent to.
batch:AWSLogsStreamPrefix (String) - The awslogs log stream prefix.
batch:Image (String) - The Docker image used to start a job.
batch:LogDriver (String) - The log driver used for the job.
batch:Privileged (Boolean) - When this parameter is true, the container for the job is given elevated permissions on the host container instance.
batch:User (String) - The user name or numeric uid to use inside the container for the job.
aws:RequestTag/${TagKey} (String) - Filters actions based on the tags that are passed in the request.
aws:TagKeys (String) - Filters actions based on the tag keys that are passed in the request.
- SubmitJob
-
Submits an AWS Batch job from a job definition.
- Resource
-
- Job
-
arn:aws:batch:region:account:job/jobId
- Condition keys
-
aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
- Job Definition
-
arn:aws:batch:region:account:job-definition/definition-name[:revision]
- Condition keys
-
aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
Note
This key can only be used when the job definition Amazon Resource Name (ARN) is in the format arn:aws:batch:region:account_number:job-definition/definition-name:revision.
- Job Queue
-
arn:aws:batch:region:account:job-queue/queue-name
- Condition keys
-
aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
- TagResource
-
Tags the specified resource.
- Resource
-
- Compute Environment
-
arn:aws:batch:region:account:compute-environment/compute-environment-name
- Condition keys
-
aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
- Job
-
arn:aws:batch:region:account:job/jobId
- Condition keys
-
aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
- Job Definition
-
arn:aws:batch:region:account:job-definition/definition-name:revision
- Condition keys
-
aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
- Job Queue
-
arn:aws:batch:region:account:job-queue/queue-name
- Condition keys
-
aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
- Scheduling Policy
-
arn:aws:batch:region:account:scheduling-policy/scheduling-policy-name
- Condition keys
-
aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
- Condition keys
-
aws:RequestTag/${TagKey} (String) - Filters actions based on the tags that are passed in the request.
aws:TagKeys (String) - Filters actions based on the tag keys that are passed in the request.
- TerminateJob
-
Terminates a job in an AWS Batch job queue.
- Resource
-
- Job
-
arn:aws:batch:region:account:job/jobId
- Condition keys
-
aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
- UntagResource
-
Untags the resource that's specified.
- Resource
-
- Compute Environment
-
arn:aws:batch:region:account:compute-environment/compute-environment-name
- Condition keys
-
aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
- Job
-
arn:aws:batch:region:account:job/jobId
- Condition keys
-
aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
- Job Definition
-
arn:aws:batch:region:account:job-definition/definition-name:revision
- Condition keys
-
aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
- Job Queue
-
arn:aws:batch:region:account:job-queue/queue-name
- Condition keys
-
aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
- Scheduling Policy
-
arn:aws:batch:region:account:scheduling-policy/scheduling-policy-name
- Condition keys
-
aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
- Condition keys
-
aws:TagKeys (String) - Filters actions based on the tag keys that are passed in the request.
- UpdateComputeEnvironment
-
Updates an AWS Batch compute environment.
- Resource
-
- Compute Environment
-
arn:aws:batch:region:account:compute-environment/compute-environment-name
- Condition keys
-
aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
- UpdateJobQueue
-
Updates a job queue.
- Resource
-
- Job Queue
-
arn:aws:batch:region:account:job-queue/queue-name
- Condition keys
-
aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
- Scheduling Policy
-
arn:aws:batch:region:account:scheduling-policy/scheduling-policy-name
- Condition keys
-
aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
- UpdateSchedulingPolicy
-
Updates a scheduling policy.
- Resource
-
- Scheduling Policy
-
arn:aws:batch:region:account:scheduling-policy/scheduling-policy-name
- Condition keys
-
aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
Condition keys for AWS Batch API actions
AWS Batch defines the following condition keys that are used in the Condition element of an IAM policy. You can use these keys to refine the conditions that the policy statement applies to. To view the global condition keys that are available to all services, see available global condition keys in the IAM User Guide.
batch:AWSLogsCreateGroup (Boolean) - When this parameter is true, the awslogs-group is created for the logs.
batch:AWSLogsGroup (String) - The awslogs group where the logs are located.
batch:AWSLogsRegion (String) - The AWS Region where the logs are sent to.
batch:AWSLogsStreamPrefix (String) - The awslogs log stream prefix.
batch:Image (String) - The Docker image used to start a job.
batch:LogDriver (String) - The log driver used for the job.
batch:Privileged (Boolean) - When this parameter is true, the container for the job is given elevated permissions on the host container instance (similar to the root user).
aws:ResourceTag/${TagKey} (String) - Filters actions based on the tags that are associated with the resource.
aws:RequestTag/${TagKey} (String) - Filters actions based on the tags that are passed in the request.
-
Filters actions based on the shareIdentifier parameter sent to SubmitJob.
aws:TagKeys (String) - Filters actions based on the tag keys that are passed in the request.
batch:User (String) - The user name or numeric user ID (uid) to use inside the container for the job.
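The following policy check is an added example, not part of the AWS documentation or any AWS tool. It lints IAM statements against the support list on this page: it flags AWS Batch actions that are scoped to an ARN although they don't support resource-level permissions, and job-definition condition keys used on actions other than RegisterJobDefinition. The function names, the sample policy, the account ID, the Region, and the resource names are assumptions made for illustration.

```python
# Actions this page lists as supporting resource-level permissions.
RESOURCE_LEVEL = set("""CancelJob CreateComputeEnvironment CreateJobQueue
CreateSchedulingPolicy DeleteComputeEnvironment DeleteJobQueue
DeleteSchedulingPolicy DeregisterJobDefinition GetJobQueueSnapshot
ListTagsForResource RegisterJobDefinition SubmitJob TagResource TerminateJob
UntagResource UpdateComputeEnvironment UpdateSchedulingPolicy
UpdateJobQueue""".split())
# batch:* keys that the page lists only under RegisterJobDefinition.
REGISTER_ONLY = {"batch:AWSLogsCreateGroup", "batch:AWSLogsGroup",
                 "batch:AWSLogsRegion", "batch:AWSLogsStreamPrefix",
                 "batch:Image", "batch:LogDriver", "batch:Privileged",
                 "batch:User"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint(policy):
    """Return (statement index, action, problem) tuples.
    Assumes action and key names are written in the exact case shown on the page."""
    findings = []
    for i, st in enumerate(_as_list(policy["Statement"])):
        scoped = any(r != "*" for r in _as_list(st.get("Resource", "*")))
        keys = {k for op in st.get("Condition", {}).values() for k in op}
        for full in _as_list(st.get("Action", [])):
            svc, _, name = full.partition(":")
            if svc.lower() != "batch" or "*" in name:
                continue  # other services and wildcard actions are not checked
            if name not in RESOURCE_LEVEL and scoped:
                findings.append((i, name, "no resource-level support: use Resource '*'"))
            if name != "RegisterJobDefinition":
                for k in sorted(keys & REGISTER_ONLY):
                    findings.append((i, name, k + " is listed only for RegisterJobDefinition"))
    return findings

# Constructed sample policy; account ID, Region and names are placeholders.
ARN = "arn:aws:batch:us-east-1:111122223333:"
SAMPLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "batch:SubmitJob",
     "Resource": [ARN + "job-queue/example-queue",
                  ARN + "job-definition/example-def:1"]},
    {"Effect": "Allow", "Action": "batch:DescribeJobs",
     "Resource": ARN + "job/*"},
    {"Effect": "Deny", "Action": ["batch:RegisterJobDefinition", "batch:SubmitJob"],
     "Resource": "*", "Condition": {"Bool": {"batch:Privileged": "true"}}},
]}

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

The first statement mirrors the page's own example of limiting SubmitJob to one job queue and one job definition, so it produces no finding. The other two statements show the mismatches the check reports.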