AWS Cloud Map API permissions reference
When you set up access control and write
a permissions policy that you can attach to an IAM identity (identity-based policies), you
can use the following list as a reference. The list includes each AWS Cloud Map API action and
the actions that you must grant permissions access to. You specify the actions in the
Action field for the policy. For details about the resource value you must
specify in the Resource field or the IAM policy, see Actions, resources, and condition keys for AWS Cloud Map in the Service
Authorization Reference.
You can use AWS Cloud Map–specific condition keys in your IAM policies for some operations. For more information, see Condition keys for AWS Cloud Map in the Service Authorization Reference.
To specify an action, use the servicediscovery prefix followed by the API
action name, for example, servicediscovery:CreatePublicDnsNamespace and
route53:CreateHostedZone.
Required permissions for AWS Cloud Map actions
- CreateHttpNamespace
-
Required permissions (API action):
-
servicediscovery:CreateHttpNamespace
-
- CreatePrivateDnsNamespace
-
Required permissions (API action):
-
servicediscovery:CreatePrivateDnsNamespace -
route53:CreateHostedZone -
route53:GetHostedZone -
route53:ListHostedZonesByName -
ec2:DescribeVpcs -
ec2:DescribeRegions
-
- CreatePublicDnsNamespace
-
Required permissions (API action):
-
servicediscovery:CreatePublicDnsNamespace -
route53:CreateHostedZone -
route53:GetHostedZone -
route53:ListHostedZonesByName
-
- CreateService
-
Required Permissions (API Action):
servicediscovery:CreateService - DeleteNamespace
-
Required permissions (API action):
-
servicediscovery:DeleteNamespace
-
- DeleteService
-
Required Permissions (API Action):
servicediscovery:DeleteService - DeregisterInstance
-
Required permissions (API action):
-
servicediscovery:DeregisterInstance -
route53:GetHealthCheck -
route53:DeleteHealthCheck -
route53:UpdateHealthCheck -
route53:ChangeResourceRecordSets
-
- DiscoverInstances
-
Required Permissions (API Action):
servicediscovery:DiscoverInstances - GetInstance
-
Required Permissions (API Action):
servicediscovery:GetInstance - GetInstancesHealthStatus
-
Required Permissions (API Action):
servicediscovery:GetInstancesHealthStatus - GetNamespace
-
Required Permissions (API Action):
servicediscovery:GetNamespace - GetOperation
-
Required Permissions (API Action):
servicediscovery:GetOperation - GetService
-
Required Permissions (API Action):
servicediscovery:GetService - ListInstances
-
Required Permissions (API Action):
servicediscovery:ListInstances - ListNamespaces
-
Required Permissions (API Action):
servicediscovery:ListNamespaces - ListOperations
-
Required Permissions (API Action):
servicediscovery:ListOperations - ListServices
-
Required Permissions (API Action):
servicediscovery:ListServices - ListTagsForResource
-
Required Permissions (API Action):
servicediscovery:ListTagsForResource - RegisterInstance
-
Required permissions (API action):
-
servicediscovery:RegisterInstance -
route53:GetHealthCheck -
route53:CreateHealthCheck -
route53:UpdateHealthCheck -
route53:ChangeResourceRecordSets -
ec2:DescribeInstances
-
- TagResource
-
Required Permissions (API Action):
servicediscovery:TagResource - UntagResource
-
Required Permissions (API Action):
servicediscovery:UntagResource - UpdateHttpNamespace
-
Required Permissions (API Action):
servicediscovery:UpdateHttpNamespace - UpdateInstanceCustomHealthStatus
-
Required Permissions (API Action):
servicediscovery:UpdateInstanceCustomHealthStatus - UpdatePrivateDnsNamespace
-
Required permissions (API action):
-
servicediscovery:UpdatePrivateDnsNamespace -
route53:ChangeResourceRecordSets
-
- UpdatePublicDnsNamespace
-
Required permissions (API action):
-
servicediscovery:UpdatePublicDnsNamespace -
route53:ChangeResourceRecordSets
-
- UpdateService
-
Required permissions (API action):
-
servicediscovery:UpdateService -
route53:GetHealthCheck -
route53:CreateHealthCheck -
route53:DeleteHealthCheck -
route53:UpdateHealthCheck -
route53:ChangeResourceRecordSets
-
