Example Policies for AWS Data Pipeline - AWS Data Pipeline

AWS Data Pipeline is no longer available to new customers. Existing customers of AWS Data Pipeline can continue to use the service as normal. Learn more

Example Policies for AWS Data Pipeline

The following examples demonstrate how to grant users full or restricted access to pipelines.

Example 1: Grant users read-only access based on a tag

The following policy allows users to use the read-only AWS Data Pipeline API actions, but only with pipelines that have the tag "environment=production".

The ListPipelines API action does not support tag-based authorization.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "datapipeline:Describe*", "datapipeline:GetPipelineDefinition", "datapipeline:ValidatePipelineDefinition", "datapipeline:QueryObjects" ], "Resource": [ "*" ], "Condition": { "StringEquals": { "datapipeline:Tag/environment": "production" } } } ] }

Example 2: Grant users full access based on a tag

The following policy allows users to use all AWS Data Pipeline API actions, with the exception of ListPipelines, but only with pipelines that have the tag "environment=test".

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "datapipeline:*" ], "Resource": [ "*" ], "Condition": { "StringEquals": { "datapipeline:Tag/environment": "test" } } } ] }

Example 3: Grant the pipeline owner full access

The following policy allows users to use all the AWS Data Pipeline API actions, but only with their own pipelines.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "datapipeline:*" ], "Resource": [ "*" ], "Condition": { "StringEquals": { "datapipeline:PipelineCreator": "${aws:userid}" } } } ] }

Example 4: Grant users access to the AWS Data Pipeline console

The following policy allows users to create and manage a pipeline using the AWS Data Pipeline console.

This policy includes the action for PassRole permissions for specific resources tied to the roleARN that AWS Data Pipeline needs. For more information about the identity-based (IAM) PassRole permission, see the blog post Granting Permission to Launch EC2 Instances with IAM Roles (PassRole Permission).

{ "Version": "2012-10-17", "Statement": [{ "Action": [ "cloudwatch:*", "datapipeline:*", "dynamodb:DescribeTable", "elasticmapreduce:AddJobFlowSteps", "elasticmapreduce:ListInstance*", "iam:AddRoleToInstanceProfile", "iam:CreateInstanceProfile", "iam:GetInstanceProfile", "iam:GetRole", "iam:GetRolePolicy", "iam:ListInstanceProfiles", "iam:ListInstanceProfilesForRole", "iam:ListRoles", "rds:DescribeDBInstances", "rds:DescribeDBSecurityGroups", "redshift:DescribeClusters", "redshift:DescribeClusterSecurityGroups", "s3:List*", "sns:ListTopics" ], "Effect": "Allow", "Resource": [ "*" ] }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": [ "arn:aws:iam::*:role/DataPipelineDefaultResourceRole", "arn:aws:iam::*:role/DataPipelineDefaultRole" ] } ] }