# Use Signer actions in IAM
Administrators who set up access control and write permissions policies that they attach to an IAM identity (identity-based policies) can use the following table as a reference. The first column in the table lists each AWS Signer API operation. You specify actions in a policy's `Action` element. You can use the IAM policy elements in your ACM policies to express conditions. For a complete list, see [IAM JSON policy element reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#AvailableKeys) in the *IAM User Guide*.
**Note**
To specify an action, use the `signer` prefix followed by the API operation name (for example, `signer:StartSigningJob`).
**AWS Signer API Operations and Permissions**
| API Operation | Required Permissions (API Actions) |
| --- | --- |
| [https://docs.aws.amazon.com/signer/latest/api/API_AddProfilePermission.html](https://docs.aws.amazon.com/signer/latest/api/API_AddProfilePermission.html) | `signer:AddProfilePermission` |
| [https://docs.aws.amazon.com/signer/latest/api/API_CancelSigningProfile.html](https://docs.aws.amazon.com/signer/latest/api/API_CancelSigningProfile.html) | `signer:CancelSigningProfile` |
| [https://docs.aws.amazon.com/signer/latest/api/API_DescribeSigningJob.html](https://docs.aws.amazon.com/signer/latest/api/API_DescribeSigningJob.html) | `signer:DescribeSigningJob` |
| [https://docs.aws.amazon.com/signer/latest/api/API_GetRevocationStatus.html](https://docs.aws.amazon.com/signer/latest/api/API_GetRevocationStatus.html) | `signer:GetRevocationStatus` |
| [https://docs.aws.amazon.com/signer/latest/api/API_GetSigningPlatform.html](https://docs.aws.amazon.com/signer/latest/api/API_GetSigningPlatform.html) | `signer:GetSigningPlatform` |
| [https://docs.aws.amazon.com/signer/latest/api/API_GetSigningProfile.html](https://docs.aws.amazon.com/signer/latest/api/API_GetSigningProfile.html) | `signer:GetSigningProfile` |
| [https://docs.aws.amazon.com/signer/latest/api/API_ListProfilePermissions.html](https://docs.aws.amazon.com/signer/latest/api/API_ListProfilePermissions.html) | `signer:ListProfilePermissions` |
| [https://docs.aws.amazon.com/signer/latest/api/API_ListSigningJobs.html](https://docs.aws.amazon.com/signer/latest/api/API_ListSigningJobs.html) | `signer:ListSigningJobs` |
| [https://docs.aws.amazon.com/signer/latest/api/API_ListSigningPlatforms.html](https://docs.aws.amazon.com/signer/latest/api/API_ListSigningPlatforms.html) | `signer:ListSigningPlatforms` |
| [https://docs.aws.amazon.com/signer/latest/api/API_ListSigningProfiles.html](https://docs.aws.amazon.com/signer/latest/api/API_ListSigningProfiles.html) | `signer:ListSigningProfiles` |
| [https://docs.aws.amazon.com/signer/latest/api/API_ListTagsForResource.html](https://docs.aws.amazon.com/signer/latest/api/API_ListTagsForResource.html) | `signer:ListTagsForResource` |
| [https://docs.aws.amazon.com/signer/latest/api/API_PutSigningProfile.html](https://docs.aws.amazon.com/signer/latest/api/API_PutSigningProfile.html) | `signer:PutSigningProfile` |
| [https://docs.aws.amazon.com/signer/latest/api/API_RemoveProfilePermission.html](https://docs.aws.amazon.com/signer/latest/api/API_RemoveProfilePermission.html) | `signer:RemoveProfilePermission` |
| [https://docs.aws.amazon.com/signer/latest/api/API_RevokeSignature.html](https://docs.aws.amazon.com/signer/latest/api/API_RevokeSignature.html) | `signer:RevokeSignature` |
| [https://docs.aws.amazon.com/signer/latest/api/API_RevokeSigningProfile.html](https://docs.aws.amazon.com/signer/latest/api/API_RevokeSigningProfile.html) | `signer:RevokeSigningProfile` |
| [https://docs.aws.amazon.com/signer/latest/api/API_SignPayload.html](https://docs.aws.amazon.com/signer/latest/api/API_SignPayload.html) | `signer:SignPayload` |
| [https://docs.aws.amazon.com/signer/latest/api/API_StartSigningJob.html](https://docs.aws.amazon.com/signer/latest/api/API_StartSigningJob.html) | `signer:StartSigningJob` |
| [https://docs.aws.amazon.com/signer/latest/api/API_TagResource.html](https://docs.aws.amazon.com/signer/latest/api/API_TagResource.html) | `signer:TagResource` |
| [https://docs.aws.amazon.com/signer/latest/api/API_UntagResource.html](https://docs.aws.amazon.com/signer/latest/api/API_UntagResource.html) | `signer:UntagResource` |
For the actions `StartSigningJob`, `GetSigningProfile`, `CancelSigningProfile`,`RevokeSigningProfile`, and `SignPayload`, use the `signer:ProfileVersion` condition key to limit what version of a signing profile a principal has access to.
**AWS Signer API Condition Keys**
| Condition Key | Description | APIs |
| --- | --- | --- |
| `signer:ProfileVersion` | Limit access to a specific version of a Signing Profile | [https://docs.aws.amazon.com/signer/latest/api/API_StartSigningJob.html](https://docs.aws.amazon.com/signer/latest/api/API_StartSigningJob.html)
[https://docs.aws.amazon.com/signer/latest/api/API_GetSigningProfile.html](https://docs.aws.amazon.com/signer/latest/api/API_GetSigningProfile.html)
[https://docs.aws.amazon.com/signer/latest/api/API_CancelSigningProfile.html](https://docs.aws.amazon.com/signer/latest/api/API_CancelSigningProfile.html)
[https://docs.aws.amazon.com/signer/latest/api/API_RevokeSigningProfile.html](https://docs.aws.amazon.com/signer/latest/api/API_RevokeSigningProfile.html)
[https://docs.aws.amazon.com/signer/latest/api/API_SignPayload.html](https://docs.aws.amazon.com/signer/latest/api/API_SignPayload.html) |