# Directory Service API permissions: Actions, resources, and conditions reference
When you are setting up [Access control](iam_auth_access.md#access_control) and writing permissions policies that you can attach to an IAM identity (identity-based policies), you can use the [Directory Service API permissions: Actions, resources, and conditions reference](#UsingWithDS_IAM_ResourcePermissions) table as a reference. Each API entry in the table includes the following:
+ The name of each API operation
+ Each API operation's corresponding action or actions in which you can grant permissions to perform the action
+ The AWS resource in which you can grant the permissions
You specify the actions in the policy's `Action` field and the resource value in the policy's `Resource` field. To specify an action, use the `ds:` prefix followed by the API operation name (for example, `ds:CreateDirectory`). Some AWS applications may require use of nonpublic Directory Service API operations such as `ds:AuthorizeApplication`, `ds:CheckAlias`, `ds:CreateIdentityPoolDirectory`, `ds:GetAuthorizedApplicationDetails`, `ds:UpdateAuthorizedApplication`, and `ds:UnauthorizeApplication` in their policies.
Some Directory Service APIs can only be called through the AWS Management Console. They are not public APIs, in the sense they cannot be called programmatically, and they are not provided by any SDK. They accept user credentials. These API operations include `ds:DisableRoleAccess`, `ds:EnableRoleAccess`, and `ds:UpdateDirectory`.
You can use AWS global condition keys in your Directory Service and Directory Service Data policies to express conditions. For a complete list of AWS keys, see [Available Global Condition Keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#AvailableKeys) in the *IAM User Guide*.
## Directory Service API and required permissions for actions
| Directory Service API Operations | Required Permissions (API Actions) | Resources |
| --- | --- | --- |
| [AcceptSharedDirectory](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_AcceptSharedDirectory.html) | ds:AcceptSharedDirectory | \$1 |
| [AddIpRoutes](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_AddIpRoutes.html) | `ds:AddIpRoutes` `ec2:DescribeSecurityGroup` `ec2:AuthorizeSecurityGroupIngress` `ec2:AuthorizeSecurityGroupEgress` | \$1 |
| [AddTagsToResource](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_AddTagsToResource.html) | ds:AddTagsToResource`ec2:CreateTags` | \$1 |
| [CancelSchemaExtension](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_CancelSchemaExtension.html) | ds:CancelSchemaExtension | \$1 |
| [ConnectDirectory](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_ConnectDirectory.html) | `ds:ConnectDirectory` `ec2:DescribeSubnets` `ec2:DescribeVpcs` `ec2:CreateSecurityGroup` `ec2:CreateNetworkInterface` `ec2:DescribeNetworkInterfaces` `ec2:AuthorizeSecurityGroupIngress` `ec2:AuthorizeSecurityGroupEgress` `ec2:CreateTags` | \$1 |
| [CreateAlias](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_CreateAlias.html) | `ds:CreateAlias` | \$1 |
| [CreateComputer](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_CreateComputer.html) | `ds:CreateComputer` | \$1 |
| [CreateConditionalForwarder](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_CreateConditionalForwarder.html) | `ds:CreateConditionalForwarder` | \$1 |
| [CreateDirectory](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_CreateDirectory.html) | `ds:CreateDirectory` `ec2:DescribeSubnets` `ec2:DescribeVpcs` `ec2:CreateSecurityGroup` `ec2:CreateNetworkInterface` `ec2:DescribeNetworkInterfaces` `ec2:AuthorizeSecurityGroupIngress` `ec2:AuthorizeSecurityGroupEgress` `ec2:CreateTags` | \$1 |
| [CreateLogSubscription](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_CreateLogSubscription.html) | ds:CreateLogSubscription | \$1 |
| [CreateMicrosoftAD](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_CreateMicrosoftAD.html) | `ds:CreateMicrosoftAD` `ec2:DescribeSubnets` `ec2:DescribeVpcs` `ec2:CreateSecurityGroup` `ec2:CreateNetworkInterface` `ec2:DescribeNetworkInterfaces` `ec2:AuthorizeSecurityGroupIngress` `ec2:AuthorizeSecurityGroupEgress` `ec2:RevokeSecurityGroupEgress` `ec2:CreateTags` | \$1 |
| [CreateSnapshot](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_CreateSnapshot.html) | `ds:CreateSnapshot` | \$1 |
| [CreateTrust](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_CreateTrust.html) | `ds:CreateTrust` | \$1 |
| [DeleteConditionalForwarder](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DeleteConditionalForwarder.html) | `ds:DeleteConditionalForwarder` | \$1 |
| [DeleteDirectory](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DeleteDirectory.html) | `ds:DeleteDirectory` `ec2:DescribeNetworkInterfaces` `ec2:DeleteSecurityGroup` `ec2:DeleteNetworkInterface` `ec2:RevokeSecurityGroupIngress` `ec2:RevokeSecurityGroupEgress` `ec2:DeleteTags` | \$1 |
| [DeleteLogSubscription](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DeleteLogSubscription.html) | ds:DeleteLogSubscription | \$1 |
| [DeleteSnapshot](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DeleteSnapshot.html) | `ds:DeleteSnapshot` | \$1 |
| [DeleteTrust](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DeleteTrust.html) | `ds:DeleteTrust` | \$1 |
| [DeregisterEventTopic](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DeregisterEventTopic.html) | `ds:DeregisterEventTopic` | \$1 |
| [DescribeConditionalForwarders](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DescribeConditionalForwarders.html) | `ds:DescribeConditionalForwarders` | \$1 |
| [DescribeDirectories](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DescribeDirectories.html) | `ds:DescribeDirectories` | \$1 |
| [DescribeDomainControllers](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DescribeDomainControllers.html) | ds:DescribeDomainControllers | \$1 |
| [DescribeEventTopics](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DescribeEventTopics.html) | `ds:DescribeEventTopics` | \$1 |
| [DescribeSharedDirectories](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DescribeSharedDirectories.html) | ds:DescribeSharedDirectories | \$1 |
| [DescribeSnapshots](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DescribeSnapshots.html) | `ds:DescribeSnapshots` | \$1 |
| [DescribeTrusts](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DescribeTrusts.html) | `ds:DescribeTrusts` | \$1 |
| [DisableRadius](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DisableRadius.html) | `ds:DisableRadius` | \$1 |
| [DisableSso](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DisableSso.html) | `ds:DisableSso` | \$1 |
| [EnableRadius](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_EnableRadius.html) | `ds:EnableRadius` | \$1 |
| [EnableSso](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_EnableSso.html) | `ds:EnableSso` | \$1 |
| [GetDirectoryLimits](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_GetDirectoryLimits.html) | `ds:GetDirectoryLimits` | \$1 |
| [GetSnapshotLimits](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_GetSnapshotLimits.html) | `ds:GetSnapshotLimits` | \$1 |
| [ListIpRoutes](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_ListIpRoutes.html) | `ds:ListIpRoutes` | \$1 |
| [ListLogSubscriptions](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_ListLogSubscriptions.html) | ds:ListLogSubscriptions | \$1 |
| [ListSchemaExtensions](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_ListSchemaExtensions.html) | `ds:ListSchemaExtensions` | \$1 |
| [ListTagsForResource](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_ListTagsForResource.html) | `ds:ListTagsForResource` | \$1 |
| [RegisterEventTopic](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_RegisterEventTopic.html) | `ds:RegisterEventTopic` `sns:GetTopicAttributes` | \$1 |
| [RejectSharedDirectory](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_RejectSharedDirectory.html) | ds:RejectSharedDirectory | \$1 |
| [RemoveIpRoutes](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_RemoveIpRoutes.html) | `ds:RemoveIpRoutes` | \$1 |
| [RemoveTagsFromResource](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_RemoveTagsFromResource.html) | `ds:RemoveTagsFromResource` `ec2:DeleteTags` | \$1 |
| [ResetUserPassword](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_ResetUserPassword.html) | ds:ResetUserPassword | \$1 |
| [RestoreFromSnapshot](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_RestoreFromSnapshot.html) | `ds:RestoreFromSnapshot` | \$1 |
| [ShareDirectory](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_ShareDirectory.html) | `ds:ShareDirectory` `organizations:DescribeAccount` `organizations:DescribeOrganization` `organizations:ListAWSServiceAccessForOrganization` | \$1 |
| [StartSchemaExtension](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_StartSchemaExtension.html) | `ds:StartSchemaExtension` | \$1 |
| [UnshareDirectory](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_UnshareDirectory.html) | ds:UnshareDirectory | \$1 |
| [UpdateConditionalForwarder](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_UpdateConditionalForwarder.html) | `ds:UpdateConditionalForwarder` | \$1 |
| [UpdateNumberOfDomainControllers](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_UpdateNumberOfDomainControllers.html) | `ds:UpdateNumberOfDomainControllers` `ec2:DescribeSubnets` `ec2:DescribeVpcs` `ec2:CreateNetworkInterface` `ec2:DescribeNetworkInterfaces` `ec2:DeleteNetworkInterface` | \$1 |
| [UpdateRadius](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_UpdateRadius.html) | `ds:UpdateRadius` | \$1 |
| [UpdateTrust](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_UpdateTrust.html) | ds:UpdateTrust | \$1 |
| [VerifyTrust](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_VerifyTrust.html) | `ds:VerifyTrust` | \$1 |
## AWS Directory Service Data API and required permissions for actions
**Note**
To specify an action, use the `ds-data:` prefix followed by the name of the API operation (for example, `ds-data:AddGroupMember`).
| Directory Service Data API Operations | Required Permissions (API Actions) | Resources |
| --- | --- | --- |
| [AddGroupMember](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_AddGroupMember.html) | `ds-data:AddGroupMember` | \$1 |
| [CreateGroup](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_CreateGroup.html) | `ds-data:CreateGroup` | \$1 |
| [CreateUser](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_CreateUser.html) | `ds-data:CreateUser` | \$1 |
| [DeleteGroup](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_DeleteGroup.html) | `ds-data:DeleteGroup` | \$1 |
| [DeleteUser](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/DeleteUser.html) | `ds-data:DeleteUser` | \$1 |
| [DescribeGroup](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_DescribeGroup.html) | `ds-data:DescribeGroup` | \$1 |
| [DescribeUser](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_DescribeUser.html) | `ds-data:DescribeUser` | \$1 |
| [DisableUser](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_DisableUser.html) | `ds-data:DisableUser` | \$1 |
| [ListGroups](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_ListGroups.html) | `ds-data:ListGroups` | \$1 |
| [ListGroupMembers](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_ListGroupMembers.html) | `ds-data:ListGroupMembers` | \$1 |
| [ListGroupsForMember](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_ListGroupsForMember.html) | `ds-data:ListGroupsForMember` | \$1 |
| [ListUsers](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_ListUsers.html) | `ds-data:ListUsers` | \$1 |
| [RemoveGroupMember](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_RemoveGroupMember.html) | `ds-data:RemoveGroupMember` | \$1 |
| [SearchGroups](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_SearchGroups.html) | `ds-data:DescribeGroup` `ds-data:SearchGroups` | \$1 |
| [SearchUsers](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_SearchUsers.html) | `ds-data:DescribeUser` `ds-data:SearchUsers` | \$1 |
| [UpdateGroup](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_UpdateGroup.html) | `ds-data:UpdateGroup` | \$1 |
| [UpdateUser](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_UpdateUser.html) | `ds-data:UpdateUser` | \$1 |
## Related Topics
+ [Access control](iam_auth_access.md#access_control)