Actions, resources, and condition keys for Amazon DataZone
Amazon DataZone (service prefix: datazone) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.
References:
- Learn how to configure this service.
- View a list of the API operations available for this service.
- Learn how to secure this service and its resources by using IAM permission policies.
Actions defined by Amazon DataZone
You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.
The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.
The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.
Note
Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.
For details about the columns in the following table, see Actions table.
Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
---|---|---|---|---|---|
AcceptPredictions | Grants permission to accept prediction | Write | |||
AcceptSubscriptionRequest | Grants permission to approve a subscription request for a Data Asset | Write | |||
AddEntityOwner | Grants permission to add an owner to an entity like domain unit | Write | |||
AddPolicyGrant | Grants permission to add a policy grant | Write | |||
AssociateEnvironmentRole | Grants permission to associate a role in a default service blueprint environment | Write | |||
BatchDeleteLinkedTypes [permission only] | Grants permission to remove linked type items from an Amazon DataZone Domain | Write | |||
BatchPutLinkedTypes [permission only] | Grants permission to put linked type items to an Amazon DataZone Domain | Write | |||
CancelMetadataGenerationRun | Grants permission to cancel metadata generation run | Write | |||
CancelSubscription | Grants permission to revoke or unsubscribe an approved subscription to Data Asset | Write | |||
CreateAsset | Grants permission to create asset | Write | |||
CreateAssetFilter | Grants permission to create asset filter | Write | |||
CreateAssetRevision | Grants permission to create new revision of an asset | Write | |||
CreateAssetType | Grants permission to create an asset type | Write | |||
CreateConnection | Grants permission to create connections | Write | |||
CreateDataProduct | Grants permission to create data product | Write | |||
CreateDataProductRevision | Grants permission to create data product revision | Write | |||
CreateDataSource | Grants permission to create a new DataSource | Write | |||
CreateDomain | Grants permission to provision a domain which is a top level entity that contains other Amazon DataZone resources | Write | |||
CreateDomainUnit | Grants permission to create a domain unit | Write | |||
CreateEnvironment | Grants permission to create a collection of configured resources used to publish and subscribe to data | Write | |||
CreateEnvironmentAction | Grants permission to create an environment action in a default service blueprint environment | Write | |||
CreateEnvironmentBlueprint [permission only] | Grants permission to create a custom Environment Blueprint that allows users to add Environments to their Project | Write | |||
CreateEnvironmentProfile | Grants permission to create a template from a Blueprint that can be used to create an Environment | Write | |||
CreateFormType | Grants permission to create a form type or a new revision of it | Write | |||
CreateGlossary | Grants permission to create a business glossary | Write | |||
CreateGlossaryTerm | Grants permission to create a glossary term | Write | |||
CreateGroupProfile | Grants permission to create a DataZone group profile for an IAM Identity Center group | Write | |||
CreateListingChangeSet | Grants permission to create listing change set | Write | |||
CreateProject | Grants permission to create a Project to enable your team to publish and subscribe to data | Write | |||
CreateProjectMembership | Grants permission to add a user to a Project | Write | |||
CreateProjectProfile | Grants permission to create a project profile | Write | |||
CreateRule | Grants permission to create rule | Write | |||
CreateSubscriptionGrant | Grants permission to create a grant for an approved subscription on a subscription target | Write | |||
CreateSubscriptionRequest | Grants permission to create a subscription request for a Data Asset | Write | |||
CreateSubscriptionTarget | Grants permission to create a subscription target for an Environment in the project | Write | |||
CreateUserProfile | Grants permission to create a user profile for an existing user in the customer's IAM Identity Center | Write | |||
DeleteAsset | Grants permission to delete an asset | Write | |||
DeleteAssetFilter | Grants permission to delete asset filter | Write | |||
DeleteAssetType | Grants permission to delete an asset type | Write | |||
DeleteConnection | Grants permission to delete connections | Write | |||
DeleteDataProduct | Grants permission to delete data product | Write | |||
DeleteDataSource | Grants permission to update existing DataSource | Write | |||
DeleteDomain | Grants permission to delete a provisioned domain | Write | |||
DeleteDomainSharingPolicy [permission only] | Grants permission to delete a resource policy for a DataZone Domain | Permissions management | |||
DeleteDomainUnit | Grants permission to delete an existing domain unit | Write | |||
DeleteEnvironment | Grants permission to Delete Environment | Write | |||
DeleteEnvironmentAction | Grants permission to delete an environment action in a default service blueprint environment | Write | |||
DeleteEnvironmentBlueprint [permission only] | Grants permission to delete Environment Blueprint | Write | |||
DeleteEnvironmentBlueprintConfiguration | Grants permission to delete environment blueprint configuration | Write | |||
DeleteEnvironmentProfile | Grants permission to delete Environment Profile | Write | |||
DeleteFormType | Grants permission to delete a form type | Write | |||
DeleteGlossary | Grants permission to delete a business glossary | Write | |||
DeleteGlossaryTerm | Grants permission to delete a glossary term | Write | |||
DeleteListing | Grants permission to delete listing | Write | |||
DeleteProject | Grants permission to delete a Project that enables your team to publish and subscribe to data | Write | |||
DeleteProjectMembership | Grants permission to remove a user from a project | Write | |||
DeleteProjectProfile | Grants permission to delete a project profile | Write | |||
DeleteRule | Grants permission to delete rule | Write | |||
DeleteSubscriptionGrant | Grants permission to delete a subscription grant from a subscription target | Write | |||
DeleteSubscriptionRequest | Grants permission to delete a pending subscription request for a Data Asset | Write | |||
DeleteSubscriptionTarget | Grants permission to delete a subscription target from an Environment in the project | Write | |||
DeleteTimeSeriesDataPoints | Grants permission to delete existing TimeSeriesDataPoints | Write | |||
DisassociateEnvironmentRole | Grants permission to disassociate a role in a default service blueprint environment | Write | |||
GetAsset | Grants permission to retrieve an asset | Read | |||
GetAssetFilter | Grants permission to get asset filter | Read | |||
GetAssetType | Grants permission to get an asset type | Read | |||
GetConnection | Grants permission to get connections | Read | |||
GetDataProduct | Grants permission to get data product | Read | |||
GetDataSource | Grants permission to get an existing DataSource in Amazon DataZone using its identifier | Read | |||
GetDataSourceRun | Grants permission to get a DataSource run job in Amazon DataZone using its identifier | Read | |||
GetDomain | Grants permission to retrieve information about a domain | Read | |||
GetDomainExecutionRoleCredentials [permission only] | Grants permission to use features that require access to domain execution role credentials | Read | |||
GetDomainSharingPolicy [permission only] | Grants permission to retrieve a resource policy for a DataZone Domain | Read | |||
GetDomainUnit | Grants permission to get an existing domain unit | Read | |||
GetEnvironment | Grants permission to get Environment details | Read | |||
GetEnvironmentAction | Grants permission to get an environment action in a default service blueprint environment | Read | |||
GetEnvironmentActionLink [permission only] | Grants permission to get environment action link | Read | |||
GetEnvironmentBlueprint | Grants permission to get Environment Blueprint details | Read | |||
GetEnvironmentBlueprintConfiguration | Grants permission to get environment blueprint configuration | Read | |||
GetEnvironmentCredentials | Grants permission to get short term credentials that assume the Environment user role | Read | |||
GetEnvironmentProfile | Grants permission to get Environment Profile details | Read | |||
GetFormType | Grants permission to get a form type | Read | |||
GetGlossary | Grants permission to get a business glossary | Read | |||
GetGlossaryTerm | Grants permission to get a glossary term | Read | |||
GetGroupProfile | Grants permission to retrieve an existing DataZone group profile | Read | |||
GetIamPortalLoginUrl | Grants permission to an IAM principal to log into the DataZone Portal | Permissions management | |||
GetJobRun | Grants permission to get job runs | Read | |||
GetLineageEvent | Grants permission to get lineage events | Read | |||
GetLineageNode | Grants permission to get the lineage node | Read | |||
GetListing | Grants permission to get listing | Read | |||
GetMetadataGenerationRun | Grants permission to get metadata generation run | Read | |||
GetProject | Grants permission to get Project details | Read | |||
GetProjectProfile | Grants permission to get project profile details | Read | |||
GetRule | Grants permission to get rule | Read | |||
GetSubscription | Grants permission to retrieve a subscription | Read | |||
GetSubscriptionEligibility [permission only] | Grants permission to get subscription eligibility | Read | |||
GetSubscriptionGrant | Grants permission to retrieve a subscription grant | Read | |||
GetSubscriptionRequestDetails | Grants permission to reject a subscription request for a Data Asset | Read | |||
GetSubscriptionTarget | Grants permission to retrieve details of a subscription target | Read | |||
GetTimeSeriesDataPoint | Grants permission to get an existing TimeSeriesDataPoints in Amazon DataZone using its identifier | Read | |||
GetUserProfile | Grants permission to retrieve a user profile for an existing user in the DataZone Domain | Read | |||
ListAccountEnvironments | Grants permission to list Environments across all domains in an AWS Account | List | |||
ListAssetFilters | Grants permission to list asset filters | List | |||
ListAssetRevisions | Grants permission to list revisions of an asset | List | |||
ListConnections | Grants permission to list connections | List | |||
ListDataProductRevisions | Grants permission to list data product revisions | List | |||
ListDataSourceRunActivities | Grants permission to list a DataSource run job's activities on an Asset | List | |||
ListDataSourceRuns | Grants permission to list DataSource runs job | List | |||
ListDataSources | Grants permission to list existing DataSources | List | |||
ListDomainUnitsForParent | Grants permission to list child domain units for a given parent domain unit | List | |||
ListDomains | Grants permission to retrieve all domains | List | |||
ListEntityOwners | Grants permission to list owners of an entity like domain unit | List | |||
ListEnvironmentActions | Grants permission to list environment actions in a default service blueprint environment | List | |||
ListEnvironmentBlueprintConfigurationSummaries [permission only] | Grants permission to list environment blueprint configuration summaries | List | |||
ListEnvironmentBlueprintConfigurations | Grants permission to list environment blueprint configurations | List | |||
ListEnvironmentBlueprints | Grants permission to list Domain for Environment Blueprints | List | |||
ListEnvironmentProfiles | Grants permission to list Domain for Environment Profiles | List | |||
ListEnvironments | Grants permission to show Environments in the Domain | List | |||
ListGroupsForUser | Grants permission to list all the DataZone group profiles that the DataZone user profile is a member of | List | |||
ListJobRuns | Grants permission to list job runs | List | |||
ListLineageEvents | Grants permission to list lineage events | List | |||
ListLineageNodeHistory | Grants permission to list historical versions of lineage node | List | |||
ListLinkedTypes [permission only] | Grants permission to list linked type items linked to an Amazon DataZone Domain | List | |||
ListMetadataGenerationRuns | Grants permission to list metadata generation runs | List | |||
ListNotifications | Grants permission to list notifications and events for a datazone user | List | |||
ListPolicyGrants | Grants permission to list policy grants | List | |||
ListProjectMemberships | Grants permission to list Project Members | List | |||
ListProjectProfiles | Grants permission to list project profiles | List | |||
ListProjects | Grants permission to list Projects | List | |||
ListRules | Grants permission to list rules | List | |||
ListSubscriptionGrants | Grants permission to List subscription grants for a subscribed principal | List | |||
ListSubscriptionRequests | Grants permission to list subscription requests | List | |||
ListSubscriptionTargets | Grants permission to list subscription targets | List | |||
ListSubscriptions | Grants permission to list subscriptions | List | |||
ListTagsForResource | Grants permission to retrieve all tags associated with a resource | Read | |||
ListTimeSeriesDataPoints | Grants permission to list existing TimeSeriesDataPoints | List | |||
ListWarehouseMetadata [permission only] | Grants permission to list available Manager Secrets | List | |||
PostLineageEvent | Grants permission to post lineage events | Write | |||
PostTimeSeriesDataPoints | Grants permission to post a new TimeSeriesDataPoints | Write | |||
ProvisionDomain [permission only] | Grants permission to provision domain with default project setup | Write | |||
PutDomainSharingPolicy [permission only] | Grants permission to add a resource policy for a DataZone Domain | Permissions management | |||
PutEnvironmentBlueprintConfiguration | Grants permission to put environment blueprint configuration | Write | |||
RefreshToken [permission only] | Grants permission to refresh token | Write | |||
RejectPredictions | Grants permission to reject prediction | Write | |||
RejectSubscriptionRequest | Grants permission to reject a subscription request for a Data Asset | Write | |||
RemoveEntityOwner | Grants permission to remove an existing owner of an entity like domain unit | Write | |||
RemovePolicyGrant | Grants permission to remove a policy grant | Write | |||
RevokeSubscription | Grants permission to revoke a subscription | Write | |||
Search | Grants permission to search datazone entities | List | |||
SearchGroupProfiles | Grants permission to search DataZone group profiles and IAM Identity Center groups | List | |||
SearchListings | Grants permission to search listings | List | |||
SearchRules [permission only] | Grants permission to search rules | List | |||
SearchTypes | Grants permission to search types such as asset types and form types in a domain | List | |||
SearchUserProfiles | Grants permission to search DataZone user profiles, IAM Identity Center users, and DataZone IAM principal profiles | List | |||
SsoLogin [permission only] | Grants permission to login using SSO | Write | |||
SsoLogout [permission only] | Grants permission to logout as SSO user | Write | |||
StartDataSourceRun | Grants permission to start a DataSource run job | Write | |||
StartMetadataGenerationRun | Grants permission to start metadata generation run | Write | |||
StopMetadataGenerationRun | Grants permission to stop metadata generation run | Write | |||
TagResource | Grants permission to add or update tags to a resource | Tagging | |||
UntagResource | Grants permission to remove tags associated with a resource | Tagging | |||
UpdateAssetFilter | Grants permission to update asset filter | Write | |||
UpdateConnection | Grants permission to update connections | Write | |||
UpdateDataSource | Grants permission to update existing DataSource | Write | |||
UpdateDataSourceRunActivities [permission only] | Grants permission to update data source run activities | Write | |||
UpdateDomain | Grants permission to update information for a domain | Write | |||
UpdateDomainUnit | Grants permission to update an existing domain unit | Write | |||
UpdateEnvironment | Grants permission to update Environment settings | Write | |||
UpdateEnvironmentAction | Grants permission to update an environment action in a default service blueprint environment | Write | |||
UpdateEnvironmentBlueprint [permission only] | Grants permission to update Environment Blueprint settings | Write | |||
UpdateEnvironmentConfiguration [permission only] | Grants permission to update environment configuration | Write | |||
UpdateEnvironmentDeploymentStatus [permission only] | Grants permission to update status of the Environment deployment | Write | |||
UpdateEnvironmentProfile | Grants permission to update EnvironmentProfile configuration | Write | |||
UpdateGlossary | Grants permission to update a business glossary | Write | |||
UpdateGlossaryTerm | Grants permission to update a glossary term | Write | |||
UpdateGroupProfile | Grants permission to update a DataZone group profile | Write | |||
UpdateProject | Grants permission to update a Project that enables your team to publish and subscribe to data | Write | |||
UpdateProjectProfile | Grants permission to update a project profile | Write | |||
UpdateRule | Grants permission to update rule | Write | |||
UpdateSubscriptionGrantStatus | Grants permission to update a subscription grant status for custom grants | Write | |||
UpdateSubscriptionRequest | Grants permission to update business reason for subscription request for a Data Asset | Write | |||
UpdateSubscriptionTarget | Grants permission to update a subscription target | Write | |||
UpdateUserProfile | Grants permission to update a DataZone user profile | Write | |||
ValidatePassRole [permission only] | Grants permission to validate pass role | Write | |||
Resource types defined by Amazon DataZone
The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.
Resource types | ARN | Condition keys |
---|---|---|
domain | arn:${Partition}:datazone:${Region}:${Account}:domain/${DomainId} | |
Condition keys for Amazon DataZone
Amazon DataZone defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.
To view the global condition keys that are available to all services, see Available global condition keys.
Condition keys | Description | Type |
---|---|---|
aws:RequestTag/${TagKey} | Filters access by the tags that are passed in the request | String |
aws:ResourceTag/${TagKey} | Filters access by the tags associated with the resource | String |
aws:TagKeys | Filters access by the tag keys that are passed in the request | ArrayOfString |
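The following Python example is added here and is not part of the AWS reference: it ties the three tables above together by expanding the domain ARN template from the Resource types table, building a read-only policy that uses the aws:RequestTag and aws:TagKeys condition keys on TagResource, and linting a policy for wildcard grants or for the "Permissions management" and credential-returning actions listed in the Actions table. It assumes the chosen actions accept the domain resource type and these condition keys (the per-action columns are blank in this rendering of the table), and all account, region, domain and tag values are constructed placeholders.

```python
import re

# Domain ARN template from the Resource types table on this page.
DOMAIN_ARN_TEMPLATE = "arn:${Partition}:datazone:${Region}:${Account}:domain/${DomainId}"

# "Permissions management" actions from the Actions table plus the two credential-returning actions.
SENSITIVE_ACTIONS = {
    "datazone:PutDomainSharingPolicy",
    "datazone:DeleteDomainSharingPolicy",
    "datazone:GetIamPortalLoginUrl",
    "datazone:GetEnvironmentCredentials",
    "datazone:GetDomainExecutionRoleCredentials",
}

def domain_arn(partition, region, account, domain_id):
    """Fill the ${...} placeholders of the domain ARN template."""
    values = {"Partition": partition, "Region": region, "Account": account, "DomainId": domain_id}
    return re.sub(r"\$\{(\w+)\}", lambda m: values[m.group(1)], DOMAIN_ARN_TEMPLATE)

def iam_match(pattern, value):
    """IAM-style wildcard match ('*' any run, '?' one char); case-insensitive like Action matching."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def reader_policy(arn, team):
    """Read/List on one domain, plus tagging gated by aws:RequestTag and aws:TagKeys.
    Assumes these actions accept the domain resource type and these condition keys."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ReadOneDomain", "Effect": "Allow",
             "Action": ["datazone:GetDomain", "datazone:GetAsset",
                        "datazone:ListAssetRevisions", "datazone:SearchListings"],
             "Resource": arn},
            {"Sid": "TagOnlyWithTeamKey", "Effect": "Allow",
             "Action": "datazone:TagResource", "Resource": arn,
             "Condition": {"StringEquals": {"aws:RequestTag/team": team},
                           "ForAllValues:StringEquals": {"aws:TagKeys": ["team"]}}},
        ],
    }

def lint_policy(policy):
    """Return findings for Allow statements with wildcard actions, Resource '*',
    or any action pattern that covers one of SENSITIVE_ACTIONS."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        for action in actions:
            if "*" in action:
                findings.append(f"{sid}: wildcard action {action}")
            for sensitive in sorted(SENSITIVE_ACTIONS):
                if iam_match(action, sensitive):
                    findings.append(f"{sid}: grants {sensitive}")
        if "*" in resources:
            findings.append(f"{sid}: Resource is '*'")
    return findings

if __name__ == "__main__":
    arn = domain_arn("aws", "us-east-1", "111122223333", "dzd_exampledomain")  # constructed values
    print(lint_policy(reader_policy(arn, "analytics")))  # []
```

Running the linter against a statement that allows datazone:* on Resource "*" reports the wildcard, the bare resource, and each of the five sensitive actions the wildcard would cover.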