Actions, resources, and condition keys for Amazon DataZone - Service Authorization Reference

Actions, resources, and condition keys for Amazon DataZone

Amazon DataZone (service prefix: datazone) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions defined by Amazon DataZone

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note

Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The Condition keys column of the Resource types table lists the resource condition keys that apply to an action when it is used with that resource type.

For details about the columns in the following table, see Actions table.

Actions Description Access level Resource types (*required) Condition keys Dependent actions
AcceptPredictions Grants permission to accept predictions Write
AcceptSubscriptionRequest Grants permission to approve a subscription request for a Data Asset Write
AddEntityOwner Grants permission to add an owner to an entity like domain unit Write
AddPolicyGrant Grants permission to add a policy grant Write
AssociateEnvironmentRole Grants permission to associate a role in a default service blueprint environment Write
BatchDeleteLinkedTypes [permission only] Grants permission to remove linked type items from an Amazon DataZone Domain Write

domain*

BatchPutLinkedTypes [permission only] Grants permission to put linked type items to an Amazon DataZone Domain Write

domain*

CancelMetadataGenerationRun Grants permission to cancel metadata generation run Write
CancelSubscription Grants permission to revoke or unsubscribe an approved subscription to Data Asset Write
CreateAsset Grants permission to create asset Write
CreateAssetFilter Grants permission to create asset filter Write
CreateAssetRevision Grants permission to create new revision of an asset Write
CreateAssetType Grants permission to create an asset type Write
CreateConnection Grants permission to create connections Write
CreateDataProduct Grants permission to create data product Write
CreateDataProductRevision Grants permission to create data product revision Write
CreateDataSource Grants permission to create a new DataSource Write
CreateDomain Grants permission to provision a domain, which is a top-level entity that contains other Amazon DataZone resources Write

aws:RequestTag/${TagKey}

aws:TagKeys

CreateDomainUnit Grants permission to create a domain unit Write
CreateEnvironment Grants permission to create a collection of configured resources used to publish and subscribe to data Write
CreateEnvironmentAction Grants permission to create an environment action in a default service blueprint environment Write
CreateEnvironmentBlueprint [permission only] Grants permission to create a custom Environment Blueprint that allows users to add Environments to their Project Write
CreateEnvironmentProfile Grants permission to create a template from a Blueprint that can be used to create an Environment Write
CreateFormType Grants permission to create a form type or a new revision of it Write
CreateGlossary Grants permission to create a business glossary Write
CreateGlossaryTerm Grants permission to create a glossary term Write
CreateGroupProfile Grants permission to create a DataZone group profile for an IAM Identity Center group Write
CreateListingChangeSet Grants permission to create listing change set Write
CreateProject Grants permission to create a Project to enable your team to publish and subscribe to data Write
CreateProjectMembership Grants permission to add a user to a Project Write
CreateProjectProfile Grants permission to create a project profile Write
CreateRule Grants permission to create rule Write
CreateSubscriptionGrant Grants permission to create a grant for an approved subscription on a subscription target Write
CreateSubscriptionRequest Grants permission to create a subscription request for a Data Asset Write
CreateSubscriptionTarget Grants permission to create a subscription target for an Environment in the project Write
CreateUserProfile Grants permission to create a user profile for an existing user in the customer's IAM Identity Center Write
DeleteAsset Grants permission to delete an asset Write
DeleteAssetFilter Grants permission to delete asset filter Write
DeleteAssetType Grants permission to delete an asset type Write
DeleteConnection Grants permission to delete connections Write
DeleteDataProduct Grants permission to delete data product Write
DeleteDataSource Grants permission to delete an existing DataSource Write
DeleteDomain Grants permission to delete a provisioned domain Write

domain*

DeleteDomainSharingPolicy [permission only] Grants permission to delete a resource policy for a DataZone Domain Permissions management
DeleteDomainUnit Grants permission to delete an existing domain unit Write
DeleteEnvironment Grants permission to Delete Environment Write
DeleteEnvironmentAction Grants permission to delete an environment action in a default service blueprint environment Write
DeleteEnvironmentBlueprint [permission only] Grants permission to delete Environment Blueprint Write
DeleteEnvironmentBlueprintConfiguration Grants permission to delete environment blueprint configuration Write
DeleteEnvironmentProfile Grants permission to delete Environment Profile Write
DeleteFormType Grants permission to delete a form type Write
DeleteGlossary Grants permission to delete a business glossary Write
DeleteGlossaryTerm Grants permission to delete a glossary term Write
DeleteListing Grants permission to delete listing Write
DeleteProject Grants permission to delete a Project that enables your team to publish and subscribe to data Write
DeleteProjectMembership Grants permission to remove a user from a project Write
DeleteProjectProfile Grants permission to delete a project profile Write
DeleteRule Grants permission to delete rule Write
DeleteSubscriptionGrant Grants permission to delete a subscription grant from a subscription target Write
DeleteSubscriptionRequest Grants permission to delete a pending subscription request for a Data Asset Write
DeleteSubscriptionTarget Grants permission to delete a subscription target from an Environment in the project Write
DeleteTimeSeriesDataPoints Grants permission to delete existing TimeSeriesDataPoints Write
DisassociateEnvironmentRole Grants permission to disassociate a role in a default service blueprint environment Write
GetAsset Grants permission to retrieve an asset Read
GetAssetFilter Grants permission to get asset filter Read
GetAssetType Grants permission to get an asset type Read
GetConnection Grants permission to get connections Read
GetDataProduct Grants permission to get data product Read
GetDataSource Grants permission to get an existing DataSource in Amazon DataZone using its identifier Read
GetDataSourceRun Grants permission to get a DataSource run job in Amazon DataZone using its identifier Read
GetDomain Grants permission to retrieve information about a domain Read

domain*

GetDomainExecutionRoleCredentials [permission only] Grants permission to use features that require access to domain execution role credentials Read
GetDomainSharingPolicy [permission only] Grants permission to retrieve a resource policy for a DataZone Domain Read
GetDomainUnit Grants permission to get an existing domain unit Read
GetEnvironment Grants permission to get Environment details Read
GetEnvironmentAction Grants permission to get an environment action in a default service blueprint environment Read
Grants permission to get environment action link Read
GetEnvironmentBlueprint Grants permission to get Environment Blueprint details Read
GetEnvironmentBlueprintConfiguration Grants permission to get environment blueprint configuration Read
GetEnvironmentCredentials Grants permission to get short term credentials that assume the Environment user role Read
GetEnvironmentProfile Grants permission to get Environment Profile details Read
GetFormType Grants permission to get a form type Read
GetGlossary Grants permission to get a business glossary Read
GetGlossaryTerm Grants permission to get a glossary term Read
GetGroupProfile Grants permission to retrieve an existing DataZone group profile Read
GetIamPortalLoginUrl Grants permission to an IAM principal to log into the DataZone Portal Permissions management
GetJobRun Grants permission to get job runs Read
GetLineageEvent Grants permission to get lineage events Read
GetLineageNode Grants permission to get the lineage node Read
GetListing Grants permission to get listing Read
GetMetadataGenerationRun Grants permission to get metadata generation run Read
GetProject Grants permission to get Project details Read
GetProjectProfile Grants permission to get project profile details Read
GetRule Grants permission to get rule Read
GetSubscription Grants permission to retrieve a subscription Read
GetSubscriptionEligibility [permission only] Grants permission to get subscription eligibility Read
GetSubscriptionGrant Grants permission to retrieve a subscription grant Read
GetSubscriptionRequestDetails Grants permission to retrieve the details of a subscription request for a Data Asset Read
GetSubscriptionTarget Grants permission to retrieve details of a subscription target Read
GetTimeSeriesDataPoint Grants permission to get an existing TimeSeriesDataPoint in Amazon DataZone using its identifier Read
GetUserProfile Grants permission to retrieve a user profile for an existing user in the DataZone Domain Read
ListAccountEnvironments Grants permission to list Environments across all domains in an AWS Account List
ListAssetFilters Grants permission to list asset filters List
ListAssetRevisions Grants permission to list revisions of an asset List
ListConnections Grants permission to list connections List
ListDataProductRevisions Grants permission to list data product revisions List
ListDataSourceRunActivities Grants permission to list a DataSource run job's activities on an Asset List
ListDataSourceRuns Grants permission to list DataSource run jobs List
ListDataSources Grants permission to list existing DataSources List
ListDomainUnitsForParent Grants permission to list child domain units for a given parent domain unit List
ListDomains Grants permission to retrieve all domains List
ListEntityOwners Grants permission to list owners of an entity like domain unit List
ListEnvironmentActions Grants permission to list environment actions in a default service blueprint environment List
ListEnvironmentBlueprintConfigurationSummaries [permission only] Grants permission to list environment blueprint configuration summaries List
ListEnvironmentBlueprintConfigurations Grants permission to list environment blueprint configurations List
ListEnvironmentBlueprints Grants permission to list Environment Blueprints in a Domain List
ListEnvironmentProfiles Grants permission to list Environment Profiles in a Domain List
ListEnvironments Grants permission to list Environments in the Domain List
ListGroupsForUser Grants permission to list all the DataZone group profiles that the DataZone user profile is a member of List
ListJobRuns Grants permission to list job runs List
ListLineageEvents Grants permission to list lineage events List
ListLineageNodeHistory Grants permission to list historical versions of lineage node List
ListLinkedTypes [permission only] Grants permission to list linked type items linked to an Amazon DataZone Domain List

domain*

ListMetadataGenerationRuns Grants permission to list metadata generation runs List
ListNotifications Grants permission to list notifications and events for a datazone user List
ListPolicyGrants Grants permission to list policy grants List
ListProjectMemberships Grants permission to list Project Members List
ListProjectProfiles Grants permission to list project profiles List
ListProjects Grants permission to list Projects List
ListRules Grants permission to list rules List
ListSubscriptionGrants Grants permission to list subscription grants for a subscribed principal List
ListSubscriptionRequests Grants permission to list subscription requests List
ListSubscriptionTargets Grants permission to list subscription targets List
ListSubscriptions Grants permission to list subscriptions List
ListTagsForResource Grants permission to retrieve all tags associated with a resource Read

domain

ListTimeSeriesDataPoints Grants permission to list existing TimeSeriesDataPoints List
ListWarehouseMetadata [permission only] Grants permission to list available Manager Secrets List
PostLineageEvent Grants permission to post lineage events Write
PostTimeSeriesDataPoints Grants permission to post new TimeSeriesDataPoints Write
ProvisionDomain [permission only] Grants permission to provision domain with default project setup Write
PutDomainSharingPolicy [permission only] Grants permission to add a resource policy for a DataZone Domain Permissions management
PutEnvironmentBlueprintConfiguration Grants permission to put environment blueprint configuration Write
RefreshToken [permission only] Grants permission to refresh token Write
RejectPredictions Grants permission to reject predictions Write
RejectSubscriptionRequest Grants permission to reject a subscription request for a Data Asset Write
RemoveEntityOwner Grants permission to remove an existing owner of an entity like domain unit Write
RemovePolicyGrant Grants permission to remove a policy grant Write
RevokeSubscription Grants permission to revoke a subscription Write
Grants permission to search datazone entities List
SearchGroupProfiles Grants permission to search DataZone group profiles and IAM Identity Center groups List
SearchListings Grants permission to search listings List
SearchRules [permission only] Grants permission to search rules List
SearchTypes Grants permission to search types such as asset types and form types in a domain List
SearchUserProfiles Grants permission to search DataZone user profiles, IAM Identity Center users, and DataZone IAM principal profiles List
SsoLogin [permission only] Grants permission to login using SSO Write
SsoLogout [permission only] Grants permission to logout as SSO user Write
StartDataSourceRun Grants permission to start a DataSource run job Write
StartMetadataGenerationRun Grants permission to start metadata generation run Write
StopMetadataGenerationRun Grants permission to stop metadata generation run Write
TagResource Grants permission to add or update tags on a resource Tagging

domain*

aws:RequestTag/${TagKey}

aws:TagKeys

UntagResource Grants permission to remove tags associated with a resource Tagging

domain*

aws:TagKeys

UpdateAssetFilter Grants permission to update asset filter Write
UpdateConnection Grants permission to update connections Write
UpdateDataSource Grants permission to update existing DataSource Write
UpdateDataSourceRunActivities [permission only] Grants permission to update data source run activities Write
UpdateDomain Grants permission to update information for a domain Write

domain*

UpdateDomainUnit Grants permission to update an existing domain unit Write
UpdateEnvironment Grants permission to update Environment settings Write
UpdateEnvironmentAction Grants permission to update an environment action in a default service blueprint environment Write
UpdateEnvironmentBlueprint [permission only] Grants permission to update Environment Blueprint settings Write
UpdateEnvironmentConfiguration [permission only] Grants permission to update environment configuration Write
UpdateEnvironmentDeploymentStatus [permission only] Grants permission to update status of the Environment deployment Write
UpdateEnvironmentProfile Grants permission to update EnvironmentProfile configuration Write
UpdateGlossary Grants permission to update a business glossary Write
UpdateGlossaryTerm Grants permission to update a glossary term Write
UpdateGroupProfile Grants permission to update a DataZone group profile Write
UpdateProject Grants permission to update a Project that enables your team to publish and subscribe to data Write
UpdateProjectProfile Grants permission to update a project profile Write
UpdateRule Grants permission to update rule Write
UpdateSubscriptionGrantStatus Grants permission to update a subscription grant status for custom grants Write
UpdateSubscriptionRequest Grants permission to update business reason for subscription request for a Data Asset Write
UpdateSubscriptionTarget Grants permission to update a subscription target Write
UpdateUserProfile Grants permission to update a DataZone user profile Write
ValidatePassRole [permission only] Grants permission to validate pass role Write
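The most common mistake with a table like the one above is scoping an action that has an empty Resource types column to a domain ARN: IAM does not reject the statement, it simply never matches, and the principal is silently denied. The following added example (not AWS code; the sample policy, account number and domain identifier are constructed placeholders) encodes the resource-type and condition-key columns from the Actions table above and lints policy statements against them, flagging actions that only match Resource "*", domain* actions with no domain ARN, malformed domain ARNs, and condition keys that an action never supplies.

```python
"""Lint IAM statements for Amazon DataZone against the Actions table above:
which actions take a domain ARN, which only match Resource "*", and which
condition keys each action actually supplies."""
import json
import re
from typing import Dict, List

# Actions whose Resource types column lists domain* (required).
DOMAIN_REQUIRED = {
    "datazone:BatchDeleteLinkedTypes", "datazone:BatchPutLinkedTypes",
    "datazone:DeleteDomain", "datazone:GetDomain", "datazone:ListLinkedTypes",
    "datazone:TagResource", "datazone:UntagResource", "datazone:UpdateDomain",
}
# Domain listed without an asterisk (optional).
DOMAIN_OPTIONAL = {"datazone:ListTagsForResource"}
# Action-level condition keys from the table.
SUPPORTS_REQUEST_TAG = {"datazone:CreateDomain", "datazone:TagResource"}
SUPPORTS_TAG_KEYS = {"datazone:CreateDomain", "datazone:TagResource", "datazone:UntagResource"}

# arn:${Partition}:datazone:${Region}:${Account}:domain/${DomainId}, with wildcards
# permitted in region, account and id so that patterns such as domain/* are accepted.
DOMAIN_ARN = re.compile(r"^arn:[a-z-]+:datazone:[a-z0-9*-]*:(\d{12}|\*):domain/[^/:]+$")


def _as_list(value) -> List[str]:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_statement(stmt: Dict) -> List[str]:
    """Return findings for one statement; an empty list means it is consistent with the table."""
    findings: List[str] = []
    actions = _as_list(stmt.get("Action"))
    resources = _as_list(stmt.get("Resource"))
    has_wildcard = "*" in resources
    has_domain_arn = any(DOMAIN_ARN.match(r) for r in resources)
    cond_keys = {k for ops in stmt.get("Condition", {}).values() for k in ops}

    for res in resources:
        if res != "*" and not DOMAIN_ARN.match(res):
            findings.append(f"Resource {res!r} is not a DataZone domain ARN "
                            "(arn:${Partition}:datazone:${Region}:${Account}:domain/${DomainId})")

    for action in actions:
        if not action.startswith("datazone:") or "*" in action:
            findings.append(f"{action}: wildcard or non-DataZone action, expand it before linting")
            continue
        if action in DOMAIN_REQUIRED:
            if not (has_wildcard or has_domain_arn):
                findings.append(f"{action} requires a domain resource but no domain ARN or \"*\" is listed")
        elif action not in DOMAIN_OPTIONAL and not has_wildcard:
            # Every other action on the page has an empty Resource types column.
            findings.append(f"{action} supports no resource types; with Resource {resources} "
                            "this statement never matches. Use Resource \"*\".")
        for key in cond_keys:
            if key.startswith("aws:RequestTag/") and action not in SUPPORTS_REQUEST_TAG:
                findings.append(f"{action} does not supply {key}; an Allow conditioned on it never applies")
            elif key == "aws:TagKeys" and action not in SUPPORTS_TAG_KEYS:
                findings.append(f"{action} does not supply aws:TagKeys; an Allow conditioned on it never applies")
            elif key.startswith("aws:ResourceTag/") and action not in DOMAIN_REQUIRED | DOMAIN_OPTIONAL:
                findings.append(f"{action} has no tagged resource, so {key} is never in its request context")
    return findings


def lint_policy(policy: Dict) -> Dict[str, List[str]]:
    return {s.get("Sid", f"Statement{i}"): lint_statement(s)
            for i, s in enumerate(policy["Statement"])}


# Constructed sample policy; the account and domain identifiers are placeholders.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Consistent: domain* action on one domain ARN, narrowed by a resource tag.
            "Sid": "ReadProdDomain",
            "Effect": "Allow",
            "Action": ["datazone:GetDomain", "datazone:ListTagsForResource"],
            "Resource": "arn:aws:datazone:us-east-1:123456789012:domain/dzd_exampleid",
            "Condition": {"StringEquals": {"aws:ResourceTag/env": "prod"}},
        },
        {   # Silently useless: CreateAsset has no resource type, so a domain ARN never matches.
            "Sid": "CreateAssetsInDomain",
            "Effect": "Allow",
            "Action": "datazone:CreateAsset",
            "Resource": "arn:aws:datazone:us-east-1:123456789012:domain/dzd_exampleid",
        },
        {   # Wrong key: CreateDomain supports aws:RequestTag and aws:TagKeys, not aws:ResourceTag.
            "Sid": "CreateTaggedDomain",
            "Effect": "Allow",
            "Action": "datazone:CreateDomain",
            "Resource": "*",
            "Condition": {"StringEquals": {"aws:ResourceTag/env": "prod"}},
        },
    ],
}

if __name__ == "__main__":
    print(json.dumps(lint_policy(SAMPLE_POLICY), indent=2))
```

Run it against a policy document before deploying it; the second and third statements each produce one finding, while the first is clean. The table encoded in the script covers only the rows on this page, so re-check it against the current Service Authorization Reference whenever DataZone adds resource types.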

Resource types defined by Amazon DataZone

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.

Resource types ARN Condition keys
domain arn:${Partition}:datazone:${Region}:${Account}:domain/${DomainId}

aws:ResourceTag/${TagKey}

Condition keys for Amazon DataZone

Amazon DataZone defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys Description Type
aws:RequestTag/${TagKey} Filters access by the tags that are passed in the request String
aws:ResourceTag/${TagKey} Filters access by the tags associated with the resource String
aws:TagKeys Filters access by the tag keys that are passed in the request ArrayOfString
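The three keys above behave differently depending on the operator in front of them, and aws:TagKeys in particular is multi-valued: it must be used with ForAllValues or ForAnyValue, and ForAllValues is true for a request that carries no tags at all, which turns a "only these tag keys" Allow on CreateDomain into "any untagged domain is fine". The following added example (not AWS code; the condition blocks and tag values are constructed) evaluates these keys against a request context the way IAM does for one statement, including that empty-set behaviour and the Null operator used to close it.

```python
"""Evaluate the tag condition keys on this page (aws:RequestTag/<key>,
aws:ResourceTag/<key>, aws:TagKeys) against a request context the way IAM
does for a single statement, including the ForAllValues empty-set behaviour."""
from fnmatch import fnmatchcase
from typing import Dict, List, Optional


def build_context(request_tags: Dict[str, str], resource_tags: Dict[str, str]) -> Dict[str, List[str]]:
    """Request context as IAM populates it: keys are case-insensitive, absent keys are missing."""
    ctx: Dict[str, List[str]] = {}
    for k, v in request_tags.items():
        ctx[f"aws:requesttag/{k.lower()}"] = [v]
    for k, v in resource_tags.items():
        ctx[f"aws:resourcetag/{k.lower()}"] = [v]
    if request_tags:  # aws:TagKeys exists only when the request carries tags
        ctx["aws:tagkeys"] = list(request_tags)
    return ctx


def _compare(op: str, expected: str, actual: str) -> bool:
    if op == "StringEquals":
        return expected == actual
    if op == "StringNotEquals":
        return expected != actual
    if op == "StringEqualsIgnoreCase":
        return expected.lower() == actual.lower()
    if op == "StringLike":
        return fnmatchcase(actual, expected)
    raise ValueError(f"operator {op} is not modelled here")


def evaluate(condition: Dict[str, Dict[str, object]], ctx: Dict[str, List[str]]) -> bool:
    """Every operator block and every key inside it must be true (logical AND)."""
    for op, pairs in condition.items():
        set_op, base = "", op
        if op.startswith(("ForAllValues:", "ForAnyValue:")):
            set_op, base = op.split(":", 1)
        for key, expected in pairs.items():
            expected_values = [str(e) for e in (expected if isinstance(expected, list) else [expected])]
            actual: Optional[List[str]] = ctx.get(key.lower())
            if base == "Null":
                # Null "true" => key must be absent; Null "false" => key must be present.
                ok = (actual is None) == (expected_values[0].lower() == "true")
            elif actual is None:
                # A missing key is false for every operator except ForAllValues, which is
                # vacuously true over an empty set: the well-known pitfall in Allow statements.
                ok = set_op == "ForAllValues"
            elif set_op == "ForAllValues":
                ok = all(any(_compare(base, e, a) for e in expected_values) for a in actual)
            elif set_op == "ForAnyValue":
                ok = any(_compare(base, e, a) for e in expected_values for a in actual)
            else:  # plain operator on a single-valued key such as aws:RequestTag/env
                ok = any(_compare(base, e, a) for e in expected_values for a in actual)
            if not ok:
                return False
    return True


# Constructed conditions for datazone:CreateDomain, which supports aws:RequestTag and
# aws:TagKeys but has no resource type (so aws:ResourceTag is unavailable there).
ALLOWED_KEYS_ONLY = {"ForAllValues:StringEquals": {"aws:TagKeys": ["env", "owner"]}}
KEYS_AND_ENV_PRESENT = {
    "ForAllValues:StringEquals": {"aws:TagKeys": ["env", "owner"]},
    "Null": {"aws:RequestTag/env": "false"},
}
ENV_PROD_OR_DEV = {"StringEquals": {"aws:RequestTag/env": ["prod", "dev"]}}
# Constructed condition for a domain* action such as datazone:GetDomain.
PROD_DOMAINS_ONLY = {"StringEquals": {"aws:ResourceTag/env": "prod"}}


def check_create_domain(condition: Dict, request_tags: Dict[str, str]) -> bool:
    return evaluate(condition, build_context(request_tags, {}))


def check_domain_access(condition: Dict, resource_tags: Dict[str, str]) -> bool:
    return evaluate(condition, build_context({}, resource_tags))


if __name__ == "__main__":
    print("untagged CreateDomain passes ForAllValues alone:",
          check_create_domain(ALLOWED_KEYS_ONLY, {}))
    print("untagged CreateDomain fails once Null requires env:",
          check_create_domain(KEYS_AND_ENV_PRESENT, {}))
```

For an Allow, pair ForAllValues:StringEquals on aws:TagKeys with a Null "false" (or a StringEquals) on the tag you require, as KEYS_AND_ENV_PRESENT does; for resource access, aws:ResourceTag/${TagKey} is only evaluated for actions that list the domain resource type, which on this page means the domain* rows and ListTagsForResource.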