Actions, resources, and condition keys for AWS IoT FleetWise - Service Authorization Reference

Actions, resources, and condition keys for AWS IoT FleetWise

AWS IoT FleetWise (service prefix: iotfleetwise) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions defined by AWS IoT FleetWise

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note

Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see Actions table.

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
| --- | --- | --- | --- | --- | --- |
| AssociateVehicleFleet | Grants permission to associate the given vehicle to a fleet | Write | fleet*, vehicle* | | |
| BatchCreateVehicle | Grants permission to create a batch of vehicles | Write | decodermanifest*, modelmanifest*, vehicle* | aws:RequestTag/${TagKey}, aws:TagKeys | iot:CreateThing, iot:DescribeThing |
| BatchUpdateVehicle | Grants permission to update a batch of vehicles | Write | vehicle*, decodermanifest, modelmanifest | iotfleetwise:UpdateToModelManifestArn, iotfleetwise:UpdateToDecoderManifestArn | |
| CreateCampaign | Grants permission to create a campaign | Write | campaign*, fleet*, signalcatalog*, vehicle* | aws:RequestTag/${TagKey}, aws:TagKeys, iotfleetwise:DestinationArn | |
| CreateDecoderManifest | Grants permission to create a decoder manifest for an existing model | Write | decodermanifest*, modelmanifest* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateFleet | Grants permission to create a fleet | Write | fleet*, signalcatalog* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateModelManifest | Grants permission to create a model manifest definition | Write | modelmanifest*, signalcatalog* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateSignalCatalog | Grants permission to create a signal catalog | Write | signalcatalog* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateStateTemplate | Grants permission to create a state template | Write | signalcatalog*, statetemplate* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateVehicle | Grants permission to create a vehicle | Write | decodermanifest*, modelmanifest*, vehicle* | aws:RequestTag/${TagKey}, aws:TagKeys | iot:CreateThing, iot:DescribeThing |
| DeleteCampaign | Grants permission to delete a campaign | Write | campaign* | | |
| DeleteDecoderManifest | Grants permission to delete the given decoder manifest | Write | decodermanifest* | | |
| DeleteFleet | Grants permission to delete a fleet | Write | fleet* | | |
| DeleteModelManifest | Grants permission to delete the given model manifest | Write | modelmanifest* | | |
| DeleteSignalCatalog | Grants permission to delete a specific signal catalog | Write | signalcatalog* | | |
| DeleteStateTemplate | Grants permission to delete a state template | Write | statetemplate* | | |
| DeleteVehicle | Grants permission to delete a vehicle | Write | vehicle* | | |
| DisassociateVehicleFleet | Grants permission to disassociate a vehicle from an existing fleet | Write | fleet*, vehicle* | | |
| GenerateCommandPayload [permission only] | Grants permission to generate the payload for running a command on a vehicle | Permissions management | vehicle*, statetemplate | iotfleetwise:Signals | |
| GetCampaign | Grants permission to get summary information for a given campaign | Read | campaign* | | |
| GetDecoderManifest | Grants permission to get summary information for a given decoder manifest definition | Read | decodermanifest* | | |
| GetEncryptionConfiguration | Grants permission to get KMS-based encryption status for the AWS account | Read | | | |
| GetFleet | Grants permission to get summary information for a fleet | Read | fleet* | | |
| GetLoggingOptions | Grants permission to get the logging options for the AWS account | Read | | | |
| GetModelManifest | Grants permission to get summary information for a given model manifest definition | Read | modelmanifest* | | |
| GetRegisterAccountStatus | Grants permission to get the account registration status with IoT FleetWise | Read | | | |
| GetSignalCatalog | Grants permission to get summary information for a specific signal catalog | Read | signalcatalog* | | |
| GetStateTemplate | Grants permission to get summary information for a given state template | Read | statetemplate* | | |
| GetVehicle | Grants permission to get summary information for a vehicle | Read | vehicle* | | |
| GetVehicleStatus | Grants permission to get the status of the campaigns running on a specific vehicle | Read | vehicle* | | |
| ImportDecoderManifest | Grants permission to import an existing decoder manifest | Write | decodermanifest* | | |
| ImportSignalCatalog | Grants permission to create a signal catalog by importing existing definitions | Write | signalcatalog* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| ListCampaigns | Grants permission to list campaigns | Read | | | |
| ListDecoderManifestNetworkInterfaces | Grants permission to list network interfaces associated to the existing decoder manifest | List | decodermanifest* | | |
| ListDecoderManifestSignals | Grants permission to list decoder manifest signals | List | decodermanifest* | | |
| ListDecoderManifests | Grants permission to list all decoder manifests, with an optional filter on model manifest | Read | | | |
| ListFleets | Grants permission to list all fleets | Read | | | |
| ListFleetsForVehicle | Grants permission to list all the fleets that the given vehicle is associated with | Read | vehicle* | | |
| ListModelManifestNodes | Grants permission to list all nodes for the given model manifest | List | modelmanifest* | | |
| ListModelManifests | Grants permission to list all model manifests, with an optional filter on signal catalog | Read | | | |
| ListSignalCatalogNodes | Grants permission to list all nodes for a given signal catalog | Read | signalcatalog* | | |
| ListSignalCatalogs | Grants permission to list all signal catalogs | Read | | | |
| ListStateTemplates | Grants permission to list state templates | Read | | | |
| ListTagsForResource | Grants permission to list tags for a resource | Read | campaign, decodermanifest, fleet, modelmanifest, signalcatalog, vehicle | | |
| ListVehicles | Grants permission to list all vehicles, with an optional filter on model manifest | Read | | | |
| ListVehiclesInFleet | Grants permission to list vehicles in the given fleet | Read | fleet* | | |
| PutEncryptionConfiguration | Grants permission to enable or disable KMS-based encryption for the AWS account | Write | | | |
| PutLoggingOptions | Grants permission to put the logging options for the AWS account | Write | | | |
| RegisterAccount | Grants permission to register an AWS account to IoT FleetWise | Write | | | iam:PassRole |
| TagResource | Grants permission to add tags to a resource | Tagging | campaign, decodermanifest, fleet, modelmanifest, signalcatalog, statetemplate, vehicle | aws:RequestTag/${TagKey}, aws:TagKeys | |
| UntagResource | Grants permission to remove tags from a resource | Tagging | campaign, decodermanifest, fleet, modelmanifest, signalcatalog, statetemplate, vehicle | aws:TagKeys | |
| UpdateCampaign | Grants permission to update the given campaign | Write | campaign* | | |
| UpdateDecoderManifest | Grants permission to update a decoder manifest definition | Write | decodermanifest* | | |
| UpdateFleet | Grants permission to update the fleet | Write | fleet* | | |
| UpdateModelManifest | Grants permission to update the given model manifest definition | Write | modelmanifest* | | |
| UpdateSignalCatalog | Grants permission to update a specific signal catalog definition | Write | signalcatalog* | | |
| UpdateStateTemplate | Grants permission to update the given state template | Write | statetemplate* | | |
| UpdateVehicle | Grants permission to update the vehicle | Write | vehicle*, decodermanifest, modelmanifest | iotfleetwise:UpdateToModelManifestArn, iotfleetwise:UpdateToDecoderManifestArn | |

Resource types defined by AWS IoT FleetWise

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.

| Resource types | ARN | Condition keys |
| --- | --- | --- |
| campaign | arn:${Partition}:iotfleetwise:${Region}:${Account}:campaign/${CampaignName} | aws:ResourceTag/${TagKey} |
| decodermanifest | arn:${Partition}:iotfleetwise:${Region}:${Account}:decoder-manifest/${Name} | aws:ResourceTag/${TagKey} |
| fleet | arn:${Partition}:iotfleetwise:${Region}:${Account}:fleet/${FleetId} | aws:ResourceTag/${TagKey} |
| modelmanifest | arn:${Partition}:iotfleetwise:${Region}:${Account}:model-manifest/${Name} | aws:ResourceTag/${TagKey} |
| signalcatalog | arn:${Partition}:iotfleetwise:${Region}:${Account}:signal-catalog/${Name} | aws:ResourceTag/${TagKey} |
| vehicle | arn:${Partition}:iotfleetwise:${Region}:${Account}:vehicle/${VehicleId} | aws:ResourceTag/${TagKey} |
| statetemplate | arn:${Partition}:iotfleetwise:${Region}:${Account}:state-template/${StateTemplateId} | aws:ResourceTag/${TagKey} |
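
The rule that a Resource element must carry an ARN or pattern for each required resource type can be checked mechanically before a policy is deployed. The Python lint below is an added example, not part of the AWS reference: it uses a subset of the Actions table and the ARN formats from the Resource types table, its pattern matching is a heuristic for common ARN shapes, and the function names, sample statement and account ID are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Required (*) resource types per action, copied from the Actions table (subset).
REQUIRED = {
    "iotfleetwise:CreateCampaign": {"campaign", "fleet", "signalcatalog", "vehicle"},
    "iotfleetwise:CreateVehicle": {"decodermanifest", "modelmanifest", "vehicle"},
    "iotfleetwise:UpdateVehicle": {"vehicle"},
}
# ARN type segment for each resource type, from the Resource types table.
SEGMENT = {
    "campaign": "campaign", "decodermanifest": "decoder-manifest", "fleet": "fleet",
    "modelmanifest": "model-manifest", "signalcatalog": "signal-catalog",
    "statetemplate": "state-template", "vehicle": "vehicle",
}

def as_list(value):
    return [value] if isinstance(value, str) else list(value)

def types_reached(pattern):
    """Resource types a Resource pattern can match (heuristic for common shapes)."""
    if pattern == "*":
        return set(SEGMENT)
    parts = pattern.split(":", 5)
    if len(parts) < 6 or not fnmatchcase("iotfleetwise", parts[2]):
        return set()
    seg_pat, slash, _ = parts[5].partition("/")
    if slash:  # e.g. "vehicle/*" or "*-manifest/prod-*"
        return {t for t, s in SEGMENT.items() if fnmatchcase(s, seg_pat)}
    head, star, _ = seg_pat.partition("*")  # no slash: needs a wildcard, e.g. "veh*"
    return {t for t, s in SEGMENT.items() if star and s.startswith(head)}

def missing_required(statement):
    """Map each matched action to required resource types that Resource omits."""
    patterns = as_list(statement.get("Resource", []))
    reached = set().union(*(types_reached(p) for p in patterns))
    wanted = [a.lower() for a in as_list(statement["Action"])]  # action names ignore case
    gaps = {}
    for action, required in REQUIRED.items():
        if any(fnmatchcase(action.lower(), w) for w in wanted) and required - reached:
            gaps[action] = sorted(required - reached)
    return gaps

# Constructed sample statement; the account ID and resource names are placeholders.
STATEMENT = {
    "Effect": "Allow",
    "Action": ["iotfleetwise:CreateCampaign", "iotfleetwise:UpdateVehicle"],
    "Resource": ["arn:aws:iotfleetwise:us-east-1:111122223333:campaign/*",
                 "arn:aws:iotfleetwise:us-east-1:111122223333:vehicle/test-*"],
}
print(missing_required(STATEMENT))
```

For the sample statement the lint reports that CreateCampaign has no pattern for the fleet and signalcatalog types, while UpdateVehicle is fully covered by the vehicle pattern.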

Condition keys for AWS IoT FleetWise

AWS IoT FleetWise defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

| Condition keys | Description | Type |
| --- | --- | --- |
| aws:RequestTag/${TagKey} | Filters access by the presence of tag key-value pairs in the request | String |
| aws:ResourceTag/${TagKey} | Filters access by tag key-value pairs attached to the resource | String |
| aws:TagKeys | Filters access by the presence of tag keys in the request | ArrayOfString |
| iotfleetwise:DestinationArn | Filters access by campaign destination ARN, e.g. an S3 bucket ARN or a Timestream ARN | ARN |
| iotfleetwise:Signals | Filters access by fully qualified signal names | ArrayOfString |
| iotfleetwise:UpdateToDecoderManifestArn | Filters access by a list of IoT FleetWise Decoder Manifest ARNs | ARN |
| iotfleetwise:UpdateToModelManifestArn | Filters access by a list of IoT FleetWise Model Manifest ARNs | ARN |