Actions, resources, and condition keys for Amazon S3 Tables

Amazon S3 Tables (service prefix: s3tables) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Learn how to configure this service.
View a list of the API operations available for this service.
Learn how to secure this service and its resources by using IAM permission policies.

Topics

Actions defined by Amazon S3 Tables
Resource types defined by Amazon S3 Tables
Condition keys for Amazon S3 Tables

Actions defined by Amazon S3 Tables

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note

Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see Actions table.

Actions	Description	Access level	Resource types (*required)	Condition keys
CreateNamespace	Grants permission to create a namespace	Write	TableBucket*
CreateTable	Grants permission to create a table	Write	TableBucket*
CreateTable	Grants permission to create a table	Write		s3tables:namespace
CreateTableBucket	Grants permission to create a table bucket	Write	TableBucket*
DeleteNamespace	Grants permission to delete a namespace	Write	TableBucket*
DeleteNamespace	Grants permission to delete a namespace	Write		s3tables:namespace
DeleteTable	Grants permission to delete a table	Write	Table*
DeleteTable	Grants permission to delete a table	Write		s3tables:namespace s3tables:tableName
DeleteTableBucket	Grants permission to delete a table bucket	Write	TableBucket*
DeleteTableBucketPolicy	Grants permission to delete a policy on a table bucket	Permissions management	TableBucket*
DeleteTablePolicy	Grants permission to delete a policy on a table	Permissions management	Table*
DeleteTablePolicy	Grants permission to delete a policy on a table	Permissions management		s3tables:namespace s3tables:tableName
GetNamespace	Grants permission to get a namespace	Read	TableBucket*
GetNamespace	Grants permission to get a namespace	Read		s3tables:namespace
GetTable	Grants permission to retrieve a table	Read	Table*
GetTable	Grants permission to retrieve a table	Read		s3tables:namespace s3tables:tableName
GetTableBucket	Grants permission to retrieve a table bucket	Read	TableBucket*
GetTableBucketMaintenanceConfiguration	Grants permission to retrieve a maintenance configuration on a table bucket	Read	TableBucket*
GetTableBucketPolicy	Grants permission to retrieve a policy on a table bucket	Read	TableBucket*
GetTableData	Grants permission to read metadata and data objects from a table storage endpoint using S3 APIs	Read	Table*
GetTableData		Read		s3tables:namespace s3tables:tableName
GetTableMaintenanceConfiguration	Grants permission to retrieve a maintenance configuration on a table	Read	Table*
GetTableMaintenanceConfiguration		Read		s3tables:namespace s3tables:tableName
GetTableMaintenanceJobStatus	Grants permission to retrieve the status of maintenance jobs on a table	Read	Table*
GetTableMaintenanceJobStatus		Read		s3tables:namespace s3tables:tableName
GetTableMetadataLocation	Grants permission to retrieve the metadata location of a table	Read	Table*
GetTableMetadataLocation		Read		s3tables:namespace s3tables:tableName
GetTablePolicy	Grants permission to retrieve a policy on a table	Read	Table*
GetTablePolicy	Grants permission to retrieve a policy on a table	Read		s3tables:namespace s3tables:tableName
ListNamespaces	Grants permission to list namespaces	List	TableBucket*
ListTableBuckets	Grants permission to list table buckets	List
ListTables	Grants permission to list tables	List	TableBucket*
ListTables	Grants permission to list tables	List		s3tables:namespace
PutTableBucketMaintenanceConfiguration	Grants permission to put a maintenance configuration on a table bucket	Write	TableBucket*
PutTableBucketPolicy	Grants permission to create or overwrite a policy on a table bucket	Permissions management	TableBucket*
PutTableData	Grants permission to write metadata and data objects to a table storage endpoint using S3 APIs	Write	Table*
PutTableData		Write		s3tables:namespace s3tables:tableName
PutTableMaintenanceConfiguration	Grants permission to put a maintenance configuration on a table	Write	Table*
PutTableMaintenanceConfiguration		Write		s3tables:namespace s3tables:tableName
PutTablePolicy	Grants permission to create or overwrite a policy on a table	Permissions management	Table*
PutTablePolicy		Permissions management		s3tables:namespace s3tables:tableName
RenameTable	Grants permission to rename a table or move a table across namespaces	Write	Table*
RenameTable		Write		s3tables:namespace
UpdateTableMetadataLocation	Grants permission to update the metadata location of a table	Write	Table*
UpdateTableMetadataLocation		Write		s3tables:namespace s3tables:tableName

Resource types defined by Amazon S3 Tables

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.

Resource types ARN Condition keys

TableBucket arn:${Partition}:s3tables:${Region}:${Account}:bucket/${TableBucketName}

Resource types	ARN	Condition keys
TableBucket	`arn:${Partition}:s3tables:${Region}:${Account}:bucket/${TableBucketName}`
Table	`arn:${Partition}:s3tables:${Region}:${Account}:bucket/${TableBucketName}/table/${TableID}`	s3tables:namespace s3tables:tableName

Table

arn:${Partition}:s3tables:${Region}:${Account}:bucket/${TableBucketName}/table/${TableID}

s3tables:namespace

s3tables:tableName

Condition keys for Amazon S3 Tables

Amazon S3 Tables defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys	Description	Type
s3tables:namespace	Filters access by the namespaces created in the table bucket	String
s3tables:tableName	Filters access by the name of the tables in the table bucket	String

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Amazon S3 on Outposts

Amazon SageMaker