Actions, resources, and condition keys for Amazon Location - Service Authorization Reference

Actions, resources, and condition keys for Amazon Location

Amazon Location (service prefix: geo) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions defined by Amazon Location

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note

Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The entry for that resource type in the Resource types table has a Condition keys column, which lists the resource condition keys that apply to the action in the Actions table.

For details about the columns in the following table, see Actions table.

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| AssociateTrackerConsumer | Grants permission to create an association between a geofence-collection and a tracker resource | Write | tracker* | | |
| BatchDeleteDevicePositionHistory | Grants permission to delete a batch of device position histories from a tracker resource | Write | tracker* | geo:DeviceIds | |
| BatchDeleteGeofence | Grants permission to delete a batch of geofences from a geofence collection | Write | geofence-collection* | geo:GeofenceIds | |
| BatchEvaluateGeofences | Grants permission to evaluate device positions against the position of geofences in a given geofence collection | Write | geofence-collection* | | |
| BatchGetDevicePosition | Grants permission to send a batch request to retrieve device positions | Read | tracker* | geo:DeviceIds | |
| BatchPutGeofence | Grants permission to send a batch request for adding geofences into a given geofence collection | Write | geofence-collection* | geo:GeofenceIds | |
| BatchUpdateDevicePosition | Grants permission to upload a position update for one or more devices to a tracker resource | Write | tracker* | geo:DeviceIds | |
| CalculateRoute | Grants permission to calculate routes using a given route calculator resource | Read | route-calculator* | | |
| CalculateRouteMatrix | Grants permission to calculate a route matrix using a given route calculator resource | Read | route-calculator* | | |
| CreateGeofenceCollection | Grants permission to create a geofence-collection | Write | geofence-collection* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateKey | Grants permission to create an API key resource | Write | api-key* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateMap | Grants permission to create a map resource | Write | map* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreatePlaceIndex | Grants permission to create a place index resource | Write | place-index* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateRouteCalculator | Grants permission to create a route calculator resource | Write | route-calculator* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateTracker | Grants permission to create a tracker resource | Write | tracker* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| DeleteGeofenceCollection | Grants permission to delete a geofence-collection | Write | geofence-collection* | | |
| DeleteKey | Grants permission to delete an API key resource | Write | api-key* | | |
| DeleteMap | Grants permission to delete a map resource | Write | map* | | |
| DeletePlaceIndex | Grants permission to delete a place index resource | Write | place-index* | | |
| DeleteRouteCalculator | Grants permission to delete a route calculator resource | Write | route-calculator* | | |
| DeleteTracker | Grants permission to delete a tracker resource | Write | tracker* | | |
| DescribeGeofenceCollection | Grants permission to retrieve geofence collection details | Read | geofence-collection* | | |
| DescribeKey | Grants permission to retrieve API key resource details and secret | Read | api-key* | | |
| DescribeMap | Grants permission to retrieve map resource details | Read | map* | | |
| DescribePlaceIndex | Grants permission to retrieve place-index resource details | Read | place-index* | | |
| DescribeRouteCalculator | Grants permission to retrieve route calculator resource details | Read | route-calculator* | | |
| DescribeTracker | Grants permission to retrieve tracker resource details | Read | tracker* | | |
| DisassociateTrackerConsumer | Grants permission to remove the association between a tracker resource and a geofence-collection | Write | tracker* | | |
| ForecastGeofenceEvents | Grants permission to forecast events for geofences stored in a given geofence collection | Read | geofence-collection* | | |
| GetDevicePosition | Grants permission to retrieve the latest device position | Read | tracker* | geo:DeviceIds | |
| GetDevicePositionHistory | Grants permission to retrieve the device position history | Read | tracker* | geo:DeviceIds | |
| GetGeofence | Grants permission to retrieve the geofence details from a geofence-collection | Read | geofence-collection* | geo:GeofenceIds | |
| GetMapGlyphs | Grants permission to retrieve the glyph file for a map resource | Read | map* | | |
| GetMapSprites | Grants permission to retrieve the sprite file for a map resource | Read | map* | | |
| GetMapStyleDescriptor | Grants permission to retrieve the map style descriptor from a map resource | Read | map* | | |
| GetMapTile | Grants permission to retrieve the map tile from the map resource | Read | map* | | |
| GetPlace | Grants permission to find a place by its unique ID | Read | place-index* | | |
| ListDevicePositions | Grants permission to retrieve a list of devices and their latest positions from the given tracker resource | Read | tracker* | | |
| ListGeofenceCollections | Grants permission to list geofence-collections | List | geofence-collection* | | |
| ListGeofences | Grants permission to list geofences stored in a given geofence collection | Read | geofence-collection* | | |
| ListKeys | Grants permission to list API key resources | List | api-key* | | |
| ListMaps | Grants permission to list map resources | List | map* | | |
| ListPlaceIndexes | Grants permission to return a list of place index resources | List | place-index* | | |
| ListRouteCalculators | Grants permission to return a list of route calculator resources | List | route-calculator* | | |
| ListTagsForResource | Grants permission to list the tags (metadata) which you have assigned to the resource | Read | api-key, geofence-collection, map, place-index, route-calculator, tracker | | |
| ListTrackerConsumers | Grants permission to retrieve a list of geofence collections currently associated to the given tracker resource | Read | tracker* | | |
| ListTrackers | Grants permission to return a list of tracker resources | List | tracker* | | |
| PutGeofence | Grants permission to add a new geofence or update an existing geofence to a given geofence-collection | Write | geofence-collection* | geo:GeofenceIds | |
| SearchPlaceIndexForPosition | Grants permission to reverse geocode a given coordinate | Read | place-index* | | |
| SearchPlaceIndexForSuggestions | Grants permission to generate suggestions for addresses and points of interest based on partial or misspelled free-form text | Read | place-index* | | |
| SearchPlaceIndexForText | Grants permission to geocode free-form text, such as an address, name, city or region | Read | place-index* | | |
| TagResource | Grants permission to add to or modify the tags of the given resource. Tags are metadata which can be used to manage a resource | Tagging | api-key, geofence-collection, map, place-index, route-calculator, tracker | aws:RequestTag/${TagKey}, aws:TagKeys | |
| UntagResource | Grants permission to remove the given tags (metadata) from the resource | Tagging | api-key, geofence-collection, map, place-index, route-calculator, tracker | aws:TagKeys | |
| UpdateGeofenceCollection | Grants permission to update a geofence collection | Write | geofence-collection* | | |
| UpdateKey | Grants permission to update an API key resource | Write | api-key* | | |
| UpdateMap | Grants permission to update a map resource | Write | map* | | |
| UpdatePlaceIndex | Grants permission to update a place index resource | Write | place-index* | | |
| UpdateRouteCalculator | Grants permission to update a route calculator resource | Write | route-calculator* | | |
| UpdateTracker | Grants permission to update a tracker resource | Write | tracker* | | |
| VerifyDevicePosition | Grants permission to verify a device position | Read | tracker* | geo:DeviceIds | |

Resource types defined by Amazon Location

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.

| Resource types | ARN | Condition keys |
|---|---|---|
| api-key | arn:${Partition}:geo:${Region}:${Account}:api-key/${KeyName} | aws:ResourceTag/${TagKey} |
| geofence-collection | arn:${Partition}:geo:${Region}:${Account}:geofence-collection/${GeofenceCollectionName} | aws:ResourceTag/${TagKey}, geo:GeofenceIds |
| map | arn:${Partition}:geo:${Region}:${Account}:map/${MapName} | aws:ResourceTag/${TagKey} |
| place-index | arn:${Partition}:geo:${Region}:${Account}:place-index/${IndexName} | aws:ResourceTag/${TagKey} |
| route-calculator | arn:${Partition}:geo:${Region}:${Account}:route-calculator/${CalculatorName} | aws:ResourceTag/${TagKey} |
| tracker | arn:${Partition}:geo:${Region}:${Account}:tracker/${TrackerName} | aws:ResourceTag/${TagKey}, geo:DeviceIds |

Condition keys for Amazon Location

Amazon Location defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters access by a tag's key and value in a request | String |
| aws:ResourceTag/${TagKey} | Filters access by the presence of tag key-value pairs in the request | String |
| aws:TagKeys | Filters access by the tag keys in a request | ArrayOfString |
| geo:DeviceIds | Filters access by the presence of device ids in the request | ArrayOfString |
| geo:GeofenceIds | Filters access by the presence of geofence ids in the request | ArrayOfString |
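
The following identity policy is an added example, not part of the original reference page. It combines a tracker ARN from the Resource types table with the geo:DeviceIds key, and gates CreateTracker on request tags. The account ID 111122223333, Region us-east-1, tracker name ExampleTracker, device ID pattern example-truck-*, and the tag team=example-fleet are constructed placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadPositionsOfExampleDevicesOnly",
      "Effect": "Allow",
      "Action": [
        "geo:GetDevicePosition",
        "geo:BatchGetDevicePosition"
      ],
      "Resource": "arn:aws:geo:us-east-1:111122223333:tracker/ExampleTracker",
      "Condition": {
        "ForAllValues:StringLike": {
          "geo:DeviceIds": ["example-truck-*"]
        },
        "Null": {
          "geo:DeviceIds": "false"
        }
      }
    },
    {
      "Sid": "CreateTrackerOnlyWithExampleTeamTag",
      "Effect": "Allow",
      "Action": "geo:CreateTracker",
      "Resource": "arn:aws:geo:us-east-1:111122223333:tracker/*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/team": "example-fleet"
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": ["team"]
        }
      }
    }
  ]
}
```

Because geo:DeviceIds and aws:TagKeys are ArrayOfString keys, they are tested with the ForAllValues set operator. ForAllValues also evaluates to true when the key is absent from the request, so the first statement pairs it with a Null check and the second with a StringEquals test on the required tag.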