Actions, resources, and condition keys for AWS OpsWorks
AWS OpsWorks (service prefix: opsworks) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.
References:
- Learn how to configure this service.
- View a list of the API operations available for this service.
- Learn how to secure this service and its resources by using IAM permission policies.
Actions defined by AWS OpsWorks
You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.
The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.
The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.
Note
Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.
For details about the columns in the following table, see Actions table.
Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
---|---|---|---|---|---|
AssignInstance | Grants permission to assign a registered instance to a layer | Write | |||
AssignVolume | Grants permission to assign one of the stack's registered Amazon EBS volumes to a specified instance | Write | |||
AssociateElasticIp | Grants permission to associate one of the stack's registered Elastic IP addresses with a specified instance | Write | |||
AttachElasticLoadBalancer | Grants permission to attach an Elastic Load Balancing load balancer to a specified layer | Write | |||
CloneStack | Grants permission to create a clone of a specified stack | Write | |||
CreateApp | Grants permission to create an app for a specified stack | Write | |||
CreateDeployment | Grants permission to run deployment or stack commands | Write | |||
CreateInstance | Grants permission to create an instance in a specified stack | Write | |||
CreateLayer | Grants permission to create a layer | Write | |||
CreateStack | Grants permission to create a new stack | Write | |||
CreateUserProfile | Grants permission to create a new user profile | Write | |||
DeleteApp | Grants permission to delete a specified app | Write | |||
DeleteInstance | Grants permission to delete a specified instance, which terminates the associated Amazon EC2 instance | Write | |||
DeleteLayer | Grants permission to delete a specified layer | Write | |||
DeleteStack | Grants permission to delete a specified stack | Write | |||
DeleteUserProfile | Grants permission to delete a user profile | Write | |||
DeregisterEcsCluster | Grants permission to delete a user profile | Write | |||
DeregisterElasticIp | Grants permission to deregister a specified Elastic IP address | Write | |||
DeregisterInstance | Grants permission to deregister a registered Amazon EC2 or on-premises instance | Write | |||
DeregisterRdsDbInstance | Grants permission to deregister an Amazon RDS instance | Write | |||
DeregisterVolume | Grants permission to deregister an Amazon EBS volume | Write | |||
DescribeAgentVersions | Grants permission to describe the available AWS OpsWorks agent versions | List | |||
DescribeApps | Grants permission to request a description of a specified set of apps | List | |||
DescribeCommands | Grants permission to describe the results of specified commands | List | |||
DescribeDeployments | Grants permission to request a description of a specified set of deployments | List | |||
DescribeEcsClusters | Grants permission to describe Amazon ECS clusters that are registered with a stack | List | |||
DescribeElasticIps | Grants permission to describe Elastic IP addresses | List | |||
DescribeElasticLoadBalancers | Grants permission to describe a stack's Elastic Load Balancing instances | List | |||
DescribeInstances | Grants permission to request a description of a set of instances | List | |||
DescribeLayers | Grants permission to request a description of one or more layers in a specified stack | List | |||
DescribeLoadBasedAutoScaling | Grants permission to describe load-based auto scaling configurations for specified layers | List | |||
DescribeMyUserProfile | Grants permission to describe a user's SSH information | List | |||
DescribeOperatingSystems | Grants permission to describe the operating systems that are supported by AWS OpsWorks Stacks | List | |||
DescribePermissions | Grants permission to describe the permissions for a specified stack | List | |||
DescribeRaidArrays | Grants permission to describe an instance's RAID arrays | List | |||
DescribeRdsDbInstances | Grants permission to describe Amazon RDS instances | List | |||
DescribeServiceErrors | Grants permission to describe AWS OpsWorks service errors | List | |||
DescribeStackProvisioningParameters | Grants permission to request a description of a stack's provisioning parameters | List | |||
DescribeStackSummary | Grants permission to describe the number of layers and apps in a specified stack, and the number of instances in each state, such as running_setup or online | List | |||
DescribeStacks | Grants permission to request a description of one or more stacks | List | |||
DescribeTimeBasedAutoScaling | Grants permission to describe time-based auto scaling configurations for specified instances | List | |||
DescribeUserProfiles | Grants permission to describe specified users | List | |||
DescribeVolumes | Grants permission to describe an instance's Amazon EBS volumes | List | |||
DetachElasticLoadBalancer | Grants permission to detach a specified Elastic Load Balancing instance from its layer | Write | |||
DisassociateElasticIp | Grants permission to disassociate an Elastic IP address from its instance | Write | |||
GetHostnameSuggestion | Grants permission to get a generated host name for the specified layer, based on the current host name theme | Read | |||
GrantAccess | Grants permission to grant RDP access to a Windows instance for a specified time period | Write | |||
ListTags | Grants permission to return a list of tags that are applied to the specified stack or layer | List | |||
RebootInstance | Grants permission to reboot a specified instance | Write | |||
RegisterEcsCluster | Grants permission to register a specified Amazon ECS cluster with a stack | Write | |||
RegisterElasticIp | Grants permission to register an Elastic IP address with a specified stack | Write | |||
RegisterInstance | Grants permission to register instances with a specified stack that were created outside of AWS OpsWorks | Write | |||
RegisterRdsDbInstance | Grants permission to register an Amazon RDS instance with a stack | Write | |||
RegisterVolume | Grants permission to register an Amazon EBS volume with a specified stack | Write | |||
SetLoadBasedAutoScaling | Grants permission to specify the load-based auto scaling configuration for a specified layer | Write | |||
SetPermission | Grants permission to specify a user's permissions | Permissions management | |||
SetTimeBasedAutoScaling | Grants permission to specify the time-based auto scaling configuration for a specified instance | Write | |||
StartInstance | Grants permission to start a specified instance | Write | |||
StartStack | Grants permission to start a stack's instances | Write | |||
StopInstance | Grants permission to stop a specified instance | Write | |||
StopStack | Grants permission to stop a specified stack | Write | |||
TagResource | Grants permission to apply tags to a specified stack or layer | Tagging | |||
UnassignInstance | Grants permission to unassign a registered instance from all of its layers | Write | |||
UnassignVolume | Grants permission to unassign an assigned Amazon EBS volume | Write | |||
UntagResource | Grants permission to remove tags from a specified stack or layer | Tagging | |||
UpdateApp | Grants permission to update a specified app | Write | |||
UpdateElasticIp | Grants permission to update a registered Elastic IP address's name | Write | |||
UpdateInstance | Grants permission to update a specified instance | Write | |||
UpdateLayer | Grants permission to update a specified layer | Write | |||
UpdateMyUserProfile | Grants permission to update a user's SSH public key | Write | |||
UpdateRdsDbInstance | Grants permission to update an Amazon RDS instance | Write | |||
UpdateStack | Grants permission to update a specified stack | Write | |||
UpdateUserProfile | Grants permission to update a specified user profile | Permissions management | |||
UpdateVolume | Grants permission to update an Amazon EBS volume's name or mount point | Write | |||
Resource types defined by AWS OpsWorks
The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.
Resource types | ARN | Condition keys |
---|---|---|
stack | arn:${Partition}:opsworks:${Region}:${Account}:stack/${StackId}/ | |
Condition keys for AWS OpsWorks
OpsWorks has no service-specific context keys that can be used in the Condition element of policy statements. For the list of the global context keys that are available to all services, see Available keys for conditions.
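The following policy check is an added example, not AWS code. It applies three facts from this page to a policy document: which actions carry the Permissions management access level, the stack ARN format, and the absence of opsworks: condition keys. The function names, finding labels, sample policy and the `opsworks:StackName` key are assumptions made for illustration.

```python
import re

# Actions whose access level is "Permissions management" in the Actions table above.
PERMISSIONS_MANAGEMENT = {"SetPermission", "UpdateUserProfile"}
# Stack ARN format from the Resource types table; a trailing "*" wildcard is also accepted.
STACK_ARN = re.compile(r"^arn:[^:]+:opsworks:[^:]*:[^:]*:stack/([^/]+/|[^/]*\*)$")

def _as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    """Match an IAM action pattern (case-insensitive, * and ? wildcards)."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, action, re.IGNORECASE) is not None

def audit_opsworks_policy(policy):
    """Return (statement index, finding, detail) tuples for Allow statements."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        actions = [a for a in _as_list(stmt.get("Action"))
                   if a == "*" or a.lower().startswith("opsworks:")]
        if stmt.get("Effect") != "Allow" or not actions:
            continue
        granted = sorted(p for p in PERMISSIONS_MANAGEMENT
                         if any(_matches(a, "opsworks:" + p) for a in actions))
        if granted:
            findings.append((i, "permissions-management", granted))
        for res in _as_list(stmt.get("Resource")):
            if ":opsworks:" in res and not STACK_ARN.match(res):
                findings.append((i, "resource-not-stack-arn", res))
        for keys in (stmt.get("Condition") or {}).values():
            findings += [(i, "unknown-condition-key", k)
                         for k in keys if k.lower().startswith("opsworks:")]
    return findings

# Constructed sample policy; account ID, stack ID and condition key are placeholders.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["opsworks:Describe*", "opsworks:Set*"],
     "Resource": "arn:aws:opsworks:us-east-1:111122223333:stack/EXAMPLE-STACK-ID",
     "Condition": {"StringEquals": {"opsworks:StackName": "prod"}}},
    {"Effect": "Allow", "Action": "opsworks:RebootInstance",
     "Resource": "arn:aws:opsworks:us-east-1:111122223333:stack/EXAMPLE-STACK-ID/"},
]}

if __name__ == "__main__":
    for finding in audit_opsworks_policy(SAMPLE_POLICY):
        print(finding)
```

In the sample, the first statement is reported three times: `opsworks:Set*` reaches SetPermission, the Resource value lacks the trailing slash of the listed ARN format, and the condition uses an opsworks: key that the service does not define.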