Actions, resources, and condition keys for AWS Storage Gateway
AWS Storage Gateway (service prefix: storagegateway) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.
References:
-
Learn how to configure this service.
-
View a list of the API operations available for this service.
-
Learn how to secure this service and its resources by using IAM permission policies.
Topics
Actions defined by AWS Storage Gateway
You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.
The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.
The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.
Note
Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.
For details about the columns in the following table, see Actions table.
| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| ActivateGateway | Grants permission to activate the gateway you previously deployed on your host | Write | |||
| AddCache | Grants permission to configure one or more gateway local disks as cache for a cached-volume gateway | Write | |||
| AddTagsToResource | Grants permission to add one or more tags to the specified resource | Tagging | |||
| AddUploadBuffer | Grants permission to configure one or more gateway local disks as upload buffer for a specified gateway | Write | |||
| AddWorkingStorage | Grants permission to configure one or more gateway local disks as working storage for a gateway | Write | |||
| AssignTapePool | Grants permission to move a tape to the target pool specified | Write | |||
| AssociateFileSystem | Grants permission to associate an Amazon FSx file system with the Amazon FSx file gateway | Write |
ds:DescribeDirectories ec2:DescribeNetworkInterfaces fsx:DescribeFileSystems iam:CreateServiceLinkedRole logs:CreateLogDelivery logs:GetLogDelivery logs:ListLogDeliveries logs:UpdateLogDelivery |
||
| AttachVolume | Grants permission to connect a volume to an iSCSI connection and then attaches the volume to the specified gateway | Write | |||
| BypassGovernanceRetention | Grants permission to allow the governance retention lock on a pool to be bypassed | Write | |||
| CancelArchival | Grants permission to cancel archiving of a virtual tape to the virtual tape shelf (VTS) after the archiving process is initiated | Write | |||
| CancelRetrieval | Grants permission to cancel retrieval of a virtual tape from the virtual tape shelf (VTS) to a gateway after the retrieval process is initiated | Write | |||
| CreateCachediSCSIVolume | Grants permission to create a cached volume on a specified cached gateway. This operation is supported only for the gateway-cached volume architecture | Write | |||
| CreateNFSFileShare | Grants permission to create a NFS file share on an existing file gateway | Write | |||
| CreateSMBFileShare | Grants permission to create a SMB file share on an existing file gateway | Write | |||
| CreateSnapshot | Grants permission to initiate a snapshot of a volume | Write | |||
| CreateSnapshotFromVolumeRecoveryPoint | Grants permission to initiate a snapshot of a gateway from a volume recovery point | Write | |||
| CreateStorediSCSIVolume | Grants permission to create a volume on a specified gateway | Write | |||
| CreateTapePool | Grants permission to create a tape pool | Write | |||
| CreateTapeWithBarcode | Grants permission to create a virtual tape by using your own barcode | Write | |||
| CreateTapes | Grants permission to create one or more virtual tapes. You write data to the virtual tapes and then archive the tapes | Write | |||
| DeleteAutomaticTapeCreationPolicy | Grants permission to delete the automatic tape creation policy configured on a gateway-VTL | Write | |||
| DeleteBandwidthRateLimit | Grants permission to delete the bandwidth rate limits of a gateway | Write | |||
| DeleteChapCredentials | Grants permission to delete Challenge-Handshake Authentication Protocol (CHAP) credentials for a specified iSCSI target and initiator pair | Write | |||
| DeleteFileShare | Grants permission to delete a file share from a file gateway | Write | |||
| DeleteGateway | Grants permission to delete a gateway | Write | |||
| DeleteSnapshotSchedule | Grants permission to delete a snapshot of a volume | Write | |||
| DeleteTape | Grants permission to delete the specified virtual tape | Write | |||
| DeleteTapeArchive | Grants permission to delete the specified virtual tape from the virtual tape shelf (VTS) | Write | |||
| DeleteTapePool | Grants permission to delete the specified tape pool | Write | |||
| DeleteVolume | Grants permission to delete the specified gateway volume that you previously created using the CreateCachediSCSIVolume or CreateStorediSCSIVolume API | Write | |||
| DescribeAvailabilityMonitorTest | Grants permission to get the information about the most recent high availability monitoring test that was performed on the gateway | Read | |||
| DescribeBandwidthRateLimit | Grants permission to get the bandwidth rate limits of a gateway | Read | |||
| DescribeBandwidthRateLimitSchedule | Grants permission to get the bandwidth rate limit schedule of a gateway | Read | |||
| DescribeCache | Grants permission to get information about the cache of a gateway. This operation is supported only for the gateway-cached volume architecture | Read | |||
| DescribeCachediSCSIVolumes | Grants permission to get a description of the gateway volumes specified in the request. This operation is supported only for the gateway-cached volume architecture | Read | |||
| DescribeChapCredentials | Grants permission to get an array of Challenge-Handshake Authentication Protocol (CHAP) credentials information for a specified iSCSI target, one for each target-initiator pair | Read | |||
| DescribeFileSystemAssociations | Grants permission to get a description for one or more file system associations | Read | |||
| DescribeGatewayInformation | Grants permission to get metadata about a gateway such as its name, network interfaces, configured time zone, and the state (whether the gateway is running or not) | Read | |||
| DescribeMaintenanceStartTime | Grants permission to get your gateway's weekly maintenance start time including the day and time of the week | Read | |||
| DescribeNFSFileShares | Grants permission to get a description for one or more file shares from a file gateway | Read | |||
| DescribeSMBFileShares | Grants permission to get a description for one or more file shares from a file gateway | Read | |||
| DescribeSMBSettings | Grants permission to get a description of a Server Message Block (SMB) file share settings from a file gateway | Read | |||
| DescribeSnapshotSchedule | Grants permission to describe the snapshot schedule for the specified gateway volume | Read | |||
| DescribeStorediSCSIVolumes | Grants permission to get the description of the gateway volumes specified in the request | Read | |||
| DescribeTapeArchives | Grants permission to get a description of specified virtual tapes in the virtual tape shelf (VTS) | Read | |||
| DescribeTapeRecoveryPoints | Grants permission to get a list of virtual tape recovery points that are available for the specified gateway-VTL | Read | |||
| DescribeTapes | Grants permission to get a description of the specified Amazon Resource Name (ARN) of virtual tapes | Read | |||
| DescribeUploadBuffer | Grants permission to get information about the upload buffer of a gateway | Read | |||
| DescribeVTLDevices | Grants permission to get a description of virtual tape library (VTL) devices for the specified gateway | Read | |||
| DescribeWorkingStorage | Grants permission to get information about the working storage of a gateway | Read | |||
| DetachVolume | Grants permission to disconnect a volume from an iSCSI connection and then detaches the volume from the specified gateway | Write | |||
| DisableGateway | Grants permission to disable a gateway when the gateway is no longer functioning | Write | |||
| DisassociateFileSystem | Grants permission to disassociate an Amazon FSx file system from an Amazon FSx file gateway | Write | |||
| JoinDomain | Grants permission to enable you to join an Active Directory Domain | Write | |||
| ListAutomaticTapeCreationPolicies | Grants permission to list the automatic tape creation policies configured on the specified gateway-VTL or all gateway-VTLs owned by your AWS account | List | |||
| ListFileShares | Grants permission to get a list of the file shares for a specific file gateway, or the list of file shares owned by your AWS account | List | |||
| ListFileSystemAssociations | Grants permission to get a list of the file system associations for the specified gateway | List | |||
| ListGateways | Grants permission to list gateways owned by an AWS account in a region specified in the request. The returned list is ordered by gateway Amazon Resource Name (ARN) | List | |||
| ListLocalDisks | Grants permission to get a list of the gateway's local disks | List | |||
| ListTagsForResource | Grants permission to get the tags that have been added to the specified resource | List | |||
| ListTapePools | Grants permission to list tape pools owned by your AWS account | List | |||
| ListTapes | Grants permission to list virtual tapes in your virtual tape library (VTL) and your virtual tape shelf (VTS) | List | |||
| ListVolumeInitiators | Grants permission to list iSCSI initiators that are connected to a volume | List | |||
| ListVolumeRecoveryPoints | Grants permission to list the recovery points for a specified gateway | List | |||
| ListVolumes | Grants permission to list the iSCSI stored volumes of a gateway | List | |||
| NotifyWhenUploaded | Grants permission to send you a notification through CloudWatch Events when all files written to your NFS file share have been uploaded to Amazon S3 | Write | |||
| RefreshCache | Grants permission to refresh the cache for the specified file share | Write | |||
| RemoveTagsFromResource | Grants permission to remove one or more tags from the specified resource | Tagging | |||
| ResetCache | Grants permission to reset all cache disks that have encountered a error and makes the disks available for reconfiguration as cache storage | Write | |||
| RetrieveTapeArchive | Grants permission to retrieve an archived virtual tape from the virtual tape shelf (VTS) to a gateway-VTL | Write | |||
| RetrieveTapeRecoveryPoint | Grants permission to retrieve the recovery point for the specified virtual tape | Write | |||
| SetLocalConsolePassword | Grants permission to set the password for your VM local console | Write | |||
| SetSMBGuestPassword | Grants permission to set the password for SMB Guest user | Write | |||
| ShutdownGateway | Grants permission to shut down a gateway | Write | |||
| StartAvailabilityMonitorTest | Grants permission to start a test that verifies that the specified gateway is configured for High Availability monitoring in your host environment | Write | |||
| StartGateway | Grants permission to start a gateway that you previously shut down | Write | |||
| UpdateAutomaticTapeCreationPolicy | Grants permission to update the automatic tape creation policy configured on a gateway-VTL | Write | |||
| UpdateBandwidthRateLimit | Grants permission to update the bandwidth rate limits of a gateway | Write | |||
| UpdateBandwidthRateLimitSchedule | Grants permission to update the bandwidth rate limit schedule of a gateway | Write | |||
| UpdateChapCredentials | Grants permission to update the Challenge-Handshake Authentication Protocol (CHAP) credentials for a specified iSCSI target | Write | |||
| UpdateFileSystemAssociation | Grants permission to update a file system association | Write |
logs:CreateLogDelivery logs:DeleteLogDelivery logs:GetLogDelivery logs:ListLogDeliveries logs:UpdateLogDelivery |
||
| UpdateGatewayInformation | Grants permission to update a gateway's metadata, which includes the gateway's name and time zone | Write | |||
| UpdateGatewaySoftwareNow | Grants permission to update the gateway virtual machine (VM) software | Write | |||
| UpdateMaintenanceStartTime | Grants permission to update a gateway's weekly maintenance start time information, including day and time of the week. The maintenance time is the time in your gateway's time zone | Write | |||
| UpdateNFSFileShare | Grants permission to update a NFS file share | Write | |||
| UpdateSMBFileShare | Grants permission to update a SMB file share | Write | |||
| UpdateSMBFileShareVisibility | Grants permission to update whether the shares on a gateway are visible in a net view or browse list | Write | |||
| UpdateSMBLocalGroups | Grants permission to update the list of Active Directory users and groups that have special permissions for SMB file shares on the gateway | Write | |||
| UpdateSMBSecurityStrategy | Grants permission to update the SMB security strategy on a file gateway | Write | |||
| UpdateSnapshotSchedule | Grants permission to update a snapshot schedule configured for a gateway volume | Write | |||
| UpdateVTLDeviceType | Grants permission to update the type of medium changer in a gateway-VTL | Write |
Resource types defined by AWS Storage Gateway
The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.
| Resource types | ARN | Condition keys |
|---|---|---|
| device |
arn:${Partition}:storagegateway:${Region}:${Account}:gateway/${GatewayId}/device/${Vtldevice}
|
|
| fs-association |
arn:${Partition}:storagegateway:${Region}:${Account}:fs-association/${FsaId}
|
|
| gateway |
arn:${Partition}:storagegateway:${Region}:${Account}:gateway/${GatewayId}
|
|
| share |
arn:${Partition}:storagegateway:${Region}:${Account}:share/${ShareId}
|
|
| tape |
arn:${Partition}:storagegateway:${Region}:${Account}:tape/${TapeBarcode}
|
|
| tapepool |
arn:${Partition}:storagegateway:${Region}:${Account}:tapepool/${PoolId}
|
|
| target |
arn:${Partition}:storagegateway:${Region}:${Account}:gateway/${GatewayId}/target/${IscsiTarget}
|
|
| volume |
arn:${Partition}:storagegateway:${Region}:${Account}:gateway/${GatewayId}/volume/${VolumeId}
|
Condition keys for AWS Storage Gateway
AWS Storage Gateway defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.
To view the global condition keys that are available to all services, see Available global condition keys.
| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters access by the allowed set of values for each of the tags | String |
| aws:ResourceTag/${TagKey} | Filters access by tag-value associated with the resource | String |
| aws:TagKeys | Filters access by the presence of mandatory tags in the request | ArrayOfString |
