Actions, resources, and condition keys for AWS Storage Gateway - Service Authorization Reference

Actions, resources, and condition keys for AWS Storage Gateway

AWS Storage Gateway (service prefix: storagegateway) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions defined by AWS Storage Gateway

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note

Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see Actions table.

Actions Description Access level Resource types (*required) Condition keys Dependent actions
ActivateGateway Grants permission to activate the gateway you previously deployed on your host Write

aws:RequestTag/${TagKey}

aws:TagKeys

AddCache Grants permission to configure one or more gateway local disks as cache for a cached-volume gateway Write

gateway*

AddTagsToResource Grants permission to add one or more tags to the specified resource Tagging

gateway

share

tape

volume

aws:RequestTag/${TagKey}

aws:TagKeys

AddUploadBuffer Grants permission to configure one or more gateway local disks as upload buffer for a specified gateway Write

gateway*

AddWorkingStorage Grants permission to configure one or more gateway local disks as working storage for a gateway Write

gateway*

AssignTapePool Grants permission to move a tape to the target pool specified Write

tape*

tapepool*

AssociateFileSystem Grants permission to associate an Amazon FSx file system with the Amazon FSx file gateway Write

gateway*

ds:DescribeDirectories

ec2:DescribeNetworkInterfaces

fsx:DescribeFileSystems

iam:CreateServiceLinkedRole

logs:CreateLogDelivery

logs:GetLogDelivery

logs:ListLogDeliveries

logs:UpdateLogDelivery

aws:RequestTag/${TagKey}

aws:TagKeys

AttachVolume Grants permission to connect a volume to an iSCSI connection and then attaches the volume to the specified gateway Write

gateway*

volume*

BypassGovernanceRetention Grants permission to allow the governance retention lock on a pool to be bypassed Write

tapepool*

CancelArchival Grants permission to cancel archiving of a virtual tape to the virtual tape shelf (VTS) after the archiving process is initiated Write

gateway*

tape*

CancelRetrieval Grants permission to cancel retrieval of a virtual tape from the virtual tape shelf (VTS) to a gateway after the retrieval process is initiated Write

gateway*

tape*

CreateCachediSCSIVolume Grants permission to create a cached volume on a specified cached gateway. This operation is supported only for the gateway-cached volume architecture Write

gateway*

volume*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateNFSFileShare Grants permission to create a NFS file share on an existing file gateway Write

gateway*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateSMBFileShare Grants permission to create a SMB file share on an existing file gateway Write

gateway*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateSnapshot Grants permission to initiate a snapshot of a volume Write

volume*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateSnapshotFromVolumeRecoveryPoint Grants permission to initiate a snapshot of a gateway from a volume recovery point Write

volume*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateStorediSCSIVolume Grants permission to create a volume on a specified gateway Write

gateway*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateTapePool Grants permission to create a tape pool Write

aws:RequestTag/${TagKey}

aws:TagKeys

CreateTapeWithBarcode Grants permission to create a virtual tape by using your own barcode Write

gateway*

tapepool*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateTapes Grants permission to create one or more virtual tapes. You write data to the virtual tapes and then archive the tapes Write

gateway*

tapepool*

aws:RequestTag/${TagKey}

aws:TagKeys

DeleteAutomaticTapeCreationPolicy Grants permission to delete the automatic tape creation policy configured on a gateway-VTL Write

gateway*

DeleteBandwidthRateLimit Grants permission to delete the bandwidth rate limits of a gateway Write

gateway*

DeleteChapCredentials Grants permission to delete Challenge-Handshake Authentication Protocol (CHAP) credentials for a specified iSCSI target and initiator pair Write

target*

DeleteFileShare Grants permission to delete a file share from a file gateway Write

share*

DeleteGateway Grants permission to delete a gateway Write

gateway*

DeleteSnapshotSchedule Grants permission to delete a snapshot of a volume Write

volume*

DeleteTape Grants permission to delete the specified virtual tape Write

gateway*

tape*

DeleteTapeArchive Grants permission to delete the specified virtual tape from the virtual tape shelf (VTS) Write
DeleteTapePool Grants permission to delete the specified tape pool Write

tapepool*

DeleteVolume Grants permission to delete the specified gateway volume that you previously created using the CreateCachediSCSIVolume or CreateStorediSCSIVolume API Write

volume*

DescribeAvailabilityMonitorTest Grants permission to get the information about the most recent high availability monitoring test that was performed on the gateway Read

gateway*

DescribeBandwidthRateLimit Grants permission to get the bandwidth rate limits of a gateway Read

gateway*

DescribeBandwidthRateLimitSchedule Grants permission to get the bandwidth rate limit schedule of a gateway Read

gateway*

DescribeCache Grants permission to get information about the cache of a gateway. This operation is supported only for the gateway-cached volume architecture Read

gateway*

DescribeCachediSCSIVolumes Grants permission to get a description of the gateway volumes specified in the request. This operation is supported only for the gateway-cached volume architecture Read

volume*

DescribeChapCredentials Grants permission to get an array of Challenge-Handshake Authentication Protocol (CHAP) credentials information for a specified iSCSI target, one for each target-initiator pair Read

target*

DescribeFileSystemAssociations Grants permission to get a description for one or more file system associations Read

fs-association*

DescribeGatewayInformation Grants permission to get metadata about a gateway such as its name, network interfaces, configured time zone, and the state (whether the gateway is running or not) Read

gateway*

DescribeMaintenanceStartTime Grants permission to get your gateway's weekly maintenance start time including the day and time of the week Read

gateway*

DescribeNFSFileShares Grants permission to get a description for one or more file shares from a file gateway Read

share*

DescribeSMBFileShares Grants permission to get a description for one or more file shares from a file gateway Read

share*

DescribeSMBSettings Grants permission to get a description of a Server Message Block (SMB) file share settings from a file gateway Read

gateway*

DescribeSnapshotSchedule Grants permission to describe the snapshot schedule for the specified gateway volume Read

volume*

DescribeStorediSCSIVolumes Grants permission to get the description of the gateway volumes specified in the request Read

volume*

DescribeTapeArchives Grants permission to get a description of specified virtual tapes in the virtual tape shelf (VTS) Read
DescribeTapeRecoveryPoints Grants permission to get a list of virtual tape recovery points that are available for the specified gateway-VTL Read

gateway*

DescribeTapes Grants permission to get a description of the specified Amazon Resource Name (ARN) of virtual tapes Read

gateway*

DescribeUploadBuffer Grants permission to get information about the upload buffer of a gateway Read

gateway*

DescribeVTLDevices Grants permission to get a description of virtual tape library (VTL) devices for the specified gateway Read

gateway*

DescribeWorkingStorage Grants permission to get information about the working storage of a gateway Read

gateway*

DetachVolume Grants permission to disconnect a volume from an iSCSI connection and then detaches the volume from the specified gateway Write

volume*

DisableGateway Grants permission to disable a gateway when the gateway is no longer functioning Write

gateway*

DisassociateFileSystem Grants permission to disassociate an Amazon FSx file system from an Amazon FSx file gateway Write

fs-association*

JoinDomain Grants permission to enable you to join an Active Directory Domain Write

gateway*

ListAutomaticTapeCreationPolicies Grants permission to list the automatic tape creation policies configured on the specified gateway-VTL or all gateway-VTLs owned by your AWS account List
ListFileShares Grants permission to get a list of the file shares for a specific file gateway, or the list of file shares owned by your AWS account List
ListFileSystemAssociations Grants permission to get a list of the file system associations for the specified gateway List
ListGateways Grants permission to list gateways owned by an AWS account in a region specified in the request. The returned list is ordered by gateway Amazon Resource Name (ARN) List
ListLocalDisks Grants permission to get a list of the gateway's local disks List

gateway*

ListTagsForResource Grants permission to get the tags that have been added to the specified resource List

gateway

share

tape

volume

ListTapePools Grants permission to list tape pools owned by your AWS account List
ListTapes Grants permission to list virtual tapes in your virtual tape library (VTL) and your virtual tape shelf (VTS) List
ListVolumeInitiators Grants permission to list iSCSI initiators that are connected to a volume List

volume*

ListVolumeRecoveryPoints Grants permission to list the recovery points for a specified gateway List

gateway*

ListVolumes Grants permission to list the iSCSI stored volumes of a gateway List
NotifyWhenUploaded Grants permission to send you a notification through CloudWatch Events when all files written to your NFS file share have been uploaded to Amazon S3 Write

share*

RefreshCache Grants permission to refresh the cache for the specified file share Write

share*

RemoveTagsFromResource Grants permission to remove one or more tags from the specified resource Tagging

gateway

share

tape

volume

aws:TagKeys

ResetCache Grants permission to reset all cache disks that have encountered a error and makes the disks available for reconfiguration as cache storage Write

gateway*

RetrieveTapeArchive Grants permission to retrieve an archived virtual tape from the virtual tape shelf (VTS) to a gateway-VTL Write

gateway*

tape*

RetrieveTapeRecoveryPoint Grants permission to retrieve the recovery point for the specified virtual tape Write

gateway*

tape*

SetLocalConsolePassword Grants permission to set the password for your VM local console Write

gateway*

SetSMBGuestPassword Grants permission to set the password for SMB Guest user Write

gateway*

ShutdownGateway Grants permission to shut down a gateway Write

gateway*

StartAvailabilityMonitorTest Grants permission to start a test that verifies that the specified gateway is configured for High Availability monitoring in your host environment Write

gateway*

StartGateway Grants permission to start a gateway that you previously shut down Write

gateway*

UpdateAutomaticTapeCreationPolicy Grants permission to update the automatic tape creation policy configured on a gateway-VTL Write

gateway*

tapepool*

UpdateBandwidthRateLimit Grants permission to update the bandwidth rate limits of a gateway Write

gateway*

UpdateBandwidthRateLimitSchedule Grants permission to update the bandwidth rate limit schedule of a gateway Write

gateway*

UpdateChapCredentials Grants permission to update the Challenge-Handshake Authentication Protocol (CHAP) credentials for a specified iSCSI target Write

target*

UpdateFileSystemAssociation Grants permission to update a file system association Write

fs-association*

logs:CreateLogDelivery

logs:DeleteLogDelivery

logs:GetLogDelivery

logs:ListLogDeliveries

logs:UpdateLogDelivery

UpdateGatewayInformation Grants permission to update a gateway's metadata, which includes the gateway's name and time zone Write

gateway*

UpdateGatewaySoftwareNow Grants permission to update the gateway virtual machine (VM) software Write

gateway*

UpdateMaintenanceStartTime Grants permission to update a gateway's weekly maintenance start time information, including day and time of the week. The maintenance time is the time in your gateway's time zone Write

gateway*

UpdateNFSFileShare Grants permission to update a NFS file share Write

share*

UpdateSMBFileShare Grants permission to update a SMB file share Write

share*

UpdateSMBFileShareVisibility Grants permission to update whether the shares on a gateway are visible in a net view or browse list Write

gateway*

UpdateSMBLocalGroups Grants permission to update the list of Active Directory users and groups that have special permissions for SMB file shares on the gateway Write

gateway*

UpdateSMBSecurityStrategy Grants permission to update the SMB security strategy on a file gateway Write

gateway*

UpdateSnapshotSchedule Grants permission to update a snapshot schedule configured for a gateway volume Write

volume*

aws:RequestTag/${TagKey}

aws:TagKeys

UpdateVTLDeviceType Grants permission to update the type of medium changer in a gateway-VTL Write

device*

Resource types defined by AWS Storage Gateway

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.

Resource types ARN Condition keys
device arn:${Partition}:storagegateway:${Region}:${Account}:gateway/${GatewayId}/device/${Vtldevice}
fs-association arn:${Partition}:storagegateway:${Region}:${Account}:fs-association/${FsaId}

aws:ResourceTag/${TagKey}

gateway arn:${Partition}:storagegateway:${Region}:${Account}:gateway/${GatewayId}

aws:ResourceTag/${TagKey}

share arn:${Partition}:storagegateway:${Region}:${Account}:share/${ShareId}

aws:ResourceTag/${TagKey}

tape arn:${Partition}:storagegateway:${Region}:${Account}:tape/${TapeBarcode}

aws:ResourceTag/${TagKey}

tapepool arn:${Partition}:storagegateway:${Region}:${Account}:tapepool/${PoolId}

aws:ResourceTag/${TagKey}

target arn:${Partition}:storagegateway:${Region}:${Account}:gateway/${GatewayId}/target/${IscsiTarget}
volume arn:${Partition}:storagegateway:${Region}:${Account}:gateway/${GatewayId}/volume/${VolumeId}

aws:ResourceTag/${TagKey}

Condition keys for AWS Storage Gateway

AWS Storage Gateway defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys Description Type
aws:RequestTag/${TagKey} Filters access by the allowed set of values for each of the tags String
aws:ResourceTag/${TagKey} Filters access by tag-value associated with the resource String
aws:TagKeys Filters access by the presence of mandatory tags in the request ArrayOfString