Reputation: 1559
How to look up the IAM Actions needed for a given AWS API call?
Is there a way to look up the permissions you'll need enabled in order to make a call to the AWS API?
For example, I want to call PutMetricAlarm on the CloudWatch API so I should need at least the Action cloudwatch:PutMetricAlarm Allowed on that resource. But what else is the minimum I need?
Upvotes: 1
Views: 285
Answers (1)
Reputation: 7417
There is a one-to-one relationship between actions defined in the API and IAM actions.
In your example with PutMetricAlarm, no other permission than cloudwatch:PutMetricAlarm is needed.
The IAM action name (the part after the :) is always identical to the name of the action in the API.
The prefix (the part before the :) is a constant for each service but is not always identical to the service name (e.g. CloudWatch Logs is logs, Firewall Manager is fms).
Also note that the prefix and the action name are case insensitive.
Good references:
- Actions, Resources, and Condition Keys for AWS Services
- AWS Policy Generator
- Complete AWS IAM Reference (cloudonaut)
Upvotes: 1
Related Questions
- Using AWS API: Given IAM User, Get Current Effective IAM Policy Document
- Is there a way to programmatically list all of the available actions for an AWS service?
- Can I search existing IAM policies for a specific action?
- Creating custom AWS IAM actions
- How to get AWS policy needed to run a specific CLI command?
- How to list all actions IAM role can perform on S3 bucket
- How do I find out what AWS actions do I need to grant for a CLI command?
- AWS IAM requests
- Why some AWS IAM actions require all resources
- How can I query my IAM capabilities?