Permissions list
Permissions are simply an action tied to a Resource. There are different permissions available to allow you to control what your users can do.
S3 Permissions
| Action | Description | Resource |
|---|---|---|
| AbortMultipartUpload | Grants permission to abort a multipart upload | object |
| CreateBucket | Grants permission to create a new bucket | bucket |
| DeleteBucket | Grants permission to delete a bucket | bucket |
| DeleteObject | Grants permission to delete an object from a bucket | object |
| DeleteObjectVersion | Grants permission to delete a specific version of an object from a bucket | object |
| GetBucketLocation | Grants permission to return the Region that an Astran S3 bucket resides in | bucket |
| GetBucketVersioning | Grants permission to return the versioning state of an Astran S3 bucket | bucket |
| GetObject | Grants permission to retrieve an object from a bucket | object |
| GetObjectVersion | Grants permission to retrieve a specific version of an object from a bucket | object |
| ListAllMyBuckets | Grants permission to list all buckets owned by the authenticated sender of the request | |
| ListBucket | Grants permission to list some or all of the objects in an Astran S3 bucket (up to 1000) | bucket |
| ListBucketMultipartUploads | Grants permission to list in-progress multipart uploads | bucket |
| ListBucketVersions | Grants permission to list the versions from a bucket | object |
| ListMultipartUploadParts | Grants permission to list the parts that have been uploaded for a specific multipart upload | object |
| PutBucketVersioning | Grants permission to set the versioning state of an existing Amazon S3 bucket | bucket |
| PutObject | Grants permission to add an object to a bucket | object |
IAM Permissions
| Action | Description | Resource |
|---|---|---|
| AddClientIDToOpenIDConnectProvider | Grants permission to add a new client ID (audience) to the list of registered IDs for the specified IAM OpenID Connect (OIDC) provider resource | oidc-provider |
| AttachRolePolicy | Grants permission to attach a managed policy to the specified IAM role | role |
| CreateAccessKey | Grants permission to create access key and secret access key for the specified IAM user | user |
| CreateOpenIDConnectProvider | Grants permission to create an IAM resource that describes an identity provider (IdP) that supports OpenID Connect (OIDC) | oidc-provider |
| CreatePolicy | Grants permission to create a new managed policy | policy |
| CreatePolicyVersion | Grants permission to create a new version of the specified managed policy | policy |
| CreateRole | Grants permission to create a new role | role |
| DeleteAccessKey | Grants permission to delete the access key pair that is associated with the specified IAM user | user |
| DeleteOpenIDConnectProvider | Grants permission to delete an OpenID Connect identity provider (IdP) resource object in IAM | oidc-provider |
| DeletePolicy | Grants permission to delete the specified managed policy and remove it from any IAM entities (users, groups, or roles) to which it is attached | policy |
| DeletePolicyVersion | Grants permission to delete a version from the specified managed policy | policy |
| DeleteRole | Grants permission to delete the specified role | role |
| DetachRolePolicy | Grants permission to detach a managed policy from the specified role | role |
| GetOpenIDConnectProvider | Grants permission to retrieve information about the specified OpenID Connect (OIDC) provider resource in IAM | oidc-provider |
| GetPolicy | Grants permission to retrieve information about the specified managed policy, including the policy's default version and the total number of identities to which the policy is attached | policy |
| GetPolicyVersion | Grants permission to retrieve information about a version of the specified managed policy, including the policy document | policy |
| GetRole | Grants permission to retrieve information about the specified role, including the role's path, GUID, ARN, and the role's trust policy | role |
| ListAccessKeys | Grants permission to list information about the access key IDs that are associated with the specified IAM user | user |
| ListAttachedRolePolicies | Grants permission to list all managed policies that are attached to the specified IAM role | role |
| ListEntitiesForPolicy | Grants permission to list all IAM identities to which the specified managed policy is attached | policy |
| ListOpenIDConnectProviders | Grants permission to list information about the IAM OpenID Connect (OIDC) provider resource objects that are defined in the AWS account | |
| ListPolicies | Grants permission to list all managed policies | |
| ListPolicyVersions | Grants permission to list information about the versions of the specified managed policy, including the version that is currently set as the policy's default version | policy |
| ListRoles | Grants permission to list the IAM roles that have the specified path prefix | |
| RemoveClientIDFromOpenIDConnectProvider | Grants permission to remove the client ID (audience) from the list of client IDs in the specified IAM OpenID Connect (OIDC) provider resource | oidc-provider |
| SetDefaultPolicyVersion | Grants permission to set the version of the specified policy as the policy's default version | policy |
| UpdateAccessKey | Grants permission to update the status of the specified access key as Active or Inactive | user |
| UpdateOpenIDConnectProviderThumbprint | Grants permission to update the entire list of server certificate thumbprints that are associated with an OpenID Connect (OIDC) provider resource | oidc-provider |
| UpdateRole | Grants permission to update the description or maximum session duration setting of a role | role |
STS Permissions
caution
STS actions may only be used in trust policies when creating roles, they can't be used in managed policies.
| Action | Description | Resource |
|---|---|---|
| AssumeRoleWithWebIdentity | Grants permission to obtain a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider | role |
| TagSession | Grants permission to add tags to a STS session | role |
CK Permissions
caution
The continuity kit permissions only applies to the checklist and the metadata of the continuity kits. It does not apply to the data in the kit. If you need to manage permissions for the data in the kit, you need to use S3 permissions.
| Action | Description | Resource |
|---|---|---|
| CreateKit | Grants permission to create a continuity kit. | kit |
| DeleteKit | Grants permission to delete a continuity kit. | kit |
| GetKit | Grants permission to retrieve a continuity kit. | kit |
| ListKit | Grants permission to list continuity kits. | |
| UpdateKit | Grants permission to update a continuity kit. | kit |