@cloud-copilot/iam-data
Version:
298 lines • 9.22 kB
JSON
{
"assumerole": {
"name": "AssumeRole",
"description": "Grants permission to obtain a set of temporary security credentials that you can use to access AWS resources that you might not normally have access to",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "role",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"aws:TagKeys",
"aws:RequestTag/${TagKey}",
"sts:TransitiveTagKeys",
"sts:ExternalId",
"sts:RoleSessionName",
"iam:ResourceTag/${TagKey}",
"sts:SourceIdentity",
"cognito-identity.amazonaws.com:amr",
"cognito-identity.amazonaws.com:aud",
"cognito-identity.amazonaws.com:sub",
"www.amazon.com:app_id",
"www.amazon.com:user_id",
"graph.facebook.com:app_id",
"graph.facebook.com:id",
"accounts.google.com:aud",
"accounts.google.com:sub",
"saml:namequalifier",
"saml:sub",
"saml:sub_type"
],
"dependentActions": []
},
"assumerolewithsaml": {
"name": "AssumeRoleWithSAML",
"description": "Grants permission to obtain a set of temporary security credentials for users who have been authenticated via a SAML authentication response",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "role",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"saml:namequalifier",
"saml:sub",
"saml:sub_type",
"saml:aud",
"saml:iss",
"saml:doc",
"saml:cn",
"saml:commonName",
"saml:eduorghomepageuri",
"saml:eduorgidentityauthnpolicyuri",
"saml:eduorglegalname",
"saml:eduorgsuperioruri",
"saml:eduorgwhitepagesuri",
"saml:edupersonaffiliation",
"saml:edupersonassurance",
"saml:edupersonentitlement",
"saml:edupersonnickname",
"saml:edupersonorgdn",
"saml:edupersonorgunitdn",
"saml:edupersonprimaryaffiliation",
"saml:edupersonprimaryorgunitdn",
"saml:edupersonprincipalname",
"saml:edupersonscopedaffiliation",
"saml:edupersontargetedid",
"saml:givenName",
"saml:mail",
"saml:name",
"saml:organizationStatus",
"saml:primaryGroupSID",
"saml:surname",
"saml:uid",
"saml:x500UniqueIdentifier",
"aws:TagKeys",
"aws:RequestTag/${TagKey}",
"sts:TransitiveTagKeys",
"sts:SourceIdentity",
"sts:RoleSessionName"
],
"dependentActions": []
},
"assumerolewithwebidentity": {
"name": "AssumeRoleWithWebIdentity",
"description": "Grants permission to obtain a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "role",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"cognito-identity.amazonaws.com:amr",
"cognito-identity.amazonaws.com:aud",
"cognito-identity.amazonaws.com:sub",
"www.amazon.com:app_id",
"www.amazon.com:user_id",
"graph.facebook.com:app_id",
"graph.facebook.com:id",
"accounts.google.com:aud",
"accounts.google.com:oaud",
"accounts.google.com:sub",
"aws:TagKeys",
"aws:RequestTag/${TagKey}",
"sts:TransitiveTagKeys",
"sts:SourceIdentity",
"sts:RoleSessionName"
],
"dependentActions": []
},
"assumeroot": {
"name": "AssumeRoot",
"description": "Grants permission to obtain a set of temporary security credentials that you can use to perform privileged tasks in member accounts in your organization",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "root-user",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"sts:TaskPolicyArn"
],
"dependentActions": []
},
"decodeauthorizationmessage": {
"name": "DecodeAuthorizationMessage",
"description": "Grants permission to decode additional information about the authorization status of a request from an encoded message returned in response to an AWS request",
"accessLevel": "Write",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"getaccesskeyinfo": {
"name": "GetAccessKeyInfo",
"description": "Grants permission to obtain details about the access key id passed as a parameter to the request",
"accessLevel": "Read",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"getcalleridentity": {
"name": "GetCallerIdentity",
"description": "Grants permission to obtain details about the IAM identity whose credentials are used to call the API",
"accessLevel": "Read",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"getdelegatedaccesstoken": {
"name": "GetDelegatedAccessToken",
"description": "Returns temporary security credentials for accessing an AWS account after temporary delegation request approval. This API requires the tradeInToken provided upon request delegation approval and is intended to be used only by Amazon or AWS Partners",
"accessLevel": "Write",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"getfederationtoken": {
"name": "GetFederationToken",
"description": "Grants permission to obtain a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a federated user",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "federated-user",
"required": false,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"aws:TagKeys",
"aws:RequestTag/${TagKey}"
],
"dependentActions": []
},
"getservicebearertoken": {
"name": "GetServiceBearerToken",
"isPermissionOnly": true,
"description": "Grants permission to obtain a STS bearer token for an AWS root user, IAM role, or an IAM user",
"accessLevel": "Read",
"resourceTypes": [],
"conditionKeys": [
"sts:AWSServiceName",
"sts:DurationSeconds"
],
"dependentActions": []
},
"getsessiontoken": {
"name": "GetSessionToken",
"description": "Grants permission to obtain a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for an AWS account or IAM user",
"accessLevel": "Read",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"getwebidentitytoken": {
"name": "GetWebIdentityToken",
"description": "Grants permission to obtain a short-lived, publicly verifiable JSON Web Token (JWT) that represents the calling IAM principal's identity",
"accessLevel": "Write",
"resourceTypes": [],
"conditionKeys": [
"sts:DurationSeconds",
"sts:IdentityTokenAudience",
"sts:SigningAlgorithm",
"aws:TagKeys",
"aws:RequestTag/${TagKey}"
],
"dependentActions": []
},
"setcontext": {
"name": "SetContext",
"isPermissionOnly": true,
"description": "Grants permission to set context keys on a STS session",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "role",
"required": false,
"conditionKeys": [],
"dependentActions": []
},
{
"name": "self-session",
"required": false,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"sts:RequestContext/${ContextKey}",
"sts:RequestContextProviders"
],
"dependentActions": []
},
"setsourceidentity": {
"name": "SetSourceIdentity",
"isPermissionOnly": true,
"description": "Grants permission to set a source identity on a STS session",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "role",
"required": false,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"sts:SourceIdentity"
],
"dependentActions": []
},
"taggetwebidentitytoken": {
"name": "TagGetWebIdentityToken",
"isPermissionOnly": true,
"description": "Grants permission to add tags to the JSON Web Token (JWT) generated by the GetWebIdentityToken API",
"accessLevel": "Tagging",
"resourceTypes": [],
"conditionKeys": [
"aws:TagKeys",
"aws:RequestTag/${TagKey}"
],
"dependentActions": []
},
"tagsession": {
"name": "TagSession",
"isPermissionOnly": true,
"description": "Grants permission to add tags to a STS session",
"accessLevel": "Tagging",
"resourceTypes": [
{
"name": "role",
"required": false,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"aws:TagKeys",
"aws:RequestTag/${TagKey}",
"sts:TransitiveTagKeys",
"saml:aud"
],
"dependentActions": []
}
}