Actions, resources, and condition keys for Amazon Nimble Studio

Amazon Nimble Studio (service prefix: nimble) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Learn how to configure this service.
View a list of the API operations available for this service.
Learn how to secure this service and its resources by using IAM permission policies.

Topics

Actions defined by Amazon Nimble Studio
Resource types defined by Amazon Nimble Studio
Condition keys for Amazon Nimble Studio

Actions defined by Amazon Nimble Studio

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note

Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see Actions table.

Actions	Description	Access level	Resource types (*required)	Condition keys	Dependent actions
AcceptEulas	Grants permission to accept EULAs	Write	eula*
CreateLaunchProfile	Grants permission to create a launch profile	Write	studio*		ec2:CreateNetworkInterface ec2:DescribeNatGateways ec2:DescribeNetworkAcls ec2:DescribeRouteTables ec2:DescribeSubnets ec2:DescribeVpcEndpoints ec2:RunInstances
CreateLaunchProfile	Grants permission to create a launch profile	Write		aws:TagKeys aws:RequestTag/${TagKey}
CreateStreamingImage	Grants permission to create a streaming image	Write	studio*		ec2:DescribeImages ec2:DescribeSnapshots ec2:ModifyInstanceAttribute ec2:ModifySnapshotAttribute ec2:RegisterImage
CreateStreamingImage	Grants permission to create a streaming image	Write		aws:TagKeys aws:RequestTag/${TagKey}
CreateStreamingSession	Grants permission to create a streaming session	Write	launch-profile*		ec2:CreateNetworkInterface ec2:CreateNetworkInterfacePermission nimble:GetLaunchProfile nimble:GetLaunchProfileInitialization nimble:ListEulaAcceptances
CreateStreamingSession	Grants permission to create a streaming session	Write		aws:TagKeys aws:RequestTag/${TagKey}
CreateStreamingSessionStream	Grants permission to create a StreamingSessionStream	Write	streaming-session*
CreateStreamingSessionStream	Grants permission to create a StreamingSessionStream	Write		nimble:requesterPrincipalId
CreateStudio	Grants permission to create a studio	Write	studio*		iam:PassRole sso:CreateManagedApplicationInstance
CreateStudio	Grants permission to create a studio	Write		aws:TagKeys aws:RequestTag/${TagKey}
CreateStudioComponent	Grants permission to create a studio component. A studio component designates a network resource to which a launch profile will provide access	Write	studio*		ds:AuthorizeApplication ds:DescribeDirectories ec2:DescribeSecurityGroups fsx:DescribeFileSystems iam:PassRole
CreateStudioComponent		Write		aws:TagKeys aws:RequestTag/${TagKey}
DeleteLaunchProfile	Grants permission to delete a launch profile	Write	launch-profile*
DeleteLaunchProfileMember	Grants permission to delete a launch profile member	Write	launch-profile*
DeleteStreamingImage	Grants permission to delete a streaming image	Write	streaming-image*		ec2:DeleteSnapshot ec2:DeregisterImage ec2:ModifyInstanceAttribute ec2:ModifySnapshotAttribute
DeleteStreamingSession	Grants permission to delete a streaming session	Write	streaming-session*		ec2:DeleteNetworkInterface
DeleteStreamingSession	Grants permission to delete a streaming session	Write		nimble:requesterPrincipalId
DeleteStudio	Grants permission to delete a studio	Write	studio*		sso:DeleteManagedApplicationInstance
DeleteStudioComponent	Grants permission to delete a studio component	Write	studio-component*		ds:UnauthorizeApplication
DeleteStudioMember	Grants permission to delete a studio member	Write	studio*
GetEula	Grants permission to get a EULA	Read	eula*
GetFeatureMap [permission only]	Grants permission to allow Nimble Studio portal to show the appropriate features for this account	Read
GetLaunchProfile	Grants permission to get a launch profile	Read	launch-profile*
GetLaunchProfileDetails	Grants permission to get a launch profile's details, which includes the summary of studio components and streaming images used by the launch profile	Read	launch-profile*
GetLaunchProfileInitialization	Grants permission to get a launch profile initialization. A launch profile initialization is a dereferenced version of a launch profile, including attached studio component connection information	Read	launch-profile*		ds:DescribeDirectories ec2:DescribeSecurityGroups fsx:DescribeFileSystems
GetLaunchProfileMember	Grants permission to get a launch profile member	Read	launch-profile*
GetStreamingImage	Grants permission to get a streaming image	Read	streaming-image*
GetStreamingSession	Grants permission to get a streaming session	Read	streaming-session*
GetStreamingSession	Grants permission to get a streaming session	Read		nimble:requesterPrincipalId
GetStreamingSessionBackup	Grants permission to get a streaming session backup	Read	streaming-session-backup*
GetStreamingSessionBackup	Grants permission to get a streaming session backup	Read		nimble:requesterPrincipalId
GetStreamingSessionStream	Grants permission to get a streaming session stream	Read	streaming-session*
GetStreamingSessionStream	Grants permission to get a streaming session stream	Read		nimble:requesterPrincipalId
GetStudio	Grants permission to get a studio	Read	studio*
GetStudioComponent	Grants permission to get a studio component	Read	studio-component*
GetStudioMember	Grants permission to get a studio member	Read	studio*
ListEulaAcceptances	Grants permission to list EULA acceptances	Read	eula-acceptance*
ListEulas	Grants permission to list EULAs	Read	eula*
ListLaunchProfileMembers	Grants permission to list launch profile members	Read	launch-profile*
ListLaunchProfiles	Grants permission to list launch profiles	Read	studio*
ListLaunchProfiles	Grants permission to list launch profiles	Read		nimble:principalId nimble:requesterPrincipalId
ListStreamingImages	Grants permission to list streaming images	Read	studio*
ListStreamingSessionBackups	Grants permission to list streaming session backups	Read	studio*
ListStreamingSessionBackups	Grants permission to list streaming session backups	Read		nimble:requesterPrincipalId
ListStreamingSessions	Grants permission to list streaming sessions	Read	studio*
ListStreamingSessions	Grants permission to list streaming sessions	Read		nimble:createdBy nimble:ownedBy nimble:requesterPrincipalId
ListStudioComponents	Grants permission to list studio components	Read	studio*
ListStudioMembers	Grants permission to list studio members	Read	studio*
ListStudios	Grants permission to list all studios	Read
ListTagsForResource	Grants permission to list all tags on a Nimble Studio resource	Read	launch-profile
			streaming-image
			streaming-session
			streaming-session-backup
			studio
			studio-component
PutLaunchProfileMembers	Grants permission to add/update launch profile members	Write	launch-profile*		sso-directory:DescribeUsers
PutStudioLogEvents [permission only]	Grants permission to report metrics and logs for the Nimble Studio portal to monitor application health	Write	studio*
PutStudioMembers	Grants permission to add/update studio members	Write	studio*		sso-directory:DescribeUsers
StartStreamingSession	Grants permission to start a streaming session	Write	streaming-session*		nimble:GetLaunchProfile nimble:GetLaunchProfileMember
			streaming-session-backup
				nimble:requesterPrincipalId
StartStudioSSOConfigurationRepair	Grants permission to repair the studio's AWS IAM Identity Center configuration	Write	studio*		sso:CreateManagedApplicationInstance sso:GetManagedApplicationInstance
StopStreamingSession	Grants permission to stop a streaming session	Write	streaming-session*		nimble:GetLaunchProfile
StopStreamingSession	Grants permission to stop a streaming session	Write		nimble:requesterPrincipalId
TagResource	Grants permission to add or overwrite one or more tags for the specified Nimble Studio resource	Tagging	launch-profile
			streaming-image
			streaming-session
			streaming-session-backup
			studio
			studio-component
				aws:RequestTag/${TagKey} aws:TagKeys aws:ResourceTag/${TagKey}
UntagResource	Grants permission to disassociate one or more tags from the specified Nimble Studio resource	Tagging	launch-profile
			streaming-image
			streaming-session
			streaming-session-backup
			studio
			studio-component
				aws:TagKeys
UpdateLaunchProfile	Grants permission to update a launch profile	Write	launch-profile*		ec2:DescribeNatGateways ec2:DescribeNetworkAcls ec2:DescribeRouteTables ec2:DescribeSubnets ec2:DescribeVpcEndpoints
UpdateLaunchProfileMember	Grants permission to update a launch profile member	Write	launch-profile*
UpdateStreamingImage	Grants permission to update a streaming image	Write	streaming-image*
UpdateStudio	Grants permission to update a studio	Write	studio*		iam:PassRole
UpdateStudioComponent	Grants permission to update a studio component	Write	studio-component*		ds:AuthorizeApplication ds:DescribeDirectories ec2:DescribeSecurityGroups fsx:DescribeFileSystems iam:PassRole

Resource types defined by Amazon Nimble Studio

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.

Resource types	ARN	Condition keys
studio	`arn:${Partition}:nimble:${Region}:${Account}:studio/${StudioId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys nimble:studioId
streaming-image	`arn:${Partition}:nimble:${Region}:${Account}:streaming-image/${StreamingImageId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys nimble:studioId
studio-component	`arn:${Partition}:nimble:${Region}:${Account}:studio-component/${StudioComponentId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys nimble:studioId
launch-profile	`arn:${Partition}:nimble:${Region}:${Account}:launch-profile/${LaunchProfileId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys nimble:studioId
streaming-session	`arn:${Partition}:nimble:${Region}:${Account}:streaming-session/${StreamingSessionId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys nimble:createdBy nimble:ownedBy
streaming-session-backup	`arn:${Partition}:nimble:${Region}:${Account}:streaming-session-backup/${StreamingSessionBackupId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys nimble:ownedBy
eula	`arn:${Partition}:nimble:${Region}:${Account}:eula/${EulaId}`
eula-acceptance	`arn:${Partition}:nimble:${Region}:${Account}:eula-acceptance/${EulaAcceptanceId}`	nimble:studioId

Condition keys for Amazon Nimble Studio

Amazon Nimble Studio defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys	Description	Type
aws:RequestTag/${TagKey}	Filters access by a tag key and value pair that is allowed in the request	String
aws:ResourceTag/${TagKey}	Filters access by a tag key and value pair of a resource	String
aws:TagKeys	Filters access by a list of tag keys that are allowed in the request	ArrayOfString
nimble:createdBy	Filters access by the createdBy request parameter or the ID of the creator of the resource	String
nimble:ownedBy	Filters access by the ownedBy request parameter or the ID of the owner of the resource	String
nimble:principalId	Filters access by the principalId request parameter	String
nimble:requesterPrincipalId	Filters access by the ID of the logged in user	String
nimble:studioId	Filters access by a specific studio	ARN

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

AWS Network Manager Chat

Amazon One Enterprise