Actions, resources, and condition keys for Amazon S3 Glacier - Service Authorization Reference

Actions, resources, and condition keys for Amazon S3 Glacier

Amazon S3 Glacier (service prefix: glacier) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions defined by Amazon S3 Glacier

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note

Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see Actions table.

Actions Description Access level Resource types (*required) Condition keys Dependent actions
AbortMultipartUpload Grants permission to abort a multipart upload identified by the upload ID Write

vault*

AbortVaultLock Grants permission to abort the vault locking process if the vault lock is not in the Locked state Permissions management

vault*

AddTagsToVault Grants permission to add the specified tags to a vault Tagging

vault*

aws:TagKeys

aws:RequestTag/${TagKey}

CompleteMultipartUpload Grants permission to complete a multipart upload process Write

vault*

CompleteVaultLock Grants permission to complete the vault locking process Permissions management

vault*

CreateVault Grants permission to create a new vault with the specified name Write

vault*

DeleteArchive Grants permission to delete an archive from a vault Write

vault*

glacier:ArchiveAgeInDays

DeleteVault Grants permission to delete a vault Write

vault*

DeleteVaultAccessPolicy Grants permission to delete the access policy associated with the specified vault Permissions management

vault*

DeleteVaultNotifications Grants permission to delete the notification configuration set for a vault Write

vault*

DescribeJob Grants permission to get information about a job previously initiated Read

vault*

DescribeVault Grants permission to get information about a vault Read

vault*

GetDataRetrievalPolicy Grants permission to get the data retrieval policy Read
GetJobOutput Grants permission to download the output of the job specified Read

vault*

GetVaultAccessPolicy Grants permission to retrieve the access-policy subresource set on the vault Read

vault*

GetVaultLock Grants permission to retrieve attributes from the lock-policy subresource set on the specified vault Read

vault*

GetVaultNotifications Grants permission to retrieve the notification-configuration subresource set on the vault Read

vault*

InitiateJob Grants permission to initiate a job of the specified type Write

vault*

glacier:ArchiveAgeInDays

InitiateMultipartUpload Grants permission to initiate a multipart upload Write

vault*

InitiateVaultLock Grants permission to initiate the vault locking process Permissions management

vault*

ListJobs Grants permission to list jobs for a vault that are in-progress and jobs that have recently finished List

vault*

ListMultipartUploads Grants permission to list in-progress multipart uploads for the specified vault List

vault*

ListParts Grants permission to list the parts of an archive that have been uploaded in a specific multipart upload List

vault*

ListProvisionedCapacity Grants permission to list the provisioned capacity for the specified AWS account List
ListTagsForVault Grants permission to list all the tags attached to a vault List

vault*

ListVaults Grants permission to list all vaults List
PurchaseProvisionedCapacity Grants permission to purchases a provisioned capacity unit for an AWS account Write
RemoveTagsFromVault Grants permission to remove one or more tags from the set of tags attached to a vault Tagging

vault*

SetDataRetrievalPolicy Grants permission to set and then enacts a data retrieval policy in the region specified in the PUT request Permissions management
SetVaultAccessPolicy Grants permission to configure an access policy for a vault; will overwrite an existing policy Permissions management

vault*

SetVaultNotifications Grants permission to configure vault notifications Write

vault*

UploadArchive Grants permission to upload an archive to a vault Write

vault*

UploadMultipartPart Grants permission to upload a part of an archive Write

vault*

Resource types defined by Amazon S3 Glacier

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.

Resource types ARN Condition keys
vault arn:${Partition}:glacier:${Region}:${Account}:vaults/${VaultName}

Condition keys for Amazon S3 Glacier

Amazon S3 Glacier defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys Description Type
aws:RequestTag/${TagKey} Filters access by the tags that are passed in the request String
aws:TagKeys Filters access by the tag keys that are passed in the request ArrayOfString
glacier:ArchiveAgeInDays Filters access by how long an archive has been stored in the vault, in days String
glacier:ResourceTag/ Filters access by a customer-defined tag String