Actions, resources, and condition keys for AWS Deadline Cloud

AWS Deadline Cloud (service prefix: deadline) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Learn how to configure this service.
View a list of the API operations available for this service.
Learn how to secure this service and its resources by using IAM permission policies.

Topics

Actions defined by AWS Deadline Cloud
Resource types defined by AWS Deadline Cloud
Condition keys for AWS Deadline Cloud

Actions defined by AWS Deadline Cloud

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note

Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see Actions table.

Actions	Description	Access level	Resource types (*required)	Condition keys	Dependent actions
AssociateMemberToFarm	Grants permission to associate a member to a farm	Permissions management	farm*		identitystore:DescribeGroup identitystore:DescribeUser identitystore:ListGroupMembershipsForMember
AssociateMemberToFarm	Grants permission to associate a member to a farm	Permissions management		deadline:AssociatedMembershipLevel deadline:MembershipLevel
AssociateMemberToFleet	Grants permission to associate a member to a fleet	Permissions management	fleet*		identitystore:DescribeGroup identitystore:DescribeUser identitystore:ListGroupMembershipsForMember
AssociateMemberToFleet	Grants permission to associate a member to a fleet	Permissions management		deadline:AssociatedMembershipLevel deadline:MembershipLevel
AssociateMemberToJob	Grants permission to associate a member to a job	Permissions management	job*		identitystore:DescribeGroup identitystore:DescribeUser identitystore:ListGroupMembershipsForMember
AssociateMemberToJob	Grants permission to associate a member to a job	Permissions management		deadline:AssociatedMembershipLevel deadline:MembershipLevel
AssociateMemberToQueue	Grants permission to associate a member to a queue	Permissions management	queue*		identitystore:DescribeGroup identitystore:DescribeUser identitystore:ListGroupMembershipsForMember
AssociateMemberToQueue	Grants permission to associate a member to a queue	Permissions management		deadline:AssociatedMembershipLevel deadline:MembershipLevel
AssumeFleetRoleForRead	Grants permission to assume a fleet role for read-only access	Write	fleet*		identitystore:ListGroupMembershipsForMember
AssumeFleetRoleForWorker	Grants permission to assume a fleet role for a worker	Write	worker*
AssumeQueueRoleForRead	Grants permission to assume a queue role for read-only access	Write	queue*		identitystore:ListGroupMembershipsForMember
AssumeQueueRoleForUser	Grants permission to assume a queue role for a user	Write	queue*		identitystore:ListGroupMembershipsForMember
AssumeQueueRoleForWorker	Grants permission to assume a queue role for a worker	Write	queue*
AssumeQueueRoleForWorker	Grants permission to assume a queue role for a worker	Write	worker*
BatchGetJobEntity	Grants permission to get a job entity for a worker	Read	worker*
CopyJobTemplate	Grants permission to copy a job template to an Amazon S3 bucket	Write	job*		identitystore:ListGroupMembershipsForMember s3:PutObject
CreateBudget	Grants permission to create a budget	Write	budget*		identitystore:ListGroupMembershipsForMember
CreateFarm	Grants permission to create a farm	Write	farm*		deadline:TagResource
CreateFarm	Grants permission to create a farm	Write		aws:RequestTag/${TagKey} aws:TagKeys
CreateFleet	Grants permission to create a fleet	Write	fleet*		deadline:TagResource iam:PassRole identitystore:ListGroupMembershipsForMember logs:CreateLogGroup
CreateFleet	Grants permission to create a fleet	Write		aws:RequestTag/${TagKey} aws:TagKeys
CreateJob	Grants permission to create a job	Write	job*		identitystore:ListGroupMembershipsForMember
CreateLicenseEndpoint	Grants permission to create a license endpoint for licensed software or products	Write	license-endpoint*		deadline:TagResource ec2:CreateTags ec2:CreateVpcEndpoint ec2:DescribeVpcEndpoints
CreateLicenseEndpoint		Write		aws:RequestTag/${TagKey} aws:TagKeys
CreateMonitor	Grants permission to create a monitor	Write	monitor*		iam:PassRole sso:CreateApplication sso:DeleteApplication sso:PutApplicationAssignmentConfiguration sso:PutApplicationAuthenticationMethod sso:PutApplicationGrant
CreateQueue	Grants permission to create a queue	Write	queue*		deadline:TagResource iam:PassRole identitystore:ListGroupMembershipsForMember logs:CreateLogGroup s3:ListBucket
CreateQueue	Grants permission to create a queue	Write		aws:RequestTag/${TagKey} aws:TagKeys
CreateQueueEnvironment	Grants permission to create a queue environment	Write	queue*		identitystore:ListGroupMembershipsForMember
CreateQueueFleetAssociation	Grants permission to create a queue-fleet association	Write	fleet*		identitystore:ListGroupMembershipsForMember
CreateQueueFleetAssociation	Grants permission to create a queue-fleet association	Write	queue*
CreateStorageProfile	Grants permission to create a storage profile for a farm	Write	farm*		identitystore:ListGroupMembershipsForMember
CreateWorker	Grants permission to create a worker	Write	worker*
DeleteBudget	Grants permission to delete a budget	Write	budget*		identitystore:ListGroupMembershipsForMember
DeleteFarm	Grants permission to delete a farm	Write	farm*		identitystore:ListGroupMembershipsForMember
DeleteFleet	Grants permission to delete a fleet	Write	fleet*		identitystore:ListGroupMembershipsForMember
DeleteLicenseEndpoint	Grants permission to delete a license endpoint	Write	license-endpoint*		ec2:DeleteVpcEndpoints ec2:DescribeVpcEndpoints
DeleteMeteredProduct	Grants permission to delete a metered product	Write	metered-product*
DeleteMonitor	Grants permission to delete a monitor	Write	monitor*		sso:DeleteApplication
DeleteQueue	Grants permission to delete a queue	Write	queue*		identitystore:ListGroupMembershipsForMember
DeleteQueueEnvironment	Grants permission to delete a queue environment	Write	queue*		identitystore:ListGroupMembershipsForMember
DeleteQueueFleetAssociation	Grants permission to delete a queue-fleet association	Write	fleet*		identitystore:ListGroupMembershipsForMember
DeleteQueueFleetAssociation	Grants permission to delete a queue-fleet association	Write	queue*
DeleteStorageProfile	Grants permission to delete a storage profile	Write	farm*		identitystore:ListGroupMembershipsForMember
DeleteWorker	Grants permission to delete a worker	Write	worker*
DisassociateMemberFromFarm	Grants permission to disassociate a member from a farm	Permissions management	farm*		identitystore:ListGroupMembershipsForMember
DisassociateMemberFromFarm	Grants permission to disassociate a member from a farm	Permissions management		deadline:AssociatedMembershipLevel
DisassociateMemberFromFleet	Grants permission to disassociate a member from a fleet	Permissions management	fleet*		identitystore:ListGroupMembershipsForMember
DisassociateMemberFromFleet	Grants permission to disassociate a member from a fleet	Permissions management		deadline:AssociatedMembershipLevel
DisassociateMemberFromJob	Grants permission to disassociate a member from a job	Permissions management	job*		identitystore:ListGroupMembershipsForMember
DisassociateMemberFromJob	Grants permission to disassociate a member from a job	Permissions management		deadline:AssociatedMembershipLevel
DisassociateMemberFromQueue	Grants permission to disassociate a member from a queue	Permissions management	queue*		identitystore:ListGroupMembershipsForMember
DisassociateMemberFromQueue	Grants permission to disassociate a member from a queue	Permissions management		deadline:AssociatedMembershipLevel
GetApplicationVersion	Grants permission to get the latest version of an application	Read	monitor*
GetBudget	Grants permission to get a budget	Read	budget*		identitystore:ListGroupMembershipsForMember
GetFarm	Grants permission to get a farm	Read	farm*		identitystore:ListGroupMembershipsForMember
GetFleet	Grants permission to get a fleet	Read	fleet*		identitystore:ListGroupMembershipsForMember
GetJob	Grants permission to get a job	Read	job*		identitystore:ListGroupMembershipsForMember
GetLicenseEndpoint	Grants permission to get a license endpoint	Read	license-endpoint*
GetMonitor	Grants permission to get a monitor	Read	monitor*
GetQueue	Grants permission to get a queue	Read	queue*		identitystore:ListGroupMembershipsForMember
GetQueueEnvironment	Grants permission to get a queue environment	Read	queue*		identitystore:ListGroupMembershipsForMember
GetQueueFleetAssociation	Grants permission to get a queue-fleet association	Read	fleet*		identitystore:ListGroupMembershipsForMember
GetQueueFleetAssociation	Grants permission to get a queue-fleet association	Read	queue*
GetSession	Grants permission to get a session for a job	Read	job*		identitystore:ListGroupMembershipsForMember
GetSessionAction	Grants permission to get a session action for a job	Read	job*		identitystore:ListGroupMembershipsForMember
GetSessionsStatisticsAggregation	Grants permission to get all collected statistics for sessions	Read	farm		identitystore:ListGroupMembershipsForMember
			fleet
			queue
GetStep	Grants permission to get a step in a job	Read	job*		identitystore:ListGroupMembershipsForMember
GetStorageProfile	Grants permission to get a storage profile	Read	farm*		identitystore:ListGroupMembershipsForMember
GetStorageProfileForQueue	Grants permission to get a storage profile for a queue	Read	queue*		identitystore:ListGroupMembershipsForMember
GetTask	Grants permission to get a job task	Read	job*		identitystore:ListGroupMembershipsForMember
GetWorker	Grants permission to get a worker	Read	worker*		identitystore:ListGroupMembershipsForMember
ListAvailableMeteredProducts	Grants permission to list all available metered products within a license endpoint	List
ListBudgets	Grants permission to list all budgets for a farm	List	budget*		identitystore:ListGroupMembershipsForMember
ListFarmMembers	Grants permission to list all members of a farm	List	farm*		identitystore:ListGroupMembershipsForMember
ListFarms	Grants permission to list all farms	List	farm*		identitystore:DescribeGroup identitystore:DescribeUser identitystore:ListGroupMembershipsForMember
ListFarms	Grants permission to list all farms	List		deadline:PrincipalId deadline:RequesterPrincipalId
ListFleetMembers	Grants permission to list all members of a fleet	List	fleet*		identitystore:ListGroupMembershipsForMember
ListFleets	Grants permission to list all fleets	List	fleet*		identitystore:DescribeGroup identitystore:DescribeUser identitystore:ListGroupMembershipsForMember
ListFleets	Grants permission to list all fleets	List		deadline:PrincipalId deadline:RequesterPrincipalId
ListJobMembers	Grants permission to list all members of a job	List	job*		identitystore:ListGroupMembershipsForMember
ListJobs	Grants permission to list all jobs in a queue	List	job*		identitystore:DescribeGroup identitystore:DescribeUser identitystore:ListGroupMembershipsForMember
ListJobs	Grants permission to list all jobs in a queue	List		deadline:PrincipalId deadline:RequesterPrincipalId
ListLicenseEndpoints	Grants permission to list all license endpoints	List	license-endpoint*
ListMeteredProducts	Grants permission to list all metered products in a license endpoint	List	metered-product*
ListMonitors	Grants permission to list all monitors	List	monitor*
ListQueueEnvironments	Grants permission to list all queue environments to which a queue is associated	List	queue*		identitystore:ListGroupMembershipsForMember
ListQueueFleetAssociations	Grants permission to list all queue-fleet associations	List	farm		identitystore:ListGroupMembershipsForMember
			fleet
			queue
ListQueueMembers	Grants permission to list all members in a queue	List	queue*		identitystore:ListGroupMembershipsForMember
ListQueues	Grants permission to list all queues on a farm	List	queue*		identitystore:DescribeGroup identitystore:DescribeUser identitystore:ListGroupMembershipsForMember
ListQueues	Grants permission to list all queues on a farm	List		deadline:PrincipalId deadline:RequesterPrincipalId
ListSessionActions	Grants permission to list all session actions for a job	List	job*		identitystore:ListGroupMembershipsForMember
ListSessions	Grants permission to list all sessions for a job	List	job*		identitystore:ListGroupMembershipsForMember
ListSessionsForWorker	Grants permission to list all sessions for a worker	List	worker*		identitystore:ListGroupMembershipsForMember
ListStepConsumers	Grants permission to list the step consumers for a job step	List	job*		identitystore:ListGroupMembershipsForMember
ListStepDependencies	Grants permission to list dependencies for a job step	List	job*		identitystore:ListGroupMembershipsForMember
ListSteps	Grants permission to list all steps for a job	List	job*		identitystore:ListGroupMembershipsForMember
ListStorageProfiles	Grants permission to list all storage profiles in a farm	List	farm*		identitystore:ListGroupMembershipsForMember
ListStorageProfilesForQueue	Grants permission to list all storage profiles in a queue	List	queue*		identitystore:ListGroupMembershipsForMember
ListTagsForResource	Grants permission to list all tags on specified Deadline Cloud resources	List	farm
			fleet
			license-endpoint
			queue
ListTasks	Grants permission to list all tasks for a job	List	job*		identitystore:ListGroupMembershipsForMember
ListWorkers	Grants permission to list all workers in a fleet	List	worker*		identitystore:ListGroupMembershipsForMember
PutMeteredProduct	Grants permission to add a metered product to a license endpoint	Write	metered-product*
SearchJobs	Grants permission to search for jobs in multiple queues	List	queue*		identitystore:ListGroupMembershipsForMember
SearchSteps	Grants permission to search the steps within a single job or to search the steps for multiple queues	List	job		identitystore:ListGroupMembershipsForMember
SearchSteps		List	queue
SearchTasks	Grants permission to search the tasks within a single job or to search the tasks for multiple queues	List	job		identitystore:ListGroupMembershipsForMember
SearchTasks		List	queue
SearchWorkers	Grants permission to search for workers in multiple fleets	List	fleet*		identitystore:ListGroupMembershipsForMember
StartSessionsStatisticsAggregation	Grants permission to get all collected statistics for sessions	Read	fleet		identitystore:ListGroupMembershipsForMember
StartSessionsStatisticsAggregation		Read	queue
TagResource	Grants permission to add or overwrite one or more tags for the specified Deadline Cloud resource	Tagging	farm
			fleet
			license-endpoint
			queue
				aws:RequestTag/${TagKey} aws:TagKeys
UntagResource	Grants permission to disassociate one or more tags from the specified Deadline Cloud resource	Tagging	farm
			fleet
			license-endpoint
			queue
				aws:TagKeys
UpdateBudget	Grants permission to update a budget	Write	budget*		identitystore:ListGroupMembershipsForMember
UpdateFarm	Grants permission to update a farm	Write	farm*		identitystore:ListGroupMembershipsForMember
UpdateFleet	Grants permission to update a fleet	Write	fleet*		iam:PassRole identitystore:ListGroupMembershipsForMember
UpdateJob	Grants permission to update a job	Write	job*		identitystore:ListGroupMembershipsForMember
UpdateMonitor	Grants permission to update a monitor	Write	monitor*		iam:PassRole sso:PutApplicationGrant sso:UpdateApplication
UpdateQueue	Grants permission to update a queue	Write	queue*		iam:PassRole identitystore:ListGroupMembershipsForMember
UpdateQueueEnvironment	Grants permission to update a queue environment	Write	queue*		identitystore:ListGroupMembershipsForMember
UpdateQueueFleetAssociation	Grants permission to update a queue-fleet association	Write	fleet*		identitystore:ListGroupMembershipsForMember
UpdateQueueFleetAssociation	Grants permission to update a queue-fleet association	Write	queue*
UpdateSession	Grants permission to update a session for a job	Write	job*		identitystore:ListGroupMembershipsForMember
UpdateStep	Grants permission to update a step for a job	Write	job*		identitystore:ListGroupMembershipsForMember
UpdateStorageProfile	Grants permission to update a storage profile for a farm	Write	farm*		identitystore:ListGroupMembershipsForMember
UpdateTask	Grants permission to update a task	Write	job*		identitystore:ListGroupMembershipsForMember
UpdateWorker	Grants permission to update a worker	Write	worker*		logs:CreateLogStream
UpdateWorkerSchedule	Grants permission to update the schedule for a worker	Write	worker*		logs:CreateLogStream

Resource types defined by AWS Deadline Cloud

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.

Resource types	ARN	Condition keys
budget	`arn:${Partition}:deadline:${Region}:${Account}:farm/${FarmId}/budget/${BudgetId}`	deadline:FarmMembershipLevels
farm	`arn:${Partition}:deadline:${Region}:${Account}:farm/${FarmId}`	aws:ResourceTag/${TagKey} deadline:FarmMembershipLevels
fleet	`arn:${Partition}:deadline:${Region}:${Account}:farm/${FarmId}/fleet/${FleetId}`	aws:ResourceTag/${TagKey} deadline:FarmMembershipLevels deadline:FleetMembershipLevels
job	`arn:${Partition}:deadline:${Region}:${Account}:farm/${FarmId}/queue/${QueueId}/job/${JobId}`	deadline:FarmMembershipLevels deadline:JobMembershipLevels deadline:QueueMembershipLevels
license-endpoint	`arn:${Partition}:deadline:${Region}:${Account}:license-endpoint/${LicenseEndpointId}`	aws:ResourceTag/${TagKey}
metered-product	`arn:${Partition}:deadline:${Region}:${Account}:license-endpoint/${LicenseEndpointId}/metered-product/${ProductId}`
monitor	`arn:${Partition}:deadline:${Region}:${Account}:monitor/${MonitorId}`
queue	`arn:${Partition}:deadline:${Region}:${Account}:farm/${FarmId}/queue/${QueueId}`	aws:ResourceTag/${TagKey} deadline:FarmMembershipLevels deadline:QueueMembershipLevels
worker	`arn:${Partition}:deadline:${Region}:${Account}:farm/${FarmId}/fleet/${FleetId}/worker/${WorkerId}`	deadline:FarmMembershipLevels deadline:FleetMembershipLevels

Condition keys for AWS Deadline Cloud

AWS Deadline Cloud defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys	Description	Type
aws:RequestTag/${TagKey}	Filters access by the tags that are passed in the request	String
aws:ResourceTag/${TagKey}	Filters access by the tags associated with the resource	String
aws:TagKeys	Filters access by the tag keys that are passed in the request	ArrayOfString
deadline:AssociatedMembershipLevel	Filters access by the associated membership level of the principal provided in the request	String
deadline:FarmMembershipLevels	Filters access by membership levels on the farm	ArrayOfString
deadline:FleetMembershipLevels	Filters access by membership levels on the fleet	ArrayOfString
deadline:JobMembershipLevels	Filters access by membership levels on the job	ArrayOfString
deadline:MembershipLevel	Filters access by the membership level passed in the request	String
deadline:PrincipalId	Filters access by the principle ID provided in the request	String
deadline:QueueMembershipLevels	Filters access by membership levels on the queue	ArrayOfString
deadline:RequesterPrincipalId	Filters access by the user calling the Deadline Cloud API	String

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Amazon DataZone

AWS DeepComposer