Action Description Resources Conditions
Adds the specified IAM role to the specified instance profile.
  • arn:aws:iam::$account:instance-profile/$instance-profile-name
Adds the specified user to the specified group.
  • arn:aws:iam::$account:group/$group-name
Adds a new client ID (also known as audience) to the list of client IDs already registered for the specified IAM OpenID Connect (OIDC) provider resource.
  • arn:aws:iam::$account:oidc-provider/$provider-name
Attaches the specified managed policy to the specified IAM group.
  • arn:aws:iam::$account:group/$group-name
Attaches the specified managed policy to the specified IAM role.
  • arn:aws:iam::$account:role/$role-name
Attaches the specified managed policy to the specified user.
  • arn:aws:iam::$account:user/$user-name
Changes the password of the IAM user who is calling this action.
  • arn:aws:iam::$account:user/$user-name
Creates a new AWS secret access key and corresponding AWS access key ID for the specified user.
  • arn:aws:iam::$account:user/$user-name
Creates an alias for your AWS account.
  • *
Creates a new group.
  • arn:aws:iam::$account:group/$group-name
Creates a new instance profile.
  • arn:aws:iam::$account:instance-profile/$instance-profile-name
Creates a password for the specified user, giving the user the ability to access AWS services through the AWS Management Console.
  • arn:aws:iam::$account:user/$user-name
Creates an IAM entity to describe an identity provider (IdP) that supports OpenID Connect (OIDC).
  • arn:aws:iam::$account:oidc-provider/$provider-name
Creates a new managed policy for your AWS account.
  • arn:aws:iam::$account:policy/$policy-name
Creates a new version of the specified managed policy.
  • arn:aws:iam::$account:policy/$policy-name
Creates a new role for your AWS account.
  • arn:aws:iam::$account:role/$role-name
Creates an IAM resource that describes an identity provider (IdP) that supports SAML 2.0.
  • arn:aws:iam::$account:saml-provider/$provider-name
Creates a new IAM user for your AWS account.
  • arn:aws:iam::$account:user/$user-name
Creates a new virtual MFA device for the AWS account.
  • arn:aws:iam::$account:mfa/$virtual-device-name
Deactivates the specified MFA device and removes it from association with the user name for which it was originally enabled.
  • arn:aws:iam::$account:user/$user-name
Deletes the access key pair associated with the specified IAM user.
  • arn:aws:iam::$account:user/$user-name
Deletes the specified AWS account alias.
  • *
Deletes the password policy for the AWS account.
  • *
Deletes the specified IAM group.
  • arn:aws:iam::$account:group/$group-name
Deletes the specified inline policy that is embedded in the specified IAM group.
  • arn:aws:iam::$account:group/$group-name
Deletes the specified instance profile.
  • arn:aws:iam::$account:instance-profile/$instance-profile-name
Deletes the password for the specified IAM user, which terminates the user's ability to access AWS services through the AWS Management Console.
  • arn:aws:iam::$account:user/$user-name
Deletes an OpenID Connect identity provider (IdP) resource object in IAM.
  • arn:aws:iam::$account:oidc-provider/$provider-name
Deletes the specified managed policy.
  • arn:aws:iam::$account:policy/$policy-name
Deletes the specified version from the specified managed policy.
  • arn:aws:iam::$account:policy/$policy-name
Deletes the specified role.
  • arn:aws:iam::$account:role/$role-name
Deletes the specified inline policy that is embedded in the specified IAM role.
  • arn:aws:iam::$account:role/$role-name
Deletes a SAML provider resource in IAM.
  • arn:aws:iam::$account:saml-provider/$provider-name
Deletes the specified SSH public key.
  • arn:aws:iam::$account:user/$user-name
Deletes the specified server certificate.
  • arn:aws:iam::$account:server-certificate/$certificate-name
Deletes a signing certificate associated with the specified IAM user.
  • arn:aws:iam::$account:user/$user-name
Deletes the specified IAM user.
  • arn:aws:iam::$account:user/$user-name
Deletes the specified inline policy that is embedded in the specified IAM user.
  • arn:aws:iam::$account:user/$user-name
Deletes a virtual MFA device.
  • arn:aws:iam::$account:mfa/$virtual-device-name
Removes the specified managed policy from the specified IAM group.
  • arn:aws:iam::$account:group/$group-name
Removes the specified managed policy from the specified role.
  • arn:aws:iam::$account:role/$role-name
Removes the specified managed policy from the specified user.
  • arn:aws:iam::$account:user/$user-name
Enables the specified MFA device and associates it with the specified IAM user.
  • arn:aws:iam::$account:user/$user-name
Generates a credential report for the AWS account.
  • *
Retrieves information about when the specified access key was last used.
  • arn:aws:iam::$account:user/$user-name
Retrieves information about all IAM users, groups, roles, and policies in your AWS account, including their relationships to one another.
  • *
Retrieves the password policy for the AWS account.
  • *
Retrieves information about IAM entity usage and IAM quotas in the AWS account.
  • *
Gets a list of all of the context keys referenced in the input policies.
  • *
Gets a list of all of the context keys referenced in all of the IAM policies attached to the specified IAM entity.
  • *
Retrieves a credential report for the AWS account.
  • *
Returns a list of IAM users that are in the specified IAM group.
  • arn:aws:iam::$account:group/$group-name
Retrieves the specified inline policy document that is embedded in the specified IAM group.
  • arn:aws:iam::$account:group/$group-name
Retrieves information about the specified instance profile, including the instance profile's path, GUID, ARN, and role.
  • arn:aws:iam::$account:instance-profile/$instance-profile-name
Retrieves the user name and password-creation date for the specified IAM user.
  • arn:aws:iam::$account:user/$user-name
Returns information about the specified OpenID Connect (OIDC) provider resource object in IAM.
  • arn:aws:iam::$account:oidc-provider/$provider-name
Retrieves information about the specified managed policy, including the policy's default version and the total number of IAM users, groups, and roles to which the policy is attached.
  • arn:aws:iam::$account:policy/$policy-name
Retrieves information about the specified version of the specified managed policy, including the policy document.
  • arn:aws:iam::$account:policy/$policy-name
Retrieves information about the specified role, including the role's path, GUID, ARN, and the role's trust policy that grants permission to assume the role.
  • arn:aws:iam::$account:role/$role-name
Retrieves the specified inline policy document that is embedded in the specified IAM role.
  • arn:aws:iam::$account:role/$role-name
Returns the SAML provider metadocument that was uploaded when the IAM SAML provider resource object was created or updated.
  • arn:aws:iam::$account:saml-provider/$provider-name
Retrieves the specified SSH public key, including metadata about the key.
  • arn:aws:iam::$account:user/$user-name
Retrieves information about the specified server certificate stored in IAM.
  • arn:aws:iam::$account:server-certificate/$certificate-name
Views access advisor information. This is an IAM policy permission only, not an API action that can be called.
  • *
Retrieves information about the specified IAM user, including the user's creation date, path, unique ID, and ARN.
  • arn:aws:iam::$account:user/$user-name
Retrieves the specified inline policy document that is embedded in the specified IAM user.
  • arn:aws:iam::$account:user/$user-name
Returns information about the access key IDs associated with the specified IAM user.
  • arn:aws:iam::$account:user/$user-name
Lists the account alias associated with the AWS account (Note: you can have only one).
  • *
Lists all managed policies that are attached to the specified IAM group.
  • arn:aws:iam::$account:group/$group-name
Lists all managed policies that are attached to the specified IAM role.
  • arn:aws:iam::$account:role/$role-name
Lists all managed policies that are attached to the specified IAM user.
  • arn:aws:iam::$account:user/$user-name
Lists all IAM users, groups, and roles that the specified managed policy is attached to.
  • arn:aws:iam::$account:policy/$policy-name
Lists the names of the inline policies that are embedded in the specified IAM group.
  • arn:aws:iam::$account:group/$group-name
Lists the IAM groups that have the specified path prefix.
  • *
Lists the IAM groups that the specified IAM user belongs to.
  • arn:aws:iam::$account:user/$user-name
Lists the instance profiles that have the specified path prefix.
  • arn:aws:iam::$account:instance-profile/$instance-profile-name
Lists the instance profiles that have the specified associated IAM role.
  • arn:aws:iam::$account:role/$role-name
Lists the MFA devices for an IAM user.
  • arn:aws:iam::$account:user/$user-name
Lists information about the IAM OpenID Connect (OIDC) provider resource objects defined in the AWS account.
  • *
Lists all the managed policies that are available in your AWS account, including your own customer-defined managed policies and all AWS managed policies.
  • *
Views access advisor information. This is an IAM policy permission only, not an API action that can be called.
  • *
Lists information about the versions of the specified managed policy, including the version that is currently set as the policy's default version.
  • arn:aws:iam::$account:policy/$policy-name
Lists the names of the inline policies that are embedded in the specified IAM role.
  • arn:aws:iam::$account:role/$role-name
Lists the IAM roles that have the specified path prefix.
  • *
Lists the SAML provider resource objects defined in IAM in the account.
  • *
Returns information about the SSH public keys associated with the specified IAM user.
  • arn:aws:iam::$account:user/$user-name
Lists the server certificates stored in IAM that have the specified path prefix.
  • *
Returns information about the signing certificates associated with the specified IAM user.
  • arn:aws:iam::$account:user/$user-name
Lists the names of the inline policies embedded in the specified IAM user.
  • arn:aws:iam::$account:user/$user-name
Lists the IAM users that have the specified path prefix.
  • *
Lists the virtual MFA devices defined in the AWS account by assignment status.
  • *
Adds or updates an inline policy document that is embedded in the specified IAM group.
  • arn:aws:iam::$account:group/$group-name
Adds or updates an inline policy document that is embedded in the specified IAM role.
  • arn:aws:iam::$account:role/$role-name
Adds or updates an inline policy document that is embedded in the specified IAM user.
  • arn:aws:iam::$account:user/$user-name
Removes the specified client ID (also known as audience) from the list of client IDs registered for the specified IAM OpenID Connect (OIDC) provider resource object.
  • arn:aws:iam::$account:oidc-provider/$provider-name
Removes the specified IAM role from the specified EC2 instance profile.
  • arn:aws:iam::$account:instance-profile/$instance-profile-name
Removes the specified user from the specified group.
  • arn:aws:iam::$account:group/$group-name
Synchronizes the specified MFA device with its IAM resource object on the AWS servers.
  • arn:aws:iam::$account:user/$user-name
Sets the specified version of the specified policy as the policy's default (operative) version.
  • arn:aws:iam::$account:policy/$policy-name
Simulates how a set of IAM policies and, optionally, a resource-based policy work with a list of API actions and AWS resources to determine the policies' effective permissions.
  • *
Simulates how a set of IAM policies attached to an IAM entity works with a list of API actions and AWS resources to determine the policies' effective permissions.
  • *
Changes the status of the specified access key from Active to Inactive, or vice versa.
  • arn:aws:iam::$account:user/$user-name
Updates the password policy settings for the AWS account.
  • *
Updates the policy that grants an IAM entity permission to assume a role.
  • arn:aws:iam::$account:role/$role-name
Updates the name and/or the path of the specified IAM group.
  • arn:aws:iam::$account:group/$group-name
Changes the password for the specified IAM user.
  • arn:aws:iam::$account:user/$user-name
Replaces the existing list of server certificate thumbprints associated with an OpenID Connect (OIDC) provider resource object with a new list of thumbprints.
  • arn:aws:iam::$account:oidc-provider/$provider-name
Updates the metadata document for an existing SAML provider resource object.
  • arn:aws:iam::$account:saml-provider/$provider-name
Sets the status of an IAM user's SSH public key to active or inactive.
  • arn:aws:iam::$account:user/$user-name
Updates the name and/or the path of the specified server certificate stored in IAM.
  • arn:aws:iam::$account:server-certificate/$certificate-name
Changes the status of the specified user signing certificate from active to disabled, or vice versa.
  • arn:aws:iam::$account:user/$user-name
Updates the name and/or the path of the specified IAM user.
  • arn:aws:iam::$account:user/$user-name
Uploads an SSH public key and associates it with the specified IAM user.
  • arn:aws:iam::$account:user/$user-name
Uploads a server certificate entity for the AWS account.
  • arn:aws:iam::$account:server-certificate/$certificate-name
Uploads an X.509 signing certificate and associates it with the specified IAM user.
  • arn:aws:iam::$account:user/$user-name
Views access advisor information. This is an IAM policy permission only, not an API action that can be called.
  • *
Views access advisor information. This is an IAM policy permission only, not an API action that can be called.
  • *
This is an IAM policy permission only, not an API action that can be called.
  • arn:aws:iam::$account:role/$role-name
Creates an IAM role that is linked to a specific AWS service.
  • arn:aws:iam::$account:role/$role-name
Generates a set of credentials consisting of a user name and password that can be used to access the service specified in the request.
  • arn:aws:iam::$account:user/$user-name
Submits a service-linked role deletion request.
  • arn:aws:iam::$account:role/$role-name
Deletes the specified service-specific credential.
  • arn:aws:iam::$account:user/$user-name
Retrieves the status of your service-linked role deletion.
  • ???
Returns information about the service-specific credentials associated with the specified IAM user.
  • arn:aws:iam::$account:user/$user-name
Resets the password for a service-specific credential.
  • arn:aws:iam::$account:user/$user-name
Modifies the description of a role.
  • arn:aws:iam::$account:role/$role-name
Sets the status of a service-specific credential to Active or Inactive.
  • arn:aws:iam::$account:user/$user-name