
Resource: Restrict to job definition prefix on job submission - AWS Batch

Use the following policy to submit jobs to any job queue with any job definition name that starts with JobDefA.

Important

When scoping resource-level access for job submission, you must provide both job queue and job definition resource types.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "batch:SubmitJob"
            ],
            "Resource": [
                "arn:aws:batch:us-east-2:111122223333:job-definition/JobDefA_*",
                "arn:aws:batch:us-east-2:111122223333:job-queue/*"
            ]
        }
    ]
}

Accounting for job definition revisions

Important

A policy that references only the job definition name without a revision number or wildcard (for example, job-definition/my-job-def) does not match SubmitJob requests, because the request ARN includes the revision (for example, job-definition/my-job-def:1). Use a wildcard to match all revisions.

The following examples show how to use wildcards and revision numbers in resource ARNs for the SubmitJob action.

Example: Allow a specific job definition revision

The following policy allows job submissions using only revision 1 of the specified job definition.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "batch:SubmitJob",
            "Resource": [
                "arn:aws:batch:us-east-1:111122223333:job-definition/my-job-def:1",
                "arn:aws:batch:us-east-1:111122223333:job-queue/*"
            ]
        }
    ]
}

Example: Allow all revisions of a job definition

The following policy allows job submissions using any revision of the specified job definition. The :* pattern matches any revision number.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "batch:SubmitJob",
            "Resource": [
                "arn:aws:batch:us-east-1:111122223333:job-definition/my-job-def:*",
                "arn:aws:batch:us-east-1:111122223333:job-queue/*"
            ]
        }
    ]
}
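
The revision-matching behavior described above can be checked offline before a policy is deployed. The following Python sketch is an added example, not AWS code: it is a simplified model of resource matching for batch:SubmitJob (Allow statements only, no conditions or Deny), and the queue name queue-1 and the job definition name my-job-def-admin are constructed for illustration. It also shows that a bare trailing * after the name is broader than :*.

```python
import re

BASE = "arn:aws:batch:us-east-1:111122223333:"
QUEUE = BASE + "job-queue/queue-1"  # constructed queue name

def arn_matches(pattern: str, arn: str) -> bool:
    """IAM-style wildcard match: '*' is any run of characters, '?' is exactly one."""
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    return re.fullmatch(regex, arn) is not None

def submit_job_allowed(policy: dict, job_def_arn: str, job_queue_arn: str) -> bool:
    """Simplified model: both the job definition ARN (with its revision) and the
    job queue ARN must be matched by an Allow statement for batch:SubmitJob."""
    patterns = []
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        if stmt["Effect"] == "Allow" and "batch:SubmitJob" in actions:
            res = stmt["Resource"]
            patterns += [res] if isinstance(res, str) else res
    return all(
        any(arn_matches(p, arn) for p in patterns)
        for arn in (job_def_arn, job_queue_arn)
    )

def policy_for(job_def_resource: str, with_queue: bool = True) -> dict:
    """Build a policy shaped like the examples on this page."""
    resources = [BASE + "job-definition/" + job_def_resource]
    if with_queue:
        resources.append(BASE + "job-queue/*")
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "batch:SubmitJob", "Resource": resources}]}

def check(job_def_resource: str, requested: str, with_queue: bool = True) -> bool:
    """True if submitting job definition `requested` (name:revision) is allowed."""
    policy = policy_for(job_def_resource, with_queue)
    return submit_job_allowed(policy, BASE + "job-definition/" + requested, QUEUE)

if __name__ == "__main__":
    for pattern, requested in [
        ("my-job-def", "my-job-def:1"),         # no revision in policy: no match
        ("my-job-def:1", "my-job-def:2"),       # pinned to revision 1 only
        ("my-job-def:*", "my-job-def:7"),       # any revision of this name
        ("my-job-def*", "my-job-def-admin:1"),  # bare * also matches other names
    ]:
        print(f"{pattern:14} {requested:20} {check(pattern, requested)}")
```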