View a markdown version of this page

Actions, resources, and condition keys for AWS Signin - Service Authorization Reference

Actions, resources, and condition keys for AWS Signin

AWS Signin (service prefix: signin) provides the following service-specific operations, resources, actions, and condition keys for use in IAM permission policies.

References:

API operations defined by AWS Signin

The following table maps API operations to the IAM actions they authorize. Only condition keys that have static values for the given API and action are listed; for the full set of condition keys supported by each action, see the Actions table.

Operation IAM action Condition key Possible value(s) Access level

DeleteConsoleAuthorizationConfiguration

signin:DeleteConsoleAuthorizationConfiguration

Write

DeleteResourcePermissionStatement

signin:DeleteResourcePermissionStatement

Write

GetConsoleAuthorizationConfiguration

signin:GetConsoleAuthorizationConfiguration

Read

GetResourcePolicy

signin:GetResourcePolicy

Read

ListResourcePermissionStatements

signin:ListResourcePermissionStatements

List

PutConsoleAuthorizationConfiguration

signin:PutConsoleAuthorizationConfiguration

Write

PutResourcePermissionStatement

signin:PutResourcePermissionStatement

Write

Actions defined by AWS Signin

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

Actions Description Resource types (*required) Condition keys Access level

Authenticate

Grants permission to authenticate to the AWS Management Console

console*

signin:PrincipalArn

Read

AuthorizeOAuth2Access

Grants permission to authenticate through a browser and obtain an OAuth 2.0 authorization code for credential exchange

console*

Read

oauth2-public-client-localhost*

signin:OAuthClientId

signin:OAuthRedirectUri

oauth2-public-client-remote*

signin:OAuthClientId

signin:OAuthRedirectUri

oauth2-resource-service-principal*

signin:OAuthClientId

signin:OAuthRedirectUri

CreateOAuth2PublicClient

Grants permission to dynamically register an OAuth 2.0 public client for use with AWS Sign-In

oauth2-public-client-registration*

signin:OAuthRedirectUri

Write

CreateOAuth2Token

Grants permission to exchange an authorization code for OAuth 2.0 access token and refresh token that can be used to access AWS services from developer tools and applications

console*

Read

oauth2-public-client-localhost*

signin:OAuthClientAuthentication

signin:OAuthClientId

signin:OAuthGrantType

signin:OAuthRedirectUri

oauth2-public-client-remote*

signin:OAuthClientAuthentication

signin:OAuthClientId

signin:OAuthGrantType

signin:OAuthRedirectUri

oauth2-resource-service-principal*

signin:OAuthClientAuthentication

signin:OAuthClientId

signin:OAuthGrantType

signin:OAuthRedirectUri

CreateTrustedIdentityPropagationApplicationForConsole

Grants permission to create an Identity Center application that represents the AWS Management Console on an Identity Center organization instance

Write

DeleteConsoleAuthorizationConfiguration

Grants permission to disable console authorization configuration for an AWS account or organization

Write

DeleteResourcePermissionStatement

Grants permission to remove a permission statement from the account's SignIn Resource Based Policy

Write

GetConsoleAuthorizationConfiguration

Grants permission to retrieve console authorization configuration for an AWS account or organization

Read

GetResourcePolicy

Grants permission to retrieve SignIn Resource Based Policy document that is attached with your account

Read

IntrospectOAuth2Token

Grants permission to inspect the metadata and active state of an OAuth 2.0 access token or refresh token

oauth2-public-client-localhost*

signin:OAuthClientId

signin:OAuthTokenType

Read

oauth2-public-client-remote*

signin:OAuthClientId

signin:OAuthTokenType

oauth2-resource-service-principal*

signin:OAuthClientId

signin:OAuthTokenType

ListResourcePermissionStatements

Grants permission to list the SignIn Resource Based Policy statements in your account

List

ListTrustedIdentityPropagationApplicationsForConsole

Grants permission to list all Identity Center applications that represent the AWS Management Console

List

PutConsoleAuthorizationConfiguration

Grants permission to enable console authorization configuration for an AWS account or organization

Write

PutResourcePermissionStatement

Grants permission to create a permission statement in the account's SignIn resource-based policy

Write

RevokeOAuth2Token

Grants permission to revoke an OAuth 2.0 refresh token and its associated refresh tokens

oauth2-public-client-localhost*

signin:OAuthTokenType

Write

oauth2-public-client-remote*

signin:OAuthTokenType

oauth2-resource-service-principal*

signin:OAuthTokenType

Permission-only actions for AWS Signin

The following actions are defined by AWS Signin but are not directly invocable through any API operation. They can only be used in IAM policy statements to grant or deny permissions.

Actions Description Resource types (*required) Condition keys Access level

CreateAccount

Grants permission to create an AWS account through the AWS Management Console sign-up flow

console*

Write

Resource types defined by AWS Signin

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements.

Resource types ARN Condition keys

console

arn:${Partition}:signin:::console/${ConsoleName}

oauth2-public-client-localhost

arn:${Partition}:signin:${Region}:${Account}:oauth2/public-client/localhost

oauth2-public-client-registration

arn:${Partition}:signin:${Region}::external-client/dcr/*

oauth2-public-client-remote

arn:${Partition}:signin:${Region}:${Account}:oauth2/public-client/remote

oauth2-resource-service-principal

arn:${Partition}:signin:${Region}:${Account}:service-principal/${ServicePrincipalName}

Condition keys for AWS Signin

AWS Signin defines the following condition keys that can be used in the Condition element of an IAM policy.

Condition keys Description Type

signin:OAuthClientAuthentication

Filters access by the client authentication method used in the OAuth token request

String

signin:OAuthClientId

Filters access by the OAuth client ID used in the authorization or token request

String

signin:OAuthGrantType

Filters access by the OAuth grant type used in the token request

String

signin:OAuthRedirectUri

Filters access by the redirect URI specified in the OAuth authorization request

String

signin:OAuthTokenType

Filters access by the type of OAuth token being operated on

String

signin:PrincipalArn

Filters access by the principal ARN during pre-authentication console sign-in

ARN