Actions, resources, and condition keys for AWS IoT Core for LoRaWAN - Service Authorization Reference

Actions, resources, and condition keys for AWS IoT Core for LoRaWAN

AWS IoT Core for LoRaWAN (service prefix: iotwireless) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions defined by AWS IoT Core for LoRaWAN

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table.

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
| --- | --- | --- | --- | --- | --- |
| AssociateAwsAccountWithPartnerAccount | Grants permission to link partner accounts with AWS account | Write | SidewalkAccount* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| AssociateWirelessDeviceWithThing | Grants permission to associate the wireless device with AWS IoT thing for a given wirelessDeviceId | Write | WirelessDevice*, thing* | | iot:DescribeThing |
| AssociateWirelessGatewayWithCertificate | Grants permission to associate a WirelessGateway with the IoT Core Identity certificate | Write | WirelessGateway*, cert* | | |
| AssociateWirelessGatewayWithThing | Grants permission to associate the wireless gateway with AWS IoT thing for a given wirelessGatewayId | Write | WirelessGateway*, thing* | | iot:DescribeThing |
| CreateDestination | Grants permission to create a Destination resource | Write | Destination* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateDeviceProfile | Grants permission to create a DeviceProfile resource | Write | DeviceProfile* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateServiceProfile | Grants permission to create a ServiceProfile resource | Write | ServiceProfile* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateWirelessDevice | Grants permission to create a WirelessDevice resource with given Destination | Write | Destination*, WirelessDevice* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateWirelessGateway | Grants permission to create a WirelessGateway resource | Write | WirelessGateway* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateWirelessGatewayTask | Grants permission to create a task for a given WirelessGateway | Write | WirelessGateway* | | |
| CreateWirelessGatewayTaskDefinition | Grants permission to create a WirelessGateway task definition | Write | WirelessGatewayTaskDefinition* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| DeleteDestination | Grants permission to delete a Destination | Write | Destination* | | |
| DeleteDeviceProfile | Grants permission to delete a DeviceProfile | Write | DeviceProfile* | | |
| DeleteServiceProfile | Grants permission to delete a ServiceProfile | Write | ServiceProfile* | | |
| DeleteWirelessDevice | Grants permission to delete a WirelessDevice | Write | WirelessDevice* | | |
| DeleteWirelessGateway | Grants permission to delete a WirelessGateway | Write | WirelessGateway* | | |
| DeleteWirelessGatewayTask | Grants permission to delete a task for a given WirelessGateway | Write | WirelessGateway* | | |
| DeleteWirelessGatewayTaskDefinition | Grants permission to delete a WirelessGateway task definition | Write | WirelessGatewayTaskDefinition* | | |
| DisassociateAwsAccountFromPartnerAccount | Grants permission to disassociate an AWS account from a partner account | Write | SidewalkAccount* | | |
| DisassociateWirelessDeviceFromThing | Grants permission to disassociate a wireless device from an AWS IoT thing | Write | WirelessDevice*, thing* | | iot:DescribeThing |
| DisassociateWirelessGatewayFromCertificate | Grants permission to disassociate a WirelessGateway from an IoT Core Identity certificate | Write | WirelessGateway*, cert* | | |
| DisassociateWirelessGatewayFromThing | Grants permission to disassociate a WirelessGateway from an IoT Core thing | Write | WirelessGateway*, thing* | | iot:DescribeThing |
| GetDestination | Grants permission to get the Destination | Read | Destination* | | |
| GetDeviceProfile | Grants permission to get the DeviceProfile | Read | DeviceProfile* | | |
| GetPartnerAccount | Grants permission to get the associated PartnerAccount | Read | SidewalkAccount* | | |
| GetServiceEndpoint | Grants permission to retrieve the customer account specific endpoint for CUPS protocol connection or LoRaWAN Network Server (LNS) protocol connection, and optionally server trust certificate in PEM format | Read | | | |
| GetServiceProfile | Grants permission to get the ServiceProfile | Read | ServiceProfile* | | |
| GetWirelessDevice | Grants permission to get the WirelessDevice | Read | WirelessDevice* | | |
| GetWirelessDeviceStatistics | Grants permission to get statistics info for a given WirelessDevice | Read | WirelessDevice* | | |
| GetWirelessGateway | Grants permission to get the WirelessGateway | Read | WirelessGateway* | | |
| GetWirelessGatewayCertificate | Grants permission to get the IoT Core Identity certificate id associated with the WirelessGateway | Read | WirelessGateway* | | |
| GetWirelessGatewayFirmwareInformation | Grants permission to get current firmware version and other information for the WirelessGateway | Read | WirelessGateway* | | |
| GetWirelessGatewayStatistics | Grants permission to get statistics info for a given WirelessGateway | Read | WirelessGateway* | | |
| GetWirelessGatewayTask | Grants permission to get the task for a given WirelessGateway | Read | WirelessGateway* | | |
| GetWirelessGatewayTaskDefinition | Grants permission to get the given WirelessGateway task definition | Read | WirelessGatewayTaskDefinition* | | |
| ListDestinations | Grants permission to list information of available Destinations based on the AWS account | List | | | |
| ListDeviceProfiles | Grants permission to list information of available DeviceProfiles based on the AWS account | List | | | |
| ListPartnerAccounts | Grants permission to list the available partner accounts | List | | | |
| ListServiceProfiles | Grants permission to list information of available ServiceProfiles based on the AWS account | List | | | |
| ListTagsForResource | Grants permission to list all tags for a given resource | List | Destination, DeviceProfile, ServiceProfile, SidewalkAccount, WirelessDevice, WirelessGateway, WirelessGatewayTaskDefinition | | |
| ListWirelessDevices | Grants permission to list information of available WirelessDevices based on the AWS account | List | | | |
| ListWirelessGatewayTaskDefinitions | Grants permission to list information of available WirelessGateway task definitions based on the AWS account | List | | | |
| ListWirelessGateways | Grants permission to list information of available WirelessGateways based on the AWS account | List | | | |
| SendDataToWirelessDevice | Grants permission to send the decrypted application data frame to the target device | Write | WirelessDevice* | | |
| TagResource | Grants permission to tag a given resource | Tagging | Destination, DeviceProfile, ServiceProfile, SidewalkAccount, WirelessDevice, WirelessGateway, WirelessGatewayTaskDefinition | aws:RequestTag/${TagKey}, aws:TagKeys | |
| TestWirelessDevice | Grants permission to simulate a provisioned device to send an uplink data with payload of 'Hello' | Write | WirelessDevice* | | |
| UntagResource | Grants permission to remove the given tags from the resource | Tagging | Destination, DeviceProfile, ServiceProfile, SidewalkAccount, WirelessDevice, WirelessGateway, WirelessGatewayTaskDefinition | aws:TagKeys | |
| UpdateDestination | Grants permission to update a Destination resource | Write | Destination* | | |
| UpdatePartnerAccount | Grants permission to update a partner account | Write | SidewalkAccount* | | |
| UpdateWirelessDevice | Grants permission to update a WirelessDevice resource | Write | WirelessDevice* | | |
| UpdateWirelessGateway | Grants permission to update a WirelessGateway resource | Write | WirelessGateway* | | |

Resource types defined by AWS IoT Core for LoRaWAN

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The resource types table.

| Resource types | ARN | Condition keys |
| --- | --- | --- |
| WirelessDevice | arn:${Partition}:iotwireless:${Region}:${Account}:WirelessDevice/${WirelessDeviceId} | aws:ResourceTag/${TagKey} |
| WirelessGateway | arn:${Partition}:iotwireless:${Region}:${Account}:WirelessGateway/${WirelessGatewayId} | aws:ResourceTag/${TagKey} |
| DeviceProfile | arn:${Partition}:iotwireless:${Region}:${Account}:DeviceProfile/${DeviceProfileId} | aws:ResourceTag/${TagKey} |
| ServiceProfile | arn:${Partition}:iotwireless:${Region}:${Account}:ServiceProfile/${ServiceProfileId} | aws:ResourceTag/${TagKey} |
| Destination | arn:${Partition}:iotwireless:${Region}:${Account}:Destination/${DestinationName} | aws:ResourceTag/${TagKey} |
| SidewalkAccount | arn:${Partition}:iotwireless:${Region}:${Account}:SidewalkAccount/${SidewalkId} | aws:ResourceTag/${TagKey} |
| WirelessGatewayTaskDefinition | arn:${Partition}:iotwireless:${Region}:${Account}:WirelessGatewayTaskDefinition/${WirelessGatewayTaskDefinitionId} | aws:ResourceTag/${TagKey} |
| thing | arn:${Partition}:iot:${Region}:${Account}:thing/${ThingName} | |
| cert | arn:${Partition}:iot:${Region}:${Account}:cert/${Certificate} | |
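
The resource-level rules described for the Actions table can be checked mechanically before a policy is deployed. The following is an added example, not part of the AWS reference: a small linter that flags Allow statements whose Resource element cannot satisfy an action. The `REQUIRED` lookup is a subset copied from the Actions table, and `lint_policy` and the sample policy (account ID and resource IDs included) are constructed for illustration.

```python
import re

# Required resource types for a subset of actions, copied from the Actions table.
# An empty tuple means the table lists no resource type: only Resource "*" matches.
REQUIRED = {
    "iotwireless:SendDataToWirelessDevice": ("WirelessDevice",),
    "iotwireless:CreateWirelessDevice": ("Destination", "WirelessDevice"),
    "iotwireless:AssociateWirelessGatewayWithCertificate": ("WirelessGateway", "cert"),
    "iotwireless:ListWirelessDevices": (),
}
# ARN layout from the Resource types table: arn:Partition:service:Region:Account:Type/Id
ARN_RE = re.compile(r"^arn:[^:]+:(?:iotwireless|iot):[^:]*:[^:]*:([A-Za-z]+)/.+$")

def as_list(value):
    return value if isinstance(value, list) else [value]

def lint_policy(policy):
    """Return findings for Allow statements whose Resource cannot satisfy an action."""
    findings = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        resources = as_list(stmt["Resource"])
        # Resource type named by each ARN; ARNs with a wildcarded type are not resolved.
        types = {m.group(1) for m in map(ARN_RE.match, resources) if m}
        for action in as_list(stmt["Action"]):
            required = REQUIRED.get(action)
            if required is None or "*" in resources:
                continue  # action outside the lookup table, or all resources allowed
            if not required:
                findings.append(f'Statement[{i}] {action}: needs Resource "*"')
            for rtype in required:
                if rtype not in types:
                    findings.append(f"Statement[{i}] {action}: no {rtype} ARN")
    return findings

# Constructed sample policy; the account ID and resource IDs are placeholders.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["iotwireless:SendDataToWirelessDevice", "iotwireless:ListWirelessDevices"],
         "Resource": "arn:aws:iotwireless:us-east-1:111122223333:WirelessDevice/example-id"},
        {"Effect": "Allow",
         "Action": "iotwireless:AssociateWirelessGatewayWithCertificate",
         "Resource": ["arn:aws:iotwireless:us-east-1:111122223333:WirelessGateway/example-id"]},
    ],
}
print("\n".join(lint_policy(SAMPLE_POLICY)))
```

A "no ... ARN" finding means the statement by itself does not cover that required resource type; another statement in the same policy may still grant it.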

Condition keys for AWS IoT Core for LoRaWAN

AWS IoT Core for LoRaWAN defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

| Condition keys | Description | Type |
| --- | --- | --- |
| aws:RequestTag/${TagKey} | Filters access by a tag key that is present in the request that the user makes to IoT Wireless | String |
| aws:ResourceTag/${TagKey} | Filters access by tag key component of a tag attached to an IoT Wireless resource | String |
| aws:TagKeys | Filters access based on the list of all the tag key names associated with the resource in the request | String |