Actions, resources, and condition keys for AWS Batch - Service Authorization Reference

Actions, resources, and condition keys for AWS Batch

AWS Batch (service prefix: batch ) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions defined by AWS Batch

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table .

Actions Description Access level Resource types (*required) Condition keys Dependent actions
CancelJob Grants permission to cancel a job in an AWS Batch job queue in your account Write

job*

CreateComputeEnvironment Grants permission to create an AWS Batch compute environment in your account Write

compute-environment*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateJobQueue Grants permission to create an AWS Batch job queue in your account Write

compute-environment*

job-queue*

aws:RequestTag/${TagKey}

aws:TagKeys

DeleteComputeEnvironment Grants permission to delete an AWS Batch compute environment in your account Write

compute-environment*

DeleteJobQueue Grants permission to delete an AWS Batch job queue in your account Write

job-queue*

DeregisterJobDefinition Grants permission to deregister an AWS Batch job definition in your account Write

job-definition*

DescribeComputeEnvironments Grants permission to describe one or more AWS Batch compute environments in your account Read
DescribeJobDefinitions Grants permission to describe one or more AWS Batch job definitions in your account Read
DescribeJobQueues Grants permission to describe one or more AWS Batch job queues in your account Read
DescribeJobs Grants permission to describe a list of AWS Batch jobs in your account Read
ListJobs Grants permission to list jobs for a specified AWS Batch job queue in your account List
ListTagsForResource Grants permission to list tags for an AWS Batch resource in your account Read

compute-environment

job

job-definition

job-queue

RegisterJobDefinition Grants permission to register an AWS Batch job definition in your account Write

job-definition*

batch:User

batch:Privileged

batch:Image

batch:LogDriver

batch:AWSLogsGroup

batch:AWSLogsRegion

batch:AWSLogsStreamPrefix

batch:AWSLogsCreateGroup

aws:RequestTag/${TagKey}

aws:TagKeys

SubmitJob Grants permission to submit an AWS Batch job from a job definition in your account Write

job-definition*

job-queue*

aws:RequestTag/${TagKey}

aws:TagKeys

TagResource Grants permission to tag an AWS Batch resource in your account Tagging

compute-environment

job

job-definition

job-queue

aws:RequestTag/${TagKey}

aws:TagKeys

TerminateJob Grants permission to terminate a job in an AWS Batch job queue in your account Write

job*

UntagResource Grants permission to untag an AWS Batch resource in your account Tagging

compute-environment

job

job-definition

job-queue

aws:TagKeys

UpdateComputeEnvironment Grants permission to update an AWS Batch compute environment in your account Write

compute-environment*

UpdateJobQueue Grants permission to update an AWS Batch job queue in your account Write

job-queue*

compute-environment

Resource types defined by AWS Batch

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The resource types table .

Resource types ARN Condition keys
compute-environment arn:$ { Partition}:batch:$ { Region}:$ { Account}:compute-environment/$ { ComputeEnvironmentName}

aws:ResourceTag/${TagKey}

job-queue arn:$ { Partition}:batch:$ { Region}:$ { Account}:job-queue/$ { JobQueueName}

aws:ResourceTag/${TagKey}

job-definition arn:$ { Partition}:batch:$ { Region}:$ { Account}:job-definition/$ { JobDefinitionName}:$ { Revision}

aws:ResourceTag/${TagKey}

job arn:$ { Partition}:batch:$ { Region}:$ { Account}:job/$ { jobId}

aws:ResourceTag/${TagKey}

Condition keys for AWS Batch

AWS Batch defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The condition keys table .

To view the global condition keys that are available to all services, see Available global condition keys .

Condition keys Description Type
aws:RequestTag/${TagKey} Filters access based on the tags that are passed in the request String
aws:ResourceTag/${TagKey} Filters access based on the tags associated with the resource String
aws:TagKeys Filters access based on the tag keys that are passed in the request String
batch:AWSLogsCreateGroup Filters access based on the specified logging driver to determine whether awslogs group will be created for the logs Boolean
batch:AWSLogsGroup Filters access based on the awslogs group where the logs are located String
batch:AWSLogsRegion Filters access based on the region where the logs are sent to String
batch:AWSLogsStreamPrefix Filters access based on the awslogs log stream prefix String
batch:Image Filters access based on the image used to start a container String
batch:LogDriver Filters access based on the log driver used for the container String
batch:Privileged Filter access based on the specified privileged parameter value that determines whether the container is given elevated privileges on the host container instance (similar to the root user) Boolean
batch:User Filters access based on the user name or numeric uid used inside the container String