AWS Resource Access Manager

2019/11/25 - AWS Resource Access Manager - 6 new, 5 updated API methods

Changes: AWS RAM provides new APIs to view the permissions granted to principals in a resource share. This release also creates corresponding resource shares for supported services that use resource policies, as well as an API to promote them to standard shares that can be managed in RAM.

ListResourceSharePermissions (new)

Lists the AWS RAM permissions that are associated with a resource share.

See also: AWS API Documentation

Request Syntax

client.list_resource_share_permissions(
    resourceShareArn='string',
    nextToken='string',
    maxResults=123
)
type resourceShareArn

string

param resourceShareArn

[REQUIRED]

The Amazon Resource Name (ARN) of the resource share.

type nextToken

string

param nextToken

The token for the next page of results.

type maxResults

integer

param maxResults

The maximum number of results to return with a single call. To retrieve the remaining results, make another call with the returned nextToken value.

rtype

dict

returns

Response Syntax

{
    'permissions': [
        {
            'arn': 'string',
            'version': 'string',
            'defaultVersion': True|False,
            'name': 'string',
            'resourceType': 'string',
            'status': 'string',
            'creationTime': datetime(2015, 1, 1),
            'lastUpdatedTime': datetime(2015, 1, 1)
        },
    ],
    'nextToken': 'string'
}

Response Structure

  • (dict) --

    • permissions (list) --

      The permissions associated with the resource share.

      • (dict) --

        Information about a permission that is associated with a resource share.

        • arn (string) --

          The ARN of the permission.

        • version (string) --

          The identifier for the version of the permission.

        • defaultVersion (boolean) --

          The identifier for the version of the permission that is set as the default version.

        • name (string) --

          The name of the permission.

        • resourceType (string) --

          The type of resource to which the permission applies.

        • status (string) --

          The current status of the permission.

        • creationTime (datetime) --

          The date and time when the permission was created.

        • lastUpdatedTime (datetime) --

          The date and time when the permission was last updated.

    • nextToken (string) --

      The token to use to retrieve the next page of results. This value is null when there are no more results to return.

AssociateResourceSharePermission (new)

Associates a permission with a resource share.

See also: AWS API Documentation

Request Syntax

client.associate_resource_share_permission(
    resourceShareArn='string',
    permissionArn='string',
    replace=True|False,
    clientToken='string'
)
type resourceShareArn

string

param resourceShareArn

[REQUIRED]

The Amazon Resource Name (ARN) of the resource share.

type permissionArn

string

param permissionArn

[REQUIRED]

The ARN of the AWS RAM permission to associate with the resource share.

type replace

boolean

param replace

Indicates whether the permission should replace the permissions that are currently associated with the resource share. Use true to replace the current permissions. Use false to add the permission to the current permission.

type clientToken

string

param clientToken

A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.

rtype

dict

returns

Response Syntax

{
    'returnValue': True|False,
    'clientToken': 'string'
}

Response Structure

  • (dict) --

    • returnValue (boolean) --

      Indicates whether the request succeeded.

    • clientToken (string) --

      A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.

GetPermission (new)

Gets the contents of an AWS RAM permission in JSON format.

See also: AWS API Documentation

Request Syntax

client.get_permission(
    permissionArn='string',
    permissionVersion=123
)
type permissionArn

string

param permissionArn

[REQUIRED]

The ARN of the permission.

type permissionVersion

integer

param permissionVersion

The identifier for the version of the permission.

rtype

dict

returns

Response Syntax

{
    'permission': {
        'arn': 'string',
        'version': 'string',
        'defaultVersion': True|False,
        'name': 'string',
        'resourceType': 'string',
        'permission': 'string',
        'creationTime': datetime(2015, 1, 1),
        'lastUpdatedTime': datetime(2015, 1, 1)
    }
}

Response Structure

  • (dict) --

    • permission (dict) --

      Information about the permission.

      • arn (string) --

        The ARN of the permission.

      • version (string) --

        The identifier for the version of the permission.

      • defaultVersion (boolean) --

        The identifier for the version of the permission that is set as the default version.

      • name (string) --

        The name of the permission.

      • resourceType (string) --

        The resource type to which the permission applies.

      • permission (string) --

        The permission's effect and actions in JSON format. The effect indicates whether the actions are allowed or denied. The actions list the API actions to which the principal is granted or denied access.

      • creationTime (datetime) --

        The date and time when the permission was created.

      • lastUpdatedTime (datetime) --

        The date and time when the permission was last updated.

DisassociateResourceSharePermission (new)

Disassociates an AWS RAM permission from a resource share.

See also: AWS API Documentation

Request Syntax

client.disassociate_resource_share_permission(
    resourceShareArn='string',
    permissionArn='string',
    clientToken='string'
)
type resourceShareArn

string

param resourceShareArn

[REQUIRED]

The Amazon Resource Name (ARN) of the resource share.

type permissionArn

string

param permissionArn

[REQUIRED]

The ARN of the permission to disassociate from the resource share.

type clientToken

string

param clientToken

A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.

rtype

dict

returns

Response Syntax

{
    'returnValue': True|False,
    'clientToken': 'string'
}

Response Structure

  • (dict) --

    • returnValue (boolean) --

      Indicates whether the request succeeded.

    • clientToken (string) --

      A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.

ListPermissions (new)

Lists the AWS RAM permissions.

See also: AWS API Documentation

Request Syntax

client.list_permissions(
    resourceType='string',
    nextToken='string',
    maxResults=123
)
type resourceType

string

param resourceType

Specifies the resource type for which to list permissions. For example, to list only permissions that apply to EC2 subnets, specify ec2:Subnet.

type nextToken

string

param nextToken

The token for the next page of results.

type maxResults

integer

param maxResults

The maximum number of results to return with a single call. To retrieve the remaining results, make another call with the returned nextToken value.

rtype

dict

returns

Response Syntax

{
    'permissions': [
        {
            'arn': 'string',
            'version': 'string',
            'defaultVersion': True|False,
            'name': 'string',
            'resourceType': 'string',
            'status': 'string',
            'creationTime': datetime(2015, 1, 1),
            'lastUpdatedTime': datetime(2015, 1, 1)
        },
    ],
    'nextToken': 'string'
}

Response Structure

  • (dict) --

    • permissions (list) --

      Information about the permissions.

      • (dict) --

        Information about a permission that is associated with a resource share.

        • arn (string) --

          The ARN of the permission.

        • version (string) --

          The identifier for the version of the permission.

        • defaultVersion (boolean) --

          The identifier for the version of the permission that is set as the default version.

        • name (string) --

          The name of the permission.

        • resourceType (string) --

          The type of resource to which the permission applies.

        • status (string) --

          The current status of the permission.

        • creationTime (datetime) --

          The date and time when the permission was created.

        • lastUpdatedTime (datetime) --

          The date and time when the permission was last updated.

    • nextToken (string) --

      The token to use to retrieve the next page of results. This value is null when there are no more results to return.

PromoteResourceShareCreatedFromPolicy (new)

Resource shares that were created by attaching a policy to a resource are visible only to the resource share owner, and the resource share cannot be modified in AWS RAM.

Use this API action to promote the resource share. When you promote the resource share, it becomes:

  • Visible to all principals that it is shared with.

  • Modifiable in AWS RAM.

See also: AWS API Documentation

Request Syntax

client.promote_resource_share_created_from_policy(
    resourceShareArn='string'
)
type resourceShareArn

string

param resourceShareArn

[REQUIRED]

The ARN of the resource share to promote.

rtype

dict

returns

Response Syntax

{
    'returnValue': True|False
}

Response Structure

  • (dict) --

    • returnValue (boolean) --

      Indicates whether the request succeeded.

CreateResourceShare (updated)
Changes (request, response)
Request
{'permissionArns': ['string']}
Response
{'resourceShare': {'featureSet': 'CREATED_FROM_POLICY | PROMOTING_TO_STANDARD '
                                 '| STANDARD'}}

Creates a resource share.

See also: AWS API Documentation

Request Syntax

client.create_resource_share(
    name='string',
    resourceArns=[
        'string',
    ],
    principals=[
        'string',
    ],
    tags=[
        {
            'key': 'string',
            'value': 'string'
        },
    ],
    allowExternalPrincipals=True|False,
    clientToken='string',
    permissionArns=[
        'string',
    ]
)
type name

string

param name

[REQUIRED]

The name of the resource share.

type resourceArns

list

param resourceArns

The Amazon Resource Names (ARNs) of the resources to associate with the resource share.

  • (string) --

type principals

list

param principals

The principals to associate with the resource share. The possible values are IDs of AWS accounts or the ARN of an OU or organization from AWS Organizations.

  • (string) --

type tags

list

param tags

One or more tags.

  • (dict) --

    Information about a tag.

    • key (string) --

      The key of the tag.

    • value (string) --

      The value of the tag.

type allowExternalPrincipals

boolean

param allowExternalPrincipals

Indicates whether principals outside your AWS organization can be associated with a resource share.

type clientToken

string

param clientToken

A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.

type permissionArns

list

param permissionArns

The ARNs of the permissions to associate with the resource share. If you do not specify an ARN for the permission, AWS RAM automatically attaches the default version of the permission for each resource type.

  • (string) --

rtype

dict

returns

Response Syntax

{
    'resourceShare': {
        'resourceShareArn': 'string',
        'name': 'string',
        'owningAccountId': 'string',
        'allowExternalPrincipals': True|False,
        'status': 'PENDING'|'ACTIVE'|'FAILED'|'DELETING'|'DELETED',
        'statusMessage': 'string',
        'tags': [
            {
                'key': 'string',
                'value': 'string'
            },
        ],
        'creationTime': datetime(2015, 1, 1),
        'lastUpdatedTime': datetime(2015, 1, 1),
        'featureSet': 'CREATED_FROM_POLICY'|'PROMOTING_TO_STANDARD'|'STANDARD'
    },
    'clientToken': 'string'
}

Response Structure

  • (dict) --

    • resourceShare (dict) --

      Information about the resource share.

      • resourceShareArn (string) --

        The Amazon Resource Name (ARN) of the resource share.

      • name (string) --

        The name of the resource share.

      • owningAccountId (string) --

        The ID of the AWS account that owns the resource share.

      • allowExternalPrincipals (boolean) --

        Indicates whether principals outside your AWS organization can be associated with a resource share.

      • status (string) --

        The status of the resource share.

      • statusMessage (string) --

        A message about the status of the resource share.

      • tags (list) --

        The tags for the resource share.

        • (dict) --

          Information about a tag.

          • key (string) --

            The key of the tag.

          • value (string) --

            The value of the tag.

      • creationTime (datetime) --

        The time when the resource share was created.

      • lastUpdatedTime (datetime) --

        The time when the resource share was last updated.

      • featureSet (string) --

        Indicates how the resource share was created. Possible values include:

        • CREATED_FROM_POLICY - Indicates that the resource share was created from an AWS Identity and Access Management (AWS IAM) policy attached to a resource. These resource shares are visible only to the AWS account that created them. They cannot be modified in AWS RAM.

        • PROMOTING_TO_STANDARD - The resource share is in the process of being promoted. For more information, see PromoteResourceShareCreatedFromPolicy.

        • STANDARD - Indicates that the resource share was created in AWS RAM using the console or APIs. These resource shares are visible to all principals. They can be modified in AWS RAM.

    • clientToken (string) --

      A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.

GetResourceShares (updated)
Changes (response)
{'resourceShares': {'featureSet': 'CREATED_FROM_POLICY | PROMOTING_TO_STANDARD '
                                  '| STANDARD'}}

Gets the resource shares that you own or the resource shares that are shared with you.

See also: AWS API Documentation

Request Syntax

client.get_resource_shares(
    resourceShareArns=[
        'string',
    ],
    resourceShareStatus='PENDING'|'ACTIVE'|'FAILED'|'DELETING'|'DELETED',
    resourceOwner='SELF'|'OTHER-ACCOUNTS',
    name='string',
    tagFilters=[
        {
            'tagKey': 'string',
            'tagValues': [
                'string',
            ]
        },
    ],
    nextToken='string',
    maxResults=123
)
type resourceShareArns

list

param resourceShareArns

The Amazon Resource Names (ARNs) of the resource shares.

  • (string) --

type resourceShareStatus

string

param resourceShareStatus

The status of the resource share.

type resourceOwner

string

param resourceOwner

[REQUIRED]

The type of owner.

type name

string

param name

The name of the resource share.

type tagFilters

list

param tagFilters

One or more tag filters.

  • (dict) --

    Used to filter information based on tags.

    • tagKey (string) --

      The tag key.

    • tagValues (list) --

      The tag values.

      • (string) --

type nextToken

string

param nextToken

The token for the next page of results.

type maxResults

integer

param maxResults

The maximum number of results to return with a single call. To retrieve the remaining results, make another call with the returned nextToken value.

rtype

dict

returns

Response Syntax

{
    'resourceShares': [
        {
            'resourceShareArn': 'string',
            'name': 'string',
            'owningAccountId': 'string',
            'allowExternalPrincipals': True|False,
            'status': 'PENDING'|'ACTIVE'|'FAILED'|'DELETING'|'DELETED',
            'statusMessage': 'string',
            'tags': [
                {
                    'key': 'string',
                    'value': 'string'
                },
            ],
            'creationTime': datetime(2015, 1, 1),
            'lastUpdatedTime': datetime(2015, 1, 1),
            'featureSet': 'CREATED_FROM_POLICY'|'PROMOTING_TO_STANDARD'|'STANDARD'
        },
    ],
    'nextToken': 'string'
}

Response Structure

  • (dict) --

    • resourceShares (list) --

      Information about the resource shares.

      • (dict) --

        Describes a resource share.

        • resourceShareArn (string) --

          The Amazon Resource Name (ARN) of the resource share.

        • name (string) --

          The name of the resource share.

        • owningAccountId (string) --

          The ID of the AWS account that owns the resource share.

        • allowExternalPrincipals (boolean) --

          Indicates whether principals outside your AWS organization can be associated with a resource share.

        • status (string) --

          The status of the resource share.

        • statusMessage (string) --

          A message about the status of the resource share.

        • tags (list) --

          The tags for the resource share.

          • (dict) --

            Information about a tag.

            • key (string) --

              The key of the tag.

            • value (string) --

              The value of the tag.

        • creationTime (datetime) --

          The time when the resource share was created.

        • lastUpdatedTime (datetime) --

          The time when the resource share was last updated.

        • featureSet (string) --

          Indicates how the resource share was created. Possible values include:

          • CREATED_FROM_POLICY - Indicates that the resource share was created from an AWS Identity and Access Management (AWS IAM) policy attached to a resource. These resource shares are visible only to the AWS account that created them. They cannot be modified in AWS RAM.

          • PROMOTING_TO_STANDARD - The resource share is in the process of being promoted. For more information, see PromoteResourceShareCreatedFromPolicy.

          • STANDARD - Indicates that the resource share was created in AWS RAM using the console or APIs. These resource shares are visible to all principals. They can be modified in AWS RAM.

    • nextToken (string) --

      The token to use to retrieve the next page of results. This value is null when there are no more results to return.
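The calls documented above can be combined into a share audit. The following is an added example, not part of the AWS documentation or SDK: it pages through GetResourceShares, flags shares that allow external principals or are still CREATED_FROM_POLICY, and resolves each attached permission to its effect and actions via ListResourceSharePermissions and GetPermission. The `StubRam` class, its ARNs and the permission name are constructed sample data so the block runs offline, and the "Effect"/"Action" key names in the permission JSON are an assumption; pass a real `boto3.client("ram")` in place of the stub.

```python
import json


def paginate(call, result_key, **kwargs):
    """Yield every item from a RAM list call, following nextToken to the end."""
    token = None
    while True:
        if token:
            kwargs["nextToken"] = token
        page = call(**kwargs)
        yield from page.get(result_key, [])
        token = page.get("nextToken")  # absent or None on the last page
        if not token:
            return


def permission_grant(client, arn, version):
    """Return (effect, actions) from the JSON text that GetPermission returns."""
    perm = client.get_permission(permissionArn=arn, permissionVersion=int(version))
    doc = json.loads(perm["permission"]["permission"])
    # Assumption: the JSON uses "Effect" and "Action" keys; matched case-insensitively.
    doc = {k.lower(): v for k, v in doc.items()}
    actions = doc.get("action", [])
    if isinstance(actions, str):
        actions = [actions]
    return doc.get("effect"), sorted(actions)


def audit_shares(client):
    """Report, per owned active share, its risk flags and the actions it grants."""
    report = []
    for share in paginate(client.get_resource_shares, "resourceShares",
                          resourceOwner="SELF", resourceShareStatus="ACTIVE"):
        flags = []
        if share.get("allowExternalPrincipals"):
            flags.append("external-principals-allowed")
        if share.get("featureSet") == "CREATED_FROM_POLICY":
            flags.append("unpromoted-policy-share")  # cannot be modified in RAM yet
        grants = {}
        for p in paginate(client.list_resource_share_permissions, "permissions",
                          resourceShareArn=share["resourceShareArn"]):
            effect, actions = permission_grant(client, p["arn"], p["version"])
            grants[p["name"]] = {"effect": effect, "actions": actions,
                                 "defaultVersion": p["defaultVersion"]}
        report.append({"share": share["name"], "flags": flags, "grants": grants})
    return report


class StubRam:
    """Constructed stand-in for boto3.client("ram"); every value is made up."""
    _ARN = "arn:aws:ram:us-east-1:111122223333:"
    SHARES = [
        {"resourceShareArn": _ARN + "resource-share/example-1", "name": "net-subnets",
         "allowExternalPrincipals": True, "featureSet": "STANDARD"},
        {"resourceShareArn": _ARN + "resource-share/example-2", "name": "legacy-policy",
         "allowExternalPrincipals": False, "featureSet": "CREATED_FROM_POLICY"},
    ]
    PERM = {"arn": _ARN + "permission/ExampleSubnetPermission", "version": "1",
            "defaultVersion": True, "name": "ExampleSubnetPermission"}

    def get_resource_shares(self, resourceOwner, resourceShareStatus=None, nextToken=None):
        i = int(nextToken or 0)  # one share per page to exercise pagination
        page = {"resourceShares": [self.SHARES[i]]}
        if i + 1 < len(self.SHARES):
            page["nextToken"] = str(i + 1)
        return page

    def list_resource_share_permissions(self, resourceShareArn, nextToken=None):
        return {"permissions": [self.PERM]}

    def get_permission(self, permissionArn, permissionVersion=None):
        body = json.dumps({"Effect": "Allow",
                           "Action": ["ec2:RunInstances", "ec2:DescribeSubnets"]})
        return {"permission": dict(self.PERM, permission=body)}


if __name__ == "__main__":
    for row in audit_shares(StubRam()):
        print(row)
```
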

ListPendingInvitationResources (updated)
Changes (response)
{'resources': {'resourceGroupArn': 'string'}}

Lists the resources in a resource share that is shared with you but for which the invitation is still pending.

See also: AWS API Documentation

Request Syntax

client.list_pending_invitation_resources(
    resourceShareInvitationArn='string',
    nextToken='string',
    maxResults=123
)
type resourceShareInvitationArn

string

param resourceShareInvitationArn

[REQUIRED]

The Amazon Resource Name (ARN) of the invitation.

type nextToken

string

param nextToken

The token for the next page of results.

type maxResults

integer

param maxResults

The maximum number of results to return with a single call. To retrieve the remaining results, make another call with the returned nextToken value.

rtype

dict

returns

Response Syntax

{
    'resources': [
        {
            'arn': 'string',
            'type': 'string',
            'resourceShareArn': 'string',
            'resourceGroupArn': 'string',
            'status': 'AVAILABLE'|'ZONAL_RESOURCE_INACCESSIBLE'|'LIMIT_EXCEEDED'|'UNAVAILABLE'|'PENDING',
            'statusMessage': 'string',
            'creationTime': datetime(2015, 1, 1),
            'lastUpdatedTime': datetime(2015, 1, 1)
        },
    ],
    'nextToken': 'string'
}

Response Structure

  • (dict) --

    • resources (list) --

      Information about the resources included in the resource share.

      • (dict) --

        Describes a resource associated with a resource share.

        • arn (string) --

          The Amazon Resource Name (ARN) of the resource.

        • type (string) --

          The resource type.

        • resourceShareArn (string) --

          The Amazon Resource Name (ARN) of the resource share.

        • resourceGroupArn (string) --

          The ARN of the resource group. This value is returned only if the resource is a resource group.

        • status (string) --

          The status of the resource.

        • statusMessage (string) --

          A message about the status of the resource.

        • creationTime (datetime) --

          The time when the resource was associated with the resource share.

        • lastUpdatedTime (datetime) --

          The time when the association was last updated.

    • nextToken (string) --

      The token to use to retrieve the next page of results. This value is null when there are no more results to return.

ListResources (updated)
Changes (response)
{'resources': {'resourceGroupArn': 'string'}}

Lists the resources that you added to resource shares or the resources that are shared with you.

See also: AWS API Documentation

Request Syntax

client.list_resources(
    resourceOwner='SELF'|'OTHER-ACCOUNTS',
    principal='string',
    resourceType='string',
    resourceArns=[
        'string',
    ],
    resourceShareArns=[
        'string',
    ],
    nextToken='string',
    maxResults=123
)
type resourceOwner

string

param resourceOwner

[REQUIRED]

The type of owner.

type principal

string

param principal

The principal.

type resourceType

string

param resourceType

The resource type.

Valid values: ec2:CapacityReservation | ec2:Subnet | ec2:TrafficMirrorTarget | ec2:TransitGateway | license-manager:LicenseConfiguration | rds:Cluster | route53resolver:ResolverRule | resource-groups:Group

type resourceArns

list

param resourceArns

The Amazon Resource Names (ARNs) of the resources.

  • (string) --

type resourceShareArns

list

param resourceShareArns

The Amazon Resource Names (ARNs) of the resource shares.

  • (string) --

type nextToken

string

param nextToken

The token for the next page of results.

type maxResults

integer

param maxResults

The maximum number of results to return with a single call. To retrieve the remaining results, make another call with the returned nextToken value.

rtype

dict

returns

Response Syntax

{
    'resources': [
        {
            'arn': 'string',
            'type': 'string',
            'resourceShareArn': 'string',
            'resourceGroupArn': 'string',
            'status': 'AVAILABLE'|'ZONAL_RESOURCE_INACCESSIBLE'|'LIMIT_EXCEEDED'|'UNAVAILABLE'|'PENDING',
            'statusMessage': 'string',
            'creationTime': datetime(2015, 1, 1),
            'lastUpdatedTime': datetime(2015, 1, 1)
        },
    ],
    'nextToken': 'string'
}

Response Structure

  • (dict) --

    • resources (list) --

      Information about the resources.

      • (dict) --

        Describes a resource associated with a resource share.

        • arn (string) --

          The Amazon Resource Name (ARN) of the resource.

        • type (string) --

          The resource type.

        • resourceShareArn (string) --

          The Amazon Resource Name (ARN) of the resource share.

        • resourceGroupArn (string) --

          The ARN of the resource group. This value is returned only if the resource is a resource group.

        • status (string) --

          The status of the resource.

        • statusMessage (string) --

          A message about the status of the resource.

        • creationTime (datetime) --

          The time when the resource was associated with the resource share.

        • lastUpdatedTime (datetime) --

          The time when the association was last updated.

    • nextToken (string) --

      The token to use to retrieve the next page of results. This value is null when there are no more results to return.

UpdateResourceShare (updated)
Changes (response)
{'resourceShare': {'featureSet': 'CREATED_FROM_POLICY | PROMOTING_TO_STANDARD '
                                 '| STANDARD'}}

Updates the specified resource share that you own.

See also: AWS API Documentation

Request Syntax

client.update_resource_share(
    resourceShareArn='string',
    name='string',
    allowExternalPrincipals=True|False,
    clientToken='string'
)
type resourceShareArn

string

param resourceShareArn

[REQUIRED]

The Amazon Resource Name (ARN) of the resource share.

type name

string

param name

The name of the resource share.

type allowExternalPrincipals

boolean

param allowExternalPrincipals

Indicates whether principals outside your AWS organization can be associated with a resource share.

type clientToken

string

param clientToken

A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.

rtype

dict

returns

Response Syntax

{
    'resourceShare': {
        'resourceShareArn': 'string',
        'name': 'string',
        'owningAccountId': 'string',
        'allowExternalPrincipals': True|False,
        'status': 'PENDING'|'ACTIVE'|'FAILED'|'DELETING'|'DELETED',
        'statusMessage': 'string',
        'tags': [
            {
                'key': 'string',
                'value': 'string'
            },
        ],
        'creationTime': datetime(2015, 1, 1),
        'lastUpdatedTime': datetime(2015, 1, 1),
        'featureSet': 'CREATED_FROM_POLICY'|'PROMOTING_TO_STANDARD'|'STANDARD'
    },
    'clientToken': 'string'
}

Response Structure

  • (dict) --

    • resourceShare (dict) --

      Information about the resource share.

      • resourceShareArn (string) --

        The Amazon Resource Name (ARN) of the resource share.

      • name (string) --

        The name of the resource share.

      • owningAccountId (string) --

        The ID of the AWS account that owns the resource share.

      • allowExternalPrincipals (boolean) --

        Indicates whether principals outside your AWS organization can be associated with a resource share.

      • status (string) --

        The status of the resource share.

      • statusMessage (string) --

        A message about the status of the resource share.

      • tags (list) --

        The tags for the resource share.

        • (dict) --

          Information about a tag.

          • key (string) --

            The key of the tag.

          • value (string) --

            The value of the tag.

      • creationTime (datetime) --

        The time when the resource share was created.

      • lastUpdatedTime (datetime) --

        The time when the resource share was last updated.

      • featureSet (string) --

        Indicates how the resource share was created. Possible values include:

        • CREATED_FROM_POLICY - Indicates that the resource share was created from an AWS Identity and Access Management (AWS IAM) policy attached to a resource. These resource shares are visible only to the AWS account that created them. They cannot be modified in AWS RAM.

        • PROMOTING_TO_STANDARD - The resource share is in the process of being promoted. For more information, see PromoteResourceShareCreatedFromPolicy.

        • STANDARD - Indicates that the resource share was created in AWS RAM using the console or APIs. These resource shares are visible to all principals. They can be modified in AWS RAM.

    • clientToken (string) --

      A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.