Change log of AWS IAM permissions

2025-11-18

15 new actions, 1 new resource, 3 new conditions

Additions

Actions

CreateWorkflow
- Description: Grants permission to create a new workflow
- Access: Write
- Conditions:
  aws:TagKeys
  
  aws:RequestTag/${TagKey}
DeleteWorkflow
- Description: Grants permission to delete a workflow
- Access: Write
- Resources:
  Name: Workflow
  
  Required: Yes
GetTaskInstance
- Description: Grants permission to retrieve the task details for a workflow run
- Access: Read
- Resources:
  Name: Workflow
  
  Required: Yes
GetWorkflow
- Description: Grants permission to retrieve details about a workflow
- Access: Read
- Resources:
  Name: Workflow
  
  Required: Yes
GetWorkflowRun
- Description: Grants permission to retrieve details about a workflow run
- Access: Read
- Resources:
  Name: Workflow
  
  Required: Yes
ListTagsForResource
- Description: Grants permission to list the tags for the specified resource
- Access: Read
- Resources:
  Name: Workflow
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
ListTaskInstances
- Description: Grants permission to list the tasks for a workflow run
- Access: List
- Resources:
  Name: Workflow
  
  Required: Yes
ListWorkflowRuns
- Description: Grants permission to list the workflow runs of a workflow
- Access: List
- Resources:
  Name: Workflow
  
  Required: Yes
ListWorkflowVersions
- Description: Grants permission to list the workflow versions
- Access: List
- Resources:
  Name: Workflow
  
  Required: Yes
ListWorkflows
- Description: Grants permission to list the workflows
- Access: List
StartWorkflowRun
- Description: Grants permission to start an on-demand workflow run for the workflow
- Access: Write
- Resources:
  Name: Workflow
  
  Required: Yes
StopWorkflowRun
- Description: Grants permission to stop a workflow run
- Access: Write
- Resources:
  Name: Workflow
  
  Required: Yes
TagResource
- Description: Grants permission to tag the specified resource
- Access: Tagging
- Resources:
  Name: Workflow
  
  Required: Yes
- Conditions:
  aws:TagKeys
  
  aws:RequestTag/${TagKey}
  
  aws:ResourceTag/${TagKey}
UntagResource
- Description: Grants permission to untag the specified resource
- Access: Tagging
- Resources:
  Name: Workflow
  
  Required: Yes
- Conditions:
  aws:TagKeys
  
  aws:ResourceTag/${TagKey}
UpdateWorkflow
- Description: Grants permission to update an existing workflow
- Access: Write
- Resources:
  Name: Workflow
  
  Required: Yes

Resources

Workflow
- Arn: arn:${Partition}:airflow-serverless:${Region}:${Account}:workflow/${WorkflowId}
- Conditions:
  aws:ResourceTag/${TagKey}

Conditions

aws:RequestTag/${TagKey}
- Description: Filters access by the presence of tag key-value pairs in the request
- Type: String
aws:ResourceTag/${TagKey}
- Description: Filters access by tag key-value pairs that are attached to the resource
- Type: String
aws:TagKeys
- Description: Filters access by tag keys in the request
- Type: ArrayOfString

AWS MWAA Serverless (airflow-serverless)

Additions