API Token permissions

Stax API permissions using API Tokens

API Tokens provide programmatic access to the Stax API and cannot be used to log into the Stax console. The below table provides a a list of permissions for each Stax role used to manage the access level of your API Token.

Key	Description
	User can perform this action
	User cannot perform this action

Actions	Root	Admin	User	Read Only	Description
accounts:CreateAccount					Allows the token to create an Account
accounts:CreateAccountType					Allows the token to create an Account Type
accounts:DeleteAccountType					Allows the token to delete an Account Type
accounts:DiscoverAccounts					Allows the token to discover AWS Accounts associated with the Organization
accounts:OnboardAccounts					Allows the token to onboard AWS Accounts associated with the Organization
accounts:ReadAccountTypes					Allows the token to view Account Types
accounts:ReadAccounts					Allows the token to view Accounts
accounts:UpdateAccount					Allows the token to update an Account name, description and tags
accounts:UpdateAccountType					Allows the token to update an Account Type
accounts:UpdateAccountTypeAccess					Allows the token to add an AWS role to an Account Type
account:UpdateAccountTypeMembers					Allows the token to move accounts between Account Types
account:UpdatePolicies					Allows the token to add or remove Policies from an Account Type
alias:CheckAliasAvailability				Allows token to check if a Customer Alias is already in use
networking:CreateCIDRExclusion					Allows the token to create a CIDR Exclusion
networking:CreateCIDRRange					Allows the token to create a CIDR Range
networking:CreateDnsResolver					Allows the token to create a DNS Resolver
networking:CreateDnsRule					Allows the token to create a DNS Rule
networking:CreateDxAssociation					Allows the token to create a DX Association between a Stax Networking Hub or Stax VPC and a Stax DX Gateway
networking:CreateDxResource					Allows the token to create a DX Resource, a DX Gateway and/or DX Vif
networking:CreateHub					Allows the token to create a Networking Hub
networking:CreateVPC					Allows the token to create a VPC
networking:CreateVpnConnection					Allows the token to create a VPN Connection between a Stax Networking Hub or Stax VPC and a Stax VPN Customer Gateway
networking:CreateVpnCustomerGateway					Allows the token to create a VPN Customer Gateway
networking:DeleteCIDRExclusion					Allows the token to delete a CIDR Exclusion
networking:DeleteCIDRRange					Allows the token to delete a CIDR Range
networking:DeleteDnsResolver					Allows the token to delete a DNS Resolver within a Stax Networking Hub
networking:DeleteDnsRule					Allows the token to delete a DNS Rule
networking:DeleteDxAssociation					Allows the token to delete a DX Association
networking:DeleteDxGateway					Allows the token to delete a DX Gateway
networking:DeleteDxVif					Allows the token to delete a DX Vif
networking:DeleteHub					Allows the token to delete a Networking Hub
networking:DeleteVPC					Allows the token to delete a VPC
networking:DeleteVpnConnection					Allows the token to delete a VPN Connection with a Stax VPN Customer Gateway
networking:DeleteVpnCustomerGateway					Allows the token to delete a Stax VPN Customer Gateway
networking:ReadCIDRExclusions					Allows the token to view CIDR Exclusions
networking:ReadCIDRRange					Allows the token to view CIDR Ranges
networking:ReadDnsResolvers					Allows the token to view DNS Resolvers for a Stax Networking Hub
networking:ReadDnsRules					Allows the token to view DNS Rules for Stax DNS Resolvers
networking:ReadDxAssociations					Allows the token to view DX Associations
networking:ReadDxConnections					Allows the token to view DX Connections within Accounts
networking:ReadDxResources					Allows the token to view DX Gateways
networking:ReadDxVifStatus					Allows the token to view DX Vifs
networking:ReadHubs					Allows the token to view Networking Hubs
networking:ReadVPCs					Allows the token to view VPCs
networking:ReadVpnConnection					Allows the token to view VPN Connections
networking:ReadVpnConnectionStatus					Allows the token to view the connectivity status of VPN Tunnels for VPN Connections
networking:ReadVpnCustomerGateways					Allows the token to view VPN Customer Gateways
networking:UpdateCIDRExclusion					Allows the token to update a CIDR Exclusion
networking:UpdateCIDRRange					Allows the token to update a CIDR Range
networking:UpdateDnsResolver					Allows the token to update a DNS Resolver
networking:UpdateDnsRule					Allows the token to update a DNS Rule
networking:UpdateDxAssociation					Allows the token to update a DX Association
networking:UpdateDxVif					Allows the token to update a DX Vif
networking:UpdateHub					Allows the token to update a Networking Hub
networking:UpdateVPC					Allows the token to update a VPC
networking:UpdateVpnConnection					Allows the token to update a VPN Connection
networking:UpdateVpnCustomerGateway					Allows the token to update a VPN Customer Gateway
organisations:AttachPolicy					Allows the token to attach a Policy to an Organization
organisations:CreatePolicy					Allows the token to create a Policy
organisations:DeletePolicy					Allows the token to delete a Policy
organisations:DetachPolicy					Allows the token to detach a Policy from an Organization
organisations:ReadOrganisation					Allows the token to view their Organization details
organisations:ReadPolicies					Allows the token to view Policies
organisations:UpdatePolicy					Allows the token to update a Policy
tasks:ReadTasks				Allows the token to view the status of a task
tasks:ReadTasksbyStatus				Allows the token to view tasks by status
teams:CreateAPIToken					Allows the token to create an API Token
teams:CreateGroup					Allows the token to create a Group
teams:CreateUser					Allows the token to invite a new team member
teams:DeleteAPIToken					Allows the token to delete an API Token
teams:DeleteGroup					Allows the token to delete a Group
teams:DeleteUser					Allows the token to delete a team member
teams:ReadAPITokens					Allows the token to view API Tokens
teams:ReadGroups					Allows the token to view Groups
teams:ReadUsers					Allows the token to view all team members
teams:UpdateAPITokens					Allows the token to update an API Token
teams:UpdateGroup					Allows the token to update a Group
teams:UpdateGroupMembers					Allows the token to add a Group member
teams:UpdateUser					Allows the token to update a team member's details or deactivate/activate them
teams:UpdateUserPassword					Allows the token to request a password reset
workloads:CreateCatalogueItem					Allows the token to create a Workload Catalogue Item
workloads:CreateCatalogueVersion					Allows the token to create a Workload Catalogue Version within a Workload Catalogue Item
workloads:CreateWorkload					Allows the token to deploy a Workload
workloads:DeleteCatalogueItem					Allows the token to delete a Workload Catalogue Item
workloads:DeleteCatalogueVersion					Allows the token to delete a Workload Catalogue Version
workloads:DeleteWorkload					Allows the token to deactivate a Workload
workloads:ReadCatalogueItems					Allows the token to view the Workload Catalogue
workloads:ReadCatalogueManifest					Allows the token to view a Workload Catalogue Manifest
workloads:ReadCatalogueTemplate					Allows the token to view the Workload Cloudformation Template
workloads:ReadWorkloads					Allows the token to view a active Workloads
workloads:UpdateWorkload					Allows the token to update an active Workload

See also

• API Tokens Overview
• Create a Stax API Token
• Managing an API Token
• View an API token's Access Key and Secret Key
• Stax Python SDK Overview
• Stax API Reference