Skip to main content

API Token Permissions

API Tokens provide programmatic access to the Stax API and cannot be used to log into the Stax console. The below table provides a a list of permissions for each Stax role used to manage the access level of your API Token.

KeyDescription
✔️API token can perform this action
API token cannot perform this action
ActionsRootAdminUserRead OnlyDescription
accounts:CreateAccount✔️✔️Allows the token to create an Account
accounts:CreateAccountType✔️✔️Allows the token to create an Account Type
accounts:DeleteAccountType✔️✔️Allows the token to delete an Account Type
accounts:DiscoverAccounts✔️✔️Allows the token to discover AWS Accounts associated with the Organization
accounts:OnboardAccounts✔️✔️Allows the token to onboard AWS Accounts associated with the Organization
accounts:ReadAccountTypes✔️✔️✔️✔️Allows the token to view Account Types
accounts:ReadAccounts✔️✔️✔️✔️Allows the token to view Accounts
accounts:UpdateAccount✔️✔️Allows the token to update an Account name, description and tags
accounts:UpdateAccountType✔️✔️Allows the token to update an Account Type
accounts:UpdateAccountTypeAccess✔️✔️Allows the token to add an AWS role to an Account Type
account:UpdateAccountTypeMembers✔️✔️Allows the token to move accounts between Account Types
account:UpdatePolicies✔️✔️Allows the token to add or remove Policies from an Account Type
alias:CheckAliasAvailability✔️✔️✔️Allows token to check if a Customer Alias is already in use
networking:CreateCIDRExclusion✔️✔️Allows the token to create a CIDR Exclusion
networking:CreateCIDRRange✔️✔️Allows the token to create a CIDR Range
networking:CreateDnsResolver✔️✔️Allows the token to create a DNS Resolver
networking:CreateDnsRule✔️✔️Allows the token to create a DNS Rule
networking:CreateDxAssociation✔️✔️Allows the token to create a DX Association between a Stax Networking Hub or Stax VPC and a Stax DX Gateway
networking:CreateDxResource✔️✔️Allows the token to create a DX Resource, a DX Gateway and/or DX Vif
networking:CreateHub✔️✔️Allows the token to create a Networking Hub
networking:CreateVPC✔️✔️✔️Allows the token to create a VPC
networking:CreateVpnConnection✔️✔️Allows the token to create a VPN Connection between a Stax Networking Hub or Stax VPC and a Stax VPN Customer Gateway
networking:CreateVpnCustomerGateway✔️✔️Allows the token to create a VPN Customer Gateway
networking:DeleteCIDRExclusion✔️✔️Allows the token to delete a CIDR Exclusion
networking:DeleteCIDRRange✔️✔️Allows the token to delete a CIDR Range
networking:DeleteDnsResolver✔️✔️Allows the token to delete a DNS Resolver within a Stax Networking Hub
networking:DeleteDnsRule✔️✔️Allows the token to delete a DNS Rule
networking:DeleteDxAssociation✔️✔️Allows the token to delete a DX Association
networking:DeleteDxGateway✔️✔️Allows the token to delete a DX Gateway
networking:DeleteDxVif✔️✔️Allows the token to delete a DX Vif
networking:DeleteHub✔️✔️Allows the token to delete a Networking Hub
networking:DeleteVPC✔️✔️Allows the token to delete a VPC
networking:DeleteVpnConnection✔️✔️Allows the token to delete a VPN Connection with a Stax VPN Customer Gateway
networking:DeleteVpnCustomerGateway✔️✔️✔️Allows the token to delete a Stax VPN Customer Gateway
networking:ReadCIDRExclusions✔️✔️✔️✔️Allows the token to view CIDR Exclusions
networking:ReadCIDRRange✔️✔️✔️✔️Allows the token to view CIDR Ranges
networking:ReadDnsResolvers✔️✔️✔️✔️Allows the token to view DNS Resolvers for a Stax Networking Hub
networking:ReadDnsRules✔️✔️✔️✔️Allows the token to view DNS Rules for Stax DNS Resolvers
networking:ReadDxAssociations✔️✔️✔️✔️Allows the token to view DX Associations
networking:ReadDxConnections✔️✔️✔️✔️Allows the token to view DX Connections within Accounts
networking:ReadDxResources✔️✔️✔️✔️Allows the token to view DX Gateways
networking:ReadDxVifStatus✔️✔️✔️✔️Allows the token to view DX Vifs
networking:ReadHubs✔️✔️✔️✔️Allows the token to view Networking Hubs
networking:ReadVPCs✔️✔️✔️✔️Allows the token to view VPCs
networking:ReadVpnConnection✔️✔️✔️✔️Allows the token to view VPN Connections
networking:ReadVpnConnectionStatus✔️✔️✔️✔️Allows the token to view the connectivity status of VPN Tunnels for VPN Connections
networking:ReadVpnCustomerGateways✔️✔️✔️✔️Allows the token to view VPN Customer Gateways
networking:UpdateCIDRExclusion✔️✔️Allows the token to update a CIDR Exclusion
networking:UpdateCIDRRange✔️✔️Allows the token to update a CIDR Range
networking:UpdateDnsResolver✔️✔️Allows the token to update a DNS Resolver
networking:UpdateDnsRule✔️✔️Allows the token to update a DNS Rule
networking:UpdateDxAssociation✔️✔️Allows the token to update a DX Association
networking:UpdateDxVif✔️✔️Allows the token to update a DX Vif
networking:UpdateHub✔️✔️Allows the token to update a Networking Hub
networking:UpdateVPC✔️✔️✔️Allows the token to update a VPC
networking:UpdateVpnConnection✔️✔️Allows the token to update a VPN Connection
networking:UpdateVpnCustomerGateway✔️✔️Allows the token to update a VPN Customer Gateway
organisations:AttachPolicy✔️✔️Allows the token to attach a Policy to an Organization
organisations:CreatePolicy✔️✔️Allows the token to create a Policy
organisations:DeletePolicy✔️✔️Allows the token to delete a Policy
organisations:DetachPolicy✔️✔️Allows the token to detach a Policy from an Organization
organisations:ReadOrganisation✔️✔️✔️✔️Allows the token to view their Organization details
organisations:ReadPolicies✔️✔️✔️✔️Allows the token to view Policies
organisations:UpdatePolicy✔️✔️Allows the token to update a Policy
tasks:ReadTasks✔️✔️✔️Allows the token to view the status of a task
tasks:ReadTasksbyStatus✔️✔️✔️Allows the token to view tasks by status
teams:CreateAPIToken✔️✔️Allows the token to create an API Token
teams:CreateGroup✔️✔️Allows the token to create a Group
teams:CreateUser✔️✔️Allows the token to invite a new team member
teams:DeleteAPIToken✔️✔️Allows the token to delete an API Token
teams:DeleteGroup✔️✔️Allows the token to delete a Group
teams:DeleteUser✔️✔️Allows the token to delete a team member
teams:ReadAPITokens✔️✔️✔️✔️Allows the token to view API Tokens
teams:ReadGroups✔️✔️✔️✔️Allows the token to view Groups
teams:ReadUsers✔️✔️✔️✔️Allows the token to view all team members
teams:UpdateAPITokens✔️✔️Allows the token to update an API Token
teams:UpdateGroup✔️✔️Allows the token to update a Group
teams:UpdateGroupMembers✔️✔️Allows the token to add a Group member
teams:UpdateUser✔️✔️Allows the token to update a team member's details or deactivate/activate them
teams:UpdateUserPassword✔️✔️✔️Allows the token to request a password reset
workloads:CreateCatalogueItem✔️✔️Allows the token to create a Workload Catalogue Item
workloads:CreateCatalogueVersion✔️✔️Allows the token to create a Workload Catalogue Version within a Workload Catalogue Item
workloads:CreateWorkload✔️✔️✔️Allows the token to deploy a Workload
workloads:DeleteCatalogueItem✔️✔️Allows the token to delete a Workload Catalogue Item
workloads:DeleteCatalogueVersion✔️✔️Allows the token to delete a Workload Catalogue Version
workloads:DeleteWorkload✔️✔️✔️Allows the token to delete a Workload
workloads:ReadCatalogueItems✔️✔️✔️✔️Allows the token to view the Workload Catalogue
workloads:ReadCatalogueManifest✔️✔️✔️✔️Allows the token to view a Workload Catalogue Manifest
workloads:ReadCatalogueTemplate✔️✔️✔️✔️Allows the token to view the Workload CloudFormation Template
workloads:ReadWorkloads✔️✔️✔️✔️Allows the token to view a active Workloads
workloads:UpdateWorkload✔️✔️✔️Allows the token to update an active Workload