API Token Permissions – Stax

API Tokens provide programmatic access to the Stax API and cannot be used to log into the Stax console. The below table provides a a list of permissions for each Stax role used to manage the access level of your API Token.

Key	Description
✔️	API token can perform this action
❌	API token cannot perform this action

Actions	Root	Admin	User	Read Only	Description
accounts:CreateAccount	✔️	✔️	❌	❌	Allows the token to create an Account
accounts:CreateAccountType	✔️	✔️	❌	❌	Allows the token to create an Account Type
accounts:DeleteAccountType	✔️	✔️	❌	❌	Allows the token to delete an Account Type
accounts:DiscoverAccounts	✔️	✔️	❌	❌	Allows the token to discover AWS Accounts associated with the Organization
accounts:OnboardAccounts	✔️	✔️	❌	❌	Allows the token to onboard AWS Accounts associated with the Organization
accounts:ReadAccountTypes	✔️	✔️	✔️	✔️	Allows the token to view Account Types
accounts:ReadAccounts	✔️	✔️	✔️	✔️	Allows the token to view Accounts
accounts:UpdateAccount	✔️	✔️	❌	❌	Allows the token to update an Account name, description and tags
accounts:UpdateAccountType	✔️	✔️	❌	❌	Allows the token to update an Account Type
accounts:UpdateAccountTypeAccess	✔️	✔️	❌	❌	Allows the token to add an AWS role to an Account Type
account:UpdateAccountTypeMembers	✔️	✔️	❌	❌	Allows the token to move accounts between Account Types
account:UpdatePolicies	✔️	✔️	❌	❌	Allows the token to add or remove Policies from an Account Type
alias:CheckAliasAvailability	✔️	✔️	✔️		Allows token to check if a Customer Alias is already in use
networking:CreateCIDRExclusion	✔️	✔️	❌	❌	Allows the token to create a CIDR Exclusion
networking:CreateCIDRRange	✔️	✔️	❌	❌	Allows the token to create a CIDR Range
networking:CreateDnsResolver	✔️	✔️	❌	❌	Allows the token to create a DNS Resolver
networking:CreateDnsRule	✔️	✔️	❌	❌	Allows the token to create a DNS Rule
networking:CreateDxAssociation	✔️	✔️	❌	❌	Allows the token to create a DX Association between a Stax Networking Hub or Stax VPC and a Stax DX Gateway
networking:CreateDxResource	✔️	✔️	❌	❌	Allows the token to create a DX Resource, a DX Gateway and/or DX Vif
networking:CreateHub	✔️	✔️	❌	❌	Allows the token to create a Networking Hub
networking:CreateVPC	✔️	✔️	✔️	❌	Allows the token to create a VPC
networking:CreateVpnConnection	✔️	✔️	❌	❌	Allows the token to create a VPN Connection between a Stax Networking Hub or Stax VPC and a Stax VPN Customer Gateway
networking:CreateVpnCustomerGateway	✔️	✔️	❌	❌	Allows the token to create a VPN Customer Gateway
networking:DeleteCIDRExclusion	✔️	✔️	❌	❌	Allows the token to delete a CIDR Exclusion
networking:DeleteCIDRRange	✔️	✔️	❌	❌	Allows the token to delete a CIDR Range
networking:DeleteDnsResolver	✔️	✔️	❌	❌	Allows the token to delete a DNS Resolver within a Stax Networking Hub
networking:DeleteDnsRule	✔️	✔️	❌	❌	Allows the token to delete a DNS Rule
networking:DeleteDxAssociation	✔️	✔️	❌	❌	Allows the token to delete a DX Association
networking:DeleteDxGateway	✔️	✔️	❌	❌	Allows the token to delete a DX Gateway
networking:DeleteDxVif	✔️	✔️	❌	❌	Allows the token to delete a DX Vif
networking:DeleteHub	✔️	✔️	❌	❌	Allows the token to delete a Networking Hub
networking:DeleteVPC	✔️	✔️	❌	❌	Allows the token to delete a VPC
networking:DeleteVpnConnection	✔️	✔️	❌	❌	Allows the token to delete a VPN Connection with a Stax VPN Customer Gateway
networking:DeleteVpnCustomerGateway	✔️	✔️	✔️	❌	Allows the token to delete a Stax VPN Customer Gateway
networking:ReadCIDRExclusions	✔️	✔️	✔️	✔️	Allows the token to view CIDR Exclusions
networking:ReadCIDRRange	✔️	✔️	✔️	✔️	Allows the token to view CIDR Ranges
networking:ReadDnsResolvers	✔️	✔️	✔️	✔️	Allows the token to view DNS Resolvers for a Stax Networking Hub
networking:ReadDnsRules	✔️	✔️	✔️	✔️	Allows the token to view DNS Rules for Stax DNS Resolvers
networking:ReadDxAssociations	✔️	✔️	✔️	✔️	Allows the token to view DX Associations
networking:ReadDxConnections	✔️	✔️	✔️	✔️	Allows the token to view DX Connections within Accounts
networking:ReadDxResources	✔️	✔️	✔️	✔️	Allows the token to view DX Gateways
networking:ReadDxVifStatus	✔️	✔️	✔️	✔️	Allows the token to view DX Vifs
networking:ReadHubs	✔️	✔️	✔️	✔️	Allows the token to view Networking Hubs
networking:ReadVPCs	✔️	✔️	✔️	✔️	Allows the token to view VPCs
networking:ReadVpnConnection	✔️	✔️	✔️	✔️	Allows the token to view VPN Connections
networking:ReadVpnConnectionStatus	✔️	✔️	✔️	✔️	Allows the token to view the connectivity status of VPN Tunnels for VPN Connections
networking:ReadVpnCustomerGateways	✔️	✔️	✔️	✔️	Allows the token to view VPN Customer Gateways
networking:UpdateCIDRExclusion	✔️	✔️	❌	❌	Allows the token to update a CIDR Exclusion
networking:UpdateCIDRRange	✔️	✔️	❌	❌	Allows the token to update a CIDR Range
networking:UpdateDnsResolver	✔️	✔️	❌	❌	Allows the token to update a DNS Resolver
networking:UpdateDnsRule	✔️	✔️	❌	❌	Allows the token to update a DNS Rule
networking:UpdateDxAssociation	✔️	✔️	❌	❌	Allows the token to update a DX Association
networking:UpdateDxVif	✔️	✔️	❌	❌	Allows the token to update a DX Vif
networking:UpdateHub	✔️	✔️	❌	❌	Allows the token to update a Networking Hub
networking:UpdateVPC	✔️	✔️	✔️	❌	Allows the token to update a VPC
networking:UpdateVpnConnection	✔️	✔️	❌	❌	Allows the token to update a VPN Connection
networking:UpdateVpnCustomerGateway	✔️	✔️	❌	❌	Allows the token to update a VPN Customer Gateway
organisations:AttachPolicy	✔️	✔️	❌	❌	Allows the token to attach a Policy to an Organization
organisations:CreatePolicy	✔️	✔️	❌	❌	Allows the token to create a Policy
organisations:DeletePolicy	✔️	✔️	❌	❌	Allows the token to delete a Policy
organisations:DetachPolicy	✔️	✔️	❌	❌	Allows the token to detach a Policy from an Organization
organisations:ReadOrganisation	✔️	✔️	✔️	✔️	Allows the token to view their Organization details
organisations:ReadPolicies	✔️	✔️	✔️	✔️	Allows the token to view Policies
organisations:UpdatePolicy	✔️	✔️	❌	❌	Allows the token to update a Policy
tasks:ReadTasks	✔️	✔️	✔️		Allows the token to view the status of a task
tasks:ReadTasksbyStatus	✔️	✔️	✔️		Allows the token to view tasks by status
teams:CreateAPIToken	✔️	✔️	❌	❌	Allows the token to create an API Token
teams:CreateGroup	✔️	✔️	❌	❌	Allows the token to create a Group
teams:CreateUser	✔️	✔️	❌	❌	Allows the token to invite a new team member
teams:DeleteAPIToken	✔️	✔️	❌	❌	Allows the token to delete an API Token
teams:DeleteGroup	✔️	✔️	❌	❌	Allows the token to delete a Group
teams:DeleteUser	✔️	✔️	❌	❌	Allows the token to delete a team member
teams:ReadAPITokens	✔️	✔️	✔️	✔️	Allows the token to view API Tokens
teams:ReadGroups	✔️	✔️	✔️	✔️	Allows the token to view Groups
teams:ReadUsers	✔️	✔️	✔️	✔️	Allows the token to view all team members
teams:UpdateAPITokens	✔️	✔️	❌	❌	Allows the token to update an API Token
teams:UpdateGroup	✔️	✔️	❌	❌	Allows the token to update a Group
teams:UpdateGroupMembers	✔️	✔️	❌	❌	Allows the token to add a Group member
teams:UpdateUser	✔️	✔️	❌	❌	Allows the token to update a team member's details or deactivate/activate them
teams:UpdateUserPassword	✔️	✔️	✔️	❌	Allows the token to request a password reset
workloads:CreateCatalogueItem	✔️	✔️	❌	❌	Allows the token to create a Workload Catalogue Item
workloads:CreateCatalogueVersion	✔️	✔️	❌	❌	Allows the token to create a Workload Catalogue Version within a Workload Catalogue Item
workloads:CreateWorkload	✔️	✔️	✔️	❌	Allows the token to deploy a Workload
workloads:DeleteCatalogueItem	✔️	✔️	❌	❌	Allows the token to delete a Workload Catalogue Item
workloads:DeleteCatalogueVersion	✔️	✔️	❌	❌	Allows the token to delete a Workload Catalogue Version
workloads:DeleteWorkload	✔️	✔️	✔️	❌	Allows the token to delete a Workload
workloads:ReadCatalogueItems	✔️	✔️	✔️	✔️	Allows the token to view the Workload Catalogue
workloads:ReadCatalogueManifest	✔️	✔️	✔️	✔️	Allows the token to view a Workload Catalogue Manifest
workloads:ReadCatalogueTemplate	✔️	✔️	✔️	✔️	Allows the token to view the Workload CloudFormation Template
workloads:ReadWorkloads	✔️	✔️	✔️	✔️	Allows the token to view a active Workloads
workloads:UpdateWorkload	✔️	✔️	✔️	❌	Allows the token to update an active Workload

Related articles