signin:CreateOAuth2Token

Read

signin:CreateOAuth2Token is a Read access-level action in the signin service. Grants permission to exchange an authorization code for OAuth 2.0 access token and refresh token that can be used to access AWS services from developer tools and applications

Resource types

ARNs that signin:CreateOAuth2Token can be scoped to in an IAM policy.

arn:${Partition}:signin:::console/${ConsoleName}
console
arn:${Partition}:signin:${Region}:${Account}:oauth2/public-client/localhost
oauth2-public-client-localhost
arn:${Partition}:signin:${Region}:${Account}:oauth2/public-client/remote
oauth2-public-client-remote

Condition keys

No condition keys are documented for this action.

Example IAM policy

A minimal policy that allows signin:CreateOAuth2Token. Replace "Resource": "*" with a specific ARN to follow least privilege.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSigninCreateOAuth2Token",
      "Effect": "Allow",
      "Action": "signin:CreateOAuth2Token",
      "Resource": "*"
    }
  ]
}

Related actions in signin

View all signin actions →