Role REST API Reference


Use the Role REST API to manage organizational roles in Alexa Smart Properties (ASP). A role defines the operations that the user has permission to perform on units. Before a user can access any ASP resources, the user must have an assigned role. Alexa assigns the administrator role to the creator of a unit automatically.

For more details about organizational roles, see About Managing Roles in Alexa Smart Properties.

API endpoint

Based on the country of your organization, set the Host parameter in the request header to one of the following API endpoints.

Country Endpoint

CA, US

https://api.amazonalexa.com

DE, ES, FR, IT, UK

https://api.eu.amazonalexa.com

JP

https://api.fe.amazonalexa.com

Authentication

Each API request must have an authorization header whose value is the access token retrieved from Login with Amazon (LWA). For details, see Manage API Access.

Operations

The Role API includes the following operations.

Operation HTTP Method and URI

Assign role

POST /v1/roles/{roleId}/assignments

Batch assign role

POST /v1/roles/{roleId}/assignments/batchAssign

Batch revoke role assignment

POST /v1/roles/{roleId}/assignments/batchRevoke

Get role

GET /v1/roles/{roleId}

List principal assignments

GET /v1/roles/{roleId}/assignments?maxResults={maxResults}&nextToken={nextToken}

List roles

GET /v1/roles?unitId={unitId}&targetEntityId={targetEntityId}&roleName={roleName}&maxResults={maxResults}&nextToken={nextToken}

List role assignments

GET /v1/roles/assignments?principalId={principalId}&unitId={unitId}&targetEntityId={targetEntityId}&maxResults={maxResults}&nextToken={nextToken}

Revoke role assignment

DELETE /v1/roles/{roleId}/assignments?principalId={principalId}&propagate={propagate}

Assign role

Assign the specified role to the specified principal. You can't assign the same role to a principal who is already assigned that role. For details about how to retrieve the user ID for the principal, see Obtain Customer Profile Information. You can assign a role and optionally propagate the role assignment to the property hierarchy. And, you can assign a role temporarily.

This operation is available in the following countries.

Healthcare Hospitality Senior Living Core

US

US, UK, FR, CA, IT, DE, ES, JP

US, UK, FR, CA, IT, DE, ES, JP

US

Request

To assign a role, you make a POST request to the POST /v1/roles/{roleId}/assignments resource.

Request path and header example

Copied to clipboard.

POST /v1/roles/{roleId}/assignments HTTP/1.1
Host: api.amazonalexa.com
Accept: application/json
Authorization: Bearer {access token}

Request path and header parameters

Parameter Located in Description Type Required

roleId

Path

Identifies the role.
Formatted as Amazon Common Identifier (ACI), amzn1.alexa.role.did.{id}.

String

Yes

access token

Header

Access token for the customer.
Set to an LWA token.

String

Yes

Request body example

Copied to clipboard.

   "principalId" : "amzn1.account.1",
   "propagate" : true,
   "expiresAt": "2021-11-02T12:51:00.000Z"

Request body properties

Property Description Type Required

principalId

Identifies the principal for whom to assign the role.
Formatted as Amazon Common Identifier (ACI), amzn1.account.{id}.
For details about how to get the principal ID, see Obtain Customer Profile Information. The user_id you receive in the customer profile response is the value to use for principalId.

String

Yes

propagate

Indicates whether to propagate the role assignment to the entire unit hierarchy.
Only the Amazon Business account's principal ID can propagate roles.
Default: false.

Boolean

No

expiresAt

Assign the role to the specified principal until the specified expiration date and time.
The expiration time must be at least 30 minutes after the current time and no more than 30 days from the current time. When not set, the role assignment never expires. When expiresAt has a value and propagate is true, all assignments in the unit hierarchy inherit the expiration time.
Defined in ISO 8601 format, YYYY-MM-DDThh:mm:ssZ.

String

No

Response

A successful response returns HTTP 202 Accepted or HTTP 204 No content. On error, the response returns the appropriate HTTP status code and includes a response body with a human-readable description.

Response body example

The response has no body.

Response body properties

The response has no body.

HTTP status codes

Status Description

202 Accepted

Role assigned successfully and the propagation request for the specified principal accepted.

204 No content

Role assigned successfully. No propagation specified.

400 Bad Request

Indicates that one or more properties in the request body aren't valid.

401 Unauthorized

Request didn't include the authorization token, or the included token expired or isn't valid. Or, you don't have access to the resource.

403 Forbidden

Indicates that the authorization token is valid, but the requested operation isn't allowed.

404 Not Found

Requested resource not found.

429 Too Many Requests

Permitted rate limit, specified as the number of requests per unit of time, exceeded. You can retry the request by using exponential back-off.

500 Server Error

Error occurred on the server. You can retry the request by using exponential back-off.

503 Service Unavailable

Server is down for maintenance, overloaded, or otherwise unavailable to handle the incoming request.

Batch assign role

Assign the specified role to the list of principals. For details about how to retrieve the user ID for the principal, see Obtain Customer Profile Information. You can assign a role and optionally propagate the role assignment to the property hierarchy. And, you can assign a role temporarily.

After accepting the request, this operation performs synchronous validations and then returns a successful response. Each principal is then assigned to the role asynchronously in the background. For any inputs that aren't valid, the entire operation fails. Either all the request items are processed or none are processed.

If there's an existing role assignment for a given roleId and principalId with propagate set to false, a role assignment request for the same roleId and principalId with a propagation value of true updates the existing role assignment with propagation.

This operation is available in the following countries.

Healthcare Hospitality Senior Living Core

US

US, UK, FR, CA, JP

US, CA, JP

US

Request

To assign a role, you make a POST request to the POST /v1/roles/{roleId}/assignments/batchAssign resource.

Request path and header example

Copied to clipboard.

POST /v1/roles/{roleId}/assignments/batchAssign HTTP/1.1
Host: api.amazonalexa.com
Accept: application/json
Authorization: Bearer {access token}

Request path and header parameters

Parameter Located in Description Type Required

roleId

Path

Identifies the role.
Formatted as Amazon Common Identifier (ACI), amzn1.alexa.role.did.{id}.

String

Yes

access token

Header

Access token for the customer.
Set to an LWA token.

String

Yes

Request body example

Copied to clipboard.

{
   "items": [
     {
        "itemId" : 0,
        "principalId": "amzn1.alexa.user.2",
        "propagate": false,
        "expiresAt": "2021-11-02T12:51:00.000Z"
     },
     {
        "itemId" : 1,         
        "principalId": "amzn1.alexa.user.3",
        "propagate": true
     },
     {
        "itemId" : 2,
        "principalId": "amzn1.alexa.user.4",
        "propagate": false
     }
   ]
}

Request body properties

Property Description Type Required

items

List of principals to which to assign the role.

Array of objects

Yes

items[].itemId

Unique identifier for the assignment.

Integer

Yes

items[].principalId

Identifies the principal for whom to assign the role.
Formatted as Amazon Common Identifier (ACI), amzn1.account.{id}.
For details about how to get the principal ID, see Obtain Customer Profile Information. The user_id you receive in the customer profile response is the value to use for principalId.

String

Yes

items[].propagate

Indicates whether to propagate the role assignment to the entire unit hierarchy.
Only the Amazon Business account's principal ID can propagate roles.

Boolean

No

items[].expiresAt

Assign the role to the specified principal until the specified expiration date and time.
The expiration time must be at least 30 minutes after the current time and no more than 30 days from the current time. When not set, the role assignment never expires. When expiresAt has a value and propagate is true, all assignments in the unit hierarchy inherit the expiration time.
Defined in ISO 8601 format, YYYY-MM-DDThh:mm:ssZ.

String

No

Response

A successful response returns HTTP 202 Accepted. On error, the response returns the appropriate HTTP status code and includes a response body with a BatchError object.

Response body example

The response has no body.

Response body properties

The response has no body.

HTTP status codes

Status Description

202 Accepted

Request to assign a role for the specified principals accepted.

400 Bad Request

Indicates that one or more properties in the request body aren't valid.

The response might include one of the following errors types and messages:

  • BAD_REQUEST – The request is malformed or is missing any required parameters.
  • DUPLICATE_REQUEST_ITEM_FOUND – Request contains a duplicate request item.
  • INVALID_PRINCIPAL_ID – Invalid principalId.
  • INVALID_ROLE_ID – Invalid roleId.
  • NO_UNIT_FOR_ROLE – Role not backed by a unit; propagation not supported.
  • REQUEST_LIMIT_EXCEEDED – Request exceeded the limit on the number of principals for role assignment per one request.
  • ROLE_ASSIGNMENT_NOT_SUPPORTED – You can't downgrade an already propagated role assignment to a standalone assignment; the propagate flag should be true.

401 Unauthorized

Request didn't include the authorization token, or the included token expired or isn't valid. Or, you don't have access to the resource.

403 Forbidden

Indicates that the authorization token is valid, but the requested operation isn't allowed.

404 Not Found

Requested resource not found.

429 Too Many Requests

Permitted rate limit, specified as the number of requests per unit of time, exceeded. You can retry the request by using exponential back-off.

500 Server Error

Error occurred on the server. You can retry the request by using exponential back-off.

503 Service Unavailable

Server is down for maintenance, overloaded, or otherwise unavailable to handle the incoming request.

Batch revoke role assignment

Remove a role assignment for the specified list of principals. You can enable propagation to revoke the role assignment to the property hierarchy.

After accepting the request, this operation performs synchronous validations and then returns a successful response. Each principal is then revoked from the role asynchronously in the background. For any inputs that aren't valid, the entire operation fails. Either all the request items are processed or none are processed.

This operation is available in the following countries.

Healthcare Hospitality Senior Living Core

US

US, UK, FR, CA, JP

US, CA, JP

US

Request

To remove the role, you make a POST request to the /v1/roles/{roleId}/assignments/batchRevoke resource.

Request path and header example

Copied to clipboard.

POST /v1/roles/{roleId}/assignments/batchRevoke
Host: api.amazonalexa.com
Content-Type: application/json
Authorization: Bearer {access token}

Request path and header parameters

Parameter Located in Description Type Required

roleId

Path

Identifies the role.
Formatted as Amazon Common Identifier (ACI), amzn1.alexa.role.did.{id}.

String

Yes

access token

Header

Access token for the customer.
Set to an LWA token.

String

Yes

Request body example

Copied to clipboard.

{
   "items": [
     {
        "itemId" : 0,
        "principalId": "amzn1.alexa.user.example1",
        "propagate": false
     },
     {
        "itemId" : 1,         
        "principalId": "amzn1.alexa.user.3",
        "propagate": true
     },
     {
        "itemId" : 2,
        "principalId": "amzn1.alexa.user.4",
        "propagate": false
     }
   ]
}

Request body properties

Property Description Type Required

items

List of principals to which to revoke the role.

Array of objects

Yes

items[].itemId

Unique identifier for the assignment.

Integer

Yes

items[].principalId

Identifies the principal for whom to revoke the role.
Formatted as Amazon Common Identifier (ACI), amzn1.account.{id}.
For details about how to get the principal ID, see Obtain Customer Profile Information. The user_id you receive in the customer profile response is the value to use for principalId.

String

Yes

items[].propagate

Indicates whether to propagate the role revocation to the entire unit hierarchy.
Only the Amazon Business account's principal ID can propagate roles.

Boolean

No

Response

A successful response returns HTTP 202 Accepted. On error, the response returns the appropriate HTTP status code and includes a response body with a BatchError object.

Response body example

The response has no body.

Response body properties

The response has no body.

HTTP status codes

Status Description

202 Accepted

Request to revoke a role for the specified principals accepted.

400 Bad Request

Indicates that one or more properties in the request body aren't valid.

The response might include one of the following errors types and messages:

  • BAD_REQUEST – The request is malformed or is missing any required parameters.
  • DUPLICATE_REQUEST_ITEM_FOUND – Request contains a duplicate request item.
  • INVALID_PRINCIPAL_ID – Invalid principalId.
  • INVALID_ROLE_ID – Invalid roleId.
  • NO_UNIT_FOR_ROLE – Role not backed by a unit; propagation not supported.
  • PRINCIPAL_IS_PROPAGATED – Role revocation isn't supported for the principal. The current role assignment is the source of a propagation chain. You must pass in the propagate flag with a value of true.
  • PRINCIPAL_IS_NOT_PROPAGATED – Role revocation isn't supported for the principal. The current role assignment is a non-propagated assignment. Either don't pass in the propagate flag, or set the propagate flag to false.
  • PROPAGATED_FROM_ANOTHER_ROLE – You attempted to revoke a propagated role assignment. Restart revoke propagation at the source with the propagate flag set to true.
  • REQUEST_LIMIT_EXCEEDED – Request exceeded the limit on the number of principals for role assignment per one request.

401 Unauthorized

Request didn't include the authorization token, or the included token expired or isn't valid. Or, you don't have access to the resource.

403 Forbidden

Indicates that the authorization token is valid, but the requested operation isn't allowed.

404 Not Found

Requested resource not found.

429 Too Many Requests

Permitted rate limit, specified as the number of requests per unit of time, exceeded. You can retry the request by using exponential back-off.

500 Server Error

Error occurred on the server. You can retry the request by using exponential back-off.

503 Service Unavailable

Server is down for maintenance, overloaded, or otherwise unavailable to handle the incoming request.

Get role

Get the details of the specified role.

This operation is available in the following countries.

Healthcare Hospitality Senior Living Core

US

US, UK, FR, CA, IT, DE, ES, JP

US, UK, FR, CA, IT, DE, ES, JP

US

Request

To get the role details, you make a GET request to the /v1/roles/{roleId} resource.

Request path and header example

Copied to clipboard.

GET /v1/roles/{roleId} HTTP/1.1
Host: api.amazonalexa.com
Accept: application/json
Authorization: Bearer {access token}

Request path and header parameters

Parameter Located in Description Type Required

roleId

Path

Identifies the role.
Formatted as Amazon Common Identifier (ACI), amzn1.alexa.role.did.{id}.

String

Yes

access token

Header

Access token for the customer.
Set to an LWA token.

String

Yes

Request body example

The request has no body.

Request body properties

The request has no body.

Response

A successful response returns HTTP 200 OK, along with the details of the role. On error, the response returns the appropriate HTTP status code and includes a response body with a human-readable description.

Response body example

{
   "roleId": "amzn1.alexa.role.did.1",
   "roleName": "Admin",
   "unitId": "amzn1.alexa.unit.did.101",
   "targetEntityId": "target.entity.1"
}

Response body properties

Property Description Type

roleId

Identifies the role for the unit.
Formatted as Amazon Common Identifier (ACI), amzn1.alexa.role.did.{id}.

String

roleName

Name of the role.

String

unitId

Identifies the unit assigned the role.
Formatted as Amazon Common Identifier (ACI), amzn1.alexa.unit.did.{id}.

String

targetEntityId

Identifies the target entity assigned the role.

String

HTTP status codes

Status Description

200 OK

Response body contains the details of the role.

400 Bad Request

Indicates that one or more properties in the request body aren't valid.

401 Unauthorized

Request didn't include the authorization token, or the included token expired or isn't valid. Or, you don't have access to the resource.

403 Forbidden

Indicates that the authorization token is valid, but the requested operation isn't allowed.

404 Not Found

Requested resource not found.

429 Too Many Requests

Permitted rate limit, specified as the number of requests per unit of time, exceeded. You can retry the request by using exponential back-off.

500 Server Error

Error occurred on the server. You can retry the request by using exponential back-off.

503 Service Unavailable

Server is down for maintenance, overloaded, or otherwise unavailable to handle the incoming request.

List principal assignments

List the principal assignments for the specified role.

This operation is available in the following countries.

Healthcare Hospitality Senior Living Core

US

US, UK, FR, CA, IT, DE, ES, JP

US, UK, FR, CA, IT, DE, ES, JP

US

Request

To list assignments, you make a GET request to the /v1/roles/{roleId}/assignments resource.

Request path and header example

Copied to clipboard.

GET /v1/roles/{roleId}/assignments?maxResults={maxResults}&nextToken={nextToken}
Host: api.amazonalexa.com
Content-Type: application/json
Authorization: Bearer {access token}
Accept: application/json

Request path and header parameters

Parameter Located in Description Type Required

roleId

Path

Identifies the role.
Formatted as Amazon Common Identifier (ACI), amzn1.alexa.role.did.{id}.

String

Yes

maxResults

Query

Maximum number of results to return in the response.
Valid values: 1–10. Default: 10.

Integer

No

nextToken

Query

Token from the previous response.
Include if iterating over a paginated response.

String

No

access token

Header

Access token for the customer.
Set to an LWA token.

String

Yes

Request body example

The request has no body.

Request body properties

The request has no body.

Response

A successful response returns HTTP 200 OK, along with a list of role assignments. On error, the response returns the appropriate HTTP status code and includes a response body with a human-readable description.

Response body example

{
  "results": [
    {
      "roleId": "amzn1.alexa.role.did.1",
      "principalId": "amzn1.account.1",
      "expiresAt": "2021-06-10T14:00:00Z",
      "propagatedRoleId": "amzn1.alexa.role.originRoleId"
    },
    {
      "roleId": "amzn1.alexa.role.did.1",
      "principalId": "amzn1.account.2",
      "expiresAt": "2021-06-10T14:00:00Z",
      "propagatedRoleId": "amzn1.alexa.role.originRoleId"
    }
  ],
  "paginationContext": {
    "nextToken": null
  }
}

Response body properties

Property Description Type

results

List of role assignments

Array of objects

results[].roleId

Identifies the role.
Formatted as Amazon Common Identifier (ACI), amzn1.alexa.role.did.{id}.

String

results[].principalId

Identifies the principal assigned to the role.
Formatted as Amazon Common Identifier (ACI), amzn1.account.{id}.

String

results[].expiresAt

(Optional) Expiration date and time at which the assigned role expires.
Defined in ISO 8601 format, YYYY-MM-DDThh:mm:ssZ.

String

results[].propagatedRoleId

(Optional) Identifies the original role from which this role assignment propagated.
Formatted as Amazon Common Identifier (ACI), amzn1.alexa.role.did.{id}.

String

paginationContext

Indicates whether there are more results to return.

Object

paginationContext.nextToken

Included when the response is truncated.
Use this value in a subsequent request with the same filter parameters as this request.
If no more results, nextToken is null.

String

HTTP status codes

Status Description

200 OK

Response body contains a list of role assignments.

400 Bad Request

Indicates that one or more properties in the request body aren't valid.

401 Unauthorized

Request didn't include the authorization token, or the included token expired or isn't valid. Or, you don't have access to the resource.

403 Forbidden

Indicates that the authorization token is valid, but the requested operation isn't allowed.

404 Not Found

Requested resource not found.

429 Too Many Requests

Permitted rate limit, specified as the number of requests per unit of time, exceeded. You can retry the request by using exponential back-off.

500 Server Error

Error occurred on the server. You can retry the request by using exponential back-off.

503 Service Unavailable

Server is down for maintenance, overloaded, or otherwise unavailable to handle the incoming request.

List roles

Get a list of roles defined for the specified unit or target entity. You can assign these roles to a user by using Assign role or Batch assign role.

This operation is available in the following countries.

Healthcare Hospitality Senior Living Core

US

US, UK, FR, CA, IT, DE, ES, JP

US, UK, FR, CA, IT, DE, ES, JP

US

Request

To list roles, you make a GET request to the /v1/roles resource.

Request path and header example

Copied to clipboard.

GET /v1/roles?unitId={unitId}&targetEntityId={targetEntityId}&roleName={roleName}&maxResults={maxResults}&nextToken={nextToken}
Host: api.amazonalexa.com
Accept: application/json
Authorization: Bearer {access token}

Request path and header parameters

Parameter Located in Description Type Required

unitId

Query

Filter on the unit.
Formatted as Amazon Common Identifier (ACI), amzn1.alexa.unit.did.{id}.
You must specify either a unitId or targetEntityId in the request.

String

No

targetEntityId

Query

Filter on the name of the target entity.
You must specify either a unitId or targetEntityId in the request.

String

No

roleName

Query

Filter on the name of the role.

String

No

maxResults

Query

Maximum number of results to return in the response.
Valid values: 1–10. Default: 10.

Integer

No

nextToken

Query

Token from the previous response.
Include if iterating over a paginated response.

String

No

access token

Header

Access token for the customer.
Set to an LWA token.

String

Yes

Request body example

The request has no body.

Request body properties

The request has no body.

Response

A successful response returns HTTP 200 OK, along with a list of roles for the specified unit or target entity. On error, the response returns the appropriate HTTP status code and includes a response body with a human-readable description.

Response body example

{
   "results": [
      {
         "roleId": "amzn1.alexa.role.did.1",
         "roleName": "Admin",
         "unitId": "amzn1.alexa.unit.did.101",
         "targetEntityId": "amzn1.alexa.unit.did.101"         
      },
      {
         "roleId": "amzn1.alexa.role.did.2",
         "roleName": "ReadOnly",
         "unitId": "amzn1.alexa.unit.did.101",
         "targetEntityId": "amzn1.alexa.unit.did.101"         
      }     
   ],
   "paginationContext": {
      "nextToken": someToken.1
   }
}

Response body properties

Property Description Type

results

List of roles for the specified unit or target entity.

Array of objects

results[].roleId

Identifies the role for the unit.
Formatted as Amazon Common Identifier (ACI), amzn1.alexa.role.did.{id}.

String

results[].roleName

Name of the role.

String

results[].unitId

Identifies the unit assigned the role.
Formatted as Amazon Common Identifier (ACI), amzn1.alexa.unit.did.{id}.

String

results[].targetEntityId

Identifies the target entity assigned the role.

String

paginationContext

Indicates whether there are more results to return.

Object

paginationContext.nextToken

Included when the response is truncated.
Use this value in a subsequent request with the same filter parameters as this request.
If no more results, nextToken is null.

String

HTTP status codes

Status Description

200 OK

Response body contains list of roles for the specified unit or target entity.

400 Bad Request

Indicates that one or more properties in the request body aren't valid.

401 Unauthorized

Request didn't include the authorization token, or the included token expired or isn't valid. Or, you don't have access to the resource.

403 Forbidden

Indicates that the authorization token is valid, but the requested operation isn't allowed.

404 Not Found

Requested resource not found.

429 Too Many Requests

Permitted rate limit, specified as the number of requests per unit of time, exceeded. You can retry the request by using exponential back-off.

500 Server Error

Error occurred on the server. You can retry the request by using exponential back-off.

503 Service Unavailable

Server is down for maintenance, overloaded, or otherwise unavailable to handle the incoming request.

List role assignments

List role assignments for the specified principal and unit or target entity.

This operation is available in the following countries.

Healthcare Hospitality Senior Living Core

US

US, UK, FR, CA, IT, DE, ES, JP

US, UK, FR, CA, IT, DE, ES, JP

US

Request

To list assignments, you make a GET request to the /v1/roles/assignments resource.

Request path and header example

Copied to clipboard.

GET /v1/roles/assignments?principalId={principalId}&unitId={unitId}&targetEntityId={targetEntityId}&maxResults={maxResults}&nextToken={nextToken}  HTTP/1.1
Host: api.amazonalexa.com
Accept: application/json
Authorization: Bearer {access token}

Request path and header parameters

Parameter Located in Description Type Required

principalId

Query

Identifies the principal for whom to get the role assignments.
Formatted as Amazon Common Identifier (ACI), amzn1.account.{id}.
For details about how to get the principal ID, see Obtain Customer Profile Information. The user_id you receive in the customer profile response is the value to use for principalId.

String

Yes

unitId

Query

Filter on the unit.
Formatted as Amazon Common Identifier (ACI), amzn1.alexa.unit.did.{id}.

String

No

targetEntityId

Query

Filter on the name of the target entity.

String

No

maxResults

Query

Maximum number of results to return in the response.
Valid values: 1–10. Default: 10.

Integer

No

nextToken

Query

Token from the previous response.
Include if iterating over a paginated response.

String

No

access token

Header

Access token for the customer.
Set to an LWA token.

String

Yes

Request body example

The request has no body.

Request body properties

The request has no body.

Response

A successful response returns HTTP 200 OK, along with a list of role assignments for the specified principal. On error, the response returns the appropriate HTTP status code and includes a response body with a human-readable description.

Response body example

{
  "results" : [
    {
      "roleId" : "amzn1.alexa.role.did.1",
      "principalId" : "amzn1.account.1",
      "expiresAt": "2021-06-10T14:00:00Z",
      "propagatedRoleId": "amzn1.alexa.role.originRoleId"
    }
  ],
    "paginationContext": {
      "nextToken": null
  }
}

Response body properties

Property Description Type

results

List of roles for the specified principal.

Array of objects

results[].roleId

Identifies the role assigned to the specified principal.
Formatted as Amazon Common Identifier (ACI), amzn1.alexa.role.did.{id}.

String

results[i].principalId

Identifies the principal.
Formatted as Amazon Common Identifier (ACI), amzn1.account.{id}.

String

results[].expiresAt

(Optional) Expiration date and time at which the assigned role expires.
Defined in ISO 8601 format, YYYY-MM-DDThh:mm:ssZ.

String

results[].propagatedRoleId

(Optional) Identifies the original role from which this role assignment propagated.
Formatted as Amazon Common Identifier (ACI), amzn1.alexa.role.did.{id}.

String

paginationContext

Indicates whether there are more results to return.

Object

paginationContext.nextToken

Included when the response is truncated.
Use this value in a subsequent request with the same filter parameters as this request.
If no more results, nextToken is null.

String

HTTP status codes

Status Description

200 OK

Response body contains a list of role assignments for the specified principal.

400 Bad Request

Indicates that one or more properties in the request body aren't valid.

401 Unauthorized

Request didn't include the authorization token, or the included token expired or isn't valid. Or, you don't have access to the resource.

403 Forbidden

Indicates that the authorization token is valid, but the requested operation isn't allowed.

404 Not Found

Requested resource not found.

429 Too Many Requests

Permitted rate limit, specified as the number of requests per unit of time, exceeded. You can retry the request by using exponential back-off.

500 Server Error

Error occurred on the server. You can retry the request by using exponential back-off.

503 Service Unavailable

Server is down for maintenance, overloaded, or otherwise unavailable to handle the incoming request.

Revoke role assignment

Remove a role assignment for the specified principal. You can enable propagation to revoke the role assignment to the property hierarchy.

This operation is available in the following countries.

Healthcare Hospitality Senior Living Core

US

US, UK, FR, CA, IT, DE, ES, JP

US, UK, FR, CA, IT, DE, ES, JP

US

Request

To remove a role assignment, you make a DELETE request to the /v1/roles/{roleId}/assignments resource.

Request path and header example

Copied to clipboard.

DELETE /v1/roles/{roleId}/assignments?principalId={principalId}&propagate={propagate}
Host: api.amazonalexa.com
Accept: application/json
Authorization: Bearer {access token}

Request path and header parameters

Parameter Located in Description Type Required

roleId

Path

Identifies the role.
Formatted as Amazon Common Identifier (ACI), amzn1.alexa.role.did.{id}.

String

Yes

principalId

Query

Identifies the principal for whom to revoke the role assignment.
Formatted as Amazon Common Identifier (ACI), amzn1.account.{id}.
For details about how to get the principal ID, see Obtain Customer Profile Information. The user_id you receive in the customer profile response is the value to use for principalId.

String

Yes

propagate

Query

Indicates whether to propagate the role revocation to the entire unit hierarchy.
Only the Amazon Business account's principal ID can propagate roles.
Default: false.

Boolean

No

access token

Header

Access token for the customer.
Set to an LWA token.

String

Yes

Request body example

The request has no body.

Request body properties

The request has no body.

Response

A successful response returns HTTP 202 Accepted or HTTP 204 No content. On error, the response returns the appropriate HTTP status code and includes a response body with a human-readable description.

Response body example

The response has no body.

Response body properties

The response has no body.

HTTP status codes

Status Description

202 Accepted

Role revoked successfully and the propagation request for the specified principal accepted.

204 No content

Role revoked successfully. No propagation specified.

400 Bad Request

Indicates that one or more properties in the request body aren't valid.

The response might include one of the following error descriptions:

  • You attempted to revoke a role assignment that's propagated from a different unit.
  • You attempted to revoke a propagated role assignment without the propagate flag (or vice versa).

401 Unauthorized

Request didn't include the authorization token, or the included token expired or isn't valid. Or, you don't have access to the resource.

403 Forbidden

Indicates that the authorization token is valid, but the requested operation isn't allowed.

404 Not Found

Requested resource not found.

429 Too Many Requests

Permitted rate limit, specified as the number of requests per unit of time, exceeded. You can retry the request by using exponential back-off.

500 Server Error

Error occurred on the server. You can retry the request by using exponential back-off.

503 Service Unavailable

Server is down for maintenance, overloaded, or otherwise unavailable to handle the incoming request.

Object definitions

The Role API defines the following object definitions.

BatchError object

The BatchError object defines the error code and description included in the response when an error occurs during a batch operation.

The following example shows the response body.

{
  "errors": [
    {
       "itemId": 0,
       "status": 400,   
       "errorCode" : "INVALID_PRINCIPAL_ID",   
       "errorDescription": "Invalid principalId specified."
    },
    {
       "itemId": 1,
       "status": 400,      
       "errorCode" : "REQUEST_LIMIT_EXCEEDED",
       "errorDescription": "The number of request items in the batch request exceeds the limit (50)."
    }
  ]
}

The BatchError object defines the following properties.

Property Description Type

itemId

(Optional) Identifies the request item that failed.

Integer

status

HTTP status code.

String

errorCode

Type of error that occurred.

String

errorDescription

Human-readable error message. The error message appears only for debugging/logging purposes. You must not share it with the customer. No business logic should depend on the content of the error message.

String


Was this page helpful?

Last updated: Dec 04, 2024