Role REST API Reference

Note: Sign in to the developer console to build or publish your skill.

Note: This API is only available to registered Alexa Smart Properties partners. For details, see Get Started with Alexa Smart Properties APIs.

Use the Role REST API to manage organizational roles in Alexa Smart Properties (ASP). A role defines the operations that the user has permission to perform on units. Before a user can access any ASP resources, the user must have an assigned role. Alexa assigns the administrator role to the creator of a unit automatically.

For more details about organizational roles, see About Managing Roles in Alexa Smart Properties.

API endpoint

Based on the country of your organization, set the Host parameter in the request header to one of the following API endpoints.

Country	Endpoint
CA, US	`https://api.amazonalexa.com`
DE, ES, FR, IT, UK	`https://api.eu.amazonalexa.com`
JP	`https://api.fe.amazonalexa.com`

Authentication

Each API request must have an authorization header whose value is the access token retrieved from Login with Amazon (LWA). For details, see Manage API Access.

Operations

The Role API includes the following operations.

Operation	HTTP Method and URI
Assign role	`POST /v1/roles/{roleId}/assignments`
Batch assign role	`POST /v1/roles/{roleId}/assignments/batchAssign`
Batch revoke role assignment	`POST /v1/roles/{roleId}/assignments/batchRevoke`
Get role	`GET /v1/roles/{roleId}`
List principal assignments	`GET /v1/roles/{roleId}/assignments?maxResults={maxResults}&nextToken={nextToken}`
List roles	`GET /v1/roles?unitId={unitId}&targetEntityId={targetEntityId}&roleName={roleName}&maxResults={maxResults}&nextToken={nextToken}`
List role assignments	`GET /v1/roles/assignments?principalId={principalId}&unitId={unitId}&targetEntityId={targetEntityId}&maxResults={maxResults}&nextToken={nextToken}`
Revoke role assignment	`DELETE /v1/roles/{roleId}/assignments?principalId={principalId}&propagate={propagate}`

Assign role

Assign the specified role to the specified principal. You can't assign the same role to a principal who is already assigned that role. For details about how to retrieve the user ID for the principal, see Obtain Customer Profile Information. You can assign a role and optionally propagate the role assignment to the property hierarchy. And, you can assign a role temporarily.

This operation is available in the following countries.

Healthcare	Hospitality	Senior Living	Core
US	US, UK, FR, CA, IT, DE, ES, JP	US, UK, FR, CA, IT, DE, ES, JP	US

Request

To assign a role, you make a POST request to the POST /v1/roles/{roleId}/assignments resource.

Request path and header example

Copied to clipboard.

POST /v1/roles/{roleId}/assignments HTTP/1.1
Host: api.amazonalexa.com
Accept: application/json
Authorization: Bearer {access token}

Request path and header parameters

Parameter	Located in	Description	Type	Required
`roleId`	Path	Identifies the role. Formatted as Amazon Common Identifier (ACI), `amzn1.alexa.role.did.{id}`.	String	Yes
`access token`	Header	Access token for the customer. Set to an LWA token.	String	Yes

Request body example

Copied to clipboard.

   "principalId" : "amzn1.account.1",
   "propagate" : true,
   "expiresAt": "2021-11-02T12:51:00.000Z"

Request body properties

Property	Description	Type	Required
`principalId`	Identifies the principal for whom to assign the role. Formatted as Amazon Common Identifier (ACI), `amzn1.account.{id}`. For details about how to get the principal ID, see Obtain Customer Profile Information. The `user_id` you receive in the customer profile response is the value to use for `principalId`.	String	Yes
`propagate`	Indicates whether to propagate the role assignment to the entire unit hierarchy. Only the Amazon Business account's principal ID can propagate roles. Default: `false`.	Boolean	No
`expiresAt`	Assign the role to the specified principal until the specified expiration date and time. The expiration time must be at least 30 minutes after the current time and no more than 30 days from the current time. When not set, the role assignment never expires. When `expiresAt` has a value and `propagate` is `true`, all assignments in the unit hierarchy inherit the expiration time. Defined in ISO 8601 format, `YYYY-MM-DDThh:mm:ssZ`.	String	No

Response

A successful response returns HTTP 202 Accepted or HTTP 204 No content. On error, the response returns the appropriate HTTP status code and includes a response body with a human-readable description.

Response body example

The response has no body.

Response body properties

The response has no body.

HTTP status codes

Status	Description
`202 Accepted`	Role assigned successfully and the propagation request for the specified principal accepted.
`204 No content`	Role assigned successfully. No propagation specified.
`400 Bad Request`	Indicates that one or more properties in the request body aren't valid.
`401 Unauthorized`	Request didn't include the authorization token, or the included token expired or isn't valid. Or, you don't have access to the resource.
`403 Forbidden`	Indicates that the authorization token is valid, but the requested operation isn't allowed.
`404 Not Found`	Requested resource not found.
`429 Too Many Requests`	Permitted rate limit, specified as the number of requests per unit of time, exceeded. You can retry the request by using exponential back-off.
`500 Server Error`	Error occurred on the server. You can retry the request by using exponential back-off.
`503 Service Unavailable`	Server is down for maintenance, overloaded, or otherwise unavailable to handle the incoming request.

Batch assign role

Assign the specified role to the list of principals. For details about how to retrieve the user ID for the principal, see Obtain Customer Profile Information. You can assign a role and optionally propagate the role assignment to the property hierarchy. And, you can assign a role temporarily.

After accepting the request, this operation performs synchronous validations and then returns a successful response. Each principal is then assigned to the role asynchronously in the background. For any inputs that aren't valid, the entire operation fails. Either all the request items are processed or none are processed.

If there's an existing role assignment for a given roleId and principalId with propagate set to false, a role assignment request for the same roleId and principalId with a propagation value of true updates the existing role assignment with propagation.

Note: This operation can't downgrade a propagated role assignment. If there's an existing role assignment for a given roleId and principalId with propagate set to true, the operation returns an error if you try to make a role assignment request for the same roleId and principalId with a propagation value of false. To downgrade a propagated role assignment, you must first revoke the role assignment with Revoke a role assignment or Batch revoke a role assignment, and then reassign it.

This operation is available in the following countries.

Healthcare	Hospitality	Senior Living	Core
US	US, UK, FR, CA, JP	US, CA, JP	US

Request

To assign a role, you make a POST request to the POST /v1/roles/{roleId}/assignments/batchAssign resource.

Request path and header example

Copied to clipboard.

POST /v1/roles/{roleId}/assignments/batchAssign HTTP/1.1
Host: api.amazonalexa.com
Accept: application/json
Authorization: Bearer {access token}

Request path and header parameters

Parameter	Located in	Description	Type	Required
`roleId`	Path	Identifies the role. Formatted as Amazon Common Identifier (ACI), `amzn1.alexa.role.did.{id}`.	String	Yes
`access token`	Header	Access token for the customer. Set to an LWA token.	String	Yes

Request body example

Copied to clipboard.

{
   "items": [
     {
        "itemId" : 0,
        "principalId": "amzn1.alexa.user.2",
        "propagate": false,
        "expiresAt": "2021-11-02T12:51:00.000Z"
     },
     {
        "itemId" : 1,         
        "principalId": "amzn1.alexa.user.3",
        "propagate": true
     },
     {
        "itemId" : 2,
        "principalId": "amzn1.alexa.user.4",
        "propagate": false
     }
   ]
}

Request body properties

Property	Description	Type	Required
`items`	List of principals to which to assign the role.	Array of objects	Yes
`items[].itemId`	Unique identifier for the assignment.	Integer	Yes
`items[].principalId`	Identifies the principal for whom to assign the role. Formatted as Amazon Common Identifier (ACI), `amzn1.account.{id}`. For details about how to get the principal ID, see Obtain Customer Profile Information. The `user_id` you receive in the customer profile response is the value to use for `principalId`.	String	Yes
`items[].propagate`	Indicates whether to propagate the role assignment to the entire unit hierarchy. Only the Amazon Business account's principal ID can propagate roles.	Boolean	No
`items[].expiresAt`	Assign the role to the specified principal until the specified expiration date and time. The expiration time must be at least 30 minutes after the current time and no more than 30 days from the current time. When not set, the role assignment never expires. When `expiresAt` has a value and `propagate` is `true`, all assignments in the unit hierarchy inherit the expiration time. Defined in ISO 8601 format, `YYYY-MM-DDThh:mm:ssZ`.	String	No

Response

A successful response returns HTTP 202 Accepted. On error, the response returns the appropriate HTTP status code and includes a response body with a BatchError object.

Response body example

The response has no body.

Response body properties

The response has no body.

HTTP status codes

Status	Description
`202 Accepted`	Request to assign a role for the specified principals accepted.
`400 Bad Request`	Indicates that one or more properties in the request body aren't valid. The response might include one of the following errors types and messages: `BAD_REQUEST` – The request is malformed or is missing any required parameters. `DUPLICATE_REQUEST_ITEM_FOUND` – Request contains a duplicate request item. `INVALID_PRINCIPAL_ID` – Invalid `principalId`. `INVALID_ROLE_ID` – Invalid `roleId`. `NO_UNIT_FOR_ROLE` – Role not backed by a unit; propagation not supported. `REQUEST_LIMIT_EXCEEDED` – Request exceeded the limit on the number of principals for role assignment per one request. `ROLE_ASSIGNMENT_NOT_SUPPORTED` – You can't downgrade an already propagated role assignment to a standalone assignment; the propagate flag should be true.
`401 Unauthorized`	Request didn't include the authorization token, or the included token expired or isn't valid. Or, you don't have access to the resource.
`403 Forbidden`	Indicates that the authorization token is valid, but the requested operation isn't allowed.
`404 Not Found`	Requested resource not found.
`429 Too Many Requests`	Permitted rate limit, specified as the number of requests per unit of time, exceeded. You can retry the request by using exponential back-off.
`500 Server Error`	Error occurred on the server. You can retry the request by using exponential back-off.
`503 Service Unavailable`	Server is down for maintenance, overloaded, or otherwise unavailable to handle the incoming request.

Batch revoke role assignment

Remove a role assignment for the specified list of principals. You can enable propagation to revoke the role assignment to the property hierarchy.

After accepting the request, this operation performs synchronous validations and then returns a successful response. Each principal is then revoked from the role asynchronously in the background. For any inputs that aren't valid, the entire operation fails. Either all the request items are processed or none are processed.

Note: You must include the propagate flag with the same value that you used in the assign role operations. You can't revoke a propagated role assignment without propagate=true and you can't revoke a non-propagated role assignment with propagate=false.

This operation is available in the following countries.

Healthcare	Hospitality	Senior Living	Core
US	US, UK, FR, CA, JP	US, CA, JP	US

Request

To remove the role, you make a POST request to the /v1/roles/{roleId}/assignments/batchRevoke resource.

Request path and header example

Copied to clipboard.

POST /v1/roles/{roleId}/assignments/batchRevoke
Host: api.amazonalexa.com
Content-Type: application/json
Authorization: Bearer {access token}

Request path and header parameters

Parameter	Located in	Description	Type	Required
`roleId`	Path	Identifies the role. Formatted as Amazon Common Identifier (ACI), `amzn1.alexa.role.did.{id}`.	String	Yes
`access token`	Header	Access token for the customer. Set to an LWA token.	String	Yes

Request body example

Copied to clipboard.

{
   "items": [
     {
        "itemId" : 0,
        "principalId": "amzn1.alexa.user.example1",
        "propagate": false
     },
     {
        "itemId" : 1,         
        "principalId": "amzn1.alexa.user.3",
        "propagate": true
     },
     {
        "itemId" : 2,
        "principalId": "amzn1.alexa.user.4",
        "propagate": false
     }
   ]
}

Request body properties

Property	Description	Type	Required
`items`	List of principals to which to revoke the role.	Array of objects	Yes
`items[].itemId`	Unique identifier for the assignment.	Integer	Yes
`items[].principalId`	Identifies the principal for whom to revoke the role. Formatted as Amazon Common Identifier (ACI), `amzn1.account.{id}`. For details about how to get the principal ID, see Obtain Customer Profile Information. The `user_id` you receive in the customer profile response is the value to use for `principalId`.	String	Yes
`items[].propagate`	Indicates whether to propagate the role revocation to the entire unit hierarchy. Only the Amazon Business account's principal ID can propagate roles.	Boolean	No

Response

A successful response returns HTTP 202 Accepted. On error, the response returns the appropriate HTTP status code and includes a response body with a BatchError object.

Response body example

The response has no body.

Response body properties

The response has no body.

HTTP status codes

Status	Description
`202 Accepted`	Request to revoke a role for the specified principals accepted.
`400 Bad Request`	Indicates that one or more properties in the request body aren't valid. The response might include one of the following errors types and messages: `BAD_REQUEST` – The request is malformed or is missing any required parameters. `DUPLICATE_REQUEST_ITEM_FOUND` – Request contains a duplicate request item. `INVALID_PRINCIPAL_ID` – Invalid `principalId`. `INVALID_ROLE_ID` – Invalid `roleId`. `NO_UNIT_FOR_ROLE` – Role not backed by a unit; propagation not supported. `PRINCIPAL_IS_PROPAGATED` – Role revocation isn't supported for the principal. The current role assignment is the source of a propagation chain. You must pass in the `propagate` flag with a value of `true`. `PRINCIPAL_IS_NOT_PROPAGATED` – Role revocation isn't supported for the principal. The current role assignment is a non-propagated assignment. Either don't pass in the `propagate` flag, or set the `propagate` flag to `false`. `PROPAGATED_FROM_ANOTHER_ROLE` – You attempted to revoke a propagated role assignment. Restart revoke propagation at the source with the `propagate` flag set to `true`. `REQUEST_LIMIT_EXCEEDED` – Request exceeded the limit on the number of principals for role assignment per one request.
`401 Unauthorized`	Request didn't include the authorization token, or the included token expired or isn't valid. Or, you don't have access to the resource.
`403 Forbidden`	Indicates that the authorization token is valid, but the requested operation isn't allowed.
`404 Not Found`	Requested resource not found.
`429 Too Many Requests`	Permitted rate limit, specified as the number of requests per unit of time, exceeded. You can retry the request by using exponential back-off.
`500 Server Error`	Error occurred on the server. You can retry the request by using exponential back-off.
`503 Service Unavailable`	Server is down for maintenance, overloaded, or otherwise unavailable to handle the incoming request.

Get role

Get the details of the specified role.

This operation is available in the following countries.

Healthcare	Hospitality	Senior Living	Core
US	US, UK, FR, CA, IT, DE, ES, JP	US, UK, FR, CA, IT, DE, ES, JP	US

Request

To get the role details, you make a GET request to the /v1/roles/{roleId} resource.

Request path and header example

Copied to clipboard.

GET /v1/roles/{roleId} HTTP/1.1
Host: api.amazonalexa.com
Accept: application/json
Authorization: Bearer {access token}

Request path and header parameters

Parameter	Located in	Description	Type	Required
`roleId`	Path	Identifies the role. Formatted as Amazon Common Identifier (ACI), `amzn1.alexa.role.did.{id}`.	String	Yes
`access token`	Header	Access token for the customer. Set to an LWA token.	String	Yes

Request body example

The request has no body.

Request body properties

The request has no body.

Response

A successful response returns HTTP 200 OK, along with the details of the role. On error, the response returns the appropriate HTTP status code and includes a response body with a human-readable description.

Response body example

{
   "roleId": "amzn1.alexa.role.did.1",
   "roleName": "Admin",
   "unitId": "amzn1.alexa.unit.did.101",
   "targetEntityId": "target.entity.1"
}

Response body properties

Note: For unit-based roles, the response contains the same value in both the unitId and targetEntityId fields. For target-entity-based roles, the response contains the targetEntityId field, and the unitId field is null or empty.

Property	Description	Type
`roleId`	Identifies the role for the unit. Formatted as Amazon Common Identifier (ACI), `amzn1.alexa.role.did.{id}`.	String
`roleName`	Name of the role.	String
`unitId`	Identifies the unit assigned the role. Formatted as Amazon Common Identifier (ACI), `amzn1.alexa.unit.did.{id}`.	String
`targetEntityId`	Identifies the target entity assigned the role.	String

HTTP status codes

Status	Description
`200 OK`	Response body contains the details of the role.
`400 Bad Request`	Indicates that one or more properties in the request body aren't valid.
`401 Unauthorized`	Request didn't include the authorization token, or the included token expired or isn't valid. Or, you don't have access to the resource.
`403 Forbidden`	Indicates that the authorization token is valid, but the requested operation isn't allowed.
`404 Not Found`	Requested resource not found.
`429 Too Many Requests`	Permitted rate limit, specified as the number of requests per unit of time, exceeded. You can retry the request by using exponential back-off.
`500 Server Error`	Error occurred on the server. You can retry the request by using exponential back-off.
`503 Service Unavailable`	Server is down for maintenance, overloaded, or otherwise unavailable to handle the incoming request.

List principal assignments

List the principal assignments for the specified role.

This operation is available in the following countries.

Healthcare	Hospitality	Senior Living	Core
US	US, UK, FR, CA, IT, DE, ES, JP	US, UK, FR, CA, IT, DE, ES, JP	US

Request

To list assignments, you make a GET request to the /v1/roles/{roleId}/assignments resource.

Request path and header example

Copied to clipboard.

GET /v1/roles/{roleId}/assignments?maxResults={maxResults}&nextToken={nextToken}
Host: api.amazonalexa.com
Content-Type: application/json
Authorization: Bearer {access token}
Accept: application/json

Request path and header parameters

Parameter	Located in	Description	Type	Required
`roleId`	Path	Identifies the role. Formatted as Amazon Common Identifier (ACI), `amzn1.alexa.role.did.{id}`.	String	Yes
`maxResults`	Query	Maximum number of results to return in the response. Valid values: 1–10. Default: 10.	Integer	No
`nextToken`	Query	Token from the previous response. Include if iterating over a paginated response.	String	No
`access token`	Header	Access token for the customer. Set to an LWA token.	String	Yes

Request body example

The request has no body.

Request body properties

The request has no body.

Response

A successful response returns HTTP 200 OK, along with a list of role assignments. On error, the response returns the appropriate HTTP status code and includes a response body with a human-readable description.

Response body example

{
  "results": [
    {
      "roleId": "amzn1.alexa.role.did.1",
      "principalId": "amzn1.account.1",
      "expiresAt": "2021-06-10T14:00:00Z",
      "propagatedRoleId": "amzn1.alexa.role.originRoleId"
    },
    {
      "roleId": "amzn1.alexa.role.did.1",
      "principalId": "amzn1.account.2",
      "expiresAt": "2021-06-10T14:00:00Z",
      "propagatedRoleId": "amzn1.alexa.role.originRoleId"
    }
  ],
  "paginationContext": {
    "nextToken": null
  }
}

Response body properties

Property	Description	Type
`results`	List of role assignments	Array of objects
`results[].roleId`	Identifies the role. Formatted as Amazon Common Identifier (ACI), `amzn1.alexa.role.did.{id}`.	String
`results[].principalId`	Identifies the principal assigned to the role. Formatted as Amazon Common Identifier (ACI), `amzn1.account.{id}`.	String
`results[].expiresAt`	(Optional) Expiration date and time at which the assigned role expires. Defined in ISO 8601 format, `YYYY-MM-DDThh:mm:ssZ`.	String
`results[].propagatedRoleId`	(Optional) Identifies the original role from which this role assignment propagated. Formatted as Amazon Common Identifier (ACI), `amzn1.alexa.role.did.{id}`.	String
`paginationContext`	Indicates whether there are more results to return.	Object
`paginationContext.nextToken`	Included when the response is truncated. Use this value in a subsequent request with the same filter parameters as this request. If no more results, `nextToken` is `null`.	String

HTTP status codes

Status	Description
`200 OK`	Response body contains a list of role assignments.
`400 Bad Request`	Indicates that one or more properties in the request body aren't valid.
`401 Unauthorized`	Request didn't include the authorization token, or the included token expired or isn't valid. Or, you don't have access to the resource.
`403 Forbidden`	Indicates that the authorization token is valid, but the requested operation isn't allowed.
`404 Not Found`	Requested resource not found.
`429 Too Many Requests`	Permitted rate limit, specified as the number of requests per unit of time, exceeded. You can retry the request by using exponential back-off.
`500 Server Error`	Error occurred on the server. You can retry the request by using exponential back-off.
`503 Service Unavailable`	Server is down for maintenance, overloaded, or otherwise unavailable to handle the incoming request.

List roles

Get a list of roles defined for the specified unit or target entity. You can assign these roles to a user by using Assign role or Batch assign role.

This operation is available in the following countries.

Healthcare	Hospitality	Senior Living	Core
US	US, UK, FR, CA, IT, DE, ES, JP	US, UK, FR, CA, IT, DE, ES, JP	US

Request

To list roles, you make a GET request to the /v1/roles resource.

Request path and header example

Copied to clipboard.

GET /v1/roles?unitId={unitId}&targetEntityId={targetEntityId}&roleName={roleName}&maxResults={maxResults}&nextToken={nextToken}
Host: api.amazonalexa.com
Accept: application/json
Authorization: Bearer {access token}

Request path and header parameters

Parameter	Located in	Description	Type	Required
`unitId`	Query	Filter on the unit. Formatted as Amazon Common Identifier (ACI), `amzn1.alexa.unit.did.{id}`. You must specify either a `unitId` or `targetEntityId` in the request.	String	No
`targetEntityId`	Query	Filter on the name of the target entity. You must specify either a `unitId` or `targetEntityId` in the request.	String	No
`roleName`	Query	Filter on the name of the role.	String	No
`maxResults`	Query	Maximum number of results to return in the response. Valid values: 1–10. Default: 10.	Integer	No
`nextToken`	Query	Token from the previous response. Include if iterating over a paginated response.	String	No
`access token`	Header	Access token for the customer. Set to an LWA token.	String	Yes

Request body example

The request has no body.

Request body properties

The request has no body.

Response

A successful response returns HTTP 200 OK, along with a list of roles for the specified unit or target entity. On error, the response returns the appropriate HTTP status code and includes a response body with a human-readable description.

Response body example

{
   "results": [
      {
         "roleId": "amzn1.alexa.role.did.1",
         "roleName": "Admin",
         "unitId": "amzn1.alexa.unit.did.101",
         "targetEntityId": "amzn1.alexa.unit.did.101"         
      },
      {
         "roleId": "amzn1.alexa.role.did.2",
         "roleName": "ReadOnly",
         "unitId": "amzn1.alexa.unit.did.101",
         "targetEntityId": "amzn1.alexa.unit.did.101"         
      }     
   ],
   "paginationContext": {
      "nextToken": someToken.1
   }
}

Response body properties

Property	Description	Type
`results`	List of roles for the specified unit or target entity.	Array of objects
`results[].roleId`	Identifies the role for the unit. Formatted as Amazon Common Identifier (ACI), `amzn1.alexa.role.did.{id}`.	String
`results[].roleName`	Name of the role.	String
`results[].unitId`	Identifies the unit assigned the role. Formatted as Amazon Common Identifier (ACI), `amzn1.alexa.unit.did.{id}`.	String
`results[].targetEntityId`	Identifies the target entity assigned the role.	String
`paginationContext`	Indicates whether there are more results to return.	Object
`paginationContext.nextToken`	Included when the response is truncated. Use this value in a subsequent request with the same filter parameters as this request. If no more results, `nextToken` is `null`.	String

HTTP status codes

Status	Description
`200 OK`	Response body contains list of roles for the specified unit or target entity.
`400 Bad Request`	Indicates that one or more properties in the request body aren't valid.
`401 Unauthorized`	Request didn't include the authorization token, or the included token expired or isn't valid. Or, you don't have access to the resource.
`403 Forbidden`	Indicates that the authorization token is valid, but the requested operation isn't allowed.
`404 Not Found`	Requested resource not found.
`429 Too Many Requests`	Permitted rate limit, specified as the number of requests per unit of time, exceeded. You can retry the request by using exponential back-off.
`500 Server Error`	Error occurred on the server. You can retry the request by using exponential back-off.
`503 Service Unavailable`	Server is down for maintenance, overloaded, or otherwise unavailable to handle the incoming request.

List role assignments

List role assignments for the specified principal and unit or target entity.

This operation is available in the following countries.

Healthcare	Hospitality	Senior Living	Core
US	US, UK, FR, CA, IT, DE, ES, JP	US, UK, FR, CA, IT, DE, ES, JP	US

Request

To list assignments, you make a GET request to the /v1/roles/assignments resource.

Request path and header example

Copied to clipboard.

GET /v1/roles/assignments?principalId={principalId}&unitId={unitId}&targetEntityId={targetEntityId}&maxResults={maxResults}&nextToken={nextToken}  HTTP/1.1
Host: api.amazonalexa.com
Accept: application/json
Authorization: Bearer {access token}

Request path and header parameters

Parameter	Located in	Description	Type	Required
`principalId`	Query	Identifies the principal for whom to get the role assignments. Formatted as Amazon Common Identifier (ACI), `amzn1.account.{id}`. For details about how to get the principal ID, see Obtain Customer Profile Information. The `user_id` you receive in the customer profile response is the value to use for `principalId`.	String	Yes
`unitId`	Query	Filter on the unit. Formatted as Amazon Common Identifier (ACI), `amzn1.alexa.unit.did.{id}`.	String	No
`targetEntityId`	Query	Filter on the name of the target entity.	String	No
`maxResults`	Query	Maximum number of results to return in the response. Valid values: 1–10. Default: 10.	Integer	No
`nextToken`	Query	Token from the previous response. Include if iterating over a paginated response.	String	No
`access token`	Header	Access token for the customer. Set to an LWA token.	String	Yes

Request body example

The request has no body.

Request body properties

The request has no body.

Response

A successful response returns HTTP 200 OK, along with a list of role assignments for the specified principal. On error, the response returns the appropriate HTTP status code and includes a response body with a human-readable description.

Response body example

{
  "results" : [
    {
      "roleId" : "amzn1.alexa.role.did.1",
      "principalId" : "amzn1.account.1",
      "expiresAt": "2021-06-10T14:00:00Z",
      "propagatedRoleId": "amzn1.alexa.role.originRoleId"
    }
  ],
    "paginationContext": {
      "nextToken": null
  }
}

Response body properties

Property	Description	Type
`results`	List of roles for the specified principal.	Array of objects
`results[].roleId`	Identifies the role assigned to the specified principal. Formatted as Amazon Common Identifier (ACI), `amzn1.alexa.role.did.{id}`.	String
`results[i].principalId`	Identifies the principal. Formatted as Amazon Common Identifier (ACI), `amzn1.account.{id}`.	String
`results[].expiresAt`	(Optional) Expiration date and time at which the assigned role expires. Defined in ISO 8601 format, `YYYY-MM-DDThh:mm:ssZ`.	String
`results[].propagatedRoleId`	(Optional) Identifies the original role from which this role assignment propagated. Formatted as Amazon Common Identifier (ACI), `amzn1.alexa.role.did.{id}`.	String
`paginationContext`	Indicates whether there are more results to return.	Object
`paginationContext.nextToken`	Included when the response is truncated. Use this value in a subsequent request with the same filter parameters as this request. If no more results, `nextToken` is `null`.	String

HTTP status codes

Status	Description
`200 OK`	Response body contains a list of role assignments for the specified principal.
`400 Bad Request`	Indicates that one or more properties in the request body aren't valid.
`401 Unauthorized`	Request didn't include the authorization token, or the included token expired or isn't valid. Or, you don't have access to the resource.
`403 Forbidden`	Indicates that the authorization token is valid, but the requested operation isn't allowed.
`404 Not Found`	Requested resource not found.
`429 Too Many Requests`	Permitted rate limit, specified as the number of requests per unit of time, exceeded. You can retry the request by using exponential back-off.
`500 Server Error`	Error occurred on the server. You can retry the request by using exponential back-off.
`503 Service Unavailable`	Server is down for maintenance, overloaded, or otherwise unavailable to handle the incoming request.

Revoke role assignment

Remove a role assignment for the specified principal. You can enable propagation to revoke the role assignment to the property hierarchy.

This operation is available in the following countries.

Healthcare	Hospitality	Senior Living	Core
US	US, UK, FR, CA, IT, DE, ES, JP	US, UK, FR, CA, IT, DE, ES, JP	US

Request

To remove a role assignment, you make a DELETE request to the /v1/roles/{roleId}/assignments resource.

Request path and header example

Copied to clipboard.

DELETE /v1/roles/{roleId}/assignments?principalId={principalId}&propagate={propagate}
Host: api.amazonalexa.com
Accept: application/json
Authorization: Bearer {access token}

Request path and header parameters

Parameter	Located in	Description	Type	Required
`roleId`	Path	Identifies the role. Formatted as Amazon Common Identifier (ACI), `amzn1.alexa.role.did.{id}`.	String	Yes
`principalId`	Query	Identifies the principal for whom to revoke the role assignment. Formatted as Amazon Common Identifier (ACI), `amzn1.account.{id}`. For details about how to get the principal ID, see Obtain Customer Profile Information. The `user_id` you receive in the customer profile response is the value to use for `principalId`.	String	Yes
`propagate`	Query	Indicates whether to propagate the role revocation to the entire unit hierarchy. Only the Amazon Business account's principal ID can propagate roles. Default: `false`.	Boolean	No
`access token`	Header	Access token for the customer. Set to an LWA token.	String	Yes

Request body example

The request has no body.

Request body properties

The request has no body.

Response

Response body example

The response has no body.

Response body properties

The response has no body.

HTTP status codes

Status	Description
`202 Accepted`	Role revoked successfully and the propagation request for the specified principal accepted.
`204 No content`	Role revoked successfully. No propagation specified.
`400 Bad Request`	Indicates that one or more properties in the request body aren't valid. The response might include one of the following error `descriptions`: You attempted to revoke a role assignment that's propagated from a different unit. You attempted to revoke a propagated role assignment without the `propagate` flag (or vice versa).
`401 Unauthorized`	Request didn't include the authorization token, or the included token expired or isn't valid. Or, you don't have access to the resource.
`403 Forbidden`	Indicates that the authorization token is valid, but the requested operation isn't allowed.
`404 Not Found`	Requested resource not found.
`429 Too Many Requests`	Permitted rate limit, specified as the number of requests per unit of time, exceeded. You can retry the request by using exponential back-off.
`500 Server Error`	Error occurred on the server. You can retry the request by using exponential back-off.
`503 Service Unavailable`	Server is down for maintenance, overloaded, or otherwise unavailable to handle the incoming request.

Object definitions

The Role API defines the following object definitions.

BatchError object

The BatchError object defines the error code and description included in the response when an error occurs during a batch operation.

The following example shows the response body.

{
  "errors": [
    {
       "itemId": 0,
       "status": 400,   
       "errorCode" : "INVALID_PRINCIPAL_ID",   
       "errorDescription": "Invalid principalId specified."
    },
    {
       "itemId": 1,
       "status": 400,      
       "errorCode" : "REQUEST_LIMIT_EXCEEDED",
       "errorDescription": "The number of request items in the batch request exceeds the limit (50)."
    }
  ]
}

The BatchError object defines the following properties.

Property	Description	Type
`itemId`	(Optional) Identifies the request item that failed.	Integer
`status`	HTTP status code.	String
`errorCode`	Type of error that occurred.	String
`errorDescription`	Human-readable error message. The error message appears only for debugging/logging purposes. You must not share it with the customer. No business logic should depend on the content of the error message.	String

Was this page helpful?

Provide feedback

Last updated: Oct 31, 2024