Constants defined in the AWS documentation.
Condition Context Keys
When a principal makes a request to AWS, AWS gathers the request information into a request context. You can use the Condition element of a JSON policy to compare the request context with values that you specify in your policy. To learn more about the circumstances under which a global key is included in the request context, see the Availability information for each global condition key.
Constants
- AWS_CURRENT_TIME - Use this key to compare the date and time of the request with the date and time that you specify in the policy.
- AWS_EPOCH_TIME - Use this key to compare the date and time of the request in epoch or Unix time with the value that you specify in the policy. This key also accepts the number of seconds since January 1, 1970.
- AWS_MFA_AGE - Use this key to compare the number of seconds since the requesting principal was authorized using MFA with the number that you specify in the policy.
- AWS_MFA_PRESENT - Use this key to check whether multi-factor authentication (MFA) was used to validate the temporary security credentials that made the request.
- AWS_PRINCIPAL_ACCOUNT - Use this key to compare the account to which the requesting principal belongs with the account identifier that you specify in the policy.
- AWS_PRINCIPAL_ARN - Use this key to compare the Amazon Resource Name (ARN) of the principal that made the request with the ARN that you specify in the policy. For IAM roles, the request context returns the ARN of the role, not the ARN of the user that assumed the role.
- AWS_PRINCIPAL_ORG_ID - Use this key to compare the identifier of the organization in AWS Organizations to which the requesting principal belongs with the identifier specified in the policy.
- AWS_PRINCIPAL_TAG - Use this key to compare the tag attached to the principal making the request with the tag that you specify in the policy. If the principal has more than one tag attached, the request context includes one aws:PrincipalTag key for each attached tag key.
- AWS_PRINCIPAL_TYPE - Use this key to compare the type of principal making the request with the principal type that you specify in the policy.
- AWS_REFERER - Use this key to compare who referred the request in the client browser with the referer that you specify in the policy. The aws:referer request context value is provided by the caller in an HTTP header.
- AWS_REQUESTED_REGION - Use this key to compare the AWS Region that was called in the request with the region that you specify in the policy. You can use this global condition key to control which Regions can be requested.
- AWS_REQUEST_TAG - Use this key to compare the tag key-value pair that was passed in the request with the tag pair that you specify in the policy. For example, you could check whether the request includes the tag key “Dept” and that it has the value “Accounting”.
- AWS_RESOURCE_TAG - Use this key to compare the tag key-value pair that you specify in the policy with the key-value pair that is attached to the resource. For example, you could require that access to a resource is allowed only if the resource has the attached tag key “Dept” with the value “Marketing”.
- AWS_SECURE_TRANSPORT - Use this key to check whether the request was sent using SSL. The request context returns true or false. In a policy, you can allow specific actions only if the request is sent using SSL.
- AWS_SOURCE_ACCOUNT - Use this key to compare the source of the request with the account ID that you specify in the policy.
- AWS_SOURCE_ARN - Use this key to compare the source of the request with the Amazon Resource Name (ARN) that you specify in the policy.
- AWS_SOURCE_IP - Use this key to compare the requester’s IP address with the IP address that you specify in the policy.
- AWS_SOURCE_VPC - Use this key to check whether the request comes from the VPC that you specify in the policy. In a policy, you can use this key to allow access to only a specific VPC.
- AWS_SOURCE_VPCE - Use this key to compare the VPC endpoint identifier of the request with the endpoint ID that you specify in the policy. In a policy, you can use this key to restrict access to a specific VPC endpoint.
- AWS_TAG_KEYS - Use this key to compare the tag keys in a request with the keys that you specify in the policy. As a best practice when you use policies to control access using tags, use the aws:TagKeys condition key to define what tag keys are allowed.
- AWS_TOKEN_ISSUE_TIME - Use this key to compare the date and time that temporary security credentials were issued with the date and time that you specify in the policy.
- AWS_USER_AGENT - Use this key to compare the requester’s client application with the application that you specify in the policy.
- AWS_USER_ID - Use this key to compare the requester’s principal identifier with the ID that you specify in the policy. For IAM users, the request context value is the user ID. For IAM roles, this value format can vary.
- AWS_USER_NAME - Use this key to compare the requester’s user name with the user name that you specify in the policy.
- AWS_VPC_SOURCE_ID - Use this key to compare the IP address from which a request was made with the IP address that you specify in the policy. In a policy, the key matches only if the request originates from the specified IP address and it goes through a VPC endpoint.
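As an added illustration of how a Condition block is compared with the request context (this is not code from this crate or from AWS), the following Rust evaluates a small policy condition against a constructed request context keyed by some of the condition keys listed above. The context values and the 203.0.113.0/24 range are constructed, and only the Bool, StringEquals and IpAddress operators are implemented; a key missing from the context makes the condition false, as it would without an ...IfExists operator.

```rust
use std::collections::HashMap;
use std::net::Ipv4Addr;

/// One entry of a policy Condition block: operator, condition key, allowed values.
pub struct Condition { pub op: &'static str, pub key: &'static str, pub values: Vec<&'static str> }

/// True when `ip` lies inside the IPv4 CIDR `cidr` (a bare address means /32).
pub fn ip_in_cidr(ip: &str, cidr: &str) -> bool {
    let (net, bits): (&str, u32) = cidr.split_once('/').map_or((cidr, 32), |(n, b)| (n, b.parse().unwrap_or(32)));
    let mask: u32 = if bits == 0 { 0 } else { u32::MAX << (32 - bits.min(32)) };
    match (ip.parse::<Ipv4Addr>(), net.parse::<Ipv4Addr>()) {
        (Ok(ip), Ok(net)) => (u32::from(ip) & mask) == (u32::from(net) & mask),
        _ => false, // unparsable address or network never matches
    }
}

/// Evaluate one condition against the request context. A key that is absent from
/// the context makes the condition false (no ...IfExists handling in this example).
fn condition_matches(ctx: &HashMap<&str, &str>, c: &Condition) -> bool {
    let actual = match ctx.get(c.key) { Some(v) => *v, None => return false };
    match c.op {
        "Bool" => c.values.iter().any(|v| v.eq_ignore_ascii_case(actual)),
        "StringEquals" => c.values.iter().any(|v| *v == actual),
        "IpAddress" => c.values.iter().any(|v| ip_in_cidr(actual, v)),
        _ => false, // unknown operator: treat as not matching
    }
}

/// Every condition in the block must hold for the statement to apply.
pub fn statement_applies(ctx: &HashMap<&str, &str>, conds: &[Condition]) -> bool {
    conds.iter().all(|c| condition_matches(ctx, c))
}

/// Constructed sample request context using keys documented in this module.
pub fn sample_context(mfa: &'static str, ip: &'static str) -> HashMap<&'static str, &'static str> {
    HashMap::from([
        ("aws:SecureTransport", "true"),
        ("aws:MultiFactorAuthPresent", mfa),
        ("aws:SourceIp", ip),
    ])
}

/// Sample Condition block: require TLS, MFA and a source address in 203.0.113.0/24.
pub fn example_conditions() -> Vec<Condition> {
    vec![
        Condition { op: "Bool", key: "aws:SecureTransport", values: vec!["true"] },
        Condition { op: "Bool", key: "aws:MultiFactorAuthPresent", values: vec!["true"] },
        Condition { op: "IpAddress", key: "aws:SourceIp", values: vec!["203.0.113.0/24"] },
    ]
}
```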