aws_iam/
constants.rs

/*!
Constants defined in the AWS documentation.

# Condition Context Keys

When a principal makes a request to AWS, AWS gathers the request information into a
request context. You can use the Condition element of a JSON policy to compare the
request context with values that you specify in your policy. To learn more about
the circumstances under which a global key is included in the request context, see
the Availability information for each global condition key.

From [AWS Global Condition Context Keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).
*/

// ------------------------------------------------------------------------------------------------
// Public Values
// ------------------------------------------------------------------------------------------------

/// Use this key to compare the date and time of the request with the date and time
/// that you specify in the policy.
pub const AWS_CURRENT_TIME: &str = "aws:CurrentTime";

/// Use this key to compare the date and time of the request in epoch or Unix time
/// with the value that you specify in the policy. This key also accepts the number
/// of seconds since January 1, 1970.
pub const AWS_EPOCH_TIME: &str = "aws:EpochTime";

/// Use this key to compare the number of seconds since the requesting principal
/// was authorized using MFA with the number that you specify in the policy.
pub const AWS_MFA_AGE: &str = "aws:MultiFactorAuthAge";

/// Use this key to check whether multi-factor authentication (MFA) was used to
/// validate the temporary security credentials that made the request.
pub const AWS_MFA_PRESENT: &str = "aws:MultiFactorAuthPresent";

/// Use this key to compare the account to which the requesting principal belongs
/// with the account identifier that you specify in the policy.
pub const AWS_PRINCIPAL_ACCOUNT: &str = "aws:PrincipalAccount";

/// Use this key to compare the Amazon Resource Name (ARN) of the principal that
/// made the request with the ARN that you specify in the policy. For IAM roles,
/// the request context returns the ARN of the role, not the ARN of the user that
/// assumed the role.
pub const AWS_PRINCIPAL_ARN: &str = "aws:PrincipalArn";

/// Use this key to compare the identifier of the organization in AWS Organizations
/// to which the requesting principal belongs with the identifier specified in
/// the policy.
pub const AWS_PRINCIPAL_ORG_ID: &str = "aws:PrincipalOrgID";

/// Use this key to compare the tag attached to the principal making the request
/// with the tag that you specify in the policy. If the principal has more than
/// one tag attached, the request context includes one aws:PrincipalTag key for
/// each attached tag key.
pub const AWS_PRINCIPAL_TAG: &str = "aws:PrincipalTag/";

/// Use this key to compare the type of principal making the request with the
/// principal type that you specify in the policy.
pub const AWS_PRINCIPAL_TYPE: &str = "aws:PrincipalType";

/// Use this key to compare who referred the request in the client browser with
/// the referer that you specify in the policy. The aws:referer request context
/// value is provided by the caller in an HTTP header.
pub const AWS_REFERER: &str = "aws:Referer";

/// Use this key to compare the AWS Region that was called in the request with
/// the region that you specify in the policy. You can use this global condition
/// key to control which Regions can be requested.
pub const AWS_REQUESTED_REGION: &str = "aws:RequestedRegion";

/// Use this key to compare the tag key-value pair that was passed in the request
/// with the tag pair that you specify in the policy. For example, you could check
/// whether the request includes the tag key "Dept" and that it has the value
/// "Accounting".
pub const AWS_REQUEST_TAG: &str = "aws:RequestTag/";

/// Use this key to compare the tag key-value pair that you specify in the policy
/// with the key-value pair that is attached to the resource. For example, you
/// could require that access to a resource is allowed only if the resource has
/// the attached tag key "Dept" with the value "Marketing".
pub const AWS_RESOURCE_TAG: &str = "aws:ResourceTag/";

/// Use this key to check whether the request was sent using SSL. The request
/// context returns true or false. In a policy, you can allow specific actions
/// only if the request is sent using SSL.
pub const AWS_SECURE_TRANSPORT: &str = "aws:SecureTransport";

/// Use this key to compare the source of the request with the account ID that
/// you specify in the policy.
///
/// For example, assume that you have an Amazon S3 bucket in your account that
/// is configured to deliver object creation events to an Amazon SNS topic. In
/// that case, you could use this condition key to check that Amazon S3 is not being
/// used as a confused deputy. Amazon S3 tells Amazon SNS the account that the
/// bucket belongs to.
pub const AWS_SOURCE_ACCOUNT: &str = "aws:SourceAccount";

/// Use this key to compare the source of the request with the Amazon Resource
/// Name (ARN) that you specify in the policy.
///
/// For example, when an Amazon S3 bucket update triggers an Amazon SNS topic
/// post, the Amazon S3 service invokes the sns:Publish API operation. The bucket
/// is considered the source of the SNS request and the value of the key is the
/// bucket's ARN. This key does not work with the ARN of the principal making
/// the request. Instead, use aws:PrincipalArn.
pub const AWS_SOURCE_ARN: &str = "aws:SourceArn";

/// Use this key to compare the requester's IP address with the IP address that
/// you specify in the policy.
pub const AWS_SOURCE_IP: &str = "aws:SourceIp";

/// Use this key to check whether the request comes from the VPC that you specify
/// in the policy. In a policy, you can use this key to allow access to only
/// a specific VPC.
pub const AWS_SOURCE_VPC: &str = "aws:SourceVpc";

/// Use this key to compare the VPC endpoint identifier of the request with the
/// endpoint ID that you specify in the policy. In a policy, you can use this
/// key to restrict access to a specific VPC endpoint.
pub const AWS_SOURCE_VPCE: &str = "aws:SourceVpce";

/// Use this key to compare the tag keys in a request with the keys that you
/// specify in the policy. As a best practice when you use policies to control
/// access using tags, use the aws:TagKeys condition key to define what tag
/// keys are allowed.
pub const AWS_TAG_KEYS: &str = "aws:TagKeys";

/// Use this key to compare the date and time that temporary security credentials
/// were issued with the date and time that you specify in the policy.
pub const AWS_TOKEN_ISSUE_TIME: &str = "aws:TokenIssueTime";

/// Use this key to compare the requester's client application with the
/// application that you specify in the policy.
pub const AWS_USER_AGENT: &str = "aws:UserAgent";

/// Use this key to compare the requester's principal identifier with the ID that
/// you specify in the policy. For IAM users, the request context value is the
/// user ID. For IAM roles, this value format can vary.
pub const AWS_USER_ID: &str = "aws:userid";

/// Use this key to compare the requester's user name with the user name that you
/// specify in the policy.
pub const AWS_USER_NAME: &str = "aws:username";

/// Use this key to compare the IP address from which a request was made with the
/// IP address that you specify in the policy. In a policy, the key matches only
/// if the request originates from the specified IP address and it goes through
/// a VPC endpoint.
pub const AWS_VPC_SOURCE_ID: &str = "aws:VpcSourceIp";
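
The confused-deputy check that the `aws:SourceAccount` and `aws:SourceArn` comments describe, sketched as a policy lint. This is an added example, not code from this crate: `Condition`, `Statement` and the functions are hypothetical, the statement model is a simplified stand-in for a parsed policy, and the sample values are constructed.

```rust
// Added example. The two constants repeat values from the listing above so the
// block compiles on its own; every other name is hypothetical.
const AWS_SOURCE_ACCOUNT: &str = "aws:SourceAccount";
const AWS_SOURCE_ARN: &str = "aws:SourceArn";

/// One flattened condition entry: operator, key, value.
struct Condition<'a> { operator: &'a str, key: &'a str, value: &'a str }

/// Simplified view of one resource-policy statement.
struct Statement<'a> {
    allow: bool,
    service_principal: Option<&'a str>,
    conditions: Vec<Condition<'a>>,
}

/// True when the condition pins the request source to a concrete account or ARN.
fn is_source_guard(c: &Condition) -> bool {
    // Condition key names are not case-sensitive in IAM policies.
    let key_ok = c.key.eq_ignore_ascii_case(AWS_SOURCE_ACCOUNT)
        || c.key.eq_ignore_ascii_case(AWS_SOURCE_ARN);
    // Only positive matches count; a negated operator or a bare "*" pins nothing.
    let op_ok = matches!(c.operator, "StringEquals" | "StringLike" | "ArnEquals" | "ArnLike");
    key_ok && op_ok && c.value != "*"
}

/// True when a service principal is allowed with no source guard at all.
fn lacks_deputy_guard(s: &Statement) -> bool {
    s.allow && s.service_principal.is_some() && !s.conditions.iter().any(is_source_guard)
}

/// Constructed sample: an SNS topic statement letting S3 publish, open and guarded.
fn sample() -> (Statement<'static>, Statement<'static>) {
    let open = Statement { allow: true, service_principal: Some("s3.amazonaws.com"), conditions: vec![] };
    let guarded = Statement {
        allow: true,
        service_principal: Some("s3.amazonaws.com"),
        conditions: vec![
            Condition { operator: "StringEquals", key: "aws:sourceaccount", value: "111122223333" },
            Condition { operator: "ArnLike", key: "aws:SourceArn", value: "arn:aws:s3:::example-bucket" },
        ],
    };
    (open, guarded)
}

fn main() {
    let (open, guarded) = sample();
    println!("open statement lacks guard: {}", lacks_deputy_guard(&open));
    println!("guarded statement lacks guard: {}", lacks_deputy_guard(&guarded));
}
```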