pub type RequestContext = ConditionContext;Expand description
Request-time context keys used when evaluating Condition blocks.
This is a re-export of ConditionContext to keep the evaluator’s
public API stable while centralizing the context definition in the
crate::condition module.
Aliased Type§
pub struct RequestContext {Show 22 fields
pub aws_username: Option<String>,
pub aws_userid: Option<String>,
pub aws_principal_arn: Option<String>,
pub aws_principal_account: Option<String>,
pub aws_principal_type: Option<String>,
pub aws_source_ip: Option<IpAddr>,
pub aws_current_time: Option<DateTime<Utc>>,
pub aws_epoch_time: Option<i64>,
pub aws_secure_transport: Option<bool>,
pub aws_requested_region: Option<String>,
pub aws_mfa_present: Option<bool>,
pub aws_mfa_age_seconds: Option<i64>,
pub aws_called_via: Vec<String>,
pub aws_source_vpce: Option<String>,
pub aws_source_vpc: Option<String>,
pub aws_vpc_source_ip: Option<IpAddr>,
pub aws_federated_provider: Option<String>,
pub aws_token_issue_time: Option<DateTime<Utc>>,
pub service_keys: BTreeMap<String, Vec<String>>,
pub resource_tags: Option<HashMap<String, String>>,
pub request_tags: Option<HashMap<String, String>>,
pub principal_tags: Option<HashMap<String, String>>,
}Fields§
§aws_username: Option<String>aws:username — username segment of an IAM user ARN, or None
for assumed roles / federated users where AWS does not set the key.
aws_userid: Option<String>aws:userid — the unique AIDA.../AROA... identifier.
aws_principal_arn: Option<String>aws:PrincipalArn — full principal ARN.
aws_principal_account: Option<String>aws:PrincipalAccount — 12-digit account ID sourced from the
credential, not global config (#381 multi-account alignment).
aws_principal_type: Option<String>aws:PrincipalType — "User", "AssumedRole", etc.
aws_source_ip: Option<IpAddr>aws:SourceIp — remote address of the HTTP connection.
aws_current_time: Option<DateTime<Utc>>aws:CurrentTime — evaluation timestamp (UTC).
aws_epoch_time: Option<i64>aws:EpochTime — same moment as aws_current_time in seconds
since the Unix epoch.
aws_secure_transport: Option<bool>aws:SecureTransport — true iff the request came in over TLS.
aws_requested_region: Option<String>aws:RequestedRegion — region extracted from SigV4 / config.
aws_mfa_present: Option<bool>aws:MultiFactorAuthPresent — true iff the caller supplied an
MFA credential when minting the session (AssumeRole with
SerialNumber + TokenCode, or a long-lived user credential
re-asserted via STS GetSessionToken with MFA).
aws_mfa_age_seconds: Option<i64>aws:MultiFactorAuthAge — seconds since MFA was asserted on
the session.
aws_called_via: Vec<String>aws:CalledVia — the chain of service principals that have
re-invoked downstream services on the caller’s behalf
(e.g. ["cloudformation.amazonaws.com"]). Multi-value key.
aws_source_vpce: Option<String>aws:SourceVpce — VPC endpoint id when the request transited
a VPC interface endpoint.
aws_source_vpc: Option<String>aws:SourceVpc — VPC id when the request originated inside a
VPC.
aws_vpc_source_ip: Option<IpAddr>aws:VpcSourceIp — private source IP inside the VPC (distinct
from aws:SourceIp which is the public NAT/Edge IP).
aws_federated_provider: Option<String>aws:FederatedProvider — cognito-identity.amazonaws.com,
accounts.google.com, or the SAML-provider ARN, depending on
how the credential was minted.
aws_token_issue_time: Option<DateTime<Utc>>aws:TokenIssueTime — when the temporary credential
underlying this session was issued (UTC).
service_keys: BTreeMap<String, Vec<String>>Service-specific keys (s3:prefix, sqs:MessageAttribute, …).
aws:ResourceTag/<key> — tags on the target resource.
Populated by crate::service::AwsService::resource_tags_for.
None means the service doesn’t expose resource tags for ABAC.
aws:RequestTag/<key> — tags sent in the request body/headers.
Populated by crate::service::AwsService::request_tags_from.
Also drives aws:TagKeys (the list of request tag keys).
aws:PrincipalTag/<key> — tags on the calling IAM user or role.
Populated from Principal::tags at dispatch time.