List of condition context keys
Global context keys
aws:PrincipalArn
Use this key to compare the Amazon Resource Name (ARN) of the principal that made the request with the ARN that you specify in the policy.
- Availability – This key is included in the request context for all signed requests. Anonymous requests do not include this key. You can specify the following types of principals in this condition key:
- IAM user
- Astran root account
- Data type – ARN. Astran recommends that you use ARN operators instead of string operators when comparing ARNs.
- Value type – Single-valued
- Example values – The following list shows the request context value returned for the different types of principals that you can specify in the aws:PrincipalArn condition key:
- IAM user – The request context contains the following value for condition key aws:PrincipalArn: arn:YOUR_PARTITION:iam::YOUR_ACCOUNT_ID:user/email
- AWS account root user – The request context contains the following value for condition key aws:PrincipalArn: arn:YOUR_PARTITION:iam::YOUR_ACCOUNT_ID:root. When you specify the root account ARN as the value for the aws:PrincipalArn condition key, it limits permissions only to the root account of the Astran account.
aws:username
Use this key to compare the requester's email with the email that you specify in the policy.
- Availability – This key is always included in the request context for IAM users. Anonymous requests and requests that are made using the Astran root account do not include this key.
- Data type – String
- Value type – Single-valued
IAM context keys
iam:PermissionsBoundary
Checks that the specified policy is attached as the permissions boundary on the IAM principal resource.
- Availability – This key is included in the request context for the following actions:
- iam:CreateUser
- iam:DeleteUserPermissionsBoundary
- iam:PutUserPermissionsBoundary
- Data type – ARN
- Value type – Single-valued
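The following toy evaluator is an added example, not Astran's or AWS's own code, and it covers the aws:PrincipalArn, aws:username and iam:PermissionsBoundary keys described above. It assumes the documented IAM condition semantics: the ARN operators (ArnEquals, ArnLike) compare the six colon-delimited components of an ARN separately, with `*` and `?` wildcards allowed inside a component; StringEquals is an exact comparison; and a condition whose key is absent from the request context (an anonymous request, or a root request checked against aws:username) evaluates to false. The partition `astran`, the account `111122223333`, the user e-mails and the policy name `DeveloperBoundary` are constructed placeholders.

```python
"""Toy policy-condition evaluator for the context keys on this page.

Added example, not Astran's or AWS's code. Assumes: ARN operators match the
six ARN components separately ('*'/'?' wildcards inside a component),
ArnEquals and ArnLike behave identically, StringEquals is exact, and a key
missing from the request context never matches. All ARNs below are
constructed placeholders.
"""
import fnmatch
from typing import Callable, Dict, List, Optional, Union

Context = Dict[str, str]  # every key on this page is single-valued
Condition = Dict[str, Dict[str, Union[str, List[str]]]]


def split_arn(arn: str) -> Optional[List[str]]:
    """Return the six ARN components, or None if the value is not an ARN.
    The resource component may itself contain colons, so split at most 5 times."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        return None
    return parts


def arn_like(pattern: str, value: str) -> bool:
    """ArnLike / ArnEquals: each component is matched on its own, so a wildcard
    in one component cannot spill over into the next one."""
    p_parts, v_parts = split_arn(pattern), split_arn(value)
    if p_parts is None or v_parts is None:
        return False
    return all(fnmatch.fnmatchcase(v, p) for p, v in zip(p_parts, v_parts))


def string_equals(pattern: str, value: str) -> bool:
    return pattern == value


OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "ArnEquals": arn_like,
    "ArnLike": arn_like,
    "StringEquals": string_equals,
}


def condition_matches(condition: Condition, context: Context) -> bool:
    """Every operator block must match; within one key, any listed value may
    match. A key that is absent from the request context never matches."""
    for operator, keys in condition.items():
        match = OPERATORS[operator]
        for key, allowed in keys.items():
            if key not in context:
                return False
            values = [allowed] if isinstance(allowed, str) else allowed
            if not any(match(v, context[key]) for v in values):
                return False
    return True


# Request contexts for the principal types described on the page.
def iam_user_context(partition: str, account: str, email: str) -> Context:
    return {
        "aws:PrincipalArn": f"arn:{partition}:iam::{account}:user/{email}",
        "aws:username": email,
    }


def root_context(partition: str, account: str) -> Context:
    # Requests made with the root account carry no aws:username key.
    return {"aws:PrincipalArn": f"arn:{partition}:iam::{account}:root"}


def anonymous_context() -> Context:
    # Unsigned requests carry neither key.
    return {}


def create_user_context(caller: Context, boundary_arn: Optional[str]) -> Context:
    """Context for an iam:CreateUser call; iam:PermissionsBoundary is present
    only when the call actually sets a boundary (assumed, not stated on the page)."""
    ctx = dict(caller)
    if boundary_arn is not None:
        ctx["iam:PermissionsBoundary"] = boundary_arn
    return ctx


ACCOUNT = "111122223333"  # constructed placeholder
ONLY_ROOT = {"ArnEquals": {"aws:PrincipalArn": f"arn:astran:iam::{ACCOUNT}:root"}}
ANY_USER = {"ArnLike": {"aws:PrincipalArn": f"arn:astran:iam::{ACCOUNT}:user/*"}}
BOUNDARY = f"arn:astran:iam::{ACCOUNT}:policy/DeveloperBoundary"
REQUIRE_BOUNDARY = {"ArnEquals": {"iam:PermissionsBoundary": BOUNDARY}}


def demo() -> Dict[str, bool]:
    """Each entry is True when the evaluator behaves as the page describes."""
    root = root_context("astran", ACCOUNT)
    alice = iam_user_context("astran", ACCOUNT, "alice@example.com")
    return {
        "root matches ONLY_ROOT": condition_matches(ONLY_ROOT, root),
        "IAM user does not match ONLY_ROOT": not condition_matches(ONLY_ROOT, alice),
        "IAM user matches ANY_USER": condition_matches(ANY_USER, alice),
        "anonymous never matches": not condition_matches(ANY_USER, anonymous_context()),
        "root has no aws:username": not condition_matches(
            {"StringEquals": {"aws:username": "alice@example.com"}}, root),
        "CreateUser with required boundary": condition_matches(
            REQUIRE_BOUNDARY, create_user_context(alice, BOUNDARY)),
        "CreateUser without boundary": not condition_matches(
            REQUIRE_BOUNDARY, create_user_context(alice, None)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{'ok ' if ok else 'BAD'} {name}")
```

The `split_arn` helper is why the page prefers ARN operators: a pattern is only compared component by component, and a value that is not a well-formed ARN cannot match at all, whereas a plain string comparison has no notion of components. The `REQUIRE_BOUNDARY` condition shows the usual delegation pattern for iam:CreateUser: because the key is only present when a boundary is supplied, an Allow statement carrying this condition never matches a request that omits the boundary.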