Condition

The Condition element (or Condition block) lets you specify conditions for when a policy is in effect. The Condition element is optional. In the Condition element, you build expressions in which you use condition operators (equal, less than, and others) to match the context keys and values in the policy against keys and values in the request context.

"Condition" : { "{condition-operator}" : { "{condition-key}" : "{condition-value}" }}

The context key that you specify in a policy condition can be a global condition context key or a service-specific context key. Global condition context keys have the aws: prefix. Service-specific context keys have the service's prefix. For example, Astran IAM lets you write a condition using the iam:PermissionsBoundary context key, which is unique to that service. See the list of available condition context keys for more information.

Context key names are not case-sensitive. For example, including the aws:username context key is equivalent to testing for AWS:Username. Case sensitivity of context key values depends on the condition operator that you use. For example, the following condition uses the StringEquals operator to make sure that only requests made by johndoe@astran.io match. Users with the email JohnDoe@astran.io are denied access even though email addresses are case insensitive.

"Condition" : { "StringEquals" : { "aws:username" : "johndoe@astran.io" }}

The following condition uses the StringEqualsIgnoreCase operator to match users with email johndoe@astran.io or JohnDoe@astran.io.

"Condition" : { "StringEqualsIgnoreCase" : { "aws:username" : "johndoe@astran.io" }}
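As an added example (not Astran's own policy engine), the following toy evaluator runs the two Condition blocks above against constructed request contexts: context key names are matched case-insensitively, while StringEquals compares values exactly and StringEqualsIgnoreCase folds case. Case-sensitive matching of operator names and the sample request contexts are assumptions of this example.

```python
import json

# Condition operators used on this page: name -> predicate(context_value, policy_value).
# Operator names are matched case-sensitively here (assumption of this toy evaluator).
OPERATORS = {
    "StringEquals": lambda ctx, pol: ctx == pol,
    "StringEqualsIgnoreCase": lambda ctx, pol: ctx.casefold() == pol.casefold(),
}


def lookup_context_key(request_context, key):
    """Return the request-context value for `key`, or None if the key is absent.

    Context key names are not case-sensitive: aws:username and AWS:Username
    refer to the same key, so the name is compared case-insensitively.
    """
    wanted = key.lower()
    for name, value in request_context.items():
        if name.lower() == wanted:
            return value
    return None


def condition_matches(condition, request_context):
    """True if every operator/key/value pair in the Condition block is satisfied.

    A context key that is missing from the request context never matches.
    """
    for operator, key_values in condition.items():
        predicate = OPERATORS[operator]  # unknown operator -> KeyError, never a silent match
        for key, policy_value in key_values.items():
            ctx_value = lookup_context_key(request_context, key)
            if ctx_value is None or not predicate(ctx_value, policy_value):
                return False
    return True


# The two Condition blocks from this page, parsed as JSON.
EXACT = json.loads('{ "StringEquals" : { "aws:username" : "johndoe@astran.io" }}')
IGNORE_CASE = json.loads(
    '{ "StringEqualsIgnoreCase" : { "aws:username" : "johndoe@astran.io" }}')

# Constructed request contexts; only the key this example tests is included.
REQUEST_JOHNDOE = {"aws:username": "johndoe@astran.io"}
REQUEST_MIXED_CASE = {"AWS:Username": "JohnDoe@astran.io"}  # key and value differ in case

if __name__ == "__main__":
    for label, ctx in (("johndoe", REQUEST_JOHNDOE), ("JohnDoe", REQUEST_MIXED_CASE)):
        print(label, "StringEquals:", condition_matches(EXACT, ctx),
              "StringEqualsIgnoreCase:", condition_matches(IGNORE_CASE, ctx))
```

Running it shows the mixed-case request failing StringEquals but passing StringEqualsIgnoreCase, while the key name AWS:Username is found in both cases.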

For a list of all of the condition operators and a description of how they work, see Condition operators.

Context keys can have multiple values. For a description of how to handle context keys that have multiple values, see Multivalued context keys.

The request context

When a principal makes a request to Astran, Astran gathers the request information into a request context. The request context includes information about the principal, resources, actions, and other environmental properties. Policy evaluation matches the properties in the policy against the properties sent in the request to evaluate and authorize actions you can perform in Astran.

You can use the Condition element of a JSON policy to test specific context keys against the request context. For example, you can create a policy that uses the iam:PermissionsBoundary context key to allow a user to create only users with a specific permissions boundary.