Amazon condition keys that can be used in API Gateway resource policies - Amazon API Gateway
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon condition keys that can be used in API Gateway resource policies

The following table contains Amazon condition keys that can be used in resource policies for APIs in API Gateway for each authorization type.

For more information about Amazon condition keys, see Amazon Global Condition Context Keys.

Table of condition keys
Condition keys Criteria Needs AuthN? Authorization type
aws:CurrentTime None No All
aws:EpochTime None No All
aws:TokenIssueTime Key is present only in requests that are signed using temporary security credentials. Yes IAM
aws:MultiFactorAuthPresent Key is present only in requests that are signed using temporary security credentials. Yes IAM
aws:MultiFactorAuthAge Key is present only if MFA is present in the requests. Yes IAM
aws:PrincipalAccount None Yes IAM
aws:PrincipalArn None Yes IAM
aws:PrincipalOrgID This key is included in the request context only if the principal is a member of an organization. Yes IAM
aws:PrincipalOrgPaths This key is included in the request context only if the principal is a member of an organization. Yes IAM
aws:PrincipalTag This key is included in the request context if the principal is using an IAM user with attached tags. It is included for a principal using an IAM role with attached tags or session tags. Yes IAM
aws:PrincipalType None Yes IAM
aws:Referer Key is present only if the value is provided by the caller in the HTTP header. No All
aws:SecureTransport None No All
aws:SourceArn None No All
aws:SourceIp None No All
aws:SourceVpc This key can be used only for private APIs. No All
aws:SourceVpce This key can be used only for private APIs. No All
aws:VpcSourceIp This key can be used only for private APIs. No All
aws:UserAgent Key is present only if the value is provided by the caller in the HTTP header. No All
aws:userid None Yes IAM
aws:username None Yes IAM