Amazon STS condition context keys for IAM Identity Center

When a principal makes a request to Amazon, Amazon gathers the request information into a request context, which is used to evaluate and authorize the request. You can use the Condition element of a JSON policy to compare keys in the request context with key values that you specify in your policy. Request information is provided by different sources, including the principal making the request, the resource, the request it is made against, and the metadata about the request itself. Service-specific condition keys are defined for use with an individual Amazon service.

IAM Identity Center includes an Amazon STS context provider that enables Amazon managed applications and third-party applications to add values for condition keys that are defined by IAM Identity Center. These keys are included in IAM roles. The key values are set when an application passes a token to Amazon STS. The application obtains the token that it passes to Amazon STS in either of the following ways:

  • During authentication with IAM Identity Center.

  • After token exchange with a trusted token issuer for trusted identity propagation. In this case, the application obtains a token from a trusted token issuer and exchanges that token for a token from IAM Identity Center.

These keys are typically used by applications that integrate with trusted identity propagation. In some cases, when key values are present, you can use these keys in IAM policies that you create to allow or deny permissions.

For example, you might want to provide conditional access to a resource based on the value of the UserId. This value indicates which IAM Identity Center user is using the role. The example is similar to using SourceId. Unlike SourceId, however, the value for UserId represents a specific, verified user from the identity store. This value is present in the token that the application obtains and then passes to Amazon STS. It is not a general-purpose string that can contain arbitrary values.

identitystore:UserId

This context key is the UserId of the IAM Identity Center user who is the subject of the context assertion issued by IAM Identity Center. The context assertion is passed to Amazon STS. You can use this key to compare the UserId of the IAM Identity Center user on behalf of whom the request is made with the identifier for the user that you specify in the policy.

  • Availability – This key is included in the request context after a context assertion issued by IAM Identity Center is set, when a role is assumed using any Amazon STS assume-role command in the Amazon CLI or Amazon STS AssumeRole API operation.

  • Data type – String

  • Value type – Single-valued

identitystore:IdentityStoreArn

This context key is the ARN of the identity store that is attached to the instance of IAM Identity Center that issued the context assertion. It is also the identity store in which you can look up attributes for identitystore:UserId. You can use this key in policies to determine whether the identitystore:UserId comes from an expected identity store ARN.

  • Availability – This key is included in the request context after a context assertion issued by IAM Identity Center is set, when a role is assumed using any Amazon STS assume-role command in the Amazon CLI or Amazon STS AssumeRole API operation.

  • Data type – Arn, String

  • Value type – Single-valued

identitycenter:ApplicationArn

This context key is the ARN of the application to which IAM Identity Center issued a context assertion. You can use this key in policies to determine whether identitycenter:ApplicationArn comes from an expected application. Using this key can help prevent an IAM role from being accessed by an unexpected application.

  • Availability – This key is included in the request context of an Amazon STS AssumeRole API operation. The request context includes a context assertion issued by IAM Identity Center.

  • Data type – Arn, String

  • Value type – Single-valued

identitycenter:CredentialId

This context key is a random ID for the identity-enhanced role credential and is used for logging only. Because this key value is unpredictable, we recommend that you do not use it for context assertions in policies.

  • Availability – This key is included in the request context of an Amazon STS AssumeRole API operation. The request context includes a context assertion issued by IAM Identity Center.

  • Data type – String

  • Value type – Single-valued

identitycenter:InstanceArn

This context key is the ARN of the instance of IAM Identity Center that issued the context assertion for the identitystore:UserId. You can use this key to determine whether the identitystore:UserId and context assertion came from an expected IAM Identity Center instance ARN.

  • Availability – This key is included in the request context of an Amazon STS AssumeRole API operation. The request context includes a context assertion issued by IAM Identity Center.

  • Data type – Arn, String

  • Value type – Single-valued
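
The guidance above on identitystore:UserId, identitystore:IdentityStoreArn, identitycenter:InstanceArn and identitycenter:CredentialId can be checked mechanically when reviewing policies. The following Python is an added example, not code from this documentation or from Amazon: the function names, the two lint rules and the sample policy (with placeholder values) are assumptions made for illustration.

```python
# Condition key names are case-insensitive in IAM, so compare in lower case.
USER_ID = "identitystore:userid"
CREDENTIAL_ID = "identitycenter:credentialid"
ORIGIN_KEYS = {"identitystore:identitystorearn", "identitycenter:instancearn"}


def condition_keys(statement):
    """Collect the condition keys used by one statement, lower-cased."""
    keys = set()
    for operands in statement.get("Condition", {}).values():
        keys.update(key.lower() for key in operands)
    return keys


def lint_policy(policy):
    """Return (sid, finding) pairs; the rules are this example's assumptions."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    findings = []
    for index, stmt in enumerate(statements):
        sid = stmt.get("Sid", f"statement[{index}]")
        keys = condition_keys(stmt)
        if CREDENTIAL_ID in keys:
            findings.append((sid, "CredentialId is random and meant for logging"))
        if USER_ID in keys and not keys & ORIGIN_KEYS:
            findings.append((sid, "UserId not tied to an expected identity store or instance"))
    return findings


# Constructed policy; every <...> value and the bucket name are placeholders.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PinnedUser", "Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*",
         "Condition": {
             "StringEquals": {"identitystore:UserId": "<USER_ID>"},
             "ArnEquals": {"identitystore:IdentityStoreArn": "<IDENTITY_STORE_ARN>"}}},
        {"Sid": "UnpinnedUser", "Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*",
         "Condition": {"StringEquals": {"identitystore:UserID": "<USER_ID>"}}},
        {"Sid": "ByCredential", "Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*",
         "Condition": {"StringEquals": {"identitycenter:CredentialId": "<ID>"}}},
    ],
}

if __name__ == "__main__":
    for sid, finding in lint_policy(SAMPLE_POLICY):
        print(f"{sid}: {finding}")
```

The first statement passes because the user ID is checked together with the identity store that vouches for it; the other two are reported.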