awsdocs/iam-user-guide

Vague messaging - Condition key is available for only some services

Closed this issue · 5 comments

This document, AWS Global Condition Context Keys, raises more questions than it answers. There are 12 global conditions that are missing a pretty critical piece of information: which AWS services they're compatible with:

  • aws:PrincipalOrgID
  • aws:PrincipalType
  • aws:Referer
  • aws:RequestedRegion
  • aws:SourceAccount
  • aws:SourceArn
  • aws:SourceIp
  • aws:SourceVpce
  • aws:userid
  • aws:username

This condition key is available for only some services

Aside from time-consuming trial-by-fire unit testing, how are customers expected to know which services are compatible with these conditions? It appears IAM knows of the services, and if so a 1:1 mapping of compatible services to global conditions should be present. This would greatly help with reducing unnecessary policy testing.

Similar problem for the 2 global tag conditions (different wording):

  • aws:TagKeys
  • aws:RequestTag/tag-key

Check your service to see whether it supports using this condition key.

Unfortunately, IAM has no way of knowing which services choose to support the globally available keys. That includes the tagging keys. For example, last week I assumed that Redshift supported aws:TagKeys because they support tagging. They do not support using aws:TagKeys.

The only way to know if a service supports these global keys is if they document them in their service documentation.

This is a cross-service issue that IAM is aware of. One problem from the past that we've solved is helping customers know which actions, resources, and conditions a service supports. We've automated that information. See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_actions-resources-contextkeys.html

I did clean up the page a bit. I separated the keys into two groups - keys available to all services (that support policies) and keys supported by only some services. The changes will be live later today.

@stephswo How do we find out which 'limited' services are supported, as no service documentation mentions them directly?
E.g. aws:RequestedRegion. No service documentation explicitly mentions it as a supported key; it only redirects back to the global keys document. This means the service document says global keys are supported but refers to the document about global keys, which redirects back to the service documentation to check whether it is really supported.
There is no way to check the supported services for such global keys directly from the documentation without painful policy testing.
Can you provide more info here?
Thanks!

You can search within the documentation using the built-in search, or you can do a Google search:
aws:RequestedRegion site:docs.aws.amazon.com

Specific to aws:RequestedRegion, the only service returned in the search results was EC2:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ExamplePolicies_EC2.html#iam-example-region

IAM has no way to get this information today. It's up to the 140+ services to choose if they support these recommended keys, and then to document it themselves.

@stephswo This is not the right way to find the supported services, as what you found also nowhere describes it as a supported global key. The successful find in this case was only due to a policy example where the key was mentioned. Without this example, are you saying this global key is not supported by any service, since there is no such info? The current state of the global key document raises more questions than answers, as there is no info on how to technically find out the supported services.
Btw, the text suggests that this global key is supported for any service with a Region attribute mentioned in AWS Regions and Endpoints.
At this link you can read that this global key is supported by all actions across all services, and an example shows it is supported by ec2, lambda, rds, etc.
Due to these documentation discrepancies, moving such global keys between partially supported services raises more questions than answers, and it seems a support ticket will not help to get the right answer, right?
Thanks