Comments (2)
Unfortunately, IAM has no way of knowing if a service supports any of the AWS global condition keys today. The IAM team is aware of this problem, but right now, the only way to know is to check the service documentation sets and hope that they documented them. You can find the landing page for each service doc set on the following docs website: https://docs.aws.amazon.com
The WorkDocs link that you provided is the page in the IAM documentation. This is different than the service documentation that you can find using the link above. If a global (aws:) key is not in these pages, then the service team hasn't told IAM. Links on these IAM pages direct you to the global condition keys because that service DOES support using the keys for all services listed at the top of the page.
Specific to aws:RequestedRegion, I did a Google search:
aws:RequestedRegion site:docs.aws.amazon.com
And the only service that came up was EC2:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ExamplePolicies_EC2.html#iam-example-region
So the answer is, there is no list. Anywhere. Limited availability means that the only way you can learn whether a service supports these keys is to search the service's documentation. IAM makes these keys available to other services and recommends that they implement them. Those services can choose to support them, but they don't tell IAM. There is no centralized list, and no guarantee that the service even documents the keys if they do support them. Every service in AWS (140+) acts independently.
I can tell you that we know it's a problem. We've improved a similar situation with helping customers learn which actions, resource types, and service-specific condition keys that services support for IAM policies. The page you mentioned is a result of that fix. We now require services to programmatically provide all of the information that you see on the Actions, Resources, and Condition Keys pages: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_actions-resources-contextkeys.html
These pages all come from the service data and are automatically generated.
from iam-user-guide.
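Since there is no central list, a practical first step is to find where your own policies depend on global (aws:) condition keys and which services' actions they gate, so you know which service doc sets to search. The sketch below is an added example, not part of the original thread; the sample policy is constructed and the function name `global_key_dependencies` is hypothetical.

```python
import json
from collections import defaultdict

# Constructed sample policy for illustration (not from the original thread).
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "RegionLock", "Effect": "Deny",
     "Action": ["ec2:*", "workdocs:*"], "Resource": "*",
     "Condition": {"StringNotEquals":
        {"aws:RequestedRegion": ["eu-west-1", "eu-central-1"]}}},
    {"Sid": "TagScoped", "Effect": "Allow",
     "Action": "ec2:StartInstances", "Resource": "*",
     "Condition": {"StringEquals": {"ec2:ResourceTag/env": "dev"}}}
  ]
}
""")


def _as_list(value):
    """IAM accepts either a single value or a list for Statement and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def global_key_dependencies(policy):
    """Map each global (aws:) condition key used in the policy to the
    service prefixes whose actions it gates."""
    deps = defaultdict(set)
    for stmt in _as_list(policy.get("Statement")):
        if "NotAction" in stmt:
            # NotAction covers everything except the listed actions.
            services = {"*"}
        else:
            services = {a.split(":", 1)[0].lower() if ":" in a else "*"
                        for a in _as_list(stmt.get("Action"))}
        for keys in (stmt.get("Condition") or {}).values():
            for key in keys:
                # Key names are case-insensitive. Service-specific keys
                # (ec2:..., s3:...) are skipped: only aws: keys are global.
                if key.lower().startswith("aws:"):
                    deps[key].update(services)
    return {key: sorted(svcs) for key, svcs in deps.items()}


if __name__ == "__main__":
    for key, svcs in global_key_dependencies(SAMPLE_POLICY).items():
        print(f"{key}: verify support in the docs for {', '.join(svcs)}")
```

Each service prefix in the output is one documentation set to search for the key, for example with the `site:docs.aws.amazon.com` query shown above.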
@stephswo Thanks for your answer.
Sure, the WorkDocs example was taken from the service docs, but I posted one of the mentioned guides which referenced the condition or aws: string.
From your points I understand there is no way to find out which services are supported, and no official list of them. By reading this post it seems this global key is not service-dependent, as it restricts API calls to specific regions only.
Comparing all the existing documentation, it is not clear what the right answer is now.
Thanks for clarifying it a little bit 👍