Updated on 2025-11-07 GMT+08:00

Identity Policy Variables

Introduction

When writing values for the Resource or Condition element, you can use identity policy variables as placeholders. When a request is evaluated against the policy, each placeholder is replaced with the value of the corresponding condition context key carried by that request.

Syntax and Replacement Rules

A variable is written as a $ sign followed by a pair of curly braces ({ }) that enclose the name of the condition key whose value is to be taken from the request. For example, the variable ${g:UserName} is replaced during policy evaluation with the value of the g:UserName condition key.

If the condition key named by the variable is not present in the request, or is a multivalued condition key, the replacement fails, and a statement whose Resource or Condition value contains the unresolved variable does not match the request.

For example, the g:UserName condition key is present in the request only when the principal is an IAM user. For any other principal the request carries no g:UserName key, so no Resource or Condition value that contains ${g:UserName} can match.

Similarly, the condition key g:CalledVia cannot be used as a variable because it is a multivalued condition key.

If the condition key named by a variable cannot be replaced, you can supply a literal text string as a default value. To add a default value, enclose it in a pair of single quotation marks (' ') and separate the condition key name from it with a comma and a space (, ). For example, ${key, 'default'} is replaced with the text string default if key is absent from the request or otherwise fails to be replaced. Condition key names are case-insensitive, but default values are case-sensitive. Spaces before and after the condition key name and around the default value's single quotation marks are ignored. For example, if the principal is an IAM user, ${ g:username , 'Default_User_Name' } is replaced with the value of g:UserName; for any other principal it is replaced with the text string Default_User_Name. Note that a default value turns a statement that would otherwise fail to match into one that does match, so choose defaults that keep the statement just as restrictive for principals that lack the key.

If you want the wildcards (* and ?) or the policy variable identifier ($) to be interpreted literally, write them as ${*}, ${?}, and ${$}, respectively. To include a single quotation mark (') in the default value of a policy variable, write two single quotation marks (''). For example, when the variable ${g:UserName, 'A single quote is '', two quotes are ''''.'} falls back to its default value, the result is A single quote is ', two quotes are ''.

Variables are replaced in a single pass. If the text inserted by a replacement itself contains variables, they are not replaced again. For example, when ${g:UserName, '${g:UserName}${*}'} falls back to its default value ${g:UserName}${*}, the ${g:UserName} and ${*} in that inserted text are left exactly as they are.

Example

Using Variables in the Resource Element

The identity policy preset in the service-linked agency for the Config service uses the ${g:DomainId} variable in the Resource element, "iam::${g:DomainId}:agency:rms_tracker_agency_v5", so that the statement refers to the trust agency URN of whichever account the policy is evaluated in:

{
	"Version": "5.0",
	"Statement": [{
		"Effect": "Allow",
		"Action": [
			"iam:agencies:attachPolicyV5",
			"iam:agencies:detachPolicyV5"
		],
		"Resource": [
			"iam::${g:DomainId}:agency:rms_tracker_agency_v5"
		],
		"Condition": {
			"StringEquals": {
				"iam:PolicyURN": "iam::system:policy:ConfigTrackAgencyPolicy"
			}
		}
	}]
}

Using Variables in the Condition Element

The following identity policy denies access to resources that belong to a different organization than the principal. The Null condition limits the deny to requests whose resource carries a g:ResourceOrgId, so resources without an organization ID are not caught by the StringNotEquals test:

{
	"Version": "5.0",
	"Statement": [{
		"Effect": "Deny",
		"Action": ["*"],
		"Resource": ["*"],
		"Condition": {
			"StringNotEquals": {
				"g:ResourceOrgId": "${g:PrincipalOrgId}"
			},
			"Null": {
				"g:ResourceOrgId": "false"
			}
		}
	}]
}

Using Variables with Tags

Tag each IAM user with a MaxAllowedMfaAge tag. The following identity policy allows IAM API access only to IAM users whose MFA authentication is no older than the number of seconds given by their MaxAllowedMfaAge tag. If the user has no such tag, the default value of 600 seconds is used.

{
	"Version": "5.0",
	"Statement": [{
		"Effect": "Allow",
		"Action": ["iam:*"],
		"Condition": {
			"NumberLessThanEquals": {
				"g:MFAAge": "${g:PrincipalTag/MaxAllowedMfaAge, '600'}"
			}
		}
	}]
}
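The following is an added example, not code from the page or from the cloud provider: a reference resolver for the variable syntax described under Syntax and Replacement Rules (defaults, quote doubling, the ${*}, ${?} and ${$} escapes, case-insensitive key names, whitespace trimming, single-pass replacement, and failure on absent or multivalued keys), together with a minimal evaluator that runs the page's cross-organization deny and MFA-age Condition blocks against constructed request contexts. The operator semantics for absent request keys in condition_matches are an assumption modelled on the page's examples, and the domain and organization IDs used in the demo are made up.

```python
from typing import Dict, List, Optional, Tuple, Union

# A str is a single-valued condition key; a list models a multivalued one such as g:CalledVia.
ContextValue = Union[str, List[str]]


def _parse_variable(template: str, start: int) -> Tuple[str, Optional[str], int]:
    """Parse one ${key} or ${key, 'default'} whose "${" begins at template[start].
    Returns (key, default or None, index just past the closing brace). The default is
    scanned as a quoted string, so a '}' or '${' inside it does not end the variable."""
    n = len(template)
    end = start + 2
    while end < n and template[end] not in ",}":
        end += 1
    if end == n:
        raise ValueError("unterminated variable")
    key = template[start + 2:end].strip()            # spaces around the key name are ignored
    if template[end] == "}":
        return key, None, end + 1
    q = template.find("'", end)                      # opening quote of the default value
    if q < 0 or template[end + 1:q].strip():
        raise ValueError("default value must be single-quoted")
    buf: List[str] = []
    j = q + 1
    while j < n and (template[j] != "'" or template.startswith("''", j)):
        buf.append("'" if template[j] == "'" else template[j])   # '' is one literal quote
        j += 2 if template[j] == "'" else 1
    close = template.find("}", j)
    if j == n or close < 0 or template[j + 1:close].strip():
        raise ValueError("expected '}' after the default value")
    return key, "".join(buf), close + 1


def resolve(template: str, context: Dict[str, ContextValue]) -> Optional[str]:
    """Substitute variables in one Resource or Condition value. Returns None when a
    variable cannot be replaced (key absent or multivalued, and no default), which the
    caller must treat as "statement does not match". Single pass: a default's text is
    copied verbatim and never rescanned."""
    lookup = {k.lower(): v for k, v in context.items()}   # key names are case-insensitive
    out: List[str] = []
    i = 0
    while i < len(template):
        if not template.startswith("${", i):
            out.append(template[i])
            i += 1
            continue
        key, default, i = _parse_variable(template, i)
        if key in ("*", "?", "$"):                   # ${*}, ${?}, ${$} yield the literal character
            out.append(key)
            continue
        value = lookup.get(key.lower())
        if isinstance(value, str):
            out.append(value)
        elif default is not None:
            out.append(default)                       # defaults are case-sensitive, used as-is
        else:
            return None
    return "".join(out)


def condition_matches(condition: Dict[str, Dict[str, str]],
                      context: Dict[str, ContextValue]) -> bool:
    """Evaluate a Condition block; every operator/key pair must hold. Assumed semantics
    (modelled on the page's examples, not a spec): "Null" tests key presence,
    StringNotEquals holds when the request key is absent (which is why the page's deny
    pairs it with a Null check), and NumberLessThanEquals fails for an absent key."""
    lookup = {k.lower(): v for k, v in context.items()}
    for operator, pairs in condition.items():
        for key, policy_value in pairs.items():
            expected = resolve(policy_value, context)
            if expected is None:
                return False                          # unresolved variable: statement cannot match
            actual = lookup.get(key.lower())
            if operator == "Null":
                if (actual is not None) != (expected == "false"):
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual == expected:
                    return False
            elif operator == "NumberLessThanEquals":
                if actual is None or float(actual) > float(expected):
                    return False
            else:
                raise ValueError(f"operator not modelled here: {operator}")
    return True


# Condition blocks copied from the page's two Condition examples.
CROSS_ORG_DENY = {
    "StringNotEquals": {"g:ResourceOrgId": "${g:PrincipalOrgId}"},
    "Null": {"g:ResourceOrgId": "false"},
}
MFA_AGE_ALLOW = {
    "NumberLessThanEquals": {"g:MFAAge": "${g:PrincipalTag/MaxAllowedMfaAge, '600'}"},
}

if __name__ == "__main__":
    # Constructed request contexts; the domain and organization IDs are made up.
    print(resolve("iam::${g:DomainId}:agency:rms_tracker_agency_v5", {"g:DomainId": "0123456789abcdef"}))
    print(resolve("${g:UserName, '${g:UserName}${*}'}", {}))          # single pass: stays literal
    print(condition_matches(CROSS_ORG_DENY, {"g:PrincipalOrgId": "o-aaaa", "g:ResourceOrgId": "o-bbbb"}))
    print(condition_matches(MFA_AGE_ALLOW, {"g:MFAAge": "900", "g:PrincipalTag/MaxAllowedMfaAge": "1200"}))
```

Because resolve returns None rather than an empty string on failure, the evaluator cannot accidentally compare a request value against "" when a key is missing; that distinction is what makes a missing g:PrincipalOrgId leave the deny statement unmatched, exactly as the rules above describe, and it is worth checking for in any policy whose Deny relies on a variable that some principals never carry.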