Global Condition Key
When a principal sends a request to a cloud service, the cloud service gathers the request information into a request context. You can compare the request context with the condition keys specified in the "Condition" element of your JSON identity policy to control access. The request information comes from multiple sources, including the principal initiating the request, the requested resource, and the metadata of the request itself.
Condition keys are key values in the "Condition" element of a policy statement. You can specify a global or a service-specific condition key.
- Global condition keys (prefixed with g:) apply to all actions.
- Service-specific condition keys (prefixed with the service abbreviation) apply only to actions on the corresponding service. For details, see Actions Supported by Identity Policy-based Authorization, open the chapter of the specified cloud service, and go to the "Conditions" section.
The global condition keys on this page are grouped by what they describe:
- Principal Properties
- Assumed-Agency/Trust Agency Session Properties
- Network Properties
- Resource Properties
- Request Properties
Sensitive Condition Keys
Principal Properties
- g:PrincipalUrn
URN of the principal that made the request. Different principals have different URN formats.
IAM user: iam::<account-id>:user:<user-name>
IAM agency or trust session: sts::<account-id>:assumed-agency:<agency-name>/<session-name>
Virtual federated user: sts::<account-id>:external-user:<idp-id>/<session-name>
This key is used to compare the URN of the principal who made the request with the URN specified in the identity policy.
- Data type: string
- Value type: single-valued
For example, the following identity policy can be attached to a user group so that, among its members, only IAM user yyy is allowed to assume agencies.
{
  "Version": "5.0",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["sts:agencies:assume"],
    "Condition": {
      "StringEquals": {
        "g:PrincipalUrn": "iam::xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:user:yyy"
      }
    }
  }]
}
- g:PrincipalAccount
Account ID of the principal who made the request, compared with the account ID specified in the identity policy. The value is the same as that of g:DomainId.
- Data type: string
- Value type: single-valued
- g:PrincipalOrgPath
Path of the organization that the requesting principal belongs to. You can use this condition key to control access to the specified APIs only from accounts within the specified organization root or organizational units (OUs). This condition key is present only when the requesting principal is part of an organization.
The format of the organization path is <organization-id>/<root-id>/(<ou-id>/)*<account-id>.
- Data type: string
- Value type: single-valued
For example, the following condition matches principals whose account is in OU ou-qqq (o-xxx/r-yyy/ou-zzz/ou-qqq) or in any OU nested under it; the trailing * spans the remaining path segments, so nested OUs and their accounts match as well.
{
  "Condition": {
    "StringMatch": {
      "g:PrincipalOrgPath": "o-xxx/r-yyy/ou-zzz/ou-qqq/*"
    }
  }
}
- g:PrincipalOrgID
ID of the organization that the requesting principal belongs to. You can use this condition key to control access to the specified APIs only from identities in the specific organization. This condition key is present only when the requesting principal is part of an organization.
- Data type: string
- Value type: single-valued
For example, the following trust policy allows account xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx to assume the agency or trust agency only while that account is in organization o-yyyyyyyyyyy.
{
  "Version": "5.0",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "IAM": ["xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"]
    },
    "Action": ["sts:agencies:assume"],
    "Condition": {
      "StringEquals": {
        "g:PrincipalOrgID": "o-yyyyyyyyyyy"
      }
    }
  }]
}
- g:PrincipalTag/<tag-key>
Tag contained in the requesting principal. The <tag-key> is case-insensitive. This condition key is present only when the requesting principal is a tagged IAM user or trust agency, or an assumed-agency/trust agency session with a session tag.
AssumeAgency API can be used to obtain an assumed-agency/trust agency session. The session tag can be set only by the AssumeAgency API using the tags parameter. CreateTemporaryAccessKeyByAgency API does not support the setting of session tags.
- Data type: string
- Value type: single-valued
For example, the following identity policy allows IAM APIs to be called only by IAM users tagged with {"department": "hr"}.
{
  "Version": "5.0",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["iam:*"],
    "Resource": ["*"],
    "Condition": {
      "StringEquals": {
        "g:PrincipalTag/department": "hr"
      }
    }
  }]
}
- g:PrincipalIsService
Whether the requesting principal is a cloud service. You can use this condition key to control whether only cloud services can access the specified APIs.
- Data type: boolean
- Value type: single-valued
The following example allows only non-service principals to access OBS.
{
  "Version": "5.0",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["obs:*:*"],
    "Condition": {
      "Bool": {
        "g:PrincipalIsService": ["false"]
      }
    }
  }]
}
- g:PrincipalServiceName
Name of the service principal who made the request. This condition key is present only when the requesting principal is a cloud service.
- Data type: string
- Value type: single-valued
For example, the following condition matches only requests made by the IAM service principal, service.IAM.
{
  "Condition": {
    "StringEquals": {
      "g:PrincipalServiceName": "service.IAM"
    }
  }
}
- g:PrincipalType
Type of the requesting principal: User, AssumedAgency, or ExternalUser. The value is User when an IAM user makes the request, AssumedAgency when an IAM assumed-agency/trust agency session makes the request, and ExternalUser when a virtual federated user makes the request.
- Data type: string
- Value type: single-valued
- g:UserId
ID of an IAM user. This condition key is present only when the requester is an IAM user.
- Data type: string
- Value type: single-valued
The following example allows all actions for the IAM user whose ID is 111122223333.
{
  "Version": "5.0",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["*:*:*"],
    "Condition": {
      "StringEquals": {
        "g:UserId": ["111122223333"]
      }
    }
  }]
}
- g:UserName
Name of an IAM user. This condition key is present only when the requester is an IAM user.
- Data type: string
- Value type: single-valued
The following example denies users whose names start with TestUser from deleting vaults whose names start with vault.
{
  "Version": "5.0",
  "Statement": [{
    "Effect": "Deny",
    "Action": ["cbr:vaults:delete"],
    "Resource": ["cbr:*:*:vault:vault*"],
    "Condition": {
      "StringMatch": {
        "g:UserName": ["TestUser*"]
      }
    }
  }]
}
- g:DomainName
Account name of the requester. The account name of the root user and all IAM users in the account is the same.
- Data type: string
- Value type: single-valued
The following example allows the object to be obtained only by requesters whose account name is ZhangSan.
{
  "Version": "5.0",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["obs:object:GetObject"],
    "Condition": {
      "StringEquals": {
        "g:DomainName": ["ZhangSan"]
      }
    }
  }]
}
- g:DomainId
Account ID (value of AccountId) of the requester.
- Data type: string
- Value type: single-valued
The following identity policy is preset in the service-linked agency for the Config service. The policy variable ${g:DomainId} in the "Resource" element resolves to the ID of the account the request belongs to, so iam::${g:DomainId}:agency:rms_tracker_agency_v5 names the trust agency rms_tracker_agency_v5 of that account without hard-coding the account ID.
{
  "Version": "5.0",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "iam:agencies:attachPolicyV5",
      "iam:agencies:detachPolicyV5"
    ],
    "Resource": ["iam::${g:DomainId}:agency:rms_tracker_agency_v5"],
    "Condition": {
      "StringEquals": {
        "iam:PolicyURN": "iam::system:policy:ConfigTrackAgencyPolicy"
      }
    }
  }]
}
- g:PrincipalIsRootUser
Whether the requester is the root user of the account. This property is carried in all requests.
- Data type: boolean
- Value type: single-valued
The following example allows only the root user of the account to list IAM users.
{
  "Version": "5.0",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["iam:users:listUsersV5"],
    "Condition": {
      "Bool": {
        "g:PrincipalIsRootUser": ["true"]
      }
    }
  }]
}
- g:PrincipalId
ID of the requesting principal. Different principals have different ID formats.
IAM users: <user-id>
Assumed-agency/trust agency session: <agency-id>:<session-name>
Virtual federated users: <idp-id>:<session-name>
- Data type: string
- Value type: single-valued
- g:PrincipalOrgManagementAccountId
ID of the management account in the organization that the requesting principal belongs to. This condition key is present only when the requesting principal is part of an organization.
- Data type: string
- Value type: single-valued
For example, the following condition matches requests whose principal belongs to an organization whose management account ID is xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
{
  "Condition": {
    "StringEquals": {
      "g:PrincipalOrgManagementAccountId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    }
  }
}
Assumed-Agency/Trust Agency Session Properties
You can use the following condition keys to compare properties of an assumed-agency/trust agency session as they were when the session was created. These condition keys apply only to requests made with an assumed-agency/trust agency session, and their values come from the metadata embedded in the session token.
An agency or trust agency is itself a principal, so the condition keys in the "Principal Properties" section also apply to requests made with an assumed-agency/trust agency session; they describe the session as it is at the time the request is made.
- g:SourceIdentity
The source_identity field specified when a user first obtains STS security tokens through the AssumeAgency API of STS. Once set, the field cannot be changed during subsequent agency switches, so it survives chained assumptions and identifies the original caller. The CreateTemporaryAccessKeyByAgency API cannot set source_identity. This condition key is present only when the STS security token used for the request carries a source_identity.
- Data type: string
- Value type: single-valued
The following trust policy allows account xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx to assume the agency or trust agency only with a token whose source_identity is yyyyy.
{
  "Version": "5.0",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "IAM": ["xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"]
    },
    "Action": ["sts:agencies:assume"],
    "Condition": {
      "StringEquals": {
        "g:SourceIdentity": "yyyyy"
      }
    }
  }]
}
- g:TokenIssueTime
Time when the STS security token in the access credentials was issued. This condition key is present only when the request is sent using an STS security token.
- Data type: time
- Value type: single-valued
By attaching the following identity policy to a trust agency, you can deny requests signed by temporary security credentials issued before a specific time, for example to cut off sessions that were already active when a credential compromise was discovered. Temporary security credentials are generated when the AssumeAgency API assumes the trust agency.
{
  "Version": "5.0",
  "Statement": [{
    "Effect": "Deny",
    "Action": ["*"],
    "Resource": ["*"],
    "Condition": {
      "DateLessThan": {
        "g:TokenIssueTime": "2024-03-01T12:00:00Z"
      }
    }
  }]
}
- g:AssumedByService
Service principal of the cloud service that assumed the agency or trust agency.
The service that assumed the agency is not necessarily the requester. For example, in some scenarios ECS obtains the agency credential after assuming the agency and hands the credential to a customer; the customer that then uses the credential to send a request is the requester, while this key still names the service that assumed the agency.
- Data type: string
- Value type: single-valued
If you attach the following policy to a trust agency, TMS can be accessed only when RGC is the service that assumed the agency.
{
  "Version": "5.0",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["tms:*:*"],
    "Resource": ["*"],
    "Condition": {
      "StringEquals": {
        "g:AssumedByService": ["service.RGC"]
      }
    }
  }]
}
- g:MFAPresent
Whether multi-factor authentication (MFA) was used to obtain the STS security token. This condition key is true only when you log in to the console with MFA or make the request with an assumed-agency/trust agency session obtained with MFA. It is present only when the request is sent using an STS security token; requests signed with permanent credentials do not carry it.
- Data type: boolean
- Value type: single-valued
For example, the following identity policy allows API calls only from principals authenticated with MFA. Because BoolIfExists evaluates to true when the key is absent, the Deny also covers requests signed with permanent credentials, which carry no g:MFAPresent key; a plain Bool would evaluate to false for those requests and leave them unaffected.
{
  "Version": "5.0",
  "Statement": [{
    "Effect": "Deny",
    "Action": ["*"],
    "Resource": ["*"],
    "Condition": {
      "BoolIfExists": {
        "g:MFAPresent": "false"
      }
    }
  }]
}
- g:MFAAge
Number of seconds elapsed since the MFA authentication through which the STS security token was obtained. This condition key is present only when you log in to the console with MFA or make the request with an assumed-agency/trust agency session obtained with MFA.
- Data type: number
- Value type: single-valued
Tag each IAM user with MaxAllowedMfaAge. The following identity policy allows IAM API access only for IAM users whose MFA authentication is no older than the number of seconds in their MaxAllowedMfaAge tag; if the tag is not set, the policy variable's default of 600 seconds applies.
{
  "Version": "5.0",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["iam:*"],
    "Condition": {
      "NumberLessThanEquals": {
        "g:MFAAge": "${g:PrincipalTag/MaxAllowedMfaAge, '600'}"
      }
    }
  }]
}
Network Properties
You can use the following condition keys to compare the network information in a request with the network properties specified in your policy.
- g:SourceIp
Source IP address of the requester as seen from the public network.
This condition key is present only when the request does not arrive through a VPC endpoint; for a request initiated within a VPC and passed through a VPC endpoint, g:VpcSourceIp is populated instead. Use it as an access control condition only for access initiated over the public network. It does not take effect when a cloud service uses an agency or trust agency to initiate access on behalf of a user without going through the public network.
- Data type: IP address
- Value type: single-valued
Example 1: Attach the following policy to an IAM identity. It denies KMS decryption requests, whether programmatic or from the console, from source IP addresses in the xxx.xx.xx.0/24 range.
{
  "Version": "5.0",
  "Statement": [{
    "Effect": "Deny",
    "Action": ["kms:cmk:decryptData"],
    "Resource": ["*"],
    "Condition": {
      "IpAddress": {
        "g:SourceIp": "xxx.xx.xx.0/24"
      }
    }
  }]
}
The source IP address must be a public IP address. Do not include a private IP address in the condition key.
The g:SourceIp condition key in the initial request context is not passed to the subsequent forward access session (FAS) requests that a service makes on behalf of the principal. If g:SourceIp is used to control access, those forwarded requests may therefore be rejected. In practice, use condition keys such as g:ViaService and g:PrincipalUrn to allow FAS requests. There is one exception: public access initiated from the console is treated as programmatic access from the public network, so the initial SourceIp is included in the request the console forwards on behalf of the principal.
Some cloud services may not be fully interconnected with IAM. If a request is forwarded across services, the CalledVia information will be lost, causing the loss of condition keys such as g:ViaService, g:CalledVia, g:CalledViaFirst, and g:CalledViaLast. As a result, the policy check result may be incorrect.
Example 2: A principal can use the TMS API to modify the tags of an ECS instance. The principal calls the TMS API, and TMS makes a FAS request to the tag management API of ECS on behalf of the principal. The source IP address is not passed to the called service. Although the FAS request does not carry the network information of the access initiated by the customer, you can control the entry point of the call chain so that the whole chain meets the access control requirement. The following example uses g:ViaService to apply the source IP check to the direct call to TMS and to exclude the indirect FAS access from TMS to ECS.
{
  "Version": "5.0",
  "Statement": [{
    "Effect": "Deny",
    "Action": ["ecs:*:*", "tms:*:*"],
    "Resource": ["*"],
    "Condition": {
      "NotIpAddress": {
        "g:SourceIp": ["103.218.xxx.xx"]
      },
      "BoolIfExists": {
        "g:ViaService": "false"
      }
    }
  }]
}
Here, FAS means that TMS calls the tag management API of ECS on behalf of the principal, and the g:SourceIp condition key of the initial request is not passed along with the forwarded request. The "BoolIfExists": {"g:ViaService": "false"} condition restricts the Deny to non-FAS requests. When a request reaches TMS directly from the public network, g:ViaService is absent, the IfExists operator treats the absent key as a match, and the source IP check applies. When TMS forwards the request to ECS, g:ViaService is true, so the Deny does not apply and the forwarded request is not rejected for lacking g:SourceIp. This is how g:SourceIp can be used for access control even though it is not carried through FAS access.
Example 3: Access to cloud service resources through the console is itself FAS access by the console on behalf of the principal. When the console makes a FAS request, it passes the client's network information to the cloud service it calls directly, but that service does not pass the client's network information on to the services it calls in turn. To achieve the effect of Example 2 when TMS is accessed from the console and then modifies the tags of an ECS instance through the TMS API, use the following policy. The second statement applies the source IP check to the hop in which the console is both the first and the last service in the chain, that is, the request the console sends directly to TMS.
{
  "Version": "5.0",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": ["ecs:*:*", "tms:*:*"],
      "Resource": ["*"],
      "Condition": {
        "NotIpAddress": {
          "g:SourceIp": ["103.218.xxx.xx"]
        },
        "BoolIfExists": {
          "g:ViaService": "false"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": ["ecs:*:*", "tms:*:*"],
      "Resource": ["*"],
      "Condition": {
        "NotIpAddress": {
          "g:SourceIp": ["103.218.xxx.xx"]
        },
        "StringEquals": {
          "g:CalledViaFirst": "service.console",
          "g:CalledViaLast": "service.console"
        }
      }
    }
  ]
}
Example 4: You can create a cloud service trust agency that authorizes a cloud service to run asynchronous tasks for you. After the cloud service obtains credentials through the trust agency, it requests other cloud services directly over the internal network. These requests are initiated by the cloud service itself and carry no public source IP, so exclude such service trust agencies by identity, as the StringNotMatch condition on g:PrincipalUrn does below.
{
  "Version": "5.0",
  "Statement": [{
    "Effect": "Deny",
    "Action": ["rms:*:*", "smn:*:*"],
    "Resource": ["*"],
    "Condition": {
      "NotIpAddress": {
        "g:SourceIp": ["103.218.xxx.xx"]
      },
      "BoolIfExists": {
        "g:ViaService": "false"
      },
      "StringNotMatch": {
        "g:PrincipalUrn": ["sts::<account-id>:assumed-agency:<service-agency-name>/*"]
      }
    }
  }]
}
- g:SourceVpc
ID of the VPC from which the request is sent. This condition key is present only when the request is initiated within a VPC and passes through a VPC endpoint to access a cloud service that is configured as a VPC endpoint service.
- Data type: string
- Value type: single-valued
- g:SourceVpce
ID of the VPC endpoint that initiates the request. This condition key is present only when the request is initiated within a VPC and passes through a VPC endpoint to access a cloud service that is configured as a VPC endpoint service.
- Data type: string
- Value type: single-valued
Example 1: The following identity policy can be attached to IAM users so that KMS decryption is allowed only for requests from VPC endpoint xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.
{
  "Version": "5.0",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["kms:cmk:decryptData"],
    "Resource": ["*"],
    "Condition": {
      "StringEquals": {
        "g:SourceVpce": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
      }
    }
  }]
}
Example 2: The following identity policy can be attached to an IAM user to deny KMS decryption from any source other than VPC endpoint xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx, while still allowing cloud services to forward requests on behalf of the principal. Because g:ViaService is absent from requests that reach the service directly, the IfExists form of the operator is needed for the Deny to apply to those requests; a plain Bool would evaluate to false when the key is absent, and the Deny would never take effect.
{
  "Version": "5.0",
  "Statement": [{
    "Effect": "Deny",
    "Action": ["kms:cmk:decryptData"],
    "Resource": ["*"],
    "Condition": {
      "StringNotEquals": {
        "g:SourceVpce": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
      },
      "BoolIfExists": {
        "g:ViaService": "false"
      }
    }
  }]
}
- g:VpcSourceIp
Source IP address of a request initiated from a VPC. This condition key is present only when the request is initiated within a VPC and passes through a VPC endpoint to access a cloud service that is configured as a VPC endpoint service.
- Data type: IP address
- Value type: single-valued
- g:SourceVpceOrgId
ID of the organization that the account owning the VPC endpoint (g:SourceVpceAccount) belongs to. This key is present only when the request is initiated from a VPC through a VPC endpoint and the account owning the VPC endpoint is part of an organization.
- Data type: string
- Value type: single-valued
The following identity policy allows OBS access only through VPC endpoints owned by accounts in organization o-xxxxxx:
{
  "Version": "5.0",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["obs:*:*"],
    "Resource": ["*"],
    "Condition": {
      "StringEquals": {
        "g:SourceVpceOrgId": "o-xxxxxx"
      }
    }
  }]
}
- g:SourceVpceOrgPath
Organization path of the account owning the VPC endpoint (g:SourceVpceAccount). This key is present only when the request is initiated from a VPC through a VPC endpoint and the account owning the VPC endpoint is part of an organization.
- Data type: string
- Value type: single-valued
The following policy allows OBS access only through VPC endpoints owned by accounts under the OU path o-xxxx/r-xxxx/ou-xxxx-11111111/ou-xxxx-xxx, including nested OUs:
{
  "Version": "5.0",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["obs:*:*"],
    "Resource": ["*"],
    "Condition": {
      "StringMatch": {
        "g:SourceVpceOrgPath": "o-xxxx/r-xxxx/ou-xxxx-11111111/ou-xxxx-xxx/*"
      }
    }
  }]
}
- g:SourceVpceAccount
ID of the account to which the VPC endpoint ID used to initiate the request belongs. This property is carried only when the request is initiated from a VPC through a VPC endpoint.
- Data type: string
- Value type: single-valued
The following policy allows OBS access only through VPC endpoints owned by account account-id-1:
{
  "Version": "5.0",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["obs:*:*"],
    "Resource": ["*"],
    "Condition": {
      "StringEquals": {
        "g:SourceVpceAccount": ["account-id-1"]
      }
    }
  }]
}
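The g:MFAPresent example (BoolIfExists), the g:SourceIp Examples 2 and 3 (g:ViaService) and the g:SourceVpce Example 2 all depend on how an operator behaves when its condition key is absent from the request context. The following evaluator is an added example, not code from the original page or the cloud provider; it encodes those absent-key rules as assumptions drawn from the page's examples, replaces the page's placeholder IP with the documentation range 203.0.113.0/24, and uses hypothetical TMS/ECS action names where the page only shows wildcards.

```python
"""Minimal evaluator for the "Condition" element of a version 5.0 identity policy.

Added example, not code from the original page or the cloud provider. The absent-key
rules below are assumptions drawn from the page's own examples, not a published spec:
a plain operator fails when its key is missing from the request context, an
"...IfExists" operator succeeds, and a negated operator (StringNot*, NotIpAddress)
succeeds. Only operators used on the page are implemented; Resource matching is omitted.
"""
import fnmatch
import ipaddress

MISSING = object()

def _is_negated(op):
    return op.startswith(("StringNot", "NotIp"))

def _as_list(value):
    return list(value) if isinstance(value, (list, tuple)) else [value]

def _compare(op, actual, expected):
    """Evaluate one present context value against one policy value for op."""
    if op in ("StringEquals", "StringNotEquals"):
        hit = actual == expected
    elif op in ("StringMatch", "StringNotMatch"):
        hit = fnmatch.fnmatchcase(actual, expected)
    elif op == "Bool":
        hit = str(actual).lower() == str(expected).lower()
    elif op in ("IpAddress", "NotIpAddress"):
        hit = ipaddress.ip_address(actual) in ipaddress.ip_network(expected, strict=False)
    else:
        raise ValueError(f"unsupported operator {op}")
    return (not hit) if _is_negated(op) else hit

def evaluate_condition(condition, ctx):
    """True when every operator block of a Condition element is satisfied by ctx."""
    for raw_op, pairs in condition.items():
        quantifier, _, op = raw_op.rpartition(":")      # e.g. "ForAnyValue:StringEquals"
        if_exists = op.endswith("IfExists")
        op = op[:-len("IfExists")] if if_exists else op
        for key, expected in pairs.items():
            actual = ctx.get(key, MISSING)
            if actual is MISSING:
                if if_exists or _is_negated(op):
                    continue
                return False
            # Negated: must hold against every listed value; positive: against any one.
            combine = all if _is_negated(op) else any
            hits = [combine(_compare(op, a, e) for e in _as_list(expected)) for a in _as_list(actual)]
            fold = {"ForAllValues": all, "ForAnyValue": any}.get(quantifier, lambda h: h[0])
            if not fold(hits):
                return False
    return True

def matching_deny(policy, action, ctx):
    """True if a Deny statement covers action and its Condition holds under ctx."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if evaluate_condition(stmt.get("Condition", {}), ctx):
            return True
    return False

def deny(actions, condition):
    return {"Version": "5.0", "Statement": [{"Effect": "Deny", "Action": actions,
                                             "Resource": ["*"], "Condition": condition}]}

ALLOWED_RANGE = "203.0.113.0/24"   # constructed; stands in for the page's 103.218.xxx.xx
VPCE = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
MFA_DENY = deny(["*"], {"BoolIfExists": {"g:MFAPresent": "false"}})
SOURCE_IP_DENY = deny(["ecs:*:*", "tms:*:*"], {"NotIpAddress": {"g:SourceIp": [ALLOWED_RANGE]},
                                               "BoolIfExists": {"g:ViaService": "false"}})

def vpce_deny(bool_operator):
    """The g:SourceVpce Example 2 policy with either "Bool" or "BoolIfExists"."""
    return deny(["kms:cmk:decryptData"], {"StringNotEquals": {"g:SourceVpce": VPCE},
                                          bool_operator: {"g:ViaService": "false"}})

def demo():
    """Evaluate the page's scenarios; every value should be True."""
    outside, inside = {"g:SourceIp": "198.51.100.7"}, {"g:SourceIp": "203.0.113.9"}
    fas_hop = {"g:ViaService": "true", "g:CalledVia": ["service.TMS"]}   # SourceIp not forwarded
    # The TMS/ECS action names are hypothetical; the page only uses wildcards for them.
    return {
        "mfa_permanent_creds_denied": matching_deny(MFA_DENY, "iam:users:listUsersV5", {}),
        "mfa_session_allowed": not matching_deny(MFA_DENY, "iam:users:listUsersV5", {"g:MFAPresent": "true"}),
        "tms_direct_outside_denied": matching_deny(SOURCE_IP_DENY, "tms:tags:create", outside),
        "tms_direct_inside_allowed": not matching_deny(SOURCE_IP_DENY, "tms:tags:create", inside),
        "ecs_fas_hop_allowed": not matching_deny(SOURCE_IP_DENY, "ecs:servers:updateTags", fas_hop),
        "vpce_plain_bool_never_denies": not matching_deny(vpce_deny("Bool"), "kms:cmk:decryptData", outside),
        "vpce_ifexists_denies": matching_deny(vpce_deny("BoolIfExists"), "kms:cmk:decryptData", outside),
    }
```

The last two entries of demo() are the point of the g:SourceVpce Example 2 wording: with a plain Bool the Deny never fires for a direct public-network request, because g:ViaService is not in that request's context at all. Before relying on any IfExists or negated-operator behaviour in production, confirm it against the platform's policy simulator or a test account rather than against this model.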
Resource Properties
- g:ResourceAccount
Requested resource owner's account ID. This condition key is present only in actions of cloud services that support fine-grained permissions management. For the actions that support this condition key, see Actions Supported by Identity Policy-based Authorization. Then, open the chapter of the cloud service, navigate to the "Actions" section, and check the "Resource Type" column in Table 1.
- Data type: string
- Value type: single-valued
For example, the following identity policy prevents users from decrypting data with KMS keys owned by any account other than xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
{
  "Version": "5.0",
  "Statement": [{
    "Effect": "Deny",
    "Action": ["kms:cmk:decryptData"],
    "Resource": ["*"],
    "Condition": {
      "StringNotEquals": {
        "g:ResourceAccount": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
      }
    }
  }]
}
- g:ResourceOrgId
ID of the organization that the requested resource account belongs to. This condition key is present only in actions of cloud services that support fine-grained permissions management and the resource owner account is part of an organization. For the actions that support this condition key, see Actions Supported by Identity Policy-based Authorization. Then, open the chapter of the cloud service, navigate to the "Actions" section, and check the "Resource Type" column in Table 1.
- Data type: string
- Value type: single-valued
For example, the following identity policy prevents users from decrypting data with KMS keys owned by accounts outside organization o-xxxxxxxx.
{
  "Version": "5.0",
  "Statement": [{
    "Effect": "Deny",
    "Action": ["kms:cmk:decryptData"],
    "Resource": ["*"],
    "Condition": {
      "StringNotEquals": {
        "g:ResourceOrgId": "o-xxxxxxxx"
      }
    }
  }]
}
- g:ResourceOrgPath
Path in the organization that the requested resource account belongs to. This condition key is present only in actions of cloud services that support fine-grained permissions management and the resource owner account is part of an organization. For the actions that support this condition key, see Actions Supported by Identity Policy-based Authorization. Then, open the chapter of the cloud service, navigate to the "Actions" section, and check the "Resource Type" column in Table 1.
- Data type: string
- Value type: single-valued
Example 1: The following identity policy allows users to decrypt data only with KMS keys owned by accounts in OU ou-qqq or in any OU nested under it; the trailing * spans the remaining path segments.
{
  "Version": "5.0",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["kms:cmk:decryptData"],
    "Resource": ["*"],
    "Condition": {
      "StringMatch": {
        "g:ResourceOrgPath": "o-xxx/r-yyy/ou-zzz/ou-qqq/*"
      }
    }
  }]
}
Example 2: The following identity policy allows users to decrypt data only with KMS keys owned by accounts in the child OUs under ou-qqq. Accounts placed directly in ou-qqq do not match, because the segment after ou-qqq/ must start with ou-.
{
  "Version": "5.0",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["kms:cmk:decryptData"],
    "Resource": ["*"],
    "Condition": {
      "StringMatch": {
        "g:ResourceOrgPath": "o-xxx/r-yyy/ou-zzz/ou-qqq/ou-*"
      }
    }
  }]
}
- g:ResourceTag/<tag-key>
Tag contained in the requested resource. The tag key <tag-key> is case-insensitive. You can use this condition key to control that only resources with specified tags attached can be accessed. This condition key is present only when the action supports g:ResourceTag/<tag-key> and tags are attached to the requested resources. For the actions that support this condition key, see Actions Supported by Identity Policy-based Authorization. Then, open the chapter of the cloud service, navigate to the "Actions" section, and check the "Condition Keys" column in Table 1.
- Data type: string
- Value type: single-valued
For example, the following identity policy allows users to view only VPCs tagged with both {"team": "engineering"} and {"department": "hr"}:
{
  "Version": "5.0",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["vpc:vpcs:get"],
    "Resource": ["*"],
    "Condition": {
      "StringEquals": {
        "g:ResourceTag/team": "engineering",
        "g:ResourceTag/department": "hr"
      }
    }
  }]
}
- g:EnterpriseProjectId
ID of the enterprise project of the request or of the requested resource. This condition key is present when the enterprise project ID is passed in the API request and the action supports g:EnterpriseProjectId. It is evaluated as an authorization condition, not as a filter: it decides whether the request is allowed, and it does not remove resources outside the specified enterprise project from a list response.
- Data type: string
- Value type: single-valued
For example, the following identity policy allows the GET /v1/{project_id}/vpcs API (action vpc:vpcs:list) to be called only when enterprise_project_id is set to xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx in the request. A call that omits the parameter or passes a different value is not allowed by this statement, and the condition does not filter the VPCs that the allowed call returns.
{
  "Version": "5.0",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["vpc:vpcs:list"],
    "Resource": ["*"],
    "Condition": {
      "StringEquals": {
        "g:EnterpriseProjectId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
      }
    }
  }]
}
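The g:PrincipalOrgPath and g:ResourceOrgPath examples above both hinge on what a trailing wildcard in an organization path pattern selects. The following is an added example, not from the original page or the cloud provider: it builds a constructed organization tree in the page's path format and reports which accounts each pattern matches, on the assumption (consistent with the page's ou-qqq/ou-* example) that StringMatch is glob-style matching in which * also spans the / separator.

```python
"""Which accounts a g:PrincipalOrgPath / g:ResourceOrgPath pattern selects.

Added example, not from the original page or the cloud provider. Paths use the page's
format <organization-id>/<root-id>/(<ou-id>/)*<account-id>; the IDs and the tree are
constructed. StringMatch is assumed to be glob matching in which "*" also spans "/",
which is what lets the page's "ou-qqq/*" example cover nested OUs.
"""
import fnmatch

def org_path(org_id, root_id, ou_ids, account_id):
    """Build an organization path in the page's format."""
    return "/".join([org_id, root_id, *ou_ids, account_id])

# Constructed tree: ou-qqq2 is a sibling whose ID merely shares a prefix with ou-qqq.
ACCOUNTS = {
    "acct-direct": org_path("o-xxx", "r-yyy", ["ou-zzz", "ou-qqq"], "acct-direct"),
    "acct-nested": org_path("o-xxx", "r-yyy", ["ou-zzz", "ou-qqq", "ou-child"], "acct-nested"),
    "acct-sibling": org_path("o-xxx", "r-yyy", ["ou-zzz", "ou-qqq2"], "acct-sibling"),
    "acct-parent": org_path("o-xxx", "r-yyy", ["ou-zzz"], "acct-parent"),
    "acct-root": org_path("o-xxx", "r-yyy", [], "acct-root"),
}

def matching_accounts(pattern):
    """Account IDs whose org path satisfies StringMatch against pattern."""
    return sorted(a for a, path in ACCOUNTS.items() if fnmatch.fnmatchcase(path, pattern))

def under_ou(path, org_id, root_id, ou_chain):
    """Glob-free check that path lies in the given OU chain or below it.
    The trailing "/" produced by the empty account segment is what keeps
    ou-qqq from also admitting the sibling ou-qqq2."""
    return path.startswith(org_path(org_id, root_id, ou_chain, ""))

PATTERNS = {
    "ou-qqq and everything below": "o-xxx/r-yyy/ou-zzz/ou-qqq/*",
    "only child OUs of ou-qqq": "o-xxx/r-yyy/ou-zzz/ou-qqq/ou-*",
    "missing slash (over-matches ou-qqq2)": "o-xxx/r-yyy/ou-zzz/ou-qqq*",
    "whole organization": "o-xxx/r-yyy/*",
}

def report():
    """Map each pattern description to the accounts it selects."""
    return {label: matching_accounts(p) for label, p in PATTERNS.items()}
```

The third pattern is the one to watch for in review: dropping the slash before the wildcard turns an OU boundary into a string prefix, so an OU whose ID happens to start with ou-qqq is silently included. Always end an OU-scoped pattern with /* (or /ou-* for child OUs only), as the page's examples do.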
Request Properties
- g:Referer
HTTP referer header in a request. As this condition key is specified by the client, it should not be used to prevent unauthorized access.
- Data type: string
- Value type: single-valued
- g:CalledVia
Used to control cross-service access requests. When a principal sends a request to a cloud service, that service may forward the request to other services. g:CalledVia lists the services that have initiated requests on behalf of the principal in the forwarded request chain, in chain order. The key is present only when a service forwards the principal's request; it is absent when the principal accesses a service directly. For example, a user (principal) calls service A, service A calls service B on behalf of the user, and service B calls service C on behalf of the user:
- The request received by service A has no g:CalledVia key, because the requester is the user.
- In the request received by service B, g:CalledVia contains the service principal of service A, because service A made the request on behalf of the user.
- In the request received by service C, g:CalledVia contains the service principals of service A and service B, in the order of the FAS request chain; g:CalledViaFirst is the service principal of service A and g:CalledViaLast is the service principal of service B.
The g:CalledViaFirst and g:CalledViaLast condition keys specify the first and last services in the FAS request chain.
- Data type: string array
- Value type: multivalued
- When the user makes a request to a cloud service through the console, CalledVia contains service.console.
- For the services that support the g:CalledVia key, see Which Cloud Services Support the Global Condition Key G:CalledVia?. The value of the g:CalledVia key is the cloud service in the "Cloud Service" column of the table in this topic.
For example, the following identity policy allows KMS data encryption to be called only through requests that GaussDB(DWS) initiates on behalf of the principal:
{
  "Version": "5.0",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["kms:cmk:encryptData"],
    "Resource": ["*"],
    "Condition": {
      "ForAnyValue:StringEquals": {
        "g:CalledVia": "service.DWS"
      }
    }
  }]
}
- g:CalledViaFirst
Similar to g:CalledVia, this property specifies the first element in g:CalledVia, that is, the first service in FAS access.
- Data type: string
- Value type: single-valued
- g:CalledViaLast
Similar to g:CalledVia, this property specifies the last element in g:CalledVia, that is, the last service in FAS access.
- Data type: string
- Value type: single-valued
- g:CurrentTime
Time when a request is received. It is in ISO 8601 format, for example, 2012-11-11T23:59:59Z.
- Data type: time
- Value type: single-valued
For example, the following identity policy allows agencies to be assumed only from March 1, 2023 to March 30, 2023 (UTC).
{
  "Version": "5.0",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["sts:agencies:assume"],
    "Resource": ["*"],
    "Condition": {
      "DateGreaterThanEquals": {
        "g:CurrentTime": "2023-03-01T00:00:00Z"
      },
      "DateLessThanEquals": {
        "g:CurrentTime": "2023-03-30T23:59:59Z"
      }
    }
  }]
}
- g:ViaService
Whether the request is a FAS request made by a cloud service on behalf of a principal. The value is true only when g:CalledVia is non-empty. The key is present only in requests sent using an STS security token and is absent from requests the principal sends directly, which is why policies that must also cover direct requests pair it with BoolIfExists rather than Bool.
- Data type: boolean
- Value type: single-valued
- g:TagKeys
List of tag keys in a request. This condition key is present only when the action supports g:TagKeys and tags are passed in the API request. For the actions that support this condition key, see Actions Supported by Identity Policy-based Authorization. Then, open the chapter of the cloud service, navigate to the "Actions" section, and check the "Condition Keys" column in Table 1.
- Data type: string array
- Value type: multivalued
This example allows tags to be added to an IAM user or trust agency only when the request includes the type tag key. ForAnyValue matches as soon as one of the keys in the request is type, so a request that carries type together with other keys is also allowed; to permit requests that carry the type key alone, use ForAllValues:StringEquals instead.
{
  "Version": "5.0",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["iam::tagForResourceV5"],
    "Resource": [
      "iam:*:*:agency:*",
      "iam:*:*:user:*"
    ],
    "Condition": {
      "ForAnyValue:StringEquals": {
        "g:TagKeys": ["type"]
      }
    }
  }]
}
- g:SourceAccount
Account ID of the resource that triggers a service-to-service request in FAS scenarios. This condition key is available only for actions that support g:SourceAccount, and it is used only in resource policies whose principals are service principals. For the actions that support this condition key, see Actions Supported by Identity Policy-based Authorization. Then, open the chapter of the cloud service, navigate to the "Actions" section, and check the "Condition Keys" column in Table 1.
- Data type: string
- Value type: single-valued
For example, service A records activities: on behalf of a user (account B), it dumps the activity logs triggered by a device (account C) into a specified OBS bucket. To let service A write into the bucket, the administrator of account B creates an agency or trust agency named X that service A may use to manage OBS buckets under account B. When account B or account C accesses service A and triggers a request, service A obtains the temporary security credentials of agency or trust agency X and writes the data into the bucket.
The agency or trust agency name X is not confidential. If an attacker (account D) learns the agency name and triggers service A in the same way, the attacker's activity records are written into account B's OBS bucket: the attacker uses service A's agency to modify a bucket of account B indirectly. This is the confused deputy problem.
The g:SourceAccount condition key constrains which account the triggering resource may belong to. The following trust policy only allows service A to create the assumed-agency/trust agency session when the triggering resource belongs to account xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx or yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy; a request triggered from any other account, such as the attacker's, is rejected.
```json
{
  "Version": "5.0",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Service": ["Service.A"] },
    "Action": ["sts:agencies:assume"],
    "Condition": {
      "StringEquals": {
        "g:SourceAccount": [
          "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
          "yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy"
        ]
      }
    }
  }]
}
```
- g:SourceUrn
URN of the resource that triggers a service-to-service request. This condition key is available only for actions that support g:SourceUrn, and it is used only in resource policies whose principals are service principals. For the actions that support this condition key, see Actions Supported by Identity Policy-based Authorization. Then, open the chapter of the cloud service, navigate to the "Actions" section, and check the "Condition Keys" column in Table 1.
- Data type: string
- Value type: single-valued
Example: like g:SourceAccount, this condition key is used to solve the confused deputy problem, but at the granularity of a single resource rather than a whole account. Assume that the user devices of account xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx are defined as watches and bracelets. The g:SourceUrn condition key constrains the URN of the resource that triggers the service-to-service request. The following trust policy only allows service A to create the assumed-agency/trust agency session for a watch or bracelet of that account. Because the URN values contain wildcards, the StringLike operator is used; StringEquals requires a literal match and would never match a real device URN.
```json
{
  "Version": "5.0",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Service": ["Service.A"] },
    "Action": ["sts:agencies:assume"],
    "Condition": {
      "StringLike": {
        "g:SourceUrn": [
          "alarm:*:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:watch:*",
          "alarm:*:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:bracelet:*"
        ]
      }
    }
  }]
}
```
- g:SecureTransport
Whether the request was sent over SSL/TLS (HTTPS).
- Data type: string
- Value type: single-valued
- g:RequestedRegion
Region that the request is sent to. The value is the region ID of the requested region-specific service. This condition key is present only if the requested cloud service is a region-specific service. For the cloud services that support this condition key, see the "Requested Region" column of the table in the Cloud Services for Using Identity Policies and Trust Agencies section.
- Data type: string
- Value type: single-valued
The following example denies every action whose request carries a g:RequestedRegion other than region-1, region-2, or region-3. Because an explicit Deny always overrides an Allow, this statement takes effect regardless of what other policies grant.
```json
{
  "Version": "5.0",
  "Statement": [{
    "Effect": "Deny",
    "Action": ["*:*:*"],
    "Condition": {
      "StringNotEquals": {
        "g:RequestedRegion": [
          "region-1",
          "region-2",
          "region-3"
        ]
      }
    }
  }]
}
```
- g:RequestTag/<tag-key>
Tag contained in a request. The <tag-key> is case-insensitive. If a requester passes a tag when calling an API (for example, for adding a tag to an existing resource, or adding a tag during resource creation), you can use this condition key to check whether the request contains the tag. This condition key is present only when the action supports g:RequestTag/<tag-key> and tags are passed in the API request. For the actions that support this condition key, see Actions Supported by Identity Policy-based Authorization. Then, open the chapter of the cloud service, navigate to the "Actions" section, and check the "Condition Keys" column in Table 1.
- Data type: string
- Value type: single-valued
The following example identity policy allows an OU to be created only when the request carries both the tag team=engineering and the tag department=hr. Each g:RequestTag/<tag-key> entry is a separate key, and all keys in a condition must match, so a request missing either tag is not allowed by this statement.
```json
{
  "Version": "5.0",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["organizations:ous:create"],
    "Resource": ["*"],
    "Condition": {
      "StringEquals": {
        "g:RequestTag/team": "engineering",
        "g:RequestTag/department": "hr"
      }
    }
  }]
}
```
- g:UserAgent
HTTP User-Agent header in a request. As this condition key is specified by the client, it should not be used to prevent unauthorized access.
- Data type: string
- Value type: single-valued
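The following Python script is an added example for this section; it is not the cloud provider's evaluation engine or any code from this page. It is a toy evaluator for the Condition element that implements only the operators the entries above use (StringEquals, StringNotEquals, StringLike, DateGreaterThanEquals, DateLessThanEquals) plus the ForAnyValue/ForAllValues set qualifiers, treats a key that is absent from the request context as a non-match, and applies explicit Deny over Allow with default deny. It replays three points from the entries above: a ForAnyValue:StringEquals on g:TagKeys still passes when other tag keys accompany type, a trust policy that checks g:SourceAccount and g:SourceUrn rejects the confused-deputy request from another account, and a wildcard URN pattern matches only under StringLike. Service.A, the account IDs, the region cn-north-4 and the device URNs are constructed sample data; iam::tagForResourceV5 and sts:agencies:assume are the action names used on this page.

```python
"""Toy evaluator for the "Condition" element of identity and trust policies.

Added example, not the provider's own engine. Only the operators used on this
page are implemented; Resource and Principal matching are left out, an absent
context key is a non-match, and an explicit Deny beats any Allow.
All account IDs, URNs, regions and times below are constructed sample data.
"""
from datetime import datetime, timezone
from fnmatch import fnmatchcase


def _ts(value):
    """Parse the ISO 8601 form the page uses for g:CurrentTime (UTC, 'Z')."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Each operator compares one request value with one policy value.
OPERATORS = {
    "StringEquals": lambda req, pol: req == pol,
    "StringNotEquals": lambda req, pol: req != pol,
    "StringLike": lambda req, pol: fnmatchcase(req, pol),  # '*' and '?' wildcards
    "DateGreaterThanEquals": lambda req, pol: _ts(req) >= _ts(pol),
    "DateLessThanEquals": lambda req, pol: _ts(req) <= _ts(pol),
}


def condition_matches(condition, context):
    """True if every operator block in `condition` holds for the request context.

    Single-valued key: the request value must satisfy any listed policy value
    (every listed value for negated operators such as StringNotEquals).
    Multivalued key (a list in the context): needs ForAnyValue or ForAllValues.
    """
    for qualified_op, keys in condition.items():
        qualifier, _, op_name = qualified_op.rpartition(":")
        op = OPERATORS[op_name]
        combine = all if "Not" in op_name else any
        for key, pol_values in keys.items():
            pol_values = [pol_values] if isinstance(pol_values, str) else pol_values
            if key not in context:
                return False  # key absent from the request context: no match
            req = context[key]
            if qualifier == "":
                if isinstance(req, list):
                    raise ValueError(f"{key} is multivalued; use ForAnyValue/ForAllValues")
                if not combine(op(req, p) for p in pol_values):
                    return False
            else:
                req = req if isinstance(req, list) else [req]
                hits = [combine(op(r, p) for p in pol_values) for r in req]
                if qualifier == "ForAnyValue" and not any(hits):
                    return False
                if qualifier == "ForAllValues" and not all(hits):
                    return False
    return True


def is_allowed(policy, action, context):
    """Evaluate all statements: explicit Deny wins, no matching Allow means deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatchcase(action, pattern) for pattern in stmt["Action"]):
            continue
        if not condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


ACCOUNT_B = "b" * 32  # constructed: owns agency X and the OBS bucket
ACCOUNT_D = "d" * 32  # constructed: the attacker's account
TAG_ACTION = "iam::tagForResourceV5"


def tagging_allowed(qualifier, tag_keys):
    """g:TagKeys check with ForAnyValue (as on the page) or ForAllValues."""
    policy = {"Version": "5.0", "Statement": [{
        "Effect": "Allow", "Action": [TAG_ACTION],
        "Condition": {f"{qualifier}:StringEquals": {"g:TagKeys": ["type"]}}}]}
    return is_allowed(policy, TAG_ACTION, {"g:TagKeys": tag_keys})


def trust_policy(urn_operator="StringLike"):
    """Agency X trusts Service.A only for account B's watches and bracelets."""
    cond = {"StringEquals": {"g:SourceAccount": [ACCOUNT_B]}}
    cond.setdefault(urn_operator, {})["g:SourceUrn"] = [
        f"alarm:*:{ACCOUNT_B}:watch:*", f"alarm:*:{ACCOUNT_B}:bracelet:*"]
    return {"Version": "5.0", "Statement": [{
        "Effect": "Allow", "Principal": {"Service": ["Service.A"]},
        "Action": ["sts:agencies:assume"], "Condition": cond}]}


def deputy_may_assume(source_account, source_urn, urn_operator="StringLike"):
    """Can Service.A obtain agency X's credentials for this triggering resource?"""
    return is_allowed(trust_policy(urn_operator), "sts:agencies:assume",
                      {"g:SourceAccount": source_account, "g:SourceUrn": source_urn})


if __name__ == "__main__":
    watch_b = f"alarm:cn-north-4:{ACCOUNT_B}:watch:w-001"  # constructed device URN
    print("ForAnyValue, keys [type, owner]:", tagging_allowed("ForAnyValue", ["type", "owner"]))
    print("ForAllValues, keys [type, owner]:", tagging_allowed("ForAllValues", ["type", "owner"]))
    print("account B watch:", deputy_may_assume(ACCOUNT_B, watch_b))
    print("attacker D:", deputy_may_assume(ACCOUNT_D, f"alarm:cn-north-4:{ACCOUNT_D}:watch:w-9"))
    print("StringEquals on wildcard URN:", deputy_may_assume(ACCOUNT_B, watch_b, "StringEquals"))
```

Running the script prints True, False, True, False, False in that order: the ForAnyValue policy admits a request whose keys are type and owner while ForAllValues does not; account B's watch may trigger the assume, the attacker's account may not, and the same trust policy rewritten with StringEquals rejects even the legitimate watch because the wildcard patterns never literally equal a URN. Any policy on this page can be fed to is_allowed in the same way, for example the g:CurrentTime window or the g:RequestedRegion Deny, by passing the matching key in the context dictionary.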