Updated on 2023-11-24 GMT+08:00

IEF Request Conditions

Request conditions are useful in determining when a custom policy takes effect. A request condition consists of a condition key and operator. Condition keys are either global or service-level and are used in the Condition element of a policy statement. Global condition keys (starting with g:) are available for operations of all services, while service-level condition keys (starting with a service name such as ief:) are available only for operations of a specific service. An operator is used together with a condition key to form a complete condition statement.

IEF has a group of predefined condition keys that can be used in IAM. For example, to define an "Allow" permission, you can use the condition key ief:AssumeUserName to filter matching requesters by username. The following table lists the predefined condition keys of IEF.

Table 1 Predefined condition keys of IEF

| Condition Key | Operator | Description |
| --- | --- | --- |
| ief:AssumeUserName | StringEndWithAnyOfIfExists, StringStartWithAnyOfIfExists, StringEndWithIfExists, StringStartWithIfExists, StringNotLikeAnyOfIfExists, StringLikeAnyOfIfExists, StringNotEqualsIgnoreCaseAnyOfIfExists, StringEqualsIgnoreCaseAnyOfIfExists, StringNotEqualsAnyOfIfExists, StringEqualsAnyOfIfExists, StringNotLikeIfExists, StringLikeIfExists, StringNotEqualsIgnoreCaseIfExists, StringEqualsIgnoreCaseIfExists, StringNotEqualsIfExists, StringEqualsIfExists, IsNullOrEmpty, StringEndWithAnyOf, StringStartWithAnyOf, StringEndWith, StringStartWith, StringNotLikeAnyOf, StringLikeAnyOf, StringNotEqualsIgnoreCaseAnyOf, StringEqualsIgnoreCaseAnyOf, StringNotEqualsAnyOf, StringEqualsAnyOf, StringNotLike, StringLike, StringNotEqualsIgnoreCase, StringEqualsIgnoreCase, StringNotEquals, StringEquals | Used for matching username |

Example

The following policy takes effect only when the username is test.

{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ief:deployment:create",
                "ief:appVersion:update",
                "ief:deployment:update",
                "ief:application:create"
            ],
            "Condition": {
                "StringEquals": {
                    "ief:AssumeUserName": [
                        "test"
                    ]
                }
            },
            "Resource": [
                "ief:*:*:deployment:*",
                "ief:*:*:appVersion:*",
                "ief:*:*:application:*"
            ]
        }
    ]
}
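
A misspelled condition key or operator is easy to miss when a policy is reviewed by eye. The following check is an added example, not code from IEF or IAM: it lints a policy's Condition elements against Table 1 and the g:/service-prefix rule described above. The name lint_policy and the sample policy are constructed for illustration, and Action is assumed to be a list as in the example policy.

```python
import json
from itertools import product

# The 33 operators Table 1 lists for ief:AssumeUserName, rebuilt from their naming pattern.
_BASES = ["Equals", "NotEquals", "EqualsIgnoreCase", "NotEqualsIgnoreCase",
          "Like", "NotLike", "StartWith", "EndWith"]
TABLE1_OPERATORS = {f"String{b}{a}{e}" for b, a, e in
                    product(_BASES, ["", "AnyOf"], ["", "IfExists"])} | {"IsNullOrEmpty"}
IEF_KEYS = {"ief:AssumeUserName": TABLE1_OPERATORS}


def lint_policy(policy):
    """Return findings for the Condition elements of a policy dict (hypothetical helper)."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        # Service prefixes of the actions this statement covers, e.g. {"ief"}.
        other = sorted({a.split(":", 1)[0] for a in stmt.get("Action", [])} - {"ief"})
        for operator, keys in stmt.get("Condition", {}).items():
            for key in keys:
                where = f"Statement[{i}] {operator}/{key}"
                if key.startswith("g:"):
                    continue  # global keys are not covered by Table 1; not checked here
                if key not in IEF_KEYS:
                    findings.append(f"{where}: not a predefined IEF condition key")
                    continue
                if operator not in IEF_KEYS[key]:
                    findings.append(f"{where}: operator not listed for this key")
                if other:
                    findings.append(f"{where}: ief: key used with non-IEF actions {other}")
    return findings


# Constructed sample: statement 0 follows the page's example; 1 and 2 contain typos.
SAMPLE = json.loads("""{"Version": "1.1", "Statement": [
  {"Effect": "Allow", "Action": ["ief:deployment:create"],
   "Condition": {"StringEquals": {"ief:AssumeUserName": ["test"]}},
   "Resource": ["ief:*:*:deployment:*"]},
  {"Effect": "Allow", "Action": ["ief:deployment:update"],
   "Condition": {"StringEquals": {"ief:AssumeUsername": ["test"]}},
   "Resource": ["ief:*:*:deployment:*"]},
  {"Effect": "Allow", "Action": ["ief:application:create"],
   "Condition": {"StringEqual": {"ief:AssumeUserName": ["test"]}},
   "Resource": ["ief:*:*:application:*"]}
]}""")

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE):
        print(finding)
```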