Had a question around the policy grammar of IAM. In https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html#policies-grammar-notes, towards the end of the grammar it says,
<condition_block> = "Condition" : { <condition_map> }
<condition_map> = {
    <condition_type_string> : { <condition_key_string> : <condition_value_list> },
    <condition_type_string> : { <condition_key_string> : <condition_value_list> }, ...
}
<condition_value_list> = [<condition_value>, <condition_value>, ...]
<condition_value> = ("string" | "number" | "Boolean")
However, in this page https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_multi-value-conditions.html, I see the following example,
"Condition": {
    "StringEqualsIgnoreCase": {
        "aws:PrincipalTag/department": [ "finance", "hr", "legal" ],
        "aws:PrincipalTag/role": [ "audit", "security" ]
    },
    "StringEquals": {
        "aws:PrincipalAccount": "123456789012"
    }
}
So, shouldn't the grammar be the following?
<condition_block> = "Condition" : { <condition_map> }
<condition_map> = {
    <condition_type_string> : {
        <condition_key_string> : <condition_value_list>,
        <condition_key_string> : <condition_value_list>,
        ...
    },
    <condition_type_string> : {
        <condition_key_string> : <condition_value_list>,
        <condition_key_string> : <condition_value_list>,
        ...
    },
    ...
}
<condition_value_list> = [<condition_value>, <condition_value>, ...]
Did I not understand correctly? If I did, which one is correct, the example or the grammar?
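A small structural validator for a "Condition" block, written here as an added example (not code from the question or from AWS): it encodes the shape the question proposes, one or more condition keys under each operator, each mapped to a string/number/Boolean or a list of them, and checks the multi-key example quoted from the docs against it. The operator set is limited to the two operators that appear in the question; a real checker would carry the full list.

```python
import json

# Operators seen in the question's snippets; a full checker would list all IAM operators.
KNOWN_OPERATORS = {"StringEquals", "StringEqualsIgnoreCase"}


def is_condition_value(v):
    # <condition_value> = ("string" | "number" | "Boolean")
    return isinstance(v, (str, bool, int, float))


def validate_condition_block(condition):
    """Return a list of problems found in a Condition map; [] means well-formed.

    Shape checked: { operator: { key: value | [value, ...], key: ... }, ... }
    """
    problems = []
    if not isinstance(condition, dict):
        return ["Condition must be a JSON object"]
    for operator, key_map in condition.items():
        if operator not in KNOWN_OPERATORS:
            problems.append(f"unknown condition operator {operator!r}")
        if not isinstance(key_map, dict) or not key_map:
            problems.append(f"{operator}: expected an object with at least one condition key")
            continue
        for key, values in key_map.items():
            # The docs example writes a single value without brackets, so accept both forms.
            value_list = values if isinstance(values, list) else [values]
            if not value_list:
                problems.append(f"{operator}/{key}: empty value list")
            for v in value_list:
                if not is_condition_value(v):
                    problems.append(f"{operator}/{key}: {v!r} is not a string, number or Boolean")
    return problems


# Sample input: the multi-key example from the docs page quoted in the question.
DOC_EXAMPLE = json.loads("""{
  "StringEqualsIgnoreCase": {
    "aws:PrincipalTag/department": [ "finance", "hr", "legal" ],
    "aws:PrincipalTag/role": [ "audit", "security" ]
  },
  "StringEquals": { "aws:PrincipalAccount": "123456789012" }
}""")

# Constructed negative sample: a nested object where a value is expected.
BAD_EXAMPLE = {"StringEquals": {"aws:PrincipalAccount": {"not": "allowed"}}}

if __name__ == "__main__":
    print(validate_condition_block(DOC_EXAMPLE))  # []
    print(validate_condition_block(BAD_EXAMPLE))
```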