IAM Policy Grammar - Clarification


I had a question about the policy grammar of IAM. In https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html#policies-grammar-notes, towards the end of the grammar it says,

<condition_block> = "Condition" : { <condition_map> }
<condition_map> = { 
  <condition_type_string> : { <condition_key_string> : <condition_value_list> },
  <condition_type_string> : { <condition_key_string> : <condition_value_list> }, ...
}  
<condition_value_list> = [<condition_value>, <condition_value>, ...]
<condition_value> = ("string" | "number" | "Boolean")

However, in this page https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_multi-value-conditions.html, I see the following example,

"Condition": {
  "StringEqualsIgnoreCase": {
    "aws:PrincipalTag/department": [ "finance", "hr", "legal" ],
    "aws:PrincipalTag/role": [ "audit", "security" ]
  },
  "StringEquals": {
    "aws:PrincipalAccount": "123456789012"
  }
}

So, shouldn't the grammar be the following?

<condition_block> = "Condition" : { <condition_map> }
<condition_map> = { 
  <condition_type_string> : { <condition_key_string> : <condition_value_list>, 
                              <condition_key_string> : <condition_value_list>,
                              ...
                             },
  <condition_type_string> : { <condition_key_string> : <condition_value_list>, 
                              <condition_key_string> : <condition_value_list>,
                              ...
                             },
  ...
}  
<condition_value_list> = [<condition_value>, <condition_value>, ...]

Did I not understand correctly? If I did, which one is correct, the example or the grammar?

1 Answer

Both of them are correct. As you can see below (I just entered the example condition into the policy grammar), the example policy follows the policy grammar.

<condition_block> = "Condition" : { <condition_map> }
<condition_map> = { 
  <StringEqualsIgnoreCase> : { <aws:PrincipalTag/department> : <[ "finance", "hr", "legal" ]>, 
                               <aws:PrincipalTag/role> : <[ "audit", "security" ]>,
                               ...
                             },
  <StringEquals> : { <aws:PrincipalAccount> : < "123456789012" >,
                     ...
                   },
  ...
}
answered 25 days ago
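To make the grammar concrete, here is an added example (not from the AWS docs or from either post above) that checks a Condition block against the shape the grammar describes, one or more condition operators, each holding one or more condition keys, each with a value or a list of values, and then evaluates it against a request context the way the multi-value conditions page describes: the values in a list are ORed, while the keys under one operator and the operators themselves are ANDed. The operator table, the evaluate_condition and normalize_condition names, and the sample request contexts are assumptions made for this example. Only StringEquals and StringEqualsIgnoreCase are implemented; set operators (ForAllValues/ForAnyValue), the IfExists suffix, policy variables and multi-valued request keys are deliberately left out.

```python
"""Validate an IAM Condition block against the documented grammar and
evaluate it against a single-valued request context.

Added example, not code from the AWS documentation or the re:Post thread.
"""
import json
from typing import Any, Callable, Dict, List, Mapping

# Constructed sample input: the Condition block from the question, as JSON.
EXAMPLE_CONDITION = """
{
  "StringEqualsIgnoreCase": {
    "aws:PrincipalTag/department": [ "finance", "hr", "legal" ],
    "aws:PrincipalTag/role": [ "audit", "security" ]
  },
  "StringEquals": {
    "aws:PrincipalAccount": "123456789012"
  }
}
"""

# Assumed subset of IAM string operators, just enough for the example.
# Each compares the request context value with one policy value.
OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "StringEquals": lambda actual, expected: actual == expected,
    "StringEqualsIgnoreCase": lambda actual, expected: actual.lower() == expected.lower(),
}

SCALAR_TYPES = (str, int, float, bool)  # the grammar's "string" | "number" | "Boolean"


def normalize_condition(condition: Any) -> Dict[str, Dict[str, List[Any]]]:
    """Check <condition_map> structure and expand scalar values to lists.

    Enforces: operator -> { key -> value | [values] }, with values limited
    to string, number or Boolean. A bare scalar is accepted because the
    documented example writes "aws:PrincipalAccount": "123456789012" without
    a list. Raises ValueError on anything else.
    """
    if not isinstance(condition, Mapping):
        raise ValueError("Condition must be a JSON object")
    normalized: Dict[str, Dict[str, List[Any]]] = {}
    for operator, key_map in condition.items():
        if not isinstance(key_map, Mapping) or not key_map:
            raise ValueError(f"{operator}: expected a non-empty object of condition keys")
        normalized[operator] = {}
        for key, value in key_map.items():
            values = value if isinstance(value, list) else [value]
            if not values or not all(isinstance(v, SCALAR_TYPES) for v in values):
                raise ValueError(f"{operator}/{key}: values must be string, number or Boolean")
            normalized[operator][key] = values
    return normalized


def parse_condition(text: str) -> Dict[str, Dict[str, List[Any]]]:
    """Parse JSON text for a Condition block and normalize it."""
    return normalize_condition(json.loads(text))


def evaluate_condition(condition: Any, request_context: Mapping[str, Any]) -> bool:
    """Return True if every operator and every key matches the request context.

    Within one key the listed values are ORed; keys under an operator and
    the operators themselves are ANDed. A key absent from the request
    context does not match (no IfExists handling here).
    """
    for operator, key_map in normalize_condition(condition).items():
        if operator not in OPERATORS:
            raise ValueError(f"unsupported condition operator in this example: {operator}")
        match = OPERATORS[operator]
        for key, values in key_map.items():
            if key not in request_context:
                return False
            actual = str(request_context[key])
            if not any(match(actual, str(expected)) for expected in values):
                return False
    return True


if __name__ == "__main__":
    # Constructed request context: mixed-case tag still matches IgnoreCase.
    ctx = {
        "aws:PrincipalTag/department": "Finance",
        "aws:PrincipalTag/role": "audit",
        "aws:PrincipalAccount": "123456789012",
    }
    print(evaluate_condition(json.loads(EXAMPLE_CONDITION), ctx))
```

Running normalize_condition on the question's block succeeds, which is the point of the answer above: two keys under StringEqualsIgnoreCase and a second operator alongside it are both within the grammar. Changing the role tag to a value outside [ "audit", "security" ], or the account to a different ID, makes the whole condition false, while changing the case of "finance" does not.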
