Specifying conditions in a policy

You can use conditions to allow policies to take effect based on request values. Conditions consist of operators and key-value pairs.

Conditions use key-value pairs for evaluation. A Condition element can contain multiple conditions, and each condition can contain multiple key-value pairs. The condition block uses the following format:

Condition: {
     condition_type: {
          condition_key: condition_values

In the following example, the IpAddress condition uses the SourceIp condition key.

"Condition": {
    "IpAddress": {
      "sgws:SourceIp": "54.240.143.0/24"
		...
},
		...

Supported condition operators

Condition operators are categorized as follows:

String
Numeric
Boolean
IP address
Null check

Condition operators	Description
StringEquals	Compares a key to a string value based on exact equality (case sensitive).
StringNotEquals	Compares a key to a string value based on exact non-equality (case sensitive).
StringEqualsIgnoreCase	Compares a key to a string value based on exact equality (ignores case).
StringNotEqualsIgnoreCase	Compares a key to a string value based on exact non-equality (ignores case).
StringLike	Compares a key to a string value and provides access if there is an exact match (case sensitive). Can include * and ? wildcard characters.
StringNotLike	Compares a key to a string value and provides access to all except the specified string (case sensitive). Can include * and ? wildcard characters.
NumericEquals	Compares a key to a numeric value and provides access if there is an exact match.
NumericNotEquals	Compares a key to a numeric value and provides access to all except the specified value.
NumericGreaterThan	Compares a key to a numeric value and provides access if there is a "greater than" matching.
NumericGreaterThanEquals	Compares a key to a numeric value and provides access if there is a "greater than or equals" matching.
NumericLessThan	Compares a key to a numeric value and provides access if there is a "less than" matching.
NumericLessThanEquals	Compares a key to a numeric value and provides access if there is a "less than or equals" matching.
Bool	Compares a key to a Boolean value and provides access based on a "true or false" matching.
IpAddress	Compares a key to a numeric value and provides access if there is a match to an IP or range of IP addresses.
NotIpAddress	Compares a key to a numeric value and provides access to all addresses except the specified IP or range of IP addresses.
Null	Checks if a condition key is present in the current request context.

Supported condition keys

Category	Applicable condition keys	Description
IP operators	sgws:SourceIp	Will compare to the IP address from which the request was sent. Can be used for bucket or object operations.
Resource/Identity	sgws:username	Will compare to the sender's username from which the request was sent. Can be used for bucket or object operations.
S3:ListBucket and S3:ListBucketVersions permissions	s3:delimiter	Will compare to the delimiter parameter specified in a GET Bucket or GET Bucket Object versions request.
	s3:max-keys	Will compare to the max-keys parameter specified in a GET Bucket or GET Bucket Object versions request.
	s3:prefix	Will compare to the prefix parameter specified in a GET Bucket or GET Bucket Object versions request.