IAM policy elements: Variables and tags
Use IAM policy variables as placeholders when you don't know the exact value of a resource or condition key at the time you write the policy.
The following example shows a policy for an S3 bucket that uses a policy variable:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::mybucket"],
      "Condition": {"StringLike": {"s3:prefix": ["${aws:username}/*"]}}
    },
    {
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::mybucket/${aws:username}/*"]
    }
  ]
}
When this policy is evaluated, IAM replaces the variable ${aws:username} with the name of the actual current user. Policy variables were introduced in version 2012-10-17, so earlier versions of the policy language don't support policy variables.
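The substitution and the version dependency described above, as an added example that is not part of the original documentation: it shows how a policy reads for one user and flags policies whose Version would leave `${...}` as a literal string. The function names, the `alice` user and the `2008-10-17` value used to exercise it are assumptions of this example, and it models plain `${key}` references only.

```python
import re

# Simplified model: matches ${key} only, not escapes such as ${*} or defaults.
VARIABLE = re.compile(r"\$\{([\w:/.-]+)\}")
VARIABLE_VERSION = "2012-10-17"


def strings(node):
    """Yield every string value in a parsed policy document."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, list):
        for item in node:
            yield from strings(item)
    elif isinstance(node, dict):
        for value in node.values():
            yield from strings(value)


def lint(policy):
    """Return variables that will NOT be substituted because of Version."""
    if policy.get("Version") == VARIABLE_VERSION:
        return []
    return sorted({m for s in strings(policy) for m in VARIABLE.findall(s)})


def resolve(node, context, enabled):
    """Return a copy of the policy as it reads for one request context."""
    if isinstance(node, str):
        if not enabled:
            return node  # older versions: "${...}" stays a literal string
        # Raises KeyError when the context lacks the key (hypothetical choice).
        return VARIABLE.sub(lambda m: context[m.group(1)], node)
    if isinstance(node, list):
        return [resolve(i, context, enabled) for i in node]
    if isinstance(node, dict):
        return {k: resolve(v, context, enabled) for k, v in node.items()}
    return node


def effective_policy(policy, context):
    return resolve(policy, context, policy.get("Version") == VARIABLE_VERSION)


# Constructed sample: the second statement of the policy above.
SAMPLE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": ["arn:aws:s3:::mybucket/${aws:username}/*"]}]}
```

Running `lint` over policy files before deployment catches the case where a missing or older Version silently turns a per-user prefix into a literal path that matches no real user.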