# AWS Sign-In condition keys reference
<a name="reference-signin-condition-keys"></a>

This page lists the condition keys you can use in AWS Sign-In resource-based policies and resource control policies (RCPs), and shows the evaluation phase and action that each key applies to. Only `signin:PrincipalArn` is specific to AWS Sign-In; the others are AWS global condition keys. For the global key definitions, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

For the complete list of actions and condition keys in the Service Authorization Reference, see [Actions, resources, and condition keys for AWS Sign-In](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssignin.html).

## Network-based condition keys
<a name="reference-signin-condition-keys-network"></a>

These condition keys check where the request originates from. AWS Sign-In evaluates them for all AWS Sign-In actions (`signin:Authenticate`, `signin:AuthorizeOAuth2Access`, and `signin:CreateOAuth2Token`) in both resource-based policies and RCPs.


**Network-based condition keys**  

| Condition key | Operators | Description | Usage rules | 
| --- | --- | --- | --- | 
| aws:SourceIp | IpAddress, NotIpAddress | Public IP address or CIDR range | Not present when a request uses a VPC endpoint. Use IfExists operators when combining with VPC-based conditions in the same statement. | 
| aws:SourceVpc | StringEquals, StringNotEquals | VPC ID (vpc-xxxxxxxx) | Only present when a request uses a VPC endpoint. Use with aws:RequestedRegion to prevent cross-region VPC ID collision. | 
| aws:SourceVpce | StringEquals, StringNotEquals | VPC endpoint ID (vpce-xxxxxxxx) | Only present when a request uses a VPC endpoint. | 
| aws:VpcSourceIp | IpAddress, NotIpAddress | Private IP within the VPC | Always use the aws:VpcSourceIp condition key with the aws:SourceVpc or aws:SourceVpce condition keys. | 
| aws:RequestedRegion | StringEquals, StringNotEquals | Target AWS Region code | Recommended when using aws:SourceVpc to prevent cross-region VPC ID collision. Multiple Regions can be specified. | 

**Important**  
A single request contains either `aws:SourceIp` (public network) or `aws:SourceVpc` (VPC endpoint), not both. When writing deny-unless policies covering both paths, use `IfExists` operators (for example, `NotIpAddressIfExists`) or create separate statements.

## Identity-based condition keys
<a name="reference-signin-condition-keys-identity"></a>

These condition keys check who is making the request. They are available only for the post-authentication actions (`signin:AuthorizeOAuth2Access` and `signin:CreateOAuth2Token`), where the principal identity has been established.


**Identity-based condition keys**  

| Condition key | Operators | Description | Examples | 
| --- | --- | --- | --- | 
| aws:PrincipalArn | ArnEquals, ArnLike, ArnNotEquals, StringEquals, StringLike | ARN of the authenticated IAM principal | arn:aws:iam::123456789012:user/alice, arn:aws:iam::123456789012:role/Admin | 
| aws:PrincipalAccount | StringEquals, StringNotEquals | AWS account ID of the principal | 123456789012 | 

## Service-specific condition key: signin:PrincipalArn
<a name="reference-signin-condition-keys-service-specific"></a>

The following condition key is specific to AWS Sign-In and is not a global AWS key. It is available only during pre-authentication evaluation. Use `signin:PrincipalArn` to identify the principal initiating sign-in before authentication completes. This is the pre-authentication equivalent of `aws:PrincipalArn`, which is not available until after authentication.

Operators  
ARN operators (`ArnEquals`, `ArnLike`, `ArnNotEquals`, `ArnNotLike`) and string operators (`StringEquals`, `StringLike`).

Availability  
AWS Sign-In includes this key in the request context during the pre-authentication phase (the `signin:Authenticate` action). It is not available for the post-authentication actions (`signin:AuthorizeOAuth2Access` and `signin:CreateOAuth2Token`).

Data type  
ARN. Use ARN operators rather than string operators.

Value type  
Single-valued.

Supported in  
Resource-based policies and RCPs.

Use ARN operators to compare values. You can specify the following principal types:
+ AWS account root user (`arn:aws:iam::123456789012:root`)
+ IAM user (`arn:aws:iam::123456789012:user/{{user-name}}`)
+ IAM role (`arn:aws:iam::123456789012:role/{{role-name}}`)

**Use case:** Exempt an excluded principal identity from network restrictions, preventing lockout while still enforcing network controls for all other access attempts.

**Example – Deny pre-authentication access from unauthorized networks, except for the root user:**

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": { "AWS": "*" },
      "Action": ["signin:Authenticate"],
      "Resource": "*",
      "Condition": {
        "ArnNotEquals": {
          "signin:PrincipalArn": "arn:aws:iam::123456789012:root"
        },
        "NotIpAddress": {
          "aws:SourceIp": "203.0.113.0/24"
        },
        "StringEquals": {
          "aws:ResourceAccount": "123456789012"
        }
      }
    },
    {
      "Effect": "Deny",
      "Principal": { "AWS": "*" },
      "Action": ["signin:CreateOAuth2Token", "signin:AuthorizeOAuth2Access"],
      "Resource": "*",
      "Condition": {
        "ArnNotEquals": {
          "aws:PrincipalArn": "arn:aws:iam::123456789012:root"
        },
        "NotIpAddress": {
          "aws:SourceIp": "203.0.113.0/24"
        },
        "StringEquals": {
          "aws:ResourceAccount": "123456789012"
        }
      }
    }
  ]
}
```

This policy denies console access from outside the `203.0.113.0/24` IP range, except for the account root user. The pre-authentication statement uses `signin:PrincipalArn` to exempt the root user before authentication completes. The post-authentication statement uses `aws:PrincipalArn` to exempt the same principal after authentication, during OAuth token exchange. See [Policy examples](console-access-control.md#console-access-control-policy-examples).
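The following Python script is an added example, not code from the AWS documentation: it models how the two statements above are evaluated by implementing a small Condition-block evaluator (the page's ARN, string and IP operators, plus the `...IfExists` suffix described in the network-keys note) and running constructed request contexts through a deny-unless policy that keys on `signin:PrincipalArn` pre-authentication and `aws:PrincipalArn` post-authentication. The evaluator checks only Effect, Action and Condition (not Principal or Resource), treats an absent key without `IfExists` as a non-match (a simplification), and the VPC ID, user name and request contexts are constructed.

```python
import fnmatch
import ipaddress
# Negated operators (from the page's tables) and the positive operator each one inverts.
NEGATED = {"NotIpAddress": "IpAddress", "StringNotEquals": "StringEquals",
           "ArnNotEquals": "ArnEquals", "ArnNotLike": "ArnLike"}

def _positive_match(op, value, patterns):
    if op == "IpAddress":  # CIDR containment
        return any(ipaddress.ip_address(value) in ipaddress.ip_network(p) for p in patterns)
    if op in ("StringEquals", "ArnEquals"):
        return value in patterns
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)  # StringLike / ArnLike
def condition_matches(condition, context):
    """True when every operator/key pair in the Condition block holds for the request context."""
    for op, pairs in condition.items():
        if_exists = op.endswith("IfExists")
        base = op[:-8] if if_exists else op  # strip the "IfExists" suffix
        negate, base = base in NEGATED, NEGATED.get(base, base)
        for key, values in pairs.items():
            patterns = values if isinstance(values, list) else [values]
            if key not in context:  # absent key: satisfied under ...IfExists, otherwise treated
                if if_exists:      # as no match (a simplification of IAM's absent-key handling)
                    continue
                return False
            if _positive_match(base, context[key], patterns) == negate:
                return False  # positive operator missed, or negated operator hit
    return True

def is_denied(policy, action, context):
    return any(s["Effect"] == "Deny" and action in s["Action"]
               and condition_matches(s["Condition"], context) for s in policy["Statement"])
# Constructed deny-unless policy: the pre-authentication statement keys on signin:PrincipalArn,
# the post-authentication statement on aws:PrincipalArn; both cover the public and VPC paths.
ROOT, ALICE = "arn:aws:iam::123456789012:root", "arn:aws:iam::123456789012:user/alice"
NETWORK = {"NotIpAddressIfExists": {"aws:SourceIp": "203.0.113.0/24"},
           "StringNotEqualsIfExists": {"aws:SourceVpc": "vpc-0abc1234"}}  # constructed VPC ID
POLICY = {"Statement": [
    {"Effect": "Deny", "Action": ["signin:Authenticate"],
     "Condition": {"ArnNotEquals": {"signin:PrincipalArn": ROOT}, **NETWORK}},
    {"Effect": "Deny", "Action": ["signin:AuthorizeOAuth2Access", "signin:CreateOAuth2Token"],
     "Condition": {"ArnNotEquals": {"aws:PrincipalArn": ROOT}, **NETWORK}}]}

def demo():
    """Constructed request contexts: a request carries aws:SourceIp or aws:SourceVpc, never both."""
    off_net, via_vpc = {"aws:SourceIp": "198.51.100.7"}, {"aws:SourceVpc": "vpc-0abc1234"}
    return (is_denied(POLICY, "signin:Authenticate", {"signin:PrincipalArn": ALICE, **off_net}),
            is_denied(POLICY, "signin:Authenticate", {"signin:PrincipalArn": ALICE, **via_vpc}),
            is_denied(POLICY, "signin:Authenticate", {"signin:PrincipalArn": ROOT, **off_net}),
            is_denied(POLICY, "signin:CreateOAuth2Token", {"aws:PrincipalArn": ALICE, **off_net}))
```

`demo()` returns `(True, False, False, True)`: the off-network user is denied pre-authentication, the approved VPC endpoint path and the root user are not, and the same off-network user is denied again at the token exchange by the post-authentication statement.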

## Condition key availability by action
<a name="reference-signin-condition-keys-availability"></a>


**Condition key availability by action**  

| Condition key | signin:Authenticate | signin:AuthorizeOAuth2Access | signin:CreateOAuth2Token | 
| --- | --- | --- | --- | 
| aws:SourceIp | Yes | Yes | Yes | 
| aws:SourceVpc | Yes | Yes | Yes | 
| aws:SourceVpce | Yes | Yes | Yes | 
| aws:VpcSourceIp | Yes | Yes | Yes | 
| aws:RequestedRegion | Yes | Yes | Yes | 
| aws:PrincipalArn | – | Yes | Yes | 
| aws:PrincipalAccount | – | Yes | Yes | 
| signin:PrincipalArn | Yes | – | – | 

**Note**  
The `signin:CreateAccount` action is used exclusively in VPC endpoint policies for Console Private Access and is not available for resource-based policies or RCPs. No service-specific condition keys are associated with it. See [Console Private Access](https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/console-private-access.html).

## Related information
<a name="reference-signin-condition-keys-related"></a>
+ [Controlling console access with resource-based policies and resource control policies](console-access-control.md)
+ [AWS Management Console Private Access](https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/console-private-access.html)
+ [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html)
+ [Actions, resources, and condition keys for AWS Sign-In](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssignin.html)