AWS Security Token Service
(sts)
IAM Changes
Services
2026-07-15
2026-07-15
74 new conditions | 1 updated action
Additions
Conditions
accounts.google.com:google/organization_number
Description:
Filters access by the Google Cloud or Google Workspace organization number
Type:
Numeric
agent.${Domain}.buildkite.dev:build_branch
Description:
Filters access by the git branch that triggered the Buildkite build
Type:
String
agent.${Domain}.buildkite.dev:cluster_id
Description:
Filters access by the Buildkite cluster ID
Type:
String
agent.${Domain}.buildkite.dev:cluster_name
Description:
Filters access by the Buildkite cluster name
Type:
String
agent.${Domain}.buildkite.dev:organization_id
Description:
Filters access by the Buildkite organization ID
Type:
String
agent.${Domain}.buildkite.dev:organization_slug
Description:
Filters access by the Buildkite organization slug
Type:
String
agent.${Domain}.buildkite.dev:pipeline_id
Description:
Filters access by the Buildkite pipeline ID
Type:
String
agent.${Domain}.buildkite.dev:pipeline_slug
Description:
Filters access by the Buildkite pipeline slug
Type:
String
agent.${Domain}.buildkite.site:build_branch
Description:
Filters access by the git branch that triggered the Buildkite build
Type:
String
agent.${Domain}.buildkite.site:cluster_id
Description:
Filters access by the Buildkite cluster ID
Type:
String
agent.${Domain}.buildkite.site:cluster_name
Description:
Filters access by the Buildkite cluster name
Type:
String
agent.${Domain}.buildkite.site:organization_id
Description:
Filters access by the Buildkite organization ID
Type:
String
agent.${Domain}.buildkite.site:organization_slug
Description:
Filters access by the Buildkite organization slug
Type:
String
agent.${Domain}.buildkite.site:pipeline_id
Description:
Filters access by the Buildkite pipeline ID
Type:
String
agent.${Domain}.buildkite.site:pipeline_slug
Description:
Filters access by the Buildkite pipeline slug
Type:
String
agent.buildkite.com:build_branch
Description:
Filters access by the git branch that triggered the Buildkite build
Type:
String
agent.buildkite.com:cluster_id
Description:
Filters access by the Buildkite cluster ID
Type:
String
agent.buildkite.com:cluster_name
Description:
Filters access by the Buildkite cluster name
Type:
String
agent.buildkite.com:organization_id
Description:
Filters access by the Buildkite organization ID
Type:
String
agent.buildkite.com:organization_slug
Description:
Filters access by the Buildkite organization slug
Type:
String
agent.buildkite.com:pipeline_id
Description:
Filters access by the Buildkite pipeline ID
Type:
String
agent.buildkite.com:pipeline_slug
Description:
Filters access by the Buildkite pipeline slug
Type:
String
github.com/enterprises/${EnterpriseName}:actor
Description:
Filters access by the personal account that initiated the workflow run
Type:
String
github.com/enterprises/${EnterpriseName}:actor_id
Description:
Filters access by the ID of the personal account that initiated the workflow run
Type:
String
github.com/enterprises/${EnterpriseName}:enterprise_id
Description:
Filters access by the ID of the enterprise that contains the repository from where the workflow is running
Type:
String
github.com/enterprises/${EnterpriseName}:environment
Description:
Filters access by the name of the environment used by the job
Type:
String
github.com/enterprises/${EnterpriseName}:job_workflow_ref
Description:
Filters access by the reference path to the reusable workflow for jobs using a reusable workflow
Type:
String
github.com/enterprises/${EnterpriseName}:ref
Description:
Filters access by the git ref (branch or tag) that triggered the workflow run
Type:
String
github.com/enterprises/${EnterpriseName}:repository
Description:
Filters access by the repository from where the workflow is running
Type:
String
github.com/enterprises/${EnterpriseName}:repository_id
Description:
Filters access by the ID of the repository from where the workflow is running
Type:
String
github.com/enterprises/${EnterpriseName}:repository_owner_id
Description:
Filters access by the ID of the repository owner from where the workflow is running
Type:
String
github.com/enterprises/${EnterpriseName}:workflow
Description:
Filters access by the name of the workflow
Type:
String
gitlab.com:namespace_id
Description:
Filters access by the GitLab namespace (group) ID of the project running the CI/CD job
Type:
String
gitlab.com:pipeline_source
Description:
Filters access by the source that triggered the GitLab pipeline
Type:
String
gitlab.com:project_id
Description:
Filters access by the GitLab project ID running the CI/CD job
Type:
String
gitlab.com:ref_protected
Description:
Filters access by whether the GitLab git ref that triggered the job is protected
Type:
String
gitlab.com:runner_environment
Description:
Filters access by the GitLab runner environment for the CI/CD job
Type:
String
gitlab.com:user_access_level
Description:
Filters access by the GitLab user access level within the project
Type:
String
gitlab.com:user_email
Description:
Filters access by the GitLab user email executing the CI/CD job
Type:
String
gitlab.com:user_id
Description:
Filters access by the GitLab user ID executing the CI/CD job
Type:
String
gitlab.com:user_login
Description:
Filters access by the GitLab username executing the CI/CD job
Type:
String
idcs-${OciUniqueIdentifier}.identity.oraclecloud.com:rpst_id
Description:
Filters access by the OCI resource principal session token ID
Type:
String
oidc.circleci.com/org/${OrgId}:oidc.circleci.com/project-id
Description:
Filters access by the CircleCI project ID
Type:
String
sts:RoleAuthorizedByIdp
Description:
Filters access based on whether the identity provider authorized the role via the roles claim in the OIDC token
Type:
Bool
token.actions.${Domain}.ghe.com:actor
Description:
Filters access by the personal account that initiated the workflow run
Type:
String
token.actions.${Domain}.ghe.com:actor_id
Description:
Filters access by the ID of the personal account that initiated the workflow run
Type:
String
token.actions.${Domain}.ghe.com:enterprise_id
Description:
Filters access by the ID of the enterprise that contains the repository from where the workflow is running
Type:
String
token.actions.${Domain}.ghe.com:environment
Description:
Filters access by the name of the environment used by the job
Type:
String
token.actions.${Domain}.ghe.com:job_workflow_ref
Description:
Filters access by the reference path to the reusable workflow for jobs using a reusable workflow
Type:
String
token.actions.${Domain}.ghe.com:ref
Description:
Filters access by the git ref (branch or tag) that triggered the workflow run
Type:
String
token.actions.${Domain}.ghe.com:repository
Description:
Filters access by the repository from where the workflow is running
Type:
String
token.actions.${Domain}.ghe.com:repository_id
Description:
Filters access by the ID of the repository from where the workflow is running
Type:
String
token.actions.${Domain}.ghe.com:repository_owner_id
Description:
Filters access by the ID of the repository owner from where the workflow is running
Type:
String
token.actions.${Domain}.ghe.com:workflow
Description:
Filters access by the name of the workflow
Type:
String
token.actions.githubusercontent.com/${SubPath}:actor
Description:
Filters access by the personal account that initiated the workflow run
Type:
String
token.actions.githubusercontent.com/${SubPath}:actor_id
Description:
Filters access by the ID of the personal account that initiated the workflow run
Type:
String
token.actions.githubusercontent.com/${SubPath}:enterprise_id
Description:
Filters access by the ID of the enterprise that contains the repository from where the workflow is running
Type:
String
token.actions.githubusercontent.com/${SubPath}:environment
Description:
Filters access by the name of the environment used by the job
Type:
String
token.actions.githubusercontent.com/${SubPath}:job_workflow_ref
Description:
Filters access by the reference path to the reusable workflow for jobs using a reusable workflow
Type:
String
token.actions.githubusercontent.com/${SubPath}:ref
Description:
Filters access by the git ref (branch or tag) that triggered the workflow run
Type:
String
token.actions.githubusercontent.com/${SubPath}:repository
Description:
Filters access by the repository from where the workflow is running
Type:
String
token.actions.githubusercontent.com/${SubPath}:repository_id
Description:
Filters access by the ID of the repository from where the workflow is running
Type:
String
token.actions.githubusercontent.com/${SubPath}:repository_owner_id
Description:
Filters access by the ID of the repository owner from where the workflow is running
Type:
String
token.actions.githubusercontent.com/${SubPath}:workflow
Description:
Filters access by the name of the workflow
Type:
String
token.actions.githubusercontent.com:actor
Description:
Filters access by the personal account that initiated the workflow run
Type:
String
token.actions.githubusercontent.com:actor_id
Description:
Filters access by the ID of the personal account that initiated the workflow run
Type:
String
token.actions.githubusercontent.com:enterprise_id
Description:
Filters access by the ID of the enterprise that contains the repository from where the workflow is running
Type:
String
token.actions.githubusercontent.com:environment
Description:
Filters access by the name of the environment used by the job
Type:
String
token.actions.githubusercontent.com:job_workflow_ref
Description:
Filters access by the reference path to the reusable workflow for jobs using a reusable workflow
Type:
String
token.actions.githubusercontent.com:ref
Description:
Filters access by the git ref (branch or tag) that triggered the workflow run
Type:
String
token.actions.githubusercontent.com:repository
Description:
Filters access by the repository from where the workflow is running
Type:
String
token.actions.githubusercontent.com:repository_id
Description:
Filters access by the ID of the repository from where the workflow is running
Type:
String
token.actions.githubusercontent.com:repository_owner_id
Description:
Filters access by the ID of the repository owner from where the workflow is running
Type:
String
token.actions.githubusercontent.com:workflow
Description:
Filters access by the name of the workflow
Type:
String
Updates
Actions
AssumeRoleWithWebIdentity
Conditions
+ accounts.google.com:google/organization_number
+ agent.${Domain}.buildkite.dev:build_branch
+ agent.${Domain}.buildkite.dev:cluster_id
+ agent.${Domain}.buildkite.dev:cluster_name
+ agent.${Domain}.buildkite.dev:organization_id
+ agent.${Domain}.buildkite.dev:organization_slug
+ agent.${Domain}.buildkite.dev:pipeline_id
+ agent.${Domain}.buildkite.dev:pipeline_slug
+ agent.${Domain}.buildkite.site:build_branch
+ agent.${Domain}.buildkite.site:cluster_id
+ agent.${Domain}.buildkite.site:cluster_name
+ agent.${Domain}.buildkite.site:organization_id
+ agent.${Domain}.buildkite.site:organization_slug
+ agent.${Domain}.buildkite.site:pipeline_id
+ agent.${Domain}.buildkite.site:pipeline_slug
+ agent.buildkite.com:build_branch
+ agent.buildkite.com:cluster_id
+ agent.buildkite.com:cluster_name
+ agent.buildkite.com:organization_id
+ agent.buildkite.com:organization_slug
+ agent.buildkite.com:pipeline_id
+ agent.buildkite.com:pipeline_slug
+ github.com/enterprises/${EnterpriseName}:actor
+ github.com/enterprises/${EnterpriseName}:actor_id
+ github.com/enterprises/${EnterpriseName}:enterprise_id
+ github.com/enterprises/${EnterpriseName}:environment
+ github.com/enterprises/${EnterpriseName}:job_workflow_ref
+ github.com/enterprises/${EnterpriseName}:ref
+ github.com/enterprises/${EnterpriseName}:repository
+ github.com/enterprises/${EnterpriseName}:repository_id
+ github.com/enterprises/${EnterpriseName}:repository_owner_id
+ github.com/enterprises/${EnterpriseName}:workflow
+ gitlab.com:namespace_id
+ gitlab.com:pipeline_source
+ gitlab.com:project_id
+ gitlab.com:ref_protected
+ gitlab.com:runner_environment
+ gitlab.com:user_access_level
+ gitlab.com:user_email
+ gitlab.com:user_id
+ gitlab.com:user_login
+ idcs-${OciUniqueIdentifier}.identity.oraclecloud.com:rpst_id
+ oidc.circleci.com/org/${OrgId}:oidc.circleci.com/project-id
+ sts:RoleAuthorizedByIdp
+ token.actions.${Domain}.ghe.com:actor
+ token.actions.${Domain}.ghe.com:actor_id
+ token.actions.${Domain}.ghe.com:enterprise_id
+ token.actions.${Domain}.ghe.com:environment
+ token.actions.${Domain}.ghe.com:job_workflow_ref
+ token.actions.${Domain}.ghe.com:ref
+ token.actions.${Domain}.ghe.com:repository
+ token.actions.${Domain}.ghe.com:repository_id
+ token.actions.${Domain}.ghe.com:repository_owner_id
+ token.actions.${Domain}.ghe.com:workflow
+ token.actions.githubusercontent.com/${SubPath}:actor
+ token.actions.githubusercontent.com/${SubPath}:actor_id
+ token.actions.githubusercontent.com/${SubPath}:enterprise_id
+ token.actions.githubusercontent.com/${SubPath}:environment
+ token.actions.githubusercontent.com/${SubPath}:job_workflow_ref
+ token.actions.githubusercontent.com/${SubPath}:ref
+ token.actions.githubusercontent.com/${SubPath}:repository
+ token.actions.githubusercontent.com/${SubPath}:repository_id
+ token.actions.githubusercontent.com/${SubPath}:repository_owner_id
+ token.actions.githubusercontent.com/${SubPath}:workflow
+ token.actions.githubusercontent.com:actor
+ token.actions.githubusercontent.com:actor_id
+ token.actions.githubusercontent.com:enterprise_id
+ token.actions.githubusercontent.com:environment
+ token.actions.githubusercontent.com:job_workflow_ref
+ token.actions.githubusercontent.com:ref
+ token.actions.githubusercontent.com:repository
+ token.actions.githubusercontent.com:repository_id
+ token.actions.githubusercontent.com:repository_owner_id
+ token.actions.githubusercontent.com:workflow