AWS Identity and Access Management
API Reference (API Version 2010-05-08)


Gets a list of all of the context keys referenced in the input policies. The policies are supplied as a list of one or more strings. To get the context keys from policies associated with an IAM user, group, or role, use GetContextKeysForPrincipalPolicy.

Context keys are variables maintained by AWS and its services that provide details about the context of an API query request, and can be evaluated by testing against a value specified in an IAM policy. Use GetContextKeysForCustomPolicy to understand what key names and values you must supply when you call SimulateCustomPolicy. Note that all parameters are shown in unencoded form here for clarity, but must be URL encoded to be included as a part of a real HTML request.

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters.


A list of policies for which you want the list of context keys referenced in those policies. Each document is specified as a string containing the complete, valid JSON text of an IAM policy.

The regex pattern used to validate this parameter is a string of characters consisting of any printable ASCII character ranging from the space character (\u0020) through end of the ASCII character range as well as the printable characters in the Basic Latin and Latin-1 Supplement character set (through \u00FF). It also includes the special characters tab (\u0009), line feed (\u000A), and carriage return (\u000D).

Type: Array of strings

Length Constraints: Minimum length of 1. Maximum length of 131072.

Pattern: [\u0009\u000A\u000D\u0020-\u00FF]+

Required: Yes

Response Elements

The following element is returned by the service.


The list of context keys that are referenced in the input policies.

Type: Array of strings

Length Constraints: Minimum length of 5. Maximum length of 256.


For information about the errors that are common to all actions, see Common Errors.


The request was rejected because an invalid or out-of-range value was supplied for an input parameter.

HTTP Status Code: 400


Example 1

In the following example, the request includes a policy as a string. The response shows that the policies use both aws:CurrentTime and aws:username.

Sample Request

Copy &PolicyInputList.member.1='{ "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "dynamodb:*", "Resource": "arn:aws:dynamodb:us-east-2:ACCOUNT-ID-WITHOUT-HYPHENS:table/${aws:username}", "Condition":{"DateGreaterThan":{"aws:CurrentTime":"2015-08-16T12:00:00Z"}} } }' &Version=2010-05-08 &AUTHPARAMS

Sample Response

<GetContextKeysForCustomPolicyResponse xmlns=""> <GetContextKeysForCustomPolicyResult> <ContextKeyNames> <member>aws:username</member> <member>aws:CurrentTime</member> </ContextKeyNames> </GetContextKeysForCustomPolicyResult> <ResponseMetadata> <RequestId>d6808605-4c06-11e5-b121-bd8c7EXAMPLE</RequestId> </ResponseMetadata> </GetContextKeysForCustomPolicyResponse>

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: