GetContextKeysForCustomPolicy - AWS Identity and Access Management


Gets a list of all of the context keys referenced in the input policies. The policies are supplied as a list of one or more strings. To get the context keys from policies associated with an IAM user, group, or role, use GetContextKeysForPrincipalPolicy.

Context keys are variables maintained by AWS and its services that provide details about the context of an API query request. Context keys can be evaluated by testing against a value specified in an IAM policy. Use GetContextKeysForCustomPolicy to understand what key names and values you must supply when you call SimulateCustomPolicy. Note that all parameters are shown in unencoded form here for clarity but must be URL encoded to be included as a part of a real HTML request.

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters.


A list of policies for which you want the list of context keys referenced in those policies. Each document is specified as a string containing the complete, valid JSON text of an IAM policy.

The regex pattern used to validate this parameter is a string of characters consisting of the following:

  • Any printable ASCII character ranging from the space character (\u0020) through the end of the ASCII character range

  • The printable characters in the Basic Latin and Latin-1 Supplement character set (through \u00FF)

  • The special characters tab (\u0009), line feed (\u000A), and carriage return (\u000D)

Type: Array of strings

Length Constraints: Minimum length of 1. Maximum length of 131072.

Pattern: [\u0009\u000A\u000D\u0020-\u00FF]+

Required: Yes

Response Elements

The following element is returned by the service.


The list of context keys that are referenced in the input policies.

Type: Array of strings

Length Constraints: Minimum length of 5. Maximum length of 256.


For information about the errors that are common to all actions, see Common Errors.


The request was rejected because an invalid or out-of-range value was supplied for an input parameter.

HTTP Status Code: 400


Example 1

In the following example, the request includes a policy as a string. The response shows that the policies use both aws:CurrentTime and aws:username.

Sample Request &PolicyInputList.member.1='{ "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "dynamodb:*", "Resource": "arn:aws:dynamodb:us-east-2:ACCOUNT-ID-WITHOUT-HYPHENS:table/${aws:username}", "Condition":{"DateGreaterThan":{"aws:CurrentTime":"2015-08-16T12:00:00Z"}} } }' &Version=2010-05-08 &AUTHPARAMS

Sample Response

<GetContextKeysForCustomPolicyResponse xmlns=""> <GetContextKeysForCustomPolicyResult> <ContextKeyNames> <member>aws:username</member> <member>aws:CurrentTime</member> </ContextKeyNames> </GetContextKeysForCustomPolicyResult> <ResponseMetadata> <RequestId>d6808605-4c06-11e5-b121-bd8c7EXAMPLE</RequestId> </ResponseMetadata> </GetContextKeysForCustomPolicyResponse>

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: