Attribute-based access (ABAC) — Azure · AWS · GCP
IAM Conditions add context-aware rules to role bindings — "allow this role, but only when X is true." Useful for time-bound access, IP restrictions, and resource tags.
Not in IAM directly. Uses Entra Conditional Access with Named Locations for IP ranges.
"Condition":{"IpAddress":{"aws:SourceIp":"203.0.113.0/24"}}--condition-expression="origin.ip in ['203.0.113.0/24']"
Azure AD Privileged Identity Management: eligible → activate for X hours. Not a native IAM condition on the role assignment.
"Condition":{"DateGreaterThan":{"aws:CurrentTime":"2026-01-01T00:00:00Z"},"DateLessThan":{"aws:CurrentTime":"2026-12-31T23:59:59Z"}}--condition="request.time < timestamp('2026-12-31T23:59:59Z') && request.time > timestamp('2026-01-01T00:00:00Z')"{"conditionVersion":"2.0","condition":"@Resource[storageAccounts/blobServices/containers:name] StringContains 'prod'"}Currently limited to Storage Blob Data actions.
"Condition":{"StringEquals":{"aws:ResourceTag/environment":"prod"}}Works with all services that support resource tagging.
--condition="resource.matchTag('ORG_ID/environment', 'prod')"Requires tag created at org level first.