Status: IN
The `aws:PrincipalArn` condition key avoids the principal ID transformation problem — permissions persist through delete/recreate cycles of the referenced IAM entity.
Source: entries/2026/03/11/IAM-latest-UserGuide-reference_policies_elements_principalhtml.md