Status: IN
The `aws:PrincipalArn` condition key returns the IAM role ARN, not the assumed-role session ARN. Use ARN operators, not string operators, when comparing against it.
Source: entries/2026/03/11/IAM-latest-UserGuide-reference_policies_condition-keyshtml.md