{"id":"iam-principal-arn-returns-role-not-session","text":"The `aws:PrincipalArn` condition key returns the IAM role ARN, not the assumed-role session ARN — ARN operators (not string operators) should be used for comparisons.","truth_value":"IN","source":"entries/2026/03/11/IAM-latest-UserGuide-reference_policies_condition-keyshtml.md","source_url":"","source_hash":"e2027fc5516d6eee","justifications":[],"dependents":[],"metadata":{},"explanation":{"steps":[{"node":"iam-principal-arn-returns-role-not-session","truth_value":"IN","reason":"premise"}]}}