2024/05/09 - Amazon Verified Permissions - 4 updated api methods
Changes Adds policy effect and actions fields to Policy API's.
{'actions': [{'actionId': 'string', 'actionType': 'string'}],
'effect': 'Permit | Forbid'}
Creates a Cedar policy and saves it in the specified policy store. You can create either a static policy or a policy linked to a policy template.
To create a static policy, provide the Cedar policy text in the StaticPolicy section of the PolicyDefinition .
To create a policy that is dynamically linked to a policy template, specify the policy template ID and the principal and resource to associate with this policy in the templateLinked section of the PolicyDefinition . If the policy template is ever updated, any policies linked to the policy template automatically use the updated template.
Note
Creating a policy causes it to be validated against the schema in the policy store. If the policy doesn't pass validation, the operation fails and the policy isn't stored.
Note
Verified Permissions is eventually consistent . It can take a few seconds for a new or changed element to propagate through the service and be visible in the results of other Verified Permissions operations.
See also: AWS API Documentation
Request Syntax
client.create_policy(
clientToken='string',
policyStoreId='string',
definition={
'static': {
'description': 'string',
'statement': 'string'
},
'templateLinked': {
'policyTemplateId': 'string',
'principal': {
'entityType': 'string',
'entityId': 'string'
},
'resource': {
'entityType': 'string',
'entityId': 'string'
}
}
}
)
string
Specifies a unique, case-sensitive ID that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value..
If you don't provide this value, then Amazon Web Services generates a random one for you.
If you retry the operation with the same ClientToken , but with different parameters, the retry fails with an ConflictException error.
Verified Permissions recognizes a ClientToken for eight hours. After eight hours, the next request with the same parameters performs the operation again regardless of the value of ClientToken .
This field is autopopulated if not provided.
string
[REQUIRED]
Specifies the PolicyStoreId of the policy store you want to store the policy in.
dict
[REQUIRED]
A structure that specifies the policy type and content to use for the new policy. You must include either a static or a templateLinked element. The policy content must be written in the Cedar policy language.
Note
This is a Tagged Union structure. Only one of the following top level keys can be set: static, templateLinked.
static (dict) --
A structure that describes a static policy. An static policy doesn't use a template or allow placeholders for entities.
description (string) --
The description of the static policy.
statement (string) -- [REQUIRED]
The policy content of the static policy, written in the Cedar policy language.
templateLinked (dict) --
A structure that describes a policy that was instantiated from a template. The template can specify placeholders for principal and resource . When you use CreatePolicy to create a policy from a template, you specify the exact principal and resource to use for the instantiated policy.
policyTemplateId (string) -- [REQUIRED]
The unique identifier of the policy template used to create this policy.
principal (dict) --
The principal associated with this template-linked policy. Verified Permissions substitutes this principal for the ?principal placeholder in the policy template when it evaluates an authorization request.
entityType (string) -- [REQUIRED]
The type of an entity.
Example: "entityType":"typeName"
entityId (string) -- [REQUIRED]
The identifier of an entity.
"entityId":"identifier"
resource (dict) --
The resource associated with this template-linked policy. Verified Permissions substitutes this resource for the ?resource placeholder in the policy template when it evaluates an authorization request.
entityType (string) -- [REQUIRED]
The type of an entity.
Example: "entityType":"typeName"
entityId (string) -- [REQUIRED]
The identifier of an entity.
"entityId":"identifier"
dict
Response Syntax
{
'policyStoreId': 'string',
'policyId': 'string',
'policyType': 'STATIC'|'TEMPLATE_LINKED',
'principal': {
'entityType': 'string',
'entityId': 'string'
},
'resource': {
'entityType': 'string',
'entityId': 'string'
},
'actions': [
{
'actionType': 'string',
'actionId': 'string'
},
],
'createdDate': datetime(2015, 1, 1),
'lastUpdatedDate': datetime(2015, 1, 1),
'effect': 'Permit'|'Forbid'
}
Response Structure
(dict) --
policyStoreId (string) --
The ID of the policy store that contains the new policy.
policyId (string) --
The unique ID of the new policy.
policyType (string) --
The policy type of the new policy.
principal (dict) --
The principal specified in the new policy's scope. This response element isn't present when principal isn't specified in the policy content.
entityType (string) --
The type of an entity.
Example: "entityType":"typeName"
entityId (string) --
The identifier of an entity.
"entityId":"identifier"
resource (dict) --
The resource specified in the new policy's scope. This response element isn't present when the resource isn't specified in the policy content.
entityType (string) --
The type of an entity.
Example: "entityType":"typeName"
entityId (string) --
The identifier of an entity.
"entityId":"identifier"
actions (list) --
The action that a policy permits or forbids. For example, {"actions": [{"actionId": "ViewPhoto", "actionType": "PhotoFlash::Action"}, {"entityID": "SharePhoto", "entityType": "PhotoFlash::Action"}]} .
(dict) --
Contains information about an action for a request for which an authorization decision is made.
This data type is used as a request parameter to the IsAuthorized, BatchIsAuthorized, and IsAuthorizedWithToken operations.
Example: { "actionId": "<action name>", "actionType": "Action" }
actionType (string) --
The type of an action.
actionId (string) --
The ID of an action.
createdDate (datetime) --
The date and time the policy was originally created.
lastUpdatedDate (datetime) --
The date and time the policy was last updated.
effect (string) --
The effect of the decision that a policy returns to an authorization request. For example, "effect": "Permit" .
{'actions': [{'actionId': 'string', 'actionType': 'string'}],
'effect': 'Permit | Forbid'}
Retrieves information about the specified policy.
See also: AWS API Documentation
Request Syntax
client.get_policy(
policyStoreId='string',
policyId='string'
)
string
[REQUIRED]
Specifies the ID of the policy store that contains the policy that you want information about.
string
[REQUIRED]
Specifies the ID of the policy you want information about.
dict
Response Syntax
{
'policyStoreId': 'string',
'policyId': 'string',
'policyType': 'STATIC'|'TEMPLATE_LINKED',
'principal': {
'entityType': 'string',
'entityId': 'string'
},
'resource': {
'entityType': 'string',
'entityId': 'string'
},
'actions': [
{
'actionType': 'string',
'actionId': 'string'
},
],
'definition': {
'static': {
'description': 'string',
'statement': 'string'
},
'templateLinked': {
'policyTemplateId': 'string',
'principal': {
'entityType': 'string',
'entityId': 'string'
},
'resource': {
'entityType': 'string',
'entityId': 'string'
}
}
},
'createdDate': datetime(2015, 1, 1),
'lastUpdatedDate': datetime(2015, 1, 1),
'effect': 'Permit'|'Forbid'
}
Response Structure
(dict) --
policyStoreId (string) --
The ID of the policy store that contains the policy that you want information about.
policyId (string) --
The unique ID of the policy that you want information about.
policyType (string) --
The type of the policy.
principal (dict) --
The principal specified in the policy's scope. This element isn't included in the response when Principal isn't present in the policy content.
entityType (string) --
The type of an entity.
Example: "entityType":"typeName"
entityId (string) --
The identifier of an entity.
"entityId":"identifier"
resource (dict) --
The resource specified in the policy's scope. This element isn't included in the response when Resource isn't present in the policy content.
entityType (string) --
The type of an entity.
Example: "entityType":"typeName"
entityId (string) --
The identifier of an entity.
"entityId":"identifier"
actions (list) --
The action that a policy permits or forbids. For example, {"actions": [{"actionId": "ViewPhoto", "actionType": "PhotoFlash::Action"}, {"entityID": "SharePhoto", "entityType": "PhotoFlash::Action"}]} .
(dict) --
Contains information about an action for a request for which an authorization decision is made.
This data type is used as a request parameter to the IsAuthorized, BatchIsAuthorized, and IsAuthorizedWithToken operations.
Example: { "actionId": "<action name>", "actionType": "Action" }
actionType (string) --
The type of an action.
actionId (string) --
The ID of an action.
definition (dict) --
The definition of the requested policy.
Note
This is a Tagged Union structure. Only one of the following top level keys will be set: static, templateLinked. If a client receives an unknown member it will set SDK_UNKNOWN_MEMBER as the top level key, which maps to the name or tag of the unknown member. The structure of SDK_UNKNOWN_MEMBER is as follows:
'SDK_UNKNOWN_MEMBER': {'name': 'UnknownMemberName'}
static (dict) --
Information about a static policy that wasn't created with a policy template.
description (string) --
A description of the static policy.
statement (string) --
The content of the static policy written in the Cedar policy language.
templateLinked (dict) --
Information about a template-linked policy that was created by instantiating a policy template.
policyTemplateId (string) --
The unique identifier of the policy template used to create this policy.
principal (dict) --
The principal associated with this template-linked policy. Verified Permissions substitutes this principal for the ?principal placeholder in the policy template when it evaluates an authorization request.
entityType (string) --
The type of an entity.
Example: "entityType":"typeName"
entityId (string) --
The identifier of an entity.
"entityId":"identifier"
resource (dict) --
The resource associated with this template-linked policy. Verified Permissions substitutes this resource for the ?resource placeholder in the policy template when it evaluates an authorization request.
entityType (string) --
The type of an entity.
Example: "entityType":"typeName"
entityId (string) --
The identifier of an entity.
"entityId":"identifier"
createdDate (datetime) --
The date and time that the policy was originally created.
lastUpdatedDate (datetime) --
The date and time that the policy was last updated.
effect (string) --
The effect of the decision that a policy returns to an authorization request. For example, "effect": "Permit" .
{'policies': {'actions': [{'actionId': 'string', 'actionType': 'string'}],
'effect': 'Permit | Forbid'}}
Returns a paginated list of all policies stored in the specified policy store.
See also: AWS API Documentation
Request Syntax
client.list_policies(
policyStoreId='string',
nextToken='string',
maxResults=123,
filter={
'principal': {
'unspecified': True|False,
'identifier': {
'entityType': 'string',
'entityId': 'string'
}
},
'resource': {
'unspecified': True|False,
'identifier': {
'entityType': 'string',
'entityId': 'string'
}
},
'policyType': 'STATIC'|'TEMPLATE_LINKED',
'policyTemplateId': 'string'
}
)
string
[REQUIRED]
Specifies the ID of the policy store you want to list policies from.
string
Specifies that you want to receive the next page of results. Valid only if you received a NextToken response in the previous request. If you did, it indicates that more output is available. Set this parameter to the value provided by the previous call's NextToken response to request the next page of results.
integer
Specifies the total number of results that you want included in each response. If additional items exist beyond the number you specify, the NextToken response element is returned with a value (not null). Include the specified value as the NextToken request parameter in the next call to the operation to get the next set of results. Note that the service might return fewer results than the maximum even when there are more results available. You should check NextToken after every operation to ensure that you receive all of the results.
If you do not specify this parameter, the operation defaults to 10 policies per response. You can specify a maximum of 50 policies per response.
dict
Specifies a filter that limits the response to only policies that match the specified criteria. For example, you list only the policies that reference a specified principal.
principal (dict) --
Filters the output to only policies that reference the specified principal.
Note
This is a Tagged Union structure. Only one of the following top level keys can be set: unspecified, identifier.
unspecified (boolean) --
Used to indicate that a principal or resource is not specified. This can be used to search for policies that are not associated with a specific principal or resource.
identifier (dict) --
The identifier of the entity. It can consist of either an EntityType and EntityId, a principal, or a resource.
entityType (string) -- [REQUIRED]
The type of an entity.
Example: "entityType":"typeName"
entityId (string) -- [REQUIRED]
The identifier of an entity.
"entityId":"identifier"
resource (dict) --
Filters the output to only policies that reference the specified resource.
Note
This is a Tagged Union structure. Only one of the following top level keys can be set: unspecified, identifier.
unspecified (boolean) --
Used to indicate that a principal or resource is not specified. This can be used to search for policies that are not associated with a specific principal or resource.
identifier (dict) --
The identifier of the entity. It can consist of either an EntityType and EntityId, a principal, or a resource.
entityType (string) -- [REQUIRED]
The type of an entity.
Example: "entityType":"typeName"
entityId (string) -- [REQUIRED]
The identifier of an entity.
"entityId":"identifier"
policyType (string) --
Filters the output to only policies of the specified type.
policyTemplateId (string) --
Filters the output to only template-linked policies that were instantiated from the specified policy template.
dict
Response Syntax
{
'nextToken': 'string',
'policies': [
{
'policyStoreId': 'string',
'policyId': 'string',
'policyType': 'STATIC'|'TEMPLATE_LINKED',
'principal': {
'entityType': 'string',
'entityId': 'string'
},
'resource': {
'entityType': 'string',
'entityId': 'string'
},
'actions': [
{
'actionType': 'string',
'actionId': 'string'
},
],
'definition': {
'static': {
'description': 'string'
},
'templateLinked': {
'policyTemplateId': 'string',
'principal': {
'entityType': 'string',
'entityId': 'string'
},
'resource': {
'entityType': 'string',
'entityId': 'string'
}
}
},
'createdDate': datetime(2015, 1, 1),
'lastUpdatedDate': datetime(2015, 1, 1),
'effect': 'Permit'|'Forbid'
},
]
}
Response Structure
(dict) --
nextToken (string) --
If present, this value indicates that more output is available than is included in the current response. Use this value in the NextToken request parameter in a subsequent call to the operation to get the next part of the output. You should repeat this until the NextToken response element comes back as null . This indicates that this is the last page of results.
policies (list) --
Lists all policies that are available in the specified policy store.
(dict) --
Contains information about a policy.
This data type is used as a response parameter for the ListPolicies operation.
policyStoreId (string) --
The identifier of the PolicyStore where the policy you want information about is stored.
policyId (string) --
The identifier of the policy you want information about.
policyType (string) --
The type of the policy. This is one of the following values:
static
templateLinked
principal (dict) --
The principal associated with the policy.
entityType (string) --
The type of an entity.
Example: "entityType":"typeName"
entityId (string) --
The identifier of an entity.
"entityId":"identifier"
resource (dict) --
The resource associated with the policy.
entityType (string) --
The type of an entity.
Example: "entityType":"typeName"
entityId (string) --
The identifier of an entity.
"entityId":"identifier"
actions (list) --
The action that a policy permits or forbids. For example, {"actions": [{"actionId": "ViewPhoto", "actionType": "PhotoFlash::Action"}, {"entityID": "SharePhoto", "entityType": "PhotoFlash::Action"}]} .
(dict) --
Contains information about an action for a request for which an authorization decision is made.
This data type is used as a request parameter to the IsAuthorized, BatchIsAuthorized, and IsAuthorizedWithToken operations.
Example: { "actionId": "<action name>", "actionType": "Action" }
actionType (string) --
The type of an action.
actionId (string) --
The ID of an action.
definition (dict) --
The policy definition of an item in the list of policies returned.
Note
This is a Tagged Union structure. Only one of the following top level keys will be set: static, templateLinked. If a client receives an unknown member it will set SDK_UNKNOWN_MEMBER as the top level key, which maps to the name or tag of the unknown member. The structure of SDK_UNKNOWN_MEMBER is as follows:
'SDK_UNKNOWN_MEMBER': {'name': 'UnknownMemberName'}
static (dict) --
Information about a static policy that wasn't created with a policy template.
description (string) --
A description of the static policy.
templateLinked (dict) --
Information about a template-linked policy that was created by instantiating a policy template.
policyTemplateId (string) --
The unique identifier of the policy template used to create this policy.
principal (dict) --
The principal associated with this template-linked policy. Verified Permissions substitutes this principal for the ?principal placeholder in the policy template when it evaluates an authorization request.
entityType (string) --
The type of an entity.
Example: "entityType":"typeName"
entityId (string) --
The identifier of an entity.
"entityId":"identifier"
resource (dict) --
The resource associated with this template-linked policy. Verified Permissions substitutes this resource for the ?resource placeholder in the policy template when it evaluates an authorization request.
entityType (string) --
The type of an entity.
Example: "entityType":"typeName"
entityId (string) --
The identifier of an entity.
"entityId":"identifier"
createdDate (datetime) --
The date and time the policy was created.
lastUpdatedDate (datetime) --
The date and time the policy was most recently updated.
effect (string) --
The effect of the decision that a policy returns to an authorization request. For example, "effect": "Permit" .
{'actions': [{'actionId': 'string', 'actionType': 'string'}],
'effect': 'Permit | Forbid'}
Modifies a Cedar static policy in the specified policy store. You can change only certain elements of the UpdatePolicyDefinition parameter. You can directly update only static policies. To change a template-linked policy, you must update the template instead, using UpdatePolicyTemplate.
Note
If policy validation is enabled in the policy store, then updating a static policy causes Verified Permissions to validate the policy against the schema in the policy store. If the updated static policy doesn't pass validation, the operation fails and the update isn't stored.
When you edit a static policy, you can change only certain elements of a static policy:
The action referenced by the policy.
A condition clause, such as when and unless.
You can't change these elements of a static policy:
Changing a policy from a static policy to a template-linked policy.
Changing the effect of a static policy from permit or forbid.
The principal referenced by a static policy.
The resource referenced by a static policy.
To update a template-linked policy, you must update the template instead.
Note
Verified Permissions is eventually consistent . It can take a few seconds for a new or changed element to propagate through the service and be visible in the results of other Verified Permissions operations.
See also: AWS API Documentation
Request Syntax
client.update_policy(
policyStoreId='string',
policyId='string',
definition={
'static': {
'description': 'string',
'statement': 'string'
}
}
)
string
[REQUIRED]
Specifies the ID of the policy store that contains the policy that you want to update.
string
[REQUIRED]
Specifies the ID of the policy that you want to update. To find this value, you can use ListPolicies.
dict
[REQUIRED]
Specifies the updated policy content that you want to replace on the specified policy. The content must be valid Cedar policy language text.
You can change only the following elements from the policy definition:
The action referenced by the policy.
Any conditional clauses, such as when or unless clauses.
You can't change the following elements:
Changing from static to templateLinked .
Changing the effect of the policy from permit or forbid .
The principal referenced by the policy.
The resource referenced by the policy.
Note
This is a Tagged Union structure. Only one of the following top level keys can be set: static.
static (dict) --
Contains details about the updates to be applied to a static policy.
description (string) --
Specifies the description to be added to or replaced on the static policy.
statement (string) -- [REQUIRED]
Specifies the Cedar policy language text to be added to or replaced on the static policy.
Warning
You can change only the following elements from the original content:
The action referenced by the policy.
Any conditional clauses, such as when or unless clauses.
You can't change the following elements:
Changing from StaticPolicy to TemplateLinkedPolicy .
The effect ( permit or forbid ) of the policy.
The principal referenced by the policy.
The resource referenced by the policy.
dict
Response Syntax
{
'policyStoreId': 'string',
'policyId': 'string',
'policyType': 'STATIC'|'TEMPLATE_LINKED',
'principal': {
'entityType': 'string',
'entityId': 'string'
},
'resource': {
'entityType': 'string',
'entityId': 'string'
},
'actions': [
{
'actionType': 'string',
'actionId': 'string'
},
],
'createdDate': datetime(2015, 1, 1),
'lastUpdatedDate': datetime(2015, 1, 1),
'effect': 'Permit'|'Forbid'
}
Response Structure
(dict) --
policyStoreId (string) --
The ID of the policy store that contains the policy that was updated.
policyId (string) --
The ID of the policy that was updated.
policyType (string) --
The type of the policy that was updated.
principal (dict) --
The principal specified in the policy's scope. This element isn't included in the response when Principal isn't present in the policy content.
entityType (string) --
The type of an entity.
Example: "entityType":"typeName"
entityId (string) --
The identifier of an entity.
"entityId":"identifier"
resource (dict) --
The resource specified in the policy's scope. This element isn't included in the response when Resource isn't present in the policy content.
entityType (string) --
The type of an entity.
Example: "entityType":"typeName"
entityId (string) --
The identifier of an entity.
"entityId":"identifier"
actions (list) --
The action that a policy permits or forbids. For example, {"actions": [{"actionId": "ViewPhoto", "actionType": "PhotoFlash::Action"}, {"entityID": "SharePhoto", "entityType": "PhotoFlash::Action"}]} .
(dict) --
Contains information about an action for a request for which an authorization decision is made.
This data type is used as a request parameter to the IsAuthorized, BatchIsAuthorized, and IsAuthorizedWithToken operations.
Example: { "actionId": "<action name>", "actionType": "Action" }
actionType (string) --
The type of an action.
actionId (string) --
The ID of an action.
createdDate (datetime) --
The date and time that the policy was originally created.
lastUpdatedDate (datetime) --
The date and time that the policy was most recently updated.
effect (string) --
The effect of the decision that a policy returns to an authorization request. For example, "effect": "Permit" .