Class: Aws::VerifiedPermissions::Client

Inherits:
Seahorse::Client::Base
  • Object
show all
Includes:
ClientStubs
Defined in:
lib/aws-sdk-verifiedpermissions/client.rb

Overview

An API client for VerifiedPermissions. To construct a client, you need to configure a ‘:region` and `:credentials`.

client = Aws::VerifiedPermissions::Client.new(
  region: region_name,
  credentials: credentials,
  # ...
)

For details on configuring region and credentials see the [developer guide](/sdk-for-ruby/v3/developer-guide/setup-config.html).

See #initialize for a full list of supported configuration options.

Class Attribute Summary collapse

API Operations collapse

Class Method Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(options) ⇒ Client

Returns a new instance of Client.

Parameters:

  • options (Hash)

Options Hash (options):

  • :plugins (Array<Seahorse::Client::Plugin>) — default: []]

    A list of plugins to apply to the client. Each plugin is either a class name or an instance of a plugin class.

  • :credentials (required, Aws::CredentialProvider)

    Your AWS credentials. This can be an instance of any one of the following classes:

    • ‘Aws::Credentials` - Used for configuring static, non-refreshing credentials.

    • ‘Aws::SharedCredentials` - Used for loading static credentials from a shared file, such as `~/.aws/config`.

    • ‘Aws::AssumeRoleCredentials` - Used when you need to assume a role.

    • ‘Aws::AssumeRoleWebIdentityCredentials` - Used when you need to assume a role after providing credentials via the web.

    • ‘Aws::SSOCredentials` - Used for loading credentials from AWS SSO using an access token generated from `aws login`.

    • ‘Aws::ProcessCredentials` - Used for loading credentials from a process that outputs to stdout.

    • ‘Aws::InstanceProfileCredentials` - Used for loading credentials from an EC2 IMDS on an EC2 instance.

    • ‘Aws::ECSCredentials` - Used for loading credentials from instances running in ECS.

    • ‘Aws::CognitoIdentityCredentials` - Used for loading credentials from the Cognito Identity service.

    When ‘:credentials` are not configured directly, the following locations will be searched for credentials:

    • Aws.config`

    • The ‘:access_key_id`, `:secret_access_key`, `:session_token`, and `:account_id` options.

    • ENV, ENV, ENV, and ENV

    • ‘~/.aws/credentials`

    • ‘~/.aws/config`

    • EC2/ECS IMDS instance profile - When used by default, the timeouts are very aggressive. Construct and pass an instance of ‘Aws::InstanceProfileCredentials` or `Aws::ECSCredentials` to enable retries and extended timeouts. Instance profile credential fetching can be disabled by setting ENV to true.

  • :region (required, String)

    The AWS region to connect to. The configured ‘:region` is used to determine the service `:endpoint`. When not passed, a default `:region` is searched for in the following locations:

  • :access_key_id (String)
  • :account_id (String)
  • :active_endpoint_cache (Boolean) — default: false

    When set to ‘true`, a thread polling for endpoints will be running in the background every 60 secs (default). Defaults to `false`.

  • :adaptive_retry_wait_to_fill (Boolean) — default: true

    Used only in ‘adaptive` retry mode. When true, the request will sleep until there is sufficent client side capacity to retry the request. When false, the request will raise a `RetryCapacityNotAvailableError` and will not retry instead of sleeping.

  • :client_side_monitoring (Boolean) — default: false

    When ‘true`, client-side metrics will be collected for all API requests from this client.

  • :client_side_monitoring_client_id (String) — default: ""

    Allows you to provide an identifier for this client which will be attached to all generated client side metrics. Defaults to an empty string.

  • :client_side_monitoring_host (String) — default: "127.0.0.1"

    Allows you to specify the DNS hostname or IPv4 or IPv6 address that the client side monitoring agent is running on, where client metrics will be published via UDP.

  • :client_side_monitoring_port (Integer) — default: 31000

    Required for publishing client metrics. The port that the client side monitoring agent is running on, where client metrics will be published via UDP.

  • :client_side_monitoring_publisher (Aws::ClientSideMonitoring::Publisher) — default: Aws::ClientSideMonitoring::Publisher

    Allows you to provide a custom client-side monitoring publisher class. By default, will use the Client Side Monitoring Agent Publisher.

  • :convert_params (Boolean) — default: true

    When ‘true`, an attempt is made to coerce request parameters into the required types.

  • :correct_clock_skew (Boolean) — default: true

    Used only in ‘standard` and adaptive retry modes. Specifies whether to apply a clock skew correction and retry requests with skewed client clocks.

  • :defaults_mode (String) — default: "legacy"

    See DefaultsModeConfiguration for a list of the accepted modes and the configuration defaults that are included.

  • :disable_host_prefix_injection (Boolean) — default: false

    Set to true to disable SDK automatically adding host prefix to default service endpoint when available.

  • :disable_request_compression (Boolean) — default: false

    When set to ‘true’ the request body will not be compressed for supported operations.

  • :endpoint (String, URI::HTTPS, URI::HTTP)

    Normally you should not configure the ‘:endpoint` option directly. This is normally constructed from the `:region` option. Configuring `:endpoint` is normally reserved for connecting to test or custom endpoints. The endpoint should be a URI formatted like:

    'http://example.com'
'https://example.com'
'http://example.com:123'
  • :endpoint_cache_max_entries (Integer) — default: 1000

    Used for the maximum size limit of the LRU cache storing endpoints data for endpoint discovery enabled operations. Defaults to 1000.

  • :endpoint_cache_max_threads (Integer) — default: 10

    Used for the maximum threads in use for polling endpoints to be cached, defaults to 10.

  • :endpoint_cache_poll_interval (Integer) — default: 60

    When :endpoint_discovery and :active_endpoint_cache is enabled, Use this option to config the time interval in seconds for making requests fetching endpoints information. Defaults to 60 sec.

  • :endpoint_discovery (Boolean) — default: false

    When set to ‘true`, endpoint discovery will be enabled for operations when available.

  • :ignore_configured_endpoint_urls (Boolean)

    Setting to true disables use of endpoint URLs provided via environment variables and the shared configuration file.

  • :log_formatter (Aws::Log::Formatter) — default: Aws::Log::Formatter.default

    The log formatter.

  • :log_level (Symbol) — default: :info

    The log level to send messages to the ‘:logger` at.

  • :logger (Logger)

    The Logger instance to send log messages to. If this option is not set, logging will be disabled.

  • :max_attempts (Integer) — default: 3

    An integer representing the maximum number attempts that will be made for a single request, including the initial attempt. For example, setting this value to 5 will result in a request being retried up to 4 times. Used in ‘standard` and `adaptive` retry modes.

  • :profile (String) — default: "default"

    Used when loading credentials from the shared credentials file at HOME/.aws/credentials. When not specified, ‘default’ is used.

  • :request_min_compression_size_bytes (Integer) — default: 10240

    The minimum size in bytes that triggers compression for request bodies. The value must be non-negative integer value between 0 and 10485780 bytes inclusive.

  • :retry_backoff (Proc)

    A proc or lambda used for backoff. Defaults to 2**retries * retry_base_delay. This option is only used in the ‘legacy` retry mode.

  • :retry_base_delay (Float) — default: 0.3

    The base delay in seconds used by the default backoff function. This option is only used in the ‘legacy` retry mode.

  • :retry_jitter (Symbol) — default: :none

    A delay randomiser function used by the default backoff function. Some predefined functions can be referenced by name - :none, :equal, :full, otherwise a Proc that takes and returns a number. This option is only used in the ‘legacy` retry mode.

    @see www.awsarchitectureblog.com/2015/03/backoff.html

  • :retry_limit (Integer) — default: 3

    The maximum number of times to retry failed requests. Only ~ 500 level server errors and certain ~ 400 level client errors are retried. Generally, these are throttling errors, data checksum errors, networking errors, timeout errors, auth errors, endpoint discovery, and errors from expired credentials. This option is only used in the ‘legacy` retry mode.

  • :retry_max_delay (Integer) — default: 0

    The maximum number of seconds to delay between retries (0 for no limit) used by the default backoff function. This option is only used in the ‘legacy` retry mode.

  • :retry_mode (String) — default: "legacy"

    Specifies which retry algorithm to use. Values are:

    • ‘legacy` - The pre-existing retry behavior. This is default value if no retry mode is provided.

    • ‘standard` - A standardized set of retry rules across the AWS SDKs. This includes support for retry quotas, which limit the number of unsuccessful retries a client can make.

    • ‘adaptive` - An experimental retry mode that includes all the functionality of `standard` mode along with automatic client side throttling. This is a provisional mode that may change behavior in the future.

  • :sdk_ua_app_id (String)

    A unique and opaque application ID that is appended to the User-Agent header as app/sdk_ua_app_id. It should have a maximum length of 50. This variable is sourced from environment variable AWS_SDK_UA_APP_ID or the shared config profile attribute sdk_ua_app_id.

  • :secret_access_key (String)
  • :session_token (String)
  • :sigv4a_signing_region_set (Array)

    A list of regions that should be signed with SigV4a signing. When not passed, a default ‘:sigv4a_signing_region_set` is searched for in the following locations:

  • :simple_json (Boolean) — default: false

    Disables request parameter conversion, validation, and formatting. Also disables response data type conversions. The request parameters hash must be formatted exactly as the API expects.This option is useful when you want to ensure the highest level of performance by avoiding overhead of walking request parameters and response data structures.

  • :stub_responses (Boolean) — default: false

    Causes the client to return stubbed responses. By default fake responses are generated and returned. You can specify the response data to return or errors to raise by calling ClientStubs#stub_responses. See ClientStubs for more information.

    ** Please note ** When response stubbing is enabled, no HTTP requests are made, and retries are disabled.

  • :telemetry_provider (Aws::Telemetry::TelemetryProviderBase) — default: Aws::Telemetry::NoOpTelemetryProvider

    Allows you to provide a telemetry provider, which is used to emit telemetry data. By default, uses ‘NoOpTelemetryProvider` which will not record or emit any telemetry data. The SDK supports the following telemetry providers:

    • OpenTelemetry (OTel) - To use the OTel provider, install and require the

    ‘opentelemetry-sdk` gem and then, pass in an instance of a `Aws::Telemetry::OTelProvider` for telemetry provider.

  • :token_provider (Aws::TokenProvider)

    A Bearer Token Provider. This can be an instance of any one of the following classes:

    • ‘Aws::StaticTokenProvider` - Used for configuring static, non-refreshing tokens.

    • ‘Aws::SSOTokenProvider` - Used for loading tokens from AWS SSO using an access token generated from `aws login`.

    When ‘:token_provider` is not configured directly, the `Aws::TokenProviderChain` will be used to search for tokens configured for your profile in shared configuration files.

  • :use_dualstack_endpoint (Boolean)

    When set to ‘true`, dualstack enabled endpoints (with `.aws` TLD) will be used if available.

  • :use_fips_endpoint (Boolean)

    When set to ‘true`, fips compatible endpoints will be used if available. When a `fips` region is used, the region is normalized and this config is set to `true`.

  • :validate_params (Boolean) — default: true

    When ‘true`, request parameters are validated before sending the request.

  • :endpoint_provider (Aws::VerifiedPermissions::EndpointProvider)

    The endpoint provider used to resolve endpoints. Any object that responds to ‘#resolve_endpoint(parameters)` where `parameters` is a Struct similar to `Aws::VerifiedPermissions::EndpointParameters`.

  • :http_continue_timeout (Float) — default: 1

    The number of seconds to wait for a 100-continue response before sending the request body. This option has no effect unless the request has “Expect” header set to “100-continue”. Defaults to ‘nil` which disables this behaviour. This value can safely be set per request on the session.

  • :http_idle_timeout (Float) — default: 5

    The number of seconds a connection is allowed to sit idle before it is considered stale. Stale connections are closed and removed from the pool before making a request.

  • :http_open_timeout (Float) — default: 15

    The default number of seconds to wait for response data. This value can safely be set per-request on the session.

  • :http_proxy (URI::HTTP, String)

    A proxy to send requests through. Formatted like ‘proxy.com:123’.

  • :http_read_timeout (Float) — default: 60

    The default number of seconds to wait for response data. This value can safely be set per-request on the session.

  • :http_wire_trace (Boolean) — default: false

    When ‘true`, HTTP debug output will be sent to the `:logger`.

  • :on_chunk_received (Proc)

    When a Proc object is provided, it will be used as callback when each chunk of the response body is received. It provides three arguments: the chunk, the number of bytes received, and the total number of bytes in the response (or nil if the server did not send a ‘content-length`).

  • :on_chunk_sent (Proc)

    When a Proc object is provided, it will be used as callback when each chunk of the request body is sent. It provides three arguments: the chunk, the number of bytes read from the body, and the total number of bytes in the body.

  • :raise_response_errors (Boolean) — default: true

    When ‘true`, response errors are raised.

  • :ssl_ca_bundle (String)

    Full path to the SSL certificate authority bundle file that should be used when verifying peer certificates. If you do not pass ‘:ssl_ca_bundle` or `:ssl_ca_directory` the the system default will be used if available.

  • :ssl_ca_directory (String)

    Full path of the directory that contains the unbundled SSL certificate authority files for verifying peer certificates. If you do not pass ‘:ssl_ca_bundle` or `:ssl_ca_directory` the the system default will be used if available.

  • :ssl_ca_store (String)

    Sets the X509::Store to verify peer certificate.

  • :ssl_cert (OpenSSL::X509::Certificate)

    Sets a client certificate when creating http connections.

  • :ssl_key (OpenSSL::PKey)

    Sets a client key when creating http connections.

  • :ssl_timeout (Float)

    Sets the SSL timeout in seconds

  • :ssl_verify_peer (Boolean) — default: true

    When ‘true`, SSL peer certificates are verified when establishing a connection.



451
452
453
 
# File 'lib/aws-sdk-verifiedpermissions/client.rb', line 451

def initialize(*args)
  super
end

Class Attribute Details

.identifierObject (readonly)

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future. 



3787
3788
3789
 
# File 'lib/aws-sdk-verifiedpermissions/client.rb', line 3787

def identifier
  @identifier
end

Class Method Details

.errors_moduleObject

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future. 



3790
3791
3792
 
# File 'lib/aws-sdk-verifiedpermissions/client.rb', line 3790

def errors_module
  Errors
end

Instance Method Details

#batch_get_policy(params = {}) ⇒ Types::BatchGetPolicyOutput

Retrieves information about a group (batch) of policies.

<note markdown=“1”> The ‘BatchGetPolicy` operation doesn’t have its own IAM permission. To authorize this operation for Amazon Web Services principals, include the permission ‘verifiedpermissions:GetPolicy` in their IAM policies.

</note>

Examples:

Example: To retrieve details about a policy


# The following example retrieves information about the specified policy contained in the specified policy store. In this
# example, the requested policy is a template-linked policy, so it returns the ID of the policy template, and the specific
# principal and resource used by this policy.

resp = client.batch_get_policy({
  requests: [
    {
      policy_id: "PWv5M6d5HePx3gVVLKY1nK", 
      policy_store_id: "ERZeDpRc34dkYZeb6FZRVC", 
    }, 
    {
      policy_id: "LzFn6KgLWvv4Mbegus35jn", 
      policy_store_id: "ERZeDpRc34dkYZeb6FZRVC", 
    }, 
    {
      policy_id: "77gLjer8H5o3mvrnMGrSL5", 
      policy_store_id: "ERZeDpRc34dkYZeb6FZRVC", 
    }, 
  ], 
})

resp.to_h outputs the following:
{
  errors: [
  ], 
  results: [
    {
      created_date: Time.parse("2024-10-18T18:53:39.258153Z"), 
      definition: {
        static: {
          description: "Users can manage account resources in any account they own", 
          statement: "permit (principal, action in PhotoFlash::Action::\"ManageAccount\",resource) when { resource in principal.Account };", 
        }, 
      }, 
      last_updated_date: Time.parse("2024-10-18T18:53:39.258153Z"), 
      policy_id: "PWv5M6d5HePx3gVVLKY1nK", 
      policy_store_id: "ERZeDpRc34dkYZeb6FZRVC", 
      policy_type: "STATIC", 
    }, 
    {
      created_date: Time.parse("2024-10-18T18:57:03.305027Z"), 
      definition: {
        static: {
          description: "User alice can't delete any photos.", 
          statement: "forbid (principal == PhotoFlash::User::\"alice\", action in [PhotoFlash::Action::\"DeletePhoto\"], resource);", 
        }, 
      }, 
      last_updated_date: Time.parse("2024-10-18T18:57:03.305027Z"), 
      policy_id: "LzFn6KgLWvv4Mbegus35jn", 
      policy_store_id: "ERZeDpRc34dkYZeb6FZRVC", 
      policy_type: "STATIC", 
    }, 
    {
      created_date: Time.parse("2024-10-18T18:57:48.005343Z"), 
      definition: {
        static: {
          description: "User alice can view and delete photos.", 
          statement: "permit (principal == PhotoFlash::User::\"alice\", action in [PhotoFlash::Action::\"DeletePhoto\", PhotoFlash::Action::\"ViewPhoto\"], resource);", 
        }, 
      }, 
      last_updated_date: Time.parse("2024-10-18T18:57:48.005343Z"), 
      policy_id: "77gLjer8H5o3mvrnMGrSL5", 
      policy_store_id: "ERZeDpRc34dkYZeb6FZRVC", 
      policy_type: "STATIC", 
    }, 
  ], 
}

Request syntax with placeholder values


resp = client.batch_get_policy({
  requests: [ # required
    {
      policy_store_id: "PolicyStoreId", # required
      policy_id: "PolicyId", # required
    },
  ],
})

Response structure


resp.results #=> Array
resp.results[0].policy_store_id #=> String
resp.results[0].policy_id #=> String
resp.results[0].policy_type #=> String, one of "STATIC", "TEMPLATE_LINKED"
resp.results[0].definition.static.description #=> String
resp.results[0].definition.static.statement #=> String
resp.results[0].definition.template_linked.policy_template_id #=> String
resp.results[0].definition.template_linked.principal.entity_type #=> String
resp.results[0].definition.template_linked.principal.entity_id #=> String
resp.results[0].definition.template_linked.resource.entity_type #=> String
resp.results[0].definition.template_linked.resource.entity_id #=> String
resp.results[0].created_date #=> Time
resp.results[0].last_updated_date #=> Time
resp.errors #=> Array
resp.errors[0].code #=> String, one of "POLICY_STORE_NOT_FOUND", "POLICY_NOT_FOUND"
resp.errors[0].policy_store_id #=> String
resp.errors[0].policy_id #=> String
resp.errors[0].message #=> String

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

Returns:

  • (Types::BatchGetPolicyOutput)

    Returns a response object which responds to the following methods:

    • #results => Array&lt;Types::BatchGetPolicyOutputItem&gt;

    • #errors => Array&lt;Types::BatchGetPolicyErrorItem&gt;

See Also:



581
582
583
584
 
# File 'lib/aws-sdk-verifiedpermissions/client.rb', line 581

def batch_get_policy(params = {}, options = {})
  req = build_request(:batch_get_policy, params)
  req.send_request(options)
end

#batch_is_authorized(params = {}) ⇒ Types::BatchIsAuthorizedOutput

Makes a series of decisions about multiple authorization requests for one principal or resource. Each request contains the equivalent content of an ‘IsAuthorized` request: principal, action, resource, and context. Either the `principal` or the `resource` parameter must be identical across all requests. For example, Verified Permissions won’t evaluate a pair of requests where ‘bob` views `photo1` and `alice` views `photo2`. Authorization of `bob` to view `photo1` and `photo2`, or `bob` and `alice` to view `photo1`, are valid batches.

The request is evaluated against all policies in the specified policy store that match the entities that you declare. The result of the decisions is a series of ‘Allow` or `Deny` responses, along with the IDs of the policies that produced each decision.

The ‘entities` of a `BatchIsAuthorized` API request can contain up to 100 principals and up to 100 resources. The `requests` of a `BatchIsAuthorized` API request can contain up to 30 requests.

<note markdown=“1”> The ‘BatchIsAuthorized` operation doesn’t have its own IAM permission. To authorize this operation for Amazon Web Services principals, include the permission ‘verifiedpermissions:IsAuthorized` in their IAM policies.

</note>

Examples:

Example: Batch - Example 1


# The following example requests two authorization decisions for two principals                     of type Usernamed
# Alice and Annalisa.

resp = client.batch_is_authorized({
  entities: {
    entity_list: [
      {
        attributes: {
          "Account" => {
            entity_identifier: {
              entity_id: "1234", 
              entity_type: "PhotoFlash::Account", 
            }, 
          }, 
          "Email" => {
            string: "", 
          }, 
        }, 
        identifier: {
          entity_id: "Alice", 
          entity_type: "PhotoFlash::User", 
        }, 
        parents: [
        ], 
      }, 
      {
        attributes: {
          "Account" => {
            entity_identifier: {
              entity_id: "5678", 
              entity_type: "PhotoFlash::Account", 
            }, 
          }, 
          "Email" => {
            string: "", 
          }, 
        }, 
        identifier: {
          entity_id: "Annalisa", 
          entity_type: "PhotoFlash::User", 
        }, 
        parents: [
        ], 
      }, 
      {
        attributes: {
          "IsPrivate" => {
            boolean: false, 
          }, 
          "Name" => {
            string: "", 
          }, 
        }, 
        identifier: {
          entity_id: "VacationPhoto94.jpg", 
          entity_type: "PhotoFlash::Photo", 
        }, 
        parents: [
          {
            entity_id: "1234", 
            entity_type: "PhotoFlash::Account", 
          }, 
        ], 
      }, 
      {
        attributes: {
          "Name" => {
            string: "", 
          }, 
        }, 
        identifier: {
          entity_id: "1234", 
          entity_type: "PhotoFlash::Account", 
        }, 
        parents: [
        ], 
      }, 
    ], 
  }, 
  policy_store_id: "C7v5xMplfFH3i3e4Jrzb1a", 
  requests: [
    {
      action: {
        action_id: "ViewPhoto", 
        action_type: "PhotoFlash::Action", 
      }, 
      principal: {
        entity_id: "Alice", 
        entity_type: "PhotoFlash::User", 
      }, 
      resource: {
        entity_id: "VacationPhoto94.jpg", 
        entity_type: "PhotoFlash::Photo", 
      }, 
    }, 
    {
      action: {
        action_id: "DeletePhoto", 
        action_type: "PhotoFlash::Action", 
      }, 
      principal: {
        entity_id: "Annalisa", 
        entity_type: "PhotoFlash::User", 
      }, 
      resource: {
        entity_id: "VacationPhoto94.jpg", 
        entity_type: "PhotoFlash::Photo", 
      }, 
    }, 
  ], 
})

resp.to_h outputs the following:
{
  results: [
    {
      errors: [
      ], 
      decision: "ALLOW", 
      determining_policies: [
        {
          policy_id: "9wYxMpljbbZQb5fcZHyJhY", 
        }, 
      ], 
      request: {
        action: {
          action_id: "ViewPhoto", 
          action_type: "PhotoFlash::Action", 
        }, 
        principal: {
          entity_id: "alice", 
          entity_type: "PhotoFlash::User", 
        }, 
        resource: {
          entity_id: "VacationPhoto94.jpg", 
          entity_type: "PhotoFlash::Photo", 
        }, 
      }, 
    }, 
    {
      errors: [
      ], 
      decision: "DENY", 
      determining_policies: [
      ], 
      request: {
        action: {
          action_id: "DeletePhoto", 
          action_type: "PhotoFlash::Action", 
        }, 
        principal: {
          entity_id: "annalisa", 
          entity_type: "PhotoFlash::User", 
        }, 
        resource: {
          entity_id: "VacationPhoto94.jpg", 
          entity_type: "PhotoFlash::Photo", 
        }, 
      }, 
    }, 
  ], 
}

Request syntax with placeholder values


resp = client.batch_is_authorized({
  policy_store_id: "PolicyStoreId", # required
  entities: {
    entity_list: [
      {
        identifier: { # required
          entity_type: "EntityType", # required
          entity_id: "EntityId", # required
        },
        attributes: {
          "String" => "value", # value <Hash,Array,String,Numeric,Boolean,IO,Set,nil>
        },
        parents: [
          {
            entity_type: "EntityType", # required
            entity_id: "EntityId", # required
          },
        ],
      },
    ],
  },
  requests: [ # required
    {
      principal: {
        entity_type: "EntityType", # required
        entity_id: "EntityId", # required
      },
      action: {
        action_type: "ActionType", # required
        action_id: "ActionId", # required
      },
      resource: {
        entity_type: "EntityType", # required
        entity_id: "EntityId", # required
      },
      context: {
        context_map: {
          "String" => "value", # value <Hash,Array,String,Numeric,Boolean,IO,Set,nil>
        },
      },
    },
  ],
})

Response structure


resp.results #=> Array
resp.results[0].request.principal.entity_type #=> String
resp.results[0].request.principal.entity_id #=> String
resp.results[0].request.action.action_type #=> String
resp.results[0].request.action.action_id #=> String
resp.results[0].request.resource.entity_type #=> String
resp.results[0].request.resource.entity_id #=> String
resp.results[0].request.context.context_map #=> Hash
resp.results[0].request.context.context_map["String"] #=> <Hash,Array,String,Numeric,Boolean,IO,Set,nil>
resp.results[0].decision #=> String, one of "ALLOW", "DENY"
resp.results[0].determining_policies #=> Array
resp.results[0].determining_policies[0].policy_id #=> String
resp.results[0].errors #=> Array
resp.results[0].errors[0].error_description #=> String

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :policy_store_id (required, String)

    Specifies the ID of the policy store. Policies in this policy store will be used to make the authorization decisions for the input.

  • :entities (Types::EntitiesDefinition)

    Specifies the list of resources and principals and their associated attributes that Verified Permissions can examine when evaluating the policies.

    <note markdown=“1”> You can include only principal and resource entities in this parameter; you can’t include actions. You must specify actions in the schema.

    </note>
  • :requests (required, Array<Types::BatchIsAuthorizedInputItem>)

    An array of up to 30 requests that you want Verified Permissions to evaluate.

Returns:

See Also:



867
868
869
870
 
# File 'lib/aws-sdk-verifiedpermissions/client.rb', line 867

def batch_is_authorized(params = {}, options = {})
  req = build_request(:batch_is_authorized, params)
  req.send_request(options)
end

#batch_is_authorized_with_token(params = {}) ⇒ Types::BatchIsAuthorizedWithTokenOutput

Makes a series of decisions about multiple authorization requests for one token. The principal in this request comes from an external identity source in the form of an identity or access token, formatted as a [JSON web token (JWT)]. The information in the parameters can also define additional context that Verified Permissions can include in the evaluations.

The request is evaluated against all policies in the specified policy store that match the entities that you provide in the entities declaration and in the token. The result of the decisions is a series of ‘Allow` or `Deny` responses, along with the IDs of the policies that produced each decision.

The ‘entities` of a `BatchIsAuthorizedWithToken` API request can contain up to 100 resources and up to 99 user groups. The `requests` of a `BatchIsAuthorizedWithToken` API request can contain up to 30 requests.

<note markdown=“1”> The ‘BatchIsAuthorizedWithToken` operation doesn’t have its own IAM permission. To authorize this operation for Amazon Web Services principals, include the permission ‘verifiedpermissions:IsAuthorizedWithToken` in their IAM policies.

</note>

[1]: wikipedia.org/wiki/JSON_Web_Token

Examples:

Example: Batch - Example 1


# The following example requests three authorization decisions for two resources                     and two actions in
# different photo albums.

resp = client.batch_is_authorized_with_token({
  entities: {
    entity_list: [
      {
        identifier: {
          entity_id: "VacationPhoto94.jpg", 
          entity_type: "PhotoFlash::Photo", 
        }, 
        parents: [
          {
            entity_id: "MyExampleAlbum1", 
            entity_type: "PhotoFlash::Album", 
          }, 
        ], 
      }, 
      {
        identifier: {
          entity_id: "OfficePhoto94.jpg", 
          entity_type: "PhotoFlash::Photo", 
        }, 
        parents: [
          {
            entity_id: "MyExampleAlbum2", 
            entity_type: "PhotoFlash::Album", 
          }, 
        ], 
      }, 
    ], 
  }, 
  identity_token: "eyJra12345EXAMPLE", 
  policy_store_id: "C7v5xMplfFH3i3e4Jrzb1a", 
  requests: [
    {
      action: {
        action_id: "ViewPhoto", 
        action_type: "PhotoFlash::Action", 
      }, 
      resource: {
        entity_id: "VacationPhoto94.jpg", 
        entity_type: "PhotoFlash::Photo", 
      }, 
    }, 
    {
      action: {
        action_id: "SharePhoto", 
        action_type: "PhotoFlash::Action", 
      }, 
      resource: {
        entity_id: "VacationPhoto94.jpg", 
        entity_type: "PhotoFlash::Photo", 
      }, 
    }, 
    {
      action: {
        action_id: "ViewPhoto", 
        action_type: "PhotoFlash::Action", 
      }, 
      resource: {
        entity_id: "OfficePhoto94.jpg", 
        entity_type: "PhotoFlash::Photo", 
      }, 
    }, 
  ], 
})

resp.to_h outputs the following:
{
  principal: {
    entity_id: "us-east-1_EXAMPLE|a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", 
    entity_type: "PhotoFlash::User", 
  }, 
  results: [
    {
      errors: [
      ], 
      decision: "ALLOW", 
      determining_policies: [
        {
          policy_id: "9wYixMplbbZQb5fcZHyJhY", 
        }, 
      ], 
      request: {
        action: {
          action_id: "ViewPhoto", 
          action_type: "PhotoFlash::Action", 
        }, 
        resource: {
          entity_id: "VacationPhoto94.jpg", 
          entity_type: "PhotoFlash::Photo", 
        }, 
      }, 
    }, 
    {
      errors: [
      ], 
      decision: "ALLOW", 
      determining_policies: [
        {
          policy_id: "9wYixMplbbZQb5fcZHyJhY", 
        }, 
      ], 
      request: {
        action: {
          action_id: "SharePhoto", 
          action_type: "PhotoFlash::Action", 
        }, 
        resource: {
          entity_id: "VacationPhoto94.jpg", 
          entity_type: "PhotoFlash::Photo", 
        }, 
      }, 
    }, 
    {
      errors: [
      ], 
      decision: "DENY", 
      determining_policies: [
      ], 
      request: {
        action: {
          action_id: "ViewPhoto", 
          action_type: "PhotoFlash::Action", 
        }, 
        resource: {
          entity_id: "OfficePhoto94.jpg", 
          entity_type: "PhotoFlash::Photo", 
        }, 
      }, 
    }, 
  ], 
}

Request syntax with placeholder values


resp = client.batch_is_authorized_with_token({
  policy_store_id: "PolicyStoreId", # required
  identity_token: "Token",
  access_token: "Token",
  entities: {
    entity_list: [
      {
        identifier: { # required
          entity_type: "EntityType", # required
          entity_id: "EntityId", # required
        },
        attributes: {
          "String" => "value", # value <Hash,Array,String,Numeric,Boolean,IO,Set,nil>
        },
        parents: [
          {
            entity_type: "EntityType", # required
            entity_id: "EntityId", # required
          },
        ],
      },
    ],
  },
  requests: [ # required
    {
      action: {
        action_type: "ActionType", # required
        action_id: "ActionId", # required
      },
      resource: {
        entity_type: "EntityType", # required
        entity_id: "EntityId", # required
      },
      context: {
        context_map: {
          "String" => "value", # value <Hash,Array,String,Numeric,Boolean,IO,Set,nil>
        },
      },
    },
  ],
})

Response structure


resp.principal.entity_type #=> String
resp.principal.entity_id #=> String
resp.results #=> Array
resp.results[0].request.action.action_type #=> String
resp.results[0].request.action.action_id #=> String
resp.results[0].request.resource.entity_type #=> String
resp.results[0].request.resource.entity_id #=> String
resp.results[0].request.context.context_map #=> Hash
resp.results[0].request.context.context_map["String"] #=> <Hash,Array,String,Numeric,Boolean,IO,Set,nil>
resp.results[0].decision #=> String, one of "ALLOW", "DENY"
resp.results[0].determining_policies #=> Array
resp.results[0].determining_policies[0].policy_id #=> String
resp.results[0].errors #=> Array
resp.results[0].errors[0].error_description #=> String

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :policy_store_id (required, String)

    Specifies the ID of the policy store. Policies in this policy store will be used to make an authorization decision for the input.

  • :identity_token (String)

    Specifies an identity (ID) token for the principal that you want to authorize in each request. This token is provided to you by the identity provider (IdP) associated with the specified identity source. You must specify either an ‘accessToken`, an `identityToken`, or both.

    Must be an ID token. Verified Permissions returns an error if the ‘token_use` claim in the submitted token isn’t ‘id`.

  • :access_token (String)

    Specifies an access token for the principal that you want to authorize in each request. This token is provided to you by the identity provider (IdP) associated with the specified identity source. You must specify either an ‘accessToken`, an `identityToken`, or both.

    Must be an access token. Verified Permissions returns an error if the ‘token_use` claim in the submitted token isn’t ‘access`.

  • :entities (Types::EntitiesDefinition)

    Specifies the list of resources and their associated attributes that Verified Permissions can examine when evaluating the policies.

    You can’t include principals in this parameter, only resource and action entities. This parameter can’t include any entities of a type that matches the user or group entity types that you defined in your identity source.

    * The `BatchIsAuthorizedWithToken` operation takes principal
 attributes from <b> <i>only</i> </b> the `identityToken` or
 `accessToken` passed to the operation.

    • For action entities, you can include only their ‘Identifier` and `EntityType`.

  • :requests (required, Array<Types::BatchIsAuthorizedWithTokenInputItem>)

    An array of up to 30 requests that you want Verified Permissions to evaluate.

Returns:

See Also:



1151
1152
1153
1154
 
# File 'lib/aws-sdk-verifiedpermissions/client.rb', line 1151

def batch_is_authorized_with_token(params = {}, options = {})
  req = build_request(:batch_is_authorized_with_token, params)
  req.send_request(options)
end

#build_request(operation_name, params = {}) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Parameters:

  • params ({}) (defaults to: {}) 


3760
3761
3762
3763
3764
3765
3766
3767
3768
3769
3770
3771
3772
3773
3774
3775
3776
 
# File 'lib/aws-sdk-verifiedpermissions/client.rb', line 3760

def build_request(operation_name, params = {})
  handlers = @handlers.for(operation_name)
  tracer = config.telemetry_provider.tracer_provider.tracer(
    Aws::Telemetry.module_to_tracer_name('Aws::VerifiedPermissions')
  )
  context = Seahorse::Client::RequestContext.new(
    operation_name: operation_name,
    operation: config.api.operation(operation_name),
    client: self,
    params: params,
    config: config,
    tracer: tracer
  )
  context[:gem_name] = 'aws-sdk-verifiedpermissions'
  context[:gem_version] = '1.38.0'
  Seahorse::Client::Request.new(handlers, context)
end

#create_identity_source(params = {}) ⇒ Types::CreateIdentitySourceOutput

Adds an identity source to a policy store–an Amazon Cognito user pool or OpenID Connect (OIDC) identity provider (IdP).

After you create an identity source, you can use the identities provided by the IdP as proxies for the principal in authorization queries that use the [IsAuthorizedWithToken] or

BatchIsAuthorizedWithToken][2

API operations. These identities take

the form of tokens that contain claims about the user, such as IDs, attributes and group memberships. Identity sources provide identity (ID) tokens and access tokens. Verified Permissions derives information about your user and session from token claims. Access tokens provide action ‘context` to your policies, and ID tokens provide principal `Attributes`.

Tokens from an identity source user continue to be usable until they expire. Token revocation and resource deletion have no effect on the validity of a token in your policy store

<note markdown=“1”> To reference a user from this identity source in your Cedar policies, refer to the following syntax examples.

* Amazon Cognito user pool: `Namespace::[Entity type]::[User pool
 ID]|[user principal attribute]`, for example
 `MyCorp::User::us-east-1_EXAMPLE|a1b2c3d4-5678-90ab-cdef-EXAMPLE11111`.

  • OpenID Connect (OIDC) provider: ‘Namespace::[Entity type]::|[user principal attribute]`, for example `MyCorp::User::MyOIDCProvider|a1b2c3d4-5678-90ab-cdef-EXAMPLE22222`.

</note>

<note markdown=“1”> Verified Permissions is <a href=“https://wikipedia.org/wiki/Eventual_consistency”>eventually consistent</a> . It can take a few seconds for a new or changed element to propagate through the service and be visible in the results of other Verified Permissions operations.

</note>

[1]: docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_IsAuthorizedWithToken.html [2]: docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_BatchIsAuthorizedWithToken.html

Examples:

Example: To create an identity source


# The following ``create-identity-source`` example creates an identity source that lets you reference identities stored in
# the specified Amazon Cognito user pool. Those identities are available in Verified Permissions as entities of type
# ``User``. 

resp = client.create_identity_source({
  client_token: "a1b2c3d4-e5f6-a1b2-c3d4-TOKEN1111111", 
  configuration: {
    cognito_user_pool_configuration: {
      client_ids: [
        "a1b2c3d4e5f6g7h8i9j0kalbmc", 
      ], 
      user_pool_arn: "arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5", 
    }, 
  }, 
  policy_store_id: "C7v5xMplfFH3i3e4Jrzb1a", 
  principal_entity_type: "User", 
})

resp.to_h outputs the following:
{
  created_date: Time.parse("2024-08-12T18:20:50.99Z"), 
  identity_source_id: "ISEXAMPLEabcdefg111111", 
  last_updated_date: Time.parse("2024-08-12T18:20:50.99Z"), 
  policy_store_id: "C7v5xMplfFH3i3e4Jrzb1a", 
}

Request syntax with placeholder values


resp = client.create_identity_source({
  client_token: "IdempotencyToken",
  policy_store_id: "PolicyStoreId", # required
  configuration: { # required
    cognito_user_pool_configuration: {
      user_pool_arn: "UserPoolArn", # required
      client_ids: ["ClientId"],
      group_configuration: {
        group_entity_type: "GroupEntityType", # required
      },
    },
    open_id_connect_configuration: {
      issuer: "Issuer", # required
      entity_id_prefix: "EntityIdPrefix",
      group_configuration: {
        group_claim: "Claim", # required
        group_entity_type: "GroupEntityType", # required
      },
      token_selection: { # required
        access_token_only: {
          principal_id_claim: "Claim",
          audiences: ["Audience"],
        },
        identity_token_only: {
          principal_id_claim: "Claim",
          client_ids: ["ClientId"],
        },
      },
    },
  },
  principal_entity_type: "PrincipalEntityType",
})

Response structure


resp.created_date #=> Time
resp.identity_source_id #=> String
resp.last_updated_date #=> Time
resp.policy_store_id #=> String

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :client_token (String)

    Specifies a unique, case-sensitive ID that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a [UUID type of value.].

    If you don’t provide this value, then Amazon Web Services generates a random one for you.

    If you retry the operation with the same ‘ClientToken`, but with different parameters, the retry fails with an `ConflictException` error.

    Verified Permissions recognizes a ‘ClientToken` for eight hours. After eight hours, the next request with the same parameters performs the operation again regardless of the value of `ClientToken`.

    **A suitable default value is auto-generated.** You should normally not need to pass this option.**

    [1]: wikipedia.org/wiki/Universally_unique_identifier

  • :policy_store_id (required, String)

    Specifies the ID of the policy store in which you want to store this identity source. Only policies and requests made using this policy store can reference identities from the identity provider configured in the new identity source.

  • :configuration (required, Types::Configuration)

    Specifies the details required to communicate with the identity provider (IdP) associated with this identity source.

  • :principal_entity_type (String)

    Specifies the namespace and data type of the principals generated for identities authenticated by the new identity source.

Returns:

See Also:



1322
1323
1324
1325
 
# File 'lib/aws-sdk-verifiedpermissions/client.rb', line 1322

def create_identity_source(params = {}, options = {})
  req = build_request(:create_identity_source, params)
  req.send_request(options)
end

#create_policy(params = {}) ⇒ Types::CreatePolicyOutput

Creates a Cedar policy and saves it in the specified policy store. You can create either a static policy or a policy linked to a policy template.

  • To create a static policy, provide the Cedar policy text in the ‘StaticPolicy` section of the `PolicyDefinition`.

  • To create a policy that is dynamically linked to a policy template, specify the policy template ID and the principal and resource to associate with this policy in the ‘templateLinked` section of the `PolicyDefinition`. If the policy template is ever updated, any policies linked to the policy template automatically use the updated template.

<note markdown=“1”> Creating a policy causes it to be validated against the schema in the policy store. If the policy doesn’t pass validation, the operation fails and the policy isn’t stored.

</note>

<note markdown=“1”> Verified Permissions is <a href=“https://wikipedia.org/wiki/Eventual_consistency”>eventually consistent</a> . It can take a few seconds for a new or changed element to propagate through the service and be visible in the results of other Verified Permissions operations.

</note>

Examples:

Example: To create a static policy


# The following example request creates a static policy with a policy scope that specifies both a principal and a
# resource. The response includes both the Principal and Resource elements because both were specified in the request
# policy scope.

resp = client.create_policy({
  client_token: "a1b2c3d4-e5f6-a1b2-c3d4-TOKEN1111111", 
  definition: {
    static: {
      description: "Grant members of janeFriends UserGroup access to the vacationFolder Album", 
      statement: "permit( principal in UserGroup::\"janeFriends\", action, resource in Album::\"vacationFolder\" );", 
    }, 
  }, 
  policy_store_id: "C7v5xMplfFH3i3e4Jrzb1a", 
})

resp.to_h outputs the following:
{
  created_date: Time.parse("2024-08-12T18:20:50.99Z"), 
  last_updated_date: Time.parse("2024-08-12T18:20:50.99Z"), 
  policy_id: "9wYxMpljbbZQb5fcZHyJhY", 
  policy_store_id: "C7v5xMplfFH3i3e4Jrzb1a", 
  policy_type: "STATIC", 
  principal: {
    entity_id: "janeFriends", 
    entity_type: "UserGroup", 
  }, 
  resource: {
    entity_id: "vacationFolder", 
    entity_type: "Album", 
  }, 
}

Example: To create a static policy


# The following example request creates a static policy with a policy scope that specifies both a principal and a
# resource. The response includes both the Principal and Resource elements because both were specified in the request
# policy scope.

resp = client.create_policy({
  client_token: "a1b2c3d4-e5f6-a1b2-c3d4-TOKEN1111111", 
  definition: {
    static: {
      description: "Grant members of janeFriends UserGroup access to the vacationFolder Album", 
      statement: "permit( principal in UserGroup::\"janeFriends\", action, resource in Album::\"vacationFolder\" );", 
    }, 
  }, 
  policy_store_id: "C7v5xMplfFH3i3e4Jrzb1a", 
})

resp.to_h outputs the following:
{
  created_date: Time.parse("2024-08-12T18:20:50.99Z"), 
  last_updated_date: Time.parse("2024-08-12T18:20:50.99Z"), 
  policy_id: "9wYxMpljbbZQb5fcZHyJhY", 
  policy_store_id: "C7v5xMplfFH3i3e4Jrzb1a", 
  policy_type: "STATIC", 
  principal: {
    entity_id: "janeFriends", 
    entity_type: "UserGroup", 
  }, 
  resource: {
    entity_id: "vacationFolder", 
    entity_type: "Album", 
  }, 
}

Example: To create a template-linked policy


# The following example creates a template-linked policy using the specified policy template and associates the specified
# principal to use with the new template-linked policy.

resp = client.create_policy({
  client_token: "a1b2c3d4-e5f6-a1b2-c3d4-TOKEN1111111", 
  definition: {
    template_linked: {
      policy_template_id: "PTEXAMPLEabcdefg111111", 
      principal: {
        entity_id: "alice", 
        entity_type: "User", 
      }, 
    }, 
  }, 
  policy_store_id: "C7v5xMplfFH3i3e4Jrzb1a", 
})

resp.to_h outputs the following:
{
  created_date: Time.parse("2024-08-12T18:20:50.99Z"), 
  last_updated_date: Time.parse("2024-08-12T18:20:50.99Z"), 
  policy_id: "Et9KxMplyaDdyurDw8TeFa", 
  policy_store_id: "C7v5xMplfFH3i3e4Jrzb1a", 
  policy_type: "TEMPLATE_LINKED", 
  principal: {
    entity_id: "alice", 
    entity_type: "User", 
  }, 
  resource: {
    entity_id: "VacationPhoto94.jpg", 
    entity_type: "Photo", 
  }, 
}

Request syntax with placeholder values


resp = client.create_policy({
  client_token: "IdempotencyToken",
  policy_store_id: "PolicyStoreId", # required
  definition: { # required
    static: {
      description: "StaticPolicyDescription",
      statement: "PolicyStatement", # required
    },
    template_linked: {
      policy_template_id: "PolicyTemplateId", # required
      principal: {
        entity_type: "EntityType", # required
        entity_id: "EntityId", # required
      },
      resource: {
        entity_type: "EntityType", # required
        entity_id: "EntityId", # required
      },
    },
  },
})

Response structure


resp.policy_store_id #=> String
resp.policy_id #=> String
resp.policy_type #=> String, one of "STATIC", "TEMPLATE_LINKED"
resp.principal.entity_type #=> String
resp.principal.entity_id #=> String
resp.resource.entity_type #=> String
resp.resource.entity_id #=> String
resp.actions #=> Array
resp.actions[0].action_type #=> String
resp.actions[0].action_id #=> String
resp.created_date #=> Time
resp.last_updated_date #=> Time
resp.effect #=> String, one of "Permit", "Forbid"

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :client_token (String)

    Specifies a unique, case-sensitive ID that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a [UUID type of value.].

    If you don’t provide this value, then Amazon Web Services generates a random one for you.

    If you retry the operation with the same ‘ClientToken`, but with different parameters, the retry fails with an `ConflictException` error.

    Verified Permissions recognizes a ‘ClientToken` for eight hours. After eight hours, the next request with the same parameters performs the operation again regardless of the value of `ClientToken`.

    **A suitable default value is auto-generated.** You should normally not need to pass this option.**

    [1]: wikipedia.org/wiki/Universally_unique_identifier

  • :policy_store_id (required, String)

    Specifies the ‘PolicyStoreId` of the policy store you want to store the policy in.

  • :definition (required, Types::PolicyDefinition)

    A structure that specifies the policy type and content to use for the new policy. You must include either a static or a templateLinked element. The policy content must be written in the Cedar policy language.

Returns:

See Also:



1552
1553
1554
1555
 
# File 'lib/aws-sdk-verifiedpermissions/client.rb', line 1552

def create_policy(params = {}, options = {})
  req = build_request(:create_policy, params)
  req.send_request(options)
end

#create_policy_store(params = {}) ⇒ Types::CreatePolicyStoreOutput

Creates a policy store. A policy store is a container for policy resources.

<note markdown=“1”> Although [Cedar supports multiple namespaces], Verified Permissions currently supports only one namespace per policy store.

</note>

<note markdown=“1”> Verified Permissions is <a href=“https://wikipedia.org/wiki/Eventual_consistency”>eventually consistent</a> . It can take a few seconds for a new or changed element to propagate through the service and be visible in the results of other Verified Permissions operations.

</note>

[1]: docs.cedarpolicy.com/schema/schema.html#namespace

Examples:

Example: To create policy store


# The following example creates a new policy store with strict validation turned on.

resp = client.create_policy_store({
  client_token: "a1b2c3d4-e5f6-a1b2-c3d4-TOKEN1111111", 
  validation_settings: {
    mode: "STRICT", 
  }, 
})

resp.to_h outputs the following:
{
  arn: "arn:aws:verifiedpermissions::123456789012:policy-store/C7v5xMplfFH3i3e4Jrzb1a", 
  created_date: Time.parse("2024-08-12T18:20:50.99Z"), 
  last_updated_date: Time.parse("2024-08-12T18:20:50.99Z"), 
  policy_store_id: "C7v5xMplfFH3i3e4Jrzb1a", 
}

Request syntax with placeholder values


resp = client.create_policy_store({
  client_token: "IdempotencyToken",
  validation_settings: { # required
    mode: "OFF", # required, accepts OFF, STRICT
  },
  description: "PolicyStoreDescription",
})

Response structure


resp.policy_store_id #=> String
resp.arn #=> String
resp.created_date #=> Time
resp.last_updated_date #=> Time

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :client_token (String)

    Specifies a unique, case-sensitive ID that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a [UUID type of value.].

    If you don’t provide this value, then Amazon Web Services generates a random one for you.

    If you retry the operation with the same ‘ClientToken`, but with different parameters, the retry fails with an `ConflictException` error.

    Verified Permissions recognizes a ‘ClientToken` for eight hours. After eight hours, the next request with the same parameters performs the operation again regardless of the value of `ClientToken`.

    **A suitable default value is auto-generated.** You should normally not need to pass this option.**

    [1]: wikipedia.org/wiki/Universally_unique_identifier

  • :validation_settings (required, Types::ValidationSettings)

    Specifies the validation setting for this policy store.

    Currently, the only valid and required value is ‘Mode`.

    We recommend that you turn on ‘STRICT` mode only after you define a schema. If a schema doesn’t exist, then ‘STRICT` mode causes any policy to fail validation, and Verified Permissions rejects the policy. You can turn off validation by using the [UpdatePolicyStore]. Then, when you have a schema defined, use

    UpdatePolicyStore][1

    again to turn validation back on.

    [1]: docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_UpdatePolicyStore

  • :description (String)

    Descriptive text that you can provide to help with identification of the current policy store.

Returns:

See Also:



1671
1672
1673
1674
 
# File 'lib/aws-sdk-verifiedpermissions/client.rb', line 1671

def create_policy_store(params = {}, options = {})
  req = build_request(:create_policy_store, params)
  req.send_request(options)
end

#create_policy_template(params = {}) ⇒ Types::CreatePolicyTemplateOutput

Creates a policy template. A template can use placeholders for the principal and resource. A template must be instantiated into a policy by associating it with specific principals and resources to use for the placeholders. That instantiated policy can then be considered in authorization decisions. The instantiated policy works identically to any other policy, except that it is dynamically linked to the template. If the template changes, then any policies that are linked to that template are immediately updated as well.

<note markdown=“1”> Verified Permissions is <a href=“https://wikipedia.org/wiki/Eventual_consistency”>eventually consistent</a> . It can take a few seconds for a new or changed element to propagate through the service and be visible in the results of other Verified Permissions operations.

</note>

Examples:

Example: To create a policy template


# The following example creates a policy template that has a placeholder for the principal.

resp = client.create_policy_template({
  client_token: "a1b2c3d4-e5f6-a1b2-c3d4-TOKEN1111111", 
  description: "Template for research dept", 
  policy_store_id: "C7v5xMplfFH3i3e4Jrzb1a", 
  statement: "\"AccessVacation\"\npermit(\n    principal in ?principal,\n    action == Action::\"view\",\n    resource == Photo::\"VacationPhoto94.jpg\"\n)\nwhen {\n    principal has department && principal.department == \"research\"\n};", 
})

resp.to_h outputs the following:
{
  created_date: Time.parse("2024-08-12T18:20:50.99Z"), 
  last_updated_date: Time.parse("2024-08-12T18:20:50.99Z"), 
  policy_store_id: "C7v5xMplfFH3i3e4Jrzb1a", 
  policy_template_id: "PTEXAMPLEabcdefg111111", 
}

Request syntax with placeholder values


resp = client.create_policy_template({
  client_token: "IdempotencyToken",
  policy_store_id: "PolicyStoreId", # required
  description: "PolicyTemplateDescription",
  statement: "PolicyStatement", # required
})

Response structure


resp.policy_store_id #=> String
resp.policy_template_id #=> String
resp.created_date #=> Time
resp.last_updated_date #=> Time

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :client_token (String)

    Specifies a unique, case-sensitive ID that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a [UUID type of value.].

    If you don’t provide this value, then Amazon Web Services generates a random one for you.

    If you retry the operation with the same ‘ClientToken`, but with different parameters, the retry fails with an `ConflictException` error.

    Verified Permissions recognizes a ‘ClientToken` for eight hours. After eight hours, the next request with the same parameters performs the operation again regardless of the value of `ClientToken`.

    **A suitable default value is auto-generated.** You should normally not need to pass this option.**

    [1]: wikipedia.org/wiki/Universally_unique_identifier

  • :policy_store_id (required, String)

    The ID of the policy store in which to create the policy template.

  • :description (String)

    Specifies a description for the policy template.

  • :statement (required, String)

    Specifies the content that you want to use for the new policy template, written in the Cedar policy language.

Returns:

See Also:



1776
1777
1778
1779
 
# File 'lib/aws-sdk-verifiedpermissions/client.rb', line 1776

def create_policy_template(params = {}, options = {})
  req = build_request(:create_policy_template, params)
  req.send_request(options)
end

#delete_identity_source(params = {}) ⇒ Struct

Deletes an identity source that references an identity provider (IdP) such as Amazon Cognito. After you delete the identity source, you can no longer use tokens for identities from that identity source to represent principals in authorization queries made using [IsAuthorizedWithToken]. operations.

[1]: docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_IsAuthorizedWithToken.html

Examples:

Example: To delete an identity source


# The following example request deletes the specified identity source.

resp = client.delete_identity_source({
  identity_source_id: "ISEXAMPLEabcdefg111111", 
  policy_store_id: "C7v5xMplfFH3i3e4Jrzb1a", 
})

resp.to_h outputs the following:
{
}

Request syntax with placeholder values


resp = client.delete_identity_source({
  policy_store_id: "PolicyStoreId", # required
  identity_source_id: "IdentitySourceId", # required
})

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :policy_store_id (required, String)

    Specifies the ID of the policy store that contains the identity source that you want to delete.

  • :identity_source_id (required, String)

    Specifies the ID of the identity source that you want to delete.

Returns:

  • (Struct)

    Returns an empty response.

See Also:



1825
1826
1827
1828
 
# File 'lib/aws-sdk-verifiedpermissions/client.rb', line 1825

def delete_identity_source(params = {}, options = {})
  req = build_request(:delete_identity_source, params)
  req.send_request(options)
end

#delete_policy(params = {}) ⇒ Struct

Deletes the specified policy from the policy store.

This operation is idempotent; if you specify a policy that doesn’t exist, the request response returns a successful ‘HTTP 200` status code.

Examples:

Example: To delete a policy


# The following example deletes the specified policy from its policy store.

resp = client.delete_policy({
  policy_id: "9wYxMpljbbZQb5fcZHyJhY", 
  policy_store_id: "C7v5xMplfFH3i3e4Jrzb1a", 
})

resp.to_h outputs the following:
{
}

Request syntax with placeholder values


resp = client.delete_policy({
  policy_store_id: "PolicyStoreId", # required
  policy_id: "PolicyId", # required
})

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :policy_store_id (required, String)

    Specifies the ID of the policy store that contains the policy that you want to delete.

  • :policy_id (required, String)

    Specifies the ID of the policy that you want to delete.

Returns:

  • (Struct)

    Returns an empty response.

See Also:



1870
1871
1872
1873
 
# File 'lib/aws-sdk-verifiedpermissions/client.rb', line 1870

def delete_policy(params = {}, options = {})
  req = build_request(:delete_policy, params)
  req.send_request(options)
end

#delete_policy_store(params = {}) ⇒ Struct

Deletes the specified policy store.

This operation is idempotent. If you specify a policy store that does not exist, the request response will still return a successful HTTP 200 status code.

Examples:

Example: To delete a policy store


# The following example deletes the specified policy store.

resp = client.delete_policy_store({
  policy_store_id: "C7v5xMplfFH3i3e4Jrzb1a", 
})

resp.to_h outputs the following:
{
}

Request syntax with placeholder values


resp = client.delete_policy_store({
  policy_store_id: "PolicyStoreId", # required
})

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :policy_store_id (required, String)

    Specifies the ID of the policy store that you want to delete.

Returns:

  • (Struct)

    Returns an empty response.

See Also:



1909
1910
1911
1912
 
# File 'lib/aws-sdk-verifiedpermissions/client.rb', line 1909

def delete_policy_store(params = {}, options = {})
  req = build_request(:delete_policy_store, params)
  req.send_request(options)
end

#delete_policy_template(params = {}) ⇒ Struct

Deletes the specified policy template from the policy store.

This operation also deletes any policies that were created from the specified policy template. Those policies are immediately removed from all future API responses, and are asynchronously deleted from the policy store.

Examples:

Example: To delete a policy template


# The following example deletes a policy template. Before you can perform this operation, you must first delete any
# template-linked policies that were instantiated from this policy template. To delete them, use DeletePolicy.

resp = client.delete_policy_template({
  policy_store_id: "C7v5xMplfFH3i3e4Jrzb1a", 
  policy_template_id: "PTEXAMPLEabcdefg111111", 
})

resp.to_h outputs the following:
{
}

Request syntax with placeholder values


resp = client.delete_policy_template({
  policy_store_id: "PolicyStoreId", # required
  policy_template_id: "PolicyTemplateId", # required
})

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :policy_store_id (required, String)

    Specifies the ID of the policy store that contains the policy template that you want to delete.

  • :policy_template_id (required, String)

    Specifies the ID of the policy template that you want to delete.

Returns:

  • (Struct)

    Returns an empty response.

See Also:



1956
1957
1958
1959
 
# File 'lib/aws-sdk-verifiedpermissions/client.rb', line 1956

def delete_policy_template(params = {}, options = {})
  req = build_request(:delete_policy_template, params)
  req.send_request(options)
end

#get_identity_source(params = {}) ⇒ Types::GetIdentitySourceOutput

Retrieves the details about the specified identity source.

Examples:

Example: To retrieve details about an identity source


# The following example retrieves the details for the specified identity source.

resp = client.get_identity_source({
  identity_source_id: "ISEXAMPLEabcdefg111111", 
  policy_store_id: "C7v5xMplfFH3i3e4Jrzb1a", 
})

resp.to_h outputs the following:
{
  created_date: Time.parse("2024-08-12T18:20:50.99Z"), 
  details: {
    client_ids: [
      "a1b2c3d4e5f6g7h8i9j0kalbmc", 
    ], 
    discovery_url: "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_1a2b3c4d5", 
    open_id_issuer: "COGNITO", 
    user_pool_arn: "arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5", 
  }, 
  identity_source_id: "ISEXAMPLEabcdefg111111", 
  last_updated_date: Time.parse("2024-08-12T18:20:50.99Z"), 
  policy_store_id: "C7v5xMplfFH3i3e4Jrzb1a", 
  principal_entity_type: "AWS::Cognito", 
}

Request syntax with placeholder values


resp = client.get_identity_source({
  policy_store_id: "PolicyStoreId", # required
  identity_source_id: "IdentitySourceId", # required
})

Response structure


resp.created_date #=> Time
resp.details.client_ids #=> Array
resp.details.client_ids[0] #=> String
resp.details.user_pool_arn #=> String
resp.details.discovery_url #=> String
resp.details.open_id_issuer #=> String, one of "COGNITO"
resp.identity_source_id #=> String
resp.last_updated_date #=> Time
resp.policy_store_id #=> String
resp.principal_entity_type #=> String
resp.configuration.cognito_user_pool_configuration.user_pool_arn #=> String
resp.configuration.cognito_user_pool_configuration.client_ids #=> Array
resp.configuration.cognito_user_pool_configuration.client_ids[0] #=> String
resp.configuration.cognito_user_pool_configuration.issuer #=> String
resp.configuration.cognito_user_pool_configuration.group_configuration.group_entity_type #=> String
resp.configuration.open_id_connect_configuration.issuer #=> String
resp.configuration.open_id_connect_configuration.entity_id_prefix #=> String
resp.configuration.open_id_connect_configuration.group_configuration.group_claim #=> String
resp.configuration.open_id_connect_configuration.group_configuration.group_entity_type #=> String
resp.configuration.open_id_connect_configuration.token_selection.access_token_only.principal_id_claim #=> String
resp.configuration.open_id_connect_configuration.token_selection.access_token_only.audiences #=> Array
resp.configuration.open_id_connect_configuration.token_selection.access_token_only.audiences[0] #=> String
resp.configuration.open_id_connect_configuration.token_selection.identity_token_only.principal_id_claim #=> String
resp.configuration.open_id_connect_configuration.token_selection.identity_token_only.client_ids #=> Array
resp.configuration.open_id_connect_configuration.token_selection.identity_token_only.client_ids[0] #=> String

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :policy_store_id (required, String)

    Specifies the ID of the policy store that contains the identity source you want information about.

  • :identity_source_id (required, String)

    Specifies the ID of the identity source you want information about.

Returns:

See Also:



2046
2047
2048
2049
 
# File 'lib/aws-sdk-verifiedpermissions/client.rb', line 2046

def get_identity_source(params = {}, options = {})
  req = build_request(:get_identity_source, params)
  req.send_request(options)
end

#get_policy(params = {}) ⇒ Types::GetPolicyOutput

Retrieves information about the specified policy.

Examples:

Example: To retrieve details about a policy


# The following example retrieves information about the specified policy contained in the specified policy store. In this
# example, the requested policy is a template-linked policy, so it returns the ID of the policy template, and the specific
# principal and resource used by this policy.

resp = client.get_policy({
  policy_id: "9wYixMplbbZQb5fcZHyJhY", 
  policy_store_id: "C7v5xMplfFH3i3e4Jrzb1a", 
})

resp.to_h outputs the following:
{
  created_date: Time.parse("2024-08-12T18:20:50.99Z"), 
  definition: {
    static: {
      description: "Grant everyone of janeFriends UserGroup access to the vacationFolder Album", 
      statement: "permit(principal, action, resource in Album::\"publicFolder\");", 
    }, 
  }, 
  last_updated_date: Time.parse("2024-08-12T18:20:50.99Z"), 
  policy_id: "9wYxMpljbbZQb5fcZHyJhY", 
  policy_store_id: "C7v5xMplfFH3i3e4Jrzb1a", 
  policy_type: "STATIC", 
  resource: {
    entity_id: "publicFolder", 
    entity_type: "Album", 
  }, 
}

Request syntax with placeholder values


resp = client.get_policy({
  policy_store_id: "PolicyStoreId", # required
  policy_id: "PolicyId", # required
})

Response structure


resp.policy_store_id #=> String
resp.policy_id #=> String
resp.policy_type #=> String, one of "STATIC", "TEMPLATE_LINKED"
resp.principal.entity_type #=> String
resp.principal.entity_id #=> String
resp.resource.entity_type #=> String
resp.resource.entity_id #=> String
resp.actions #=> Array
resp.actions[0].action_type #=> String
resp.actions[0].action_id #=> String
resp.definition.static.description #=> String
resp.definition.static.statement #=> String
resp.definition.template_linked.policy_template_id #=> String
resp.definition.template_linked.principal.entity_type #=> String
resp.definition.template_linked.principal.entity_id #=> String
resp.definition.template_linked.resource.entity_type #=> String
resp.definition.template_linked.resource.entity_id #=> String
resp.created_date #=> Time
resp.last_updated_date #=> Time
resp.effect #=> String, one of "Permit", "Forbid"

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :policy_store_id (required, String)

    Specifies the ID of the policy store that contains the policy that you want information about.

  • :policy_id (required, String)

    Specifies the ID of the policy you want information about.

Returns:

See Also:



2138
2139
2140
2141
 
# File 'lib/aws-sdk-verifiedpermissions/client.rb', line 2138

def get_policy(params = {}, options = {})
  req = build_request(:get_policy, params)
  req.send_request(options)
end

#get_policy_store(params = {}) ⇒ Types::GetPolicyStoreOutput

Retrieves details about a policy store.

Examples:

Example: GetPolicyStore


# The following example retrieves details about the specified policy store.

resp = client.get_policy_store({
  policy_store_id: "C7v5xMplfFH3i3e4Jrzb1a", 
})

resp.to_h outputs the following:
{
  arn: "arn:aws:verifiedpermissions::123456789012:policy-store/C7v5xMplfFH3i3e4Jrzb1a", 
  created_date: Time.parse("2024-08-12T18:20:50.99Z"), 
  last_updated_date: Time.parse("2024-08-12T18:20:50.99Z"), 
  policy_store_id: "C7v5xMplfFH3i3e4Jrzb1a", 
  validation_settings: {
    mode: "STRICT", 
  }, 
}

Request syntax with placeholder values


resp = client.get_policy_store({
  policy_store_id: "PolicyStoreId", # required
})

Response structure


resp.policy_store_id #=> String
resp.arn #=> String
resp.validation_settings.mode #=> String, one of "OFF", "STRICT"
resp.created_date #=> Time
resp.last_updated_date #=> Time
resp.description #=> String

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :policy_store_id (required, String)

    Specifies the ID of the policy store that you want information about.

Returns:

See Also:



2196
2197
2198
2199
 
# File 'lib/aws-sdk-verifiedpermissions/client.rb', line 2196

def get_policy_store(params = {}, options = {})
  req = build_request(:get_policy_store, params)
  req.send_request(options)
end

#get_policy_template(params = {}) ⇒ Types::GetPolicyTemplateOutput

Retrieve the details for the specified policy template in the specified policy store.

Examples:

Example: GetPolicyTemplate


# The following example displays the details of the specified policy template.

resp = client.get_policy_template({
  policy_store_id: "C7v5xMplfFH3i3e4Jrzb1a", 
  policy_template_id: "PTEXAMPLEabcdefg111111", 
})

resp.to_h outputs the following:
{
  created_date: Time.parse("2024-08-12T18:20:50.99Z"), 
  description: "Template for research dept", 
  last_updated_date: Time.parse("2024-08-12T18:20:50.99Z"), 
  policy_store_id: "C7v5xMplfFH3i3e4Jrzb1a", 
  policy_template_id: "PTEXAMPLEabcdefg111111", 
  statement: "permit(\n  principal ?principal,\n  action == Action::\"view\",\n  resource in ?resource\n) when {\n  principal has department && principal.department == \"research\" \n};", 
}

Request syntax with placeholder values


resp = client.get_policy_template({
  policy_store_id: "PolicyStoreId", # required
  policy_template_id: "PolicyTemplateId", # required
})

Response structure


resp.policy_store_id #=> String
resp.policy_template_id #=> String
resp.description #=> String
resp.statement #=> String
resp.created_date #=> Time
resp.last_updated_date #=> Time

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :policy_store_id (required, String)

    Specifies the ID of the policy store that contains the policy template that you want information about.

  • :policy_template_id (required, String)

    Specifies the ID of the policy template that you want information about.

Returns:

See Also:



2261
2262
2263
2264
 
# File 'lib/aws-sdk-verifiedpermissions/client.rb', line 2261

def get_policy_template(params = {}, options = {})
  req = build_request(:get_policy_template, params)
  req.send_request(options)
end

#get_schema(params = {}) ⇒ Types::GetSchemaOutput

Retrieve the details for the specified schema in the specified policy store.

Examples:

Example: GetSchema


# The following example retrieves the current schema stored in the specified policy store.
# Note
# The JSON in the parameters of this operation are strings that can contain embedded quotation marks (") within the
# outermost quotation mark pair. This requires that you stringify the JSON object by preceding all embedded quotation
# marks with a backslash character ( \" ) and combining all lines into a single text line with no line breaks.
# Example strings might be displayed wrapped across multiple lines here for readability, but the operation requires the
# parameters be submitted as single line strings.

resp = client.get_schema({
  policy_store_id: "C7v5xMplfFH3i3e4Jrzb1a", 
})

resp.to_h outputs the following:
{
  created_date: Time.parse("2024-08-12T18:20:50.99Z"), 
  last_updated_date: Time.parse("2024-08-12T18:20:50.99Z"), 
  policy_store_id: "C7v5xMplfFH3i3e4Jrzb1a", 
  schema: "{\n\"My::Application\": {\n\"actions\": {\n\"remoteAccess\": {\n\"appliesTo\": {\n\"principalTypes\":   [\"Employee\"]\n}\n}\n},\n\"entityTypes\":   {\n\"Employee\": {\n\"shape\": {\n\"attributes\": {\n\"jobLevel\": { \"type\": \"Long\" },\n\"name\": { \"type\":\"String\" }\n},\n\"type\": \"Record\"\n}\n}\n}\n}\n  }", 
}

Request syntax with placeholder values


resp = client.get_schema({
  policy_store_id: "PolicyStoreId", # required
})

Response structure


resp.policy_store_id #=> String
resp.schema #=> String
resp.created_date #=> Time
resp.last_updated_date #=> Time
resp.namespaces #=> Array
resp.namespaces[0] #=> String

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :policy_store_id (required, String)

    Specifies the ID of the policy store that contains the schema.

Returns:

See Also:



2322
2323
2324
2325
 
# File 'lib/aws-sdk-verifiedpermissions/client.rb', line 2322

def get_schema(params = {}, options = {})
  req = build_request(:get_schema, params)
  req.send_request(options)
end

#is_authorized(params = {}) ⇒ Types::IsAuthorizedOutput

Makes an authorization decision about a service request described in the parameters. The information in the parameters can also define additional context that Verified Permissions can include in the evaluation. The request is evaluated against all matching policies in the specified policy store. The result of the decision is either ‘Allow` or `Deny`, along with a list of the policies that resulted in the decision.

Examples:

Example: IsAuthorized - Example 1


# The following example requests an authorization decision for a principal of type User named Alice, who wants to perform
# the updatePhoto operation, on a resource of type Photo named VacationPhoto94.jpg.
# The response shows that the request was allowed by one policy.

resp = client.is_authorized({
  action: {
    action_id: "view", 
    action_type: "Action", 
  }, 
  policy_store_id: "C7v5xMplfFH3i3e4Jrzb1a", 
  principal: {
    entity_id: "alice", 
    entity_type: "User", 
  }, 
  resource: {
    entity_id: "VacationPhoto94.jpg", 
    entity_type: "Photo", 
  }, 
})

resp.to_h outputs the following:
{
  errors: [
  ], 
  decision: "ALLOW", 
  determining_policies: [
    {
      policy_id: "9wYxMpljbbZQb5fcZHyJhY", 
    }, 
  ], 
}

Example: IsAuthorized - Example 2


# The following example is the same as the previous example, except that the principal is User::"bob", and the policy
# store doesn't contain any policy that allows that user access to Album::"alice_folder". The output infers that the Deny
# was implicit because the list of DeterminingPolicies is empty.

resp = client.is_authorized({
  action: {
    action_id: "view", 
    action_type: "Action", 
  }, 
  policy_store_id: "C7v5xMplfFH3i3e4Jrzb1a", 
  principal: {
    entity_id: "bob", 
    entity_type: "User", 
  }, 
  resource: {
    entity_id: "VacationPhoto94.jpg", 
    entity_type: "Photo", 
  }, 
})

resp.to_h outputs the following:
{
  errors: [
  ], 
  decision: "DENY", 
  determining_policies: [
  ], 
}

Request syntax with placeholder values


resp = client.is_authorized({
  policy_store_id: "PolicyStoreId", # required
  principal: {
    entity_type: "EntityType", # required
    entity_id: "EntityId", # required
  },
  action: {
    action_type: "ActionType", # required
    action_id: "ActionId", # required
  },
  resource: {
    entity_type: "EntityType", # required
    entity_id: "EntityId", # required
  },
  context: {
    context_map: {
      "String" => "value", # value <Hash,Array,String,Numeric,Boolean,IO,Set,nil>
    },
  },
  entities: {
    entity_list: [
      {
        identifier: { # required
          entity_type: "EntityType", # required
          entity_id: "EntityId", # required
        },
        attributes: {
          "String" => "value", # value <Hash,Array,String,Numeric,Boolean,IO,Set,nil>
        },
        parents: [
          {
            entity_type: "EntityType", # required
            entity_id: "EntityId", # required
          },
        ],
      },
    ],
  },
})

Response structure


resp.decision #=> String, one of "ALLOW", "DENY"
resp.determining_policies #=> Array
resp.determining_policies[0].policy_id #=> String
resp.errors #=> Array
resp.errors[0].error_description #=> String

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :policy_store_id (required, String)

    Specifies the ID of the policy store. Policies in this policy store will be used to make an authorization decision for the input.

  • :principal (Types::EntityIdentifier)

    Specifies the principal for which the authorization decision is to be made.

  • :action (Types::ActionIdentifier)

    Specifies the requested action to be authorized. For example, is the principal authorized to perform this action on the resource?

  • :resource (Types::EntityIdentifier)

    Specifies the resource for which the authorization decision is to be made.

  • :context (Types::ContextDefinition)

    Specifies additional context that can be used to make more granular authorization decisions.

  • :entities (Types::EntitiesDefinition)

    Specifies the list of resources and principals and their associated attributes that Verified Permissions can examine when evaluating the policies.

    <note markdown=“1”> You can include only principal and resource entities in this parameter; you can’t include actions. You must specify actions in the schema.

    </note>

Returns:

See Also:



2492
2493
2494
2495
 
# File 'lib/aws-sdk-verifiedpermissions/client.rb', line 2492

def is_authorized(params = {}, options = {})
  req = build_request(:is_authorized, params)
  req.send_request(options)
end

#is_authorized_with_token(params = {}) ⇒ Types::IsAuthorizedWithTokenOutput

Makes an authorization decision about a service request described in the parameters. The principal in this request comes from an external identity source in the form of an identity token formatted as a [JSON web token (JWT)]. The information in the parameters can also define additional context that Verified Permissions can include in the evaluation. The request is evaluated against all matching policies in the specified policy store. The result of the decision is either ‘Allow` or `Deny`, along with a list of the policies that resulted in the decision.

Verified Permissions validates each token that is specified in a request by checking its expiration date and its signature.

Tokens from an identity source user continue to be usable until they expire. Token revocation and resource deletion have no effect on the validity of a token in your policy store

[1]: wikipedia.org/wiki/JSON_Web_Token

Examples:

Example: IsAuthorizedWithToken - Example 1


# The following example requests an authorization decision for a user who was authenticated by Amazon Cognito. The request
# uses the identity token provided by Amazon Cognito instead of the access token. In this example, the specified
# information store is configured to return principals as entities of type CognitoUser. The policy store contains a policy
# with the following statement.
# permit(
# principal == CognitoUser::"us-east-1_1a2b3c4d5|a1b2c3d4e5f6g7h8i9j0kalbmc",
# action,
# resource == Photo::"VacationPhoto94.jpg"
# );

resp = client.is_authorized_with_token({
  action: {
    action_id: "View", 
    action_type: "Action", 
  }, 
  identity_token: "EgZjxMPlbWUyBggAEEUYOdIBCDM3NDlqMGo3qAIAsAIA", 
  policy_store_id: "C7v5xMplfFH3i3e4Jrzb1a", 
  resource: {
    entity_id: "vacationPhoto94.jpg", 
    entity_type: "Photo", 
  }, 
})

resp.to_h outputs the following:
{
  errors: [
  ], 
  decision: "ALLOW", 
  determining_policies: [
    {
      policy_id: "9wYxMpljbbZQb5fcZHyJhY", 
    }, 
  ], 
}

Request syntax with placeholder values


resp = client.is_authorized_with_token({
  policy_store_id: "PolicyStoreId", # required
  identity_token: "Token",
  access_token: "Token",
  action: {
    action_type: "ActionType", # required
    action_id: "ActionId", # required
  },
  resource: {
    entity_type: "EntityType", # required
    entity_id: "EntityId", # required
  },
  context: {
    context_map: {
      "String" => "value", # value <Hash,Array,String,Numeric,Boolean,IO,Set,nil>
    },
  },
  entities: {
    entity_list: [
      {
        identifier: { # required
          entity_type: "EntityType", # required
          entity_id: "EntityId", # required
        },
        attributes: {
          "String" => "value", # value <Hash,Array,String,Numeric,Boolean,IO,Set,nil>
        },
        parents: [
          {
            entity_type: "EntityType", # required
            entity_id: "EntityId", # required
          },
        ],
      },
    ],
  },
})

Response structure


resp.decision #=> String, one of "ALLOW", "DENY"
resp.determining_policies #=> Array
resp.determining_policies[0].policy_id #=> String
resp.errors #=> Array
resp.errors[0].error_description #=> String
resp.principal.entity_type #=> String
resp.principal.entity_id #=> String

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :policy_store_id (required, String)

    Specifies the ID of the policy store. Policies in this policy store will be used to make an authorization decision for the input.

  • :identity_token (String)

    Specifies an identity token for the principal to be authorized. This token is provided to you by the identity provider (IdP) associated with the specified identity source. You must specify either an ‘accessToken`, an `identityToken`, or both.

    Must be an ID token. Verified Permissions returns an error if the ‘token_use` claim in the submitted token isn’t ‘id`.

  • :access_token (String)

    Specifies an access token for the principal to be authorized. This token is provided to you by the identity provider (IdP) associated with the specified identity source. You must specify either an ‘accessToken`, an `identityToken`, or both.

    Must be an access token. Verified Permissions returns an error if the ‘token_use` claim in the submitted token isn’t ‘access`.

  • :action (Types::ActionIdentifier)

    Specifies the requested action to be authorized. Is the specified principal authorized to perform this action on the specified resource.

  • :resource (Types::EntityIdentifier)

    Specifies the resource for which the authorization decision is made. For example, is the principal allowed to perform the action on the resource?

  • :context (Types::ContextDefinition)

    Specifies additional context that can be used to make more granular authorization decisions.

  • :entities (Types::EntitiesDefinition)

    Specifies the list of resources and their associated attributes that Verified Permissions can examine when evaluating the policies.

    You can’t include principals in this parameter, only resource and action entities. This parameter can’t include any entities of a type that matches the user or group entity types that you defined in your identity source.

    * The `IsAuthorizedWithToken` operation takes principal attributes
 from <b> <i>only</i> </b> the `identityToken` or `accessToken`
 passed to the operation.

    • For action entities, you can include only their ‘Identifier` and `EntityType`.

Returns:

See Also:



2668
2669
2670
2671
 
# File 'lib/aws-sdk-verifiedpermissions/client.rb', line 2668

def is_authorized_with_token(params = {}, options = {})
  req = build_request(:is_authorized_with_token, params)
  req.send_request(options)
end

#list_identity_sources(params = {}) ⇒ Types::ListIdentitySourcesOutput

Returns a paginated list of all of the identity sources defined in the specified policy store.

The returned response is a pageable response and is Enumerable. For details on usage see PageableResponse.

Examples:

Example: ListIdentitySources


# The following example request creates lists the identity sources currently defined in the specified policy store.

resp = client.list_identity_sources({
  policy_store_id: "C7v5xMplfFH3i3e4Jrzb1a", 
})

resp.to_h outputs the following:
{
  identity_sources: [
    {
      created_date: Time.parse("2023-05-19T20:29:23.66812Z"), 
      details: {
        client_ids: [
          "a1b2c3d4e5f6g7h8i9j0kalbmc", 
        ], 
        discovery_url: "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_1a2b3c4d5", 
        open_id_issuer: "COGNITO", 
        user_pool_arn: "arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5", 
      }, 
      identity_source_id: "ISEXAMPLEabcdefg111111", 
      last_updated_date: Time.parse("2023-05-19T20:29:23.66812Z"), 
      policy_store_id: "C7v5xMplfFH3i3e4Jrzb1a", 
      principal_entity_type: "User", 
    }, 
  ], 
}

Request syntax with placeholder values


resp = client.list_identity_sources({
  policy_store_id: "PolicyStoreId", # required
  next_token: "NextToken",
  max_results: 1,
  filters: [
    {
      principal_entity_type: "PrincipalEntityType",
    },
  ],
})

Response structure


resp.next_token #=> String
resp.identity_sources #=> Array
resp.identity_sources[0].created_date #=> Time
resp.identity_sources[0].details.client_ids #=> Array
resp.identity_sources[0].details.client_ids[0] #=> String
resp.identity_sources[0].details.user_pool_arn #=> String
resp.identity_sources[0].details.discovery_url #=> String
resp.identity_sources[0].details.open_id_issuer #=> String, one of "COGNITO"
resp.identity_sources[0].identity_source_id #=> String
resp.identity_sources[0].last_updated_date #=> Time
resp.identity_sources[0].policy_store_id #=> String
resp.identity_sources[0].principal_entity_type #=> String
resp.identity_sources[0].configuration.cognito_user_pool_configuration.user_pool_arn #=> String
resp.identity_sources[0].configuration.cognito_user_pool_configuration.client_ids #=> Array
resp.identity_sources[0].configuration.cognito_user_pool_configuration.client_ids[0] #=> String
resp.identity_sources[0].configuration.cognito_user_pool_configuration.issuer #=> String
resp.identity_sources[0].configuration.cognito_user_pool_configuration.group_configuration.group_entity_type #=> String
resp.identity_sources[0].configuration.open_id_connect_configuration.issuer #=> String
resp.identity_sources[0].configuration.open_id_connect_configuration.entity_id_prefix #=> String
resp.identity_sources[0].configuration.open_id_connect_configuration.group_configuration.group_claim #=> String
resp.identity_sources[0].configuration.open_id_connect_configuration.group_configuration.group_entity_type #=> String
resp.identity_sources[0].configuration.open_id_connect_configuration.token_selection.access_token_only.principal_id_claim #=> String
resp.identity_sources[0].configuration.open_id_connect_configuration.token_selection.access_token_only.audiences #=> Array
resp.identity_sources[0].configuration.open_id_connect_configuration.token_selection.access_token_only.audiences[0] #=> String
resp.identity_sources[0].configuration.open_id_connect_configuration.token_selection.identity_token_only.principal_id_claim #=> String
resp.identity_sources[0].configuration.open_id_connect_configuration.token_selection.identity_token_only.client_ids #=> Array
resp.identity_sources[0].configuration.open_id_connect_configuration.token_selection.identity_token_only.client_ids[0] #=> String

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :policy_store_id (required, String)

    Specifies the ID of the policy store that contains the identity sources that you want to list.

  • :next_token (String)

    Specifies that you want to receive the next page of results. Valid only if you received a ‘NextToken` response in the previous request. If you did, it indicates that more output is available. Set this parameter to the value provided by the previous call’s ‘NextToken` response to request the next page of results.

  • :max_results (Integer)

    Specifies the total number of results that you want included in each response. If additional items exist beyond the number you specify, the ‘NextToken` response element is returned with a value (not null). Include the specified value as the `NextToken` request parameter in the next call to the operation to get the next set of results. Note that the service might return fewer results than the maximum even when there are more results available. You should check `NextToken` after every operation to ensure that you receive all of the results.

    If you do not specify this parameter, the operation defaults to 10 identity sources per response. You can specify a maximum of 50 identity sources per response.

  • :filters (Array<Types::IdentitySourceFilter>)

    Specifies characteristics of an identity source that you can use to limit the output to matching identity sources.

Returns:

See Also:



2789
2790
2791
2792
 
# File 'lib/aws-sdk-verifiedpermissions/client.rb', line 2789

def list_identity_sources(params = {}, options = {})
  req = build_request(:list_identity_sources, params)
  req.send_request(options)
end

#list_policies(params = {}) ⇒ Types::ListPoliciesOutput

Returns a paginated list of all policies stored in the specified policy store.

The returned response is a pageable response and is Enumerable. For details on usage see PageableResponse.

Examples:

Example: ListPolicies - Example 1


# The following example lists all policies in the policy store.

resp = client.list_policies({
  policy_store_id: "C7v5xMplfFH3i3e4Jrzb1a", 
})

resp.to_h outputs the following:
{
  policies: [
    {
      created_date: Time.parse("2024-08-12T18:20:50.99Z"), 
      definition: {
        static: {
          description: "Grant members of janeFriends UserGroup access to the vacationFolder Album", 
        }, 
      }, 
      last_updated_date: Time.parse("2024-08-12T18:20:50.99Z"), 
      policy_id: "9wYxMpljbbZQb5fcZHyJhY", 
      policy_store_id: "C7v5xMplfFH3i3e4Jrzb1a", 
      policy_type: "STATIC", 
      principal: {
        entity_id: "janeFriends", 
        entity_type: "UserGroup", 
      }, 
      resource: {
        entity_id: "vacationFolder", 
        entity_type: "Album", 
      }, 
    }, 
    {
      created_date: Time.parse("2024-08-12T18:20:50.99Z"), 
      definition: {
        static: {
          description: "Grant everyone access to the publicFolder Album", 
        }, 
      }, 
      last_updated_date: Time.parse("2024-08-12T18:20:50.99Z"), 
      policy_id: "Et9KxMplyaDdyurDw8TeFa", 
      policy_store_id: "C7v5xMplfFH3i3e4Jrzb1a", 
      policy_type: "STATIC", 
      resource: {
        entity_id: "publicFolder", 
        entity_type: "Album", 
      }, 
    }, 
  ], 
}

Example: ListPolicies - Example 2


# The following example lists all policies for a specified principal.

resp = client.list_policies({
  filter: {
    principal: {
      identifier: {
        entity_id: "alice", 
        entity_type: "User", 
      }, 
    }, 
  }, 
  policy_store_id: "C7v5xMplfFH3i3e4Jrzb1a", 
})

resp.to_h outputs the following:
{
  policies: [
    {
      created_date: Time.parse("2022-12-09T22:55:16.067533Z"), 
      definition: {
        static: {
          description: "An example policy", 
        }, 
      }, 
      last_updated_date: Time.parse("2022-12-09T22:55:16.067533Z"), 
      policy_id: "Et9KxMplyaDdyurDw8TeFa", 
      policy_store_id: "C7v5xMplfFH3i3e4Jrzb1a", 
      policy_type: "STATIC", 
      principal: {
        entity_id: "alice", 
        entity_type: "User", 
      }, 
      resource: {
        entity_id: "bob_folder", 
        entity_type: "Album", 
      }, 
    }, 
    {
      created_date: Time.parse("2022-12-09T23:00:24.66266Z"), 
      definition: {
        static: {
        }, 
      }, 
      last_updated_date: Time.parse("2022-12-09T23:00:24.66266Z"), 
      policy_id: "9wYxMpljbbZQb5fcZHyJhY", 
      policy_store_id: "C7v5xMplfFH3i3e4Jrzb1a", 
      policy_type: "STATIC", 
      principal: {
        entity_id: "alice", 
        entity_type: "User", 
      }, 
      resource: {
        entity_id: "alice_folder", 
        entity_type: "Album", 
      }, 
    }, 
  ], 
}

Example: ListPolicies - Example 3


# The following example uses the Filter parameter to list only the template-linked policies in the specified policy store.

resp = client.list_policies({
  filter: {
    policy_type: "TEMPLATE_LINKED", 
  }, 
  policy_store_id: "C7v5xMplfFH3i3e4Jrzb1a", 
})

resp.to_h outputs the following:
{
  policies: [
    {
      created_date: Time.parse("2023-06-13T16:03:07.620867Z"), 
      definition: {
        template_linked: {
          policy_template_id: "PTEXAMPLEabcdefg111111", 
          principal: {
            entity_id: "alice", 
            entity_type: "User", 
          }, 
          resource: {
            entity_id: "pic.jpg", 
            entity_type: "Photo", 
          }, 
        }, 
      }, 
      last_updated_date: Time.parse("2023-06-13T16:03:07.620867Z"), 
      policy_id: "9wYxMpljbbZQb5fcZHyJhY", 
      policy_store_id: "C7v5xMplfFH3i3e4Jrzb1a", 
      policy_type: "TEMPLATE_LINKED", 
      principal: {
        entity_id: "alice", 
        entity_type: "User", 
      }, 
      resource: {
        entity_id: "pic.jpg", 
        entity_type: "Photo", 
      }, 
    }, 
  ], 
}

Request syntax with placeholder values


resp = client.list_policies({
  policy_store_id: "PolicyStoreId", # required
  next_token: "NextToken",
  max_results: 1,
  filter: {
    principal: {
      unspecified: false,
      identifier: {
        entity_type: "EntityType", # required
        entity_id: "EntityId", # required
      },
    },
    resource: {
      unspecified: false,
      identifier: {
        entity_type: "EntityType", # required
        entity_id: "EntityId", # required
      },
    },
    policy_type: "STATIC", # accepts STATIC, TEMPLATE_LINKED
    policy_template_id: "PolicyTemplateId",
  },
})

Response structure


resp.next_token #=> String
resp.policies #=> Array
resp.policies[0].policy_store_id #=> String
resp.policies[0].policy_id #=> String
resp.policies[0].policy_type #=> String, one of "STATIC", "TEMPLATE_LINKED"
resp.policies[0].principal.entity_type #=> String
resp.policies[0].principal.entity_id #=> String
resp.policies[0].resource.entity_type #=> String
resp.policies[0].resource.entity_id #=> String
resp.policies[0].actions #=> Array
resp.policies[0].actions[0].action_type #=> String
resp.policies[0].actions[0].action_id #=> String
resp.policies[0].definition.static.description #=> String
resp.policies[0].definition.template_linked.policy_template_id #=> String
resp.policies[0].definition.template_linked.principal.entity_type #=> String
resp.policies[0].definition.template_linked.principal.entity_id #=> String
resp.policies[0].definition.template_linked.resource.entity_type #=> String
resp.policies[0].definition.template_linked.resource.entity_id #=> String
resp.policies[0].created_date #=> Time
resp.policies[0].last_updated_date #=> Time
resp.policies[0].effect #=> String, one of "Permit", "Forbid"

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :policy_store_id (required, String)

    Specifies the ID of the policy store you want to list policies from.

  • :next_token (String)

    Specifies that you want to receive the next page of results. Valid only if you received a ‘NextToken` response in the previous request. If you did, it indicates that more output is available. Set this parameter to the value provided by the previous call’s ‘NextToken` response to request the next page of results.

  • :max_results (Integer)

    Specifies the total number of results that you want included in each response. If additional items exist beyond the number you specify, the ‘NextToken` response element is returned with a value (not null). Include the specified value as the `NextToken` request parameter in the next call to the operation to get the next set of results. Note that the service might return fewer results than the maximum even when there are more results available. You should check `NextToken` after every operation to ensure that you receive all of the results.

    If you do not specify this parameter, the operation defaults to 10 policies per response. You can specify a maximum of 50 policies per response.

  • :filter (Types::PolicyFilter)

    Specifies a filter that limits the response to only policies that match the specified criteria. For example, you list only the policies that reference a specified principal.

Returns:

See Also:



3044
3045
3046
3047
 
# File 'lib/aws-sdk-verifiedpermissions/client.rb', line 3044

def list_policies(params = {}, options = {})
  req = build_request(:list_policies, params)
  req.send_request(options)
end

#list_policy_stores(params = {}) ⇒ Types::ListPolicyStoresOutput

Returns a paginated list of all policy stores in the calling Amazon Web Services account.

The returned response is a pageable response and is Enumerable. For details on usage see PageableResponse.

Examples:

Example: ListPolicyStores


# The following example lists all policy stores in the AWS account in the AWS Region in which you call the operation.

resp = client.list_policy_stores({
})

resp.to_h outputs the following:
{
  policy_stores: [
    {
      arn: "arn:aws:verifiedpermissions::123456789012:policy-store/C7v5xMplfFH3i3e4Jrzb1a", 
      created_date: Time.parse("2023-05-16T17:41:29.103459Z"), 
      policy_store_id: "C7v5xMplfFH3i3e4Jrzb1a", 
    }, 
    {
      arn: "arn:aws:verifiedpermissions::123456789012:policy-store/PSEXAMPLEabcdefg222222", 
      created_date: Time.parse("2023-05-16T18:23:04.985521Z"), 
      policy_store_id: "PSEXAMPLEabcdefg222222", 
    }, 
  ], 
}

Request syntax with placeholder values


resp = client.list_policy_stores({
  next_token: "NextToken",
  max_results: 1,
})

Response structure


resp.next_token #=> String
resp.policy_stores #=> Array
resp.policy_stores[0].policy_store_id #=> String
resp.policy_stores[0].arn #=> String
resp.policy_stores[0].created_date #=> Time
resp.policy_stores[0].last_updated_date #=> Time
resp.policy_stores[0].description #=> String

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :next_token (String)

    Specifies that you want to receive the next page of results. Valid only if you received a ‘NextToken` response in the previous request. If you did, it indicates that more output is available. Set this parameter to the value provided by the previous call’s ‘NextToken` response to request the next page of results.

  • :max_results (Integer)

    Specifies the total number of results that you want included in each response. If additional items exist beyond the number you specify, the ‘NextToken` response element is returned with a value (not null). Include the specified value as the `NextToken` request parameter in the next call to the operation to get the next set of results. Note that the service might return fewer results than the maximum even when there are more results available. You should check `NextToken` after every operation to ensure that you receive all of the results.

    If you do not specify this parameter, the operation defaults to 10 policy stores per response. You can specify a maximum of 50 policy stores per response.

Returns:

See Also:



3125
3126
3127
3128
 
# File 'lib/aws-sdk-verifiedpermissions/client.rb', line 3125

def list_policy_stores(params = {}, options = {})
  req = build_request(:list_policy_stores, params)
  req.send_request(options)
end

#list_policy_templates(params = {}) ⇒ Types::ListPolicyTemplatesOutput

Returns a paginated list of all policy templates in the specified policy store.

The returned response is a pageable response and is Enumerable. For details on usage see PageableResponse.

Examples:

Example: ListPolicyTemplates


# The following example retrieves a list of all of the policy templates in the specified policy store.

resp = client.list_policy_templates({
  policy_store_id: "C7v5xMplfFH3i3e4Jrzb1a", 
})

resp.to_h outputs the following:
{
  policy_templates: [
    {
      created_date: Time.parse("2024-08-12T18:20:50.99Z"), 
      description: "Generic template", 
      last_updated_date: Time.parse("2024-08-12T18:20:50.99Z"), 
      policy_store_id: "C7v5xMplfFH3i3e4Jrzb1a", 
      policy_template_id: "PTEXAMPLEabcdefg111111", 
    }, 
    {
      created_date: Time.parse("2024-08-12T18:20:50.99Z"), 
      description: "Template for research dept", 
      last_updated_date: Time.parse("2024-08-12T18:20:50.99Z"), 
      policy_store_id: "C7v5xMplfFH3i3e4Jrzb1a", 
      policy_template_id: "PTEXAMPLEabcdefg222222", 
    }, 
  ], 
}

Request syntax with placeholder values


resp = client.list_policy_templates({
  policy_store_id: "PolicyStoreId", # required
  next_token: "NextToken",
  max_results: 1,
})

Response structure


resp.next_token #=> String
resp.policy_templates #=> Array
resp.policy_templates[0].policy_store_id #=> String
resp.policy_templates[0].policy_template_id #=> String
resp.policy_templates[0].description #=> String
resp.policy_templates[0].created_date #=> Time
resp.policy_templates[0].last_updated_date #=> Time

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :policy_store_id (required, String)

    Specifies the ID of the policy store that contains the policy templates you want to list.

  • :next_token (String)

    Specifies that you want to receive the next page of results. Valid only if you received a ‘NextToken` response in the previous request. If you did, it indicates that more output is available. Set this parameter to the value provided by the previous call’s ‘NextToken` response to request the next page of results.

  • :max_results (Integer)

    Specifies the total number of results that you want included in each response. If additional items exist beyond the number you specify, the ‘NextToken` response element is returned with a value (not null). Include the specified value as the `NextToken` request parameter in the next call to the operation to get the next set of results. Note that the service might return fewer results than the maximum even when there are more results available. You should check `NextToken` after every operation to ensure that you receive all of the results.

    If you do not specify this parameter, the operation defaults to 10 policy templates per response. You can specify a maximum of 50 policy templates per response.

Returns:

See Also:



3216
3217
3218
3219
 
# File 'lib/aws-sdk-verifiedpermissions/client.rb', line 3216

def list_policy_templates(params = {}, options = {})
  req = build_request(:list_policy_templates, params)
  req.send_request(options)
end

#put_schema(params = {}) ⇒ Types::PutSchemaOutput

Creates or updates the policy schema in the specified policy store. The schema is used to validate any Cedar policies and policy templates submitted to the policy store. Any changes to the schema validate only policies and templates submitted after the schema change. Existing policies and templates are not re-evaluated against the changed schema. If you later update a policy, then it is evaluated against the new schema at that time.

<note markdown=“1”> Verified Permissions is <a href=“https://wikipedia.org/wiki/Eventual_consistency”>eventually consistent</a> . It can take a few seconds for a new or changed element to propagate through the service and be visible in the results of other Verified Permissions operations.

</note>

Examples:

Example: PutSchema


# The following example creates a new schema, or updates an existing schema, in the specified policy store. Note that the
# schema text is shown line wrapped for readability. You should submit the entire schema text as a single line of text.
# Note
# The JSON in the parameters of this operation are strings that can contain embedded quotation marks (") within the
# outermost quotation mark pair. This requires that you stringify the JSON object by preceding all embedded quotation
# marks with a backslash character ( \" ) and combining all lines into a single text line with no line breaks.
# Example strings might be displayed wrapped across multiple lines here for readability, but the operation requires the
# parameters be submitted as single line strings.

resp = client.put_schema({
  definition: {
    cedar_json: "{\"MySampleNamespace\": {\"actions\": {\"remoteAccess\": {\"appliesTo\": {\"principalTypes\": [\"Employee\"]}}},\"entityTypes\": {\"Employee\": {\"shape\": {\"attributes\": {\"jobLevel\": {\"type\": \"Long\"},\"name\": {\"type\": \"String\"}},\"type\": \"Record\"}}}}}", 
  }, 
  policy_store_id: "C7v5xMplfFH3i3e4Jrzb1a", 
})

resp.to_h outputs the following:
{
  created_date: Time.parse("2023-06-13T19:28:06.003726Z"), 
  last_updated_date: Time.parse("2023-06-13T19:28:06.003726Z"), 
  namespaces: [
    "My::Sample::Namespace", 
  ], 
  policy_store_id: "C7v5xMplfFH3i3e4Jrzb1a", 
}

Request syntax with placeholder values


resp = client.put_schema({
  policy_store_id: "PolicyStoreId", # required
  definition: { # required
    cedar_json: "SchemaJson",
  },
})

Response structure


resp.policy_store_id #=> String
resp.namespaces #=> Array
resp.namespaces[0] #=> String
resp.created_date #=> Time
resp.last_updated_date #=> Time

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :policy_store_id (required, String)

    Specifies the ID of the policy store in which to place the schema.

  • :definition (required, Types::SchemaDefinition)

    Specifies the definition of the schema to be stored. The schema definition must be written in Cedar schema JSON.

Returns:

See Also:



3301
3302
3303
3304
 
# File 'lib/aws-sdk-verifiedpermissions/client.rb', line 3301

def put_schema(params = {}, options = {})
  req = build_request(:put_schema, params)
  req.send_request(options)
end

#update_identity_source(params = {}) ⇒ Types::UpdateIdentitySourceOutput

Updates the specified identity source to use a new identity provider (IdP), or to change the mapping of identities from the IdP to a different principal entity type.

<note markdown=“1”> Verified Permissions is <a href=“https://wikipedia.org/wiki/Eventual_consistency”>eventually consistent</a> . It can take a few seconds for a new or changed element to propagate through the service and be visible in the results of other Verified Permissions operations.

</note>

Examples:

Example: UpdateIdentitySource


# The following example updates the configuration of the specified identity source with a new configuration.

resp = client.update_identity_source({
  identity_source_id: "ISEXAMPLEabcdefg111111", 
  policy_store_id: "C7v5xMplfFH3i3e4Jrzb1a", 
  update_configuration: {
    cognito_user_pool_configuration: {
      client_ids: [
        "a1b2c3d4e5f6g7h8i9j0kalbmc", 
      ], 
      user_pool_arn: "arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5", 
    }, 
  }, 
})

resp.to_h outputs the following:
{
  created_date: Time.parse("2023-05-19T20:30:28.173926Z"), 
  identity_source_id: "ISEXAMPLEabcdefg111111", 
  last_updated_date: Time.parse("2023-05-22T20:45:59.962216Z"), 
  policy_store_id: "C7v5xMplfFH3i3e4Jrzb1a", 
}

Request syntax with placeholder values


resp = client.update_identity_source({
  policy_store_id: "PolicyStoreId", # required
  identity_source_id: "IdentitySourceId", # required
  update_configuration: { # required
    cognito_user_pool_configuration: {
      user_pool_arn: "UserPoolArn", # required
      client_ids: ["ClientId"],
      group_configuration: {
        group_entity_type: "GroupEntityType", # required
      },
    },
    open_id_connect_configuration: {
      issuer: "Issuer", # required
      entity_id_prefix: "EntityIdPrefix",
      group_configuration: {
        group_claim: "Claim", # required
        group_entity_type: "GroupEntityType", # required
      },
      token_selection: { # required
        access_token_only: {
          principal_id_claim: "Claim",
          audiences: ["Audience"],
        },
        identity_token_only: {
          principal_id_claim: "Claim",
          client_ids: ["ClientId"],
        },
      },
    },
  },
  principal_entity_type: "PrincipalEntityType",
})

Response structure


resp.created_date #=> Time
resp.identity_source_id #=> String
resp.last_updated_date #=> Time
resp.policy_store_id #=> String

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :policy_store_id (required, String)

    Specifies the ID of the policy store that contains the identity source that you want to update.

  • :identity_source_id (required, String)

    Specifies the ID of the identity source that you want to update.

  • :update_configuration (required, Types::UpdateConfiguration)

    Specifies the details required to communicate with the identity provider (IdP) associated with this identity source.

  • :principal_entity_type (String)

    Specifies the data type of principals generated for identities authenticated by the identity source.

Returns:

See Also:



3412
3413
3414
3415
 
# File 'lib/aws-sdk-verifiedpermissions/client.rb', line 3412

def update_identity_source(params = {}, options = {})
  req = build_request(:update_identity_source, params)
  req.send_request(options)
end

#update_policy(params = {}) ⇒ Types::UpdatePolicyOutput

Modifies a Cedar static policy in the specified policy store. You can change only certain elements of the [UpdatePolicyDefinition] parameter. You can directly update only static policies. To change a template-linked policy, you must update the template instead, using [UpdatePolicyTemplate].

<note markdown=“1”> * If policy validation is enabled in the policy store, then updating a

static policy causes Verified Permissions to validate the policy
against the schema in the policy store. If the updated static policy
doesn't pass validation, the operation fails and the update isn't
stored.

  • When you edit a static policy, you can change only certain elements of a static policy:

    • The action referenced by the policy.

    • A condition clause, such as when and unless.

    You can’t change these elements of a static policy:

    • Changing a policy from a static policy to a template-linked policy.

    • Changing the effect of a static policy from permit or forbid.

    • The principal referenced by a static policy.

    • The resource referenced by a static policy.

  • To update a template-linked policy, you must update the template instead.

</note>

<note markdown=“1”> Verified Permissions is <a href=“https://wikipedia.org/wiki/Eventual_consistency”>eventually consistent</a> . It can take a few seconds for a new or changed element to propagate through the service and be visible in the results of other Verified Permissions operations.

</note>

[1]: docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_UpdatePolicyInput.html#amazonverifiedpermissions-UpdatePolicy-request-UpdatePolicyDefinition [2]: docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_UpdatePolicyTemplate.html

Examples:

Example: UpdatePolicy


# The following example replaces the definition of the specified static policy with a new one.

resp = client.update_policy({
  definition: {
    static: {
      statement: "permit(principal, action, resource in Album::\"public_folder\");", 
    }, 
  }, 
  policy_id: "9wYxMpljbbZQb5fcZHyJhY", 
  policy_store_id: "C7v5xMplfFH3i3e4Jrzb1a", 
})

resp.to_h outputs the following:
{
  created_date: Time.parse("2024-08-12T18:20:50.99Z"), 
  last_updated_date: Time.parse("2024-08-12T18:20:50.99Z"), 
  policy_id: "9wYxMpljbbZQb5fcZHyJhY", 
  policy_store_id: "C7v5xMplfFH3i3e4Jrzb1a", 
  policy_type: "STATIC", 
  resource: {
    entity_id: "public_folder", 
    entity_type: "Album", 
  }, 
}

Request syntax with placeholder values


resp = client.update_policy({
  policy_store_id: "PolicyStoreId", # required
  policy_id: "PolicyId", # required
  definition: { # required
    static: {
      description: "StaticPolicyDescription",
      statement: "PolicyStatement", # required
    },
  },
})

Response structure


resp.policy_store_id #=> String
resp.policy_id #=> String
resp.policy_type #=> String, one of "STATIC", "TEMPLATE_LINKED"
resp.principal.entity_type #=> String
resp.principal.entity_id #=> String
resp.resource.entity_type #=> String
resp.resource.entity_id #=> String
resp.actions #=> Array
resp.actions[0].action_type #=> String
resp.actions[0].action_id #=> String
resp.created_date #=> Time
resp.last_updated_date #=> Time
resp.effect #=> String, one of "Permit", "Forbid"

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :policy_store_id (required, String)

    Specifies the ID of the policy store that contains the policy that you want to update.

  • :policy_id (required, String)

    Specifies the ID of the policy that you want to update. To find this value, you can use [ListPolicies].

    [1]: docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_ListPolicies.html

  • :definition (required, Types::UpdatePolicyDefinition)

    Specifies the updated policy content that you want to replace on the specified policy. The content must be valid Cedar policy language text.

    You can change only the following elements from the policy definition:

    • The ‘action` referenced by the policy.

    • Any conditional clauses, such as ‘when` or `unless` clauses.

    You **can’t** change the following elements:

    • Changing from ‘static` to `templateLinked`.

    • Changing the effect of the policy from ‘permit` or `forbid`.

    • The ‘principal` referenced by the policy.

    • The ‘resource` referenced by the policy.

Returns:

See Also:



3569
3570
3571
3572
 
# File 'lib/aws-sdk-verifiedpermissions/client.rb', line 3569

def update_policy(params = {}, options = {})
  req = build_request(:update_policy, params)
  req.send_request(options)
end

#update_policy_store(params = {}) ⇒ Types::UpdatePolicyStoreOutput

Modifies the validation setting for a policy store.

<note markdown=“1”> Verified Permissions is <a href=“https://wikipedia.org/wiki/Eventual_consistency”>eventually consistent</a> . It can take a few seconds for a new or changed element to propagate through the service and be visible in the results of other Verified Permissions operations.

</note>

Examples:

Example: UpdatePolicyStore


# The following example turns off the validation settings for a policy store.

resp = client.update_policy_store({
  policy_store_id: "C7v5xMplfFH3i3e4Jrzb1a", 
  validation_settings: {
    mode: "OFF", 
  }, 
})

resp.to_h outputs the following:
{
  arn: "arn:aws:verifiedpermissions::123456789012:policy-store/C7v5xMplfFH3i3e4Jrzb1a", 
  created_date: Time.parse("2023-05-17T18:36:10.134448Z"), 
  last_updated_date: Time.parse("2023-05-23T18:18:12.443083Z"), 
  policy_store_id: "C7v5xMplfFH3i3e4Jrzb1a", 
}

Request syntax with placeholder values


resp = client.update_policy_store({
  policy_store_id: "PolicyStoreId", # required
  validation_settings: { # required
    mode: "OFF", # required, accepts OFF, STRICT
  },
  description: "PolicyStoreDescription",
})

Response structure


resp.policy_store_id #=> String
resp.arn #=> String
resp.created_date #=> Time
resp.last_updated_date #=> Time

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :policy_store_id (required, String)

    Specifies the ID of the policy store that you want to update

  • :validation_settings (required, Types::ValidationSettings)

    A structure that defines the validation settings that want to enable for the policy store.

  • :description (String)

    Descriptive text that you can provide to help with identification of the current policy store.

Returns:

See Also:



3643
3644
3645
3646
 
# File 'lib/aws-sdk-verifiedpermissions/client.rb', line 3643

def update_policy_store(params = {}, options = {})
  req = build_request(:update_policy_store, params)
  req.send_request(options)
end

#update_policy_template(params = {}) ⇒ Types::UpdatePolicyTemplateOutput

Updates the specified policy template. You can update only the description and the some elements of the [policyBody].

Changes you make to the policy template content are immediately (within the constraints of eventual consistency) reflected in authorization decisions that involve all template-linked policies instantiated from this template.

<note markdown=“1”> Verified Permissions is <a href=“https://wikipedia.org/wiki/Eventual_consistency”>eventually consistent</a> . It can take a few seconds for a new or changed element to propagate through the service and be visible in the results of other Verified Permissions operations.

</note>

[1]: docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_UpdatePolicyTemplate.html#amazonverifiedpermissions-UpdatePolicyTemplate-request-policyBody

Examples:

Example: UpdatePolicyTemplate


# The following example updates a policy template with both a new description and a new policy body. The effect,
# principal, and resource are the same as the original policy template. Only the action in the head, and the when and
# unless clauses can be different.
# Note
# The JSON in the parameters of this operation are strings that can contain embedded quotation marks (") within the
# outermost quotation mark pair. This requires that you stringify the JSON object by preceding all embedded quotation
# marks with a backslash character ( \" ) and combining all lines into a single text line with no line breaks.
# Example strings might be displayed wrapped across multiple lines here for readability, but the operation requires the
# parameters be submitted as single line strings.

resp = client.update_policy_template({
  description: "My updated template description", 
  policy_store_id: "C7v5xMplfFH3i3e4Jrzb1a", 
  policy_template_id: "PTEXAMPLEabcdefg111111", 
  statement: "\"ResearchAccess\"\npermit(\nprincipal in ?principal,\naction == Action::\"view\",\nresource in ?resource\"\n)\nwhen {\nprincipal has department && principal.department == \"research\"\n};", 
})

resp.to_h outputs the following:
{
  created_date: Time.parse("2023-05-17T18:58:48.795411Z"), 
  last_updated_date: Time.parse("2023-05-17T19:18:48.870209Z"), 
  policy_store_id: "C7v5xMplfFH3i3e4Jrzb1a", 
  policy_template_id: "PTEXAMPLEabcdefg111111", 
}

Request syntax with placeholder values


resp = client.update_policy_template({
  policy_store_id: "PolicyStoreId", # required
  policy_template_id: "PolicyTemplateId", # required
  description: "PolicyTemplateDescription",
  statement: "PolicyStatement", # required
})

Response structure


resp.policy_store_id #=> String
resp.policy_template_id #=> String
resp.created_date #=> Time
resp.last_updated_date #=> Time

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :policy_store_id (required, String)

    Specifies the ID of the policy store that contains the policy template that you want to update.

  • :policy_template_id (required, String)

    Specifies the ID of the policy template that you want to update.

  • :description (String)

    Specifies a new description to apply to the policy template.

  • :statement (required, String)

    Specifies new statement content written in Cedar policy language to replace the current body of the policy template.

    You can change only the following elements of the policy body:

    • The ‘action` referenced by the policy template.

    • Any conditional clauses, such as ‘when` or `unless` clauses.

    You **can’t** change the following elements:

    • The effect (‘permit` or `forbid`) of the policy template.

    • The ‘principal` referenced by the policy template.

    • The ‘resource` referenced by the policy template.

Returns:

See Also:



3751
3752
3753
3754
 
# File 'lib/aws-sdk-verifiedpermissions/client.rb', line 3751

def update_policy_template(params = {}, options = {})
  req = build_request(:update_policy_template, params)
  req.send_request(options)
end

#waiter_namesObject

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Deprecated. 


3780
3781
3782
 
# File 'lib/aws-sdk-verifiedpermissions/client.rb', line 3780

def waiter_names
  []
end