AWS IoT
Developer Guide

TestAuthorization

Test custom authorization.

Request syntax:

POST /test-authorization?clientId=clientId
Content-type: application/json

{
  "principal": "string",
  "cognitoIdentityPoolId": "string",
  "authInfos": [
    {
      "actionType": "string",
      "resources": [ "string" ]
    }
  ],
  "policyNamesToAdd": [ "string" ],
  "policyNamesToSkip": [ "string" ]
}

URI Request Parameters:

clientId (ClientId, optional)
    The MQTT client ID.

Request Body Parameters:

principal (Principal, optional)
    The principal.

cognitoIdentityPoolId (CognitoIdentityPoolId, optional)
    The Cognito identity pool ID.

authInfos (AuthInfos, required)
    A list of authorization info objects. Simulating authorization will create a response for each authInfo object in the list.

policyNamesToAdd (PolicyNames, optional)
    When testing custom authorization, the policies specified here are treated as if they are attached to the principal being authorized.

policyNamesToSkip (PolicyNames, optional)
    When testing custom authorization, the policies specified here are treated as if they are not attached to the principal being authorized.

Response syntax:

Content-type: application/json

{
  "authResults": [
    {
      "authInfo": {
        "actionType": "string",
        "resources": [ "string" ]
      },
      "allowed": {
        "policies": [
          { "policyName": "string", "policyArn": "string" }
        ]
      },
      "denied": {
        "implicitDeny": {
          "policies": [
            { "policyName": "string", "policyArn": "string" }
          ]
        },
        "explicitDeny": {
          "policies": [
            { "policyName": "string", "policyArn": "string" }
          ]
        }
      },
      "authDecision": "string",
      "missingContextValues": [ "string" ]
    }
  ]
}

Response Body Parameters:

authResults (AuthResults, optional)
    The authentication results.

Errors:

ResourceNotFoundException

The specified resource does not exist.

HTTP response code: 404

InvalidRequestException

The contents of the request were invalid. For example, this code is returned when an UpdateJobExecution request contains invalid status details. The message contains details about the error.

HTTP response code: 400

ThrottlingException

The rate exceeds the limit.

HTTP response code: 429

UnauthorizedException

You are not authorized to perform this operation.

HTTP response code: 401

ServiceUnavailableException

The service is temporarily unavailable.

HTTP response code: 503

InternalFailureException

An unexpected error has occurred.

HTTP response code: 500

LimitExceededException

The number of attached entities exceeds the limit.

HTTP response code: 410

CLI

Synopsis:

aws iot test-authorization \
    [--principal <value>] \
    [--cognito-identity-pool-id <value>] \
    --auth-infos <value> \
    [--client-id <value>] \
    [--policy-names-to-add <value>] \
    [--policy-names-to-skip <value>] \
    [--cli-input-json <value>] \
    [--generate-cli-skeleton]

cli-input-json format:

{
  "principal": "string",
  "cognitoIdentityPoolId": "string",
  "authInfos": [
    {
      "actionType": "string",
      "resources": [ "string" ]
    }
  ],
  "clientId": "string",
  "policyNamesToAdd": [ "string" ],
  "policyNamesToSkip": [ "string" ]
}

cli-input-json fields:

principal (string)
    The principal.

cognitoIdentityPoolId (string)
    The Cognito identity pool ID.

authInfos (list; member: AuthInfo)
    A list of authorization info objects. Simulating authorization will create a response for each authInfo object in the list.
    AuthInfo:
        actionType (string; enum: PUBLISH | SUBSCRIBE | RECEIVE | CONNECT; java class: com.amazonaws.iot.identity.enums.ActionType)
            The type of action for which the principal is being authorized.
        resources (list; member: Resource, a string)
            The resources for which the principal is being authorized to perform the specified action.

clientId (string)
    The MQTT client ID.

policyNamesToAdd (list; member: PolicyName; java class: java.util.List)
    When testing custom authorization, the policies specified here are treated as if they are attached to the principal being authorized.
    PolicyName: string, length min 1 max 128, pattern [\w+=,.@-]+

policyNamesToSkip (list; member: PolicyName; java class: java.util.List)
    When testing custom authorization, the policies specified here are treated as if they are not attached to the principal being authorized.
    PolicyName: string, length min 1 max 128, pattern [\w+=,.@-]+

Output:

{
  "authResults": [
    {
      "authInfo": {
        "actionType": "string",
        "resources": [ "string" ]
      },
      "allowed": {
        "policies": [
          { "policyName": "string", "policyArn": "string" }
        ]
      },
      "denied": {
        "implicitDeny": {
          "policies": [
            { "policyName": "string", "policyArn": "string" }
          ]
        },
        "explicitDeny": {
          "policies": [
            { "policyName": "string", "policyArn": "string" }
          ]
        }
      },
      "authDecision": "string",
      "missingContextValues": [ "string" ]
    }
  ]
}

cli output fields:

authResults (list; member: AuthResult)
    The authentication results.
    AuthResult:
        authInfo (AuthInfo)
            Authorization information.
            actionType (string; enum: PUBLISH | SUBSCRIBE | RECEIVE | CONNECT; java class: com.amazonaws.iot.identity.enums.ActionType)
                The type of action for which the principal is being authorized.
            resources (list; member: Resource, a string)
                The resources for which the principal is being authorized to perform the specified action.

        allowed (Allowed)
            The policies and statements that allowed the specified action.
            policies (list; member: Policy; java class: java.util.List)
                A list of policies that allowed the authentication.
                Policy:
                    policyName (string; length min 1 max 128; pattern [\w+=,.@-]+)
                        The policy name.
                    policyArn (string)
                        The policy ARN.

        denied (Denied)
            The policies and statements that denied the specified action.
            implicitDeny (ImplicitDeny)
                Information that implicitly denies the authorization. When a policy doesn't explicitly deny or allow an action on a resource it is considered an implicit deny.
                policies (list; member: Policy; java class: java.util.List)
                    Policies that don't contain a matching allow or deny statement for the specified action on the specified resource.
                    Policy:
                        policyName (string; length min 1 max 128; pattern [\w+=,.@-]+)
                            The policy name.
                        policyArn (string)
                            The policy ARN.
            explicitDeny (ExplicitDeny)
                Information that explicitly denies the authorization.
                policies (list; member: Policy; java class: java.util.List)
                    The policies that denied the authorization.
                    Policy:
                        policyName (string; length min 1 max 128; pattern [\w+=,.@-]+)
                            The policy name.
                        policyArn (string)
                            The policy ARN.

        authDecision (string; enum: ALLOWED | EXPLICIT_DENY | IMPLICIT_DENY; java class: com.amazonaws.iot.identity.enums.AuthDecision)
            The final authorization decision of this scenario. Multiple statements are taken into account when determining the authorization decision. An explicit deny statement can override multiple allow statements.

        missingContextValues (list; member: MissingContextValue, a string; java class: java.util.List)
            Contains any missing context values found while evaluating policy.
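As an added example that is not part of the AWS reference, the following Python builds a request body in the cli-input-json shape documented above (checking the actionType enum and the PolicyName length and pattern constraints locally, before anything is sent) and flattens an authResults response into one row per action and resource, selecting the policy list that produced the authDecision. The sample response, ARNs, policy names and the "iot:ClientId" context value are constructed; the code never calls the service.

```python
import re
# Constraints the reference states for PolicyName: length 1..128, pattern [\w+=,.@-]+
POLICY_NAME_RE = re.compile(r"^[\w+=,.@-]{1,128}$")
ACTION_TYPES = {"PUBLISH", "SUBSCRIBE", "RECEIVE", "CONNECT"}

def build_request(principal, auth_infos, client_id=None, add=(), skip=()):
    """Dict in the cli-input-json shape, with field constraints checked locally."""
    for info in auth_infos:
        if info["actionType"] not in ACTION_TYPES:
            raise ValueError(f"unknown actionType {info['actionType']!r}")
    bad = [n for n in (*add, *skip) if not POLICY_NAME_RE.match(n)]
    if bad: raise ValueError(f"invalid policy names: {bad}")
    body = {"principal": principal, "authInfos": list(auth_infos)}
    if client_id:
        body["clientId"] = client_id
    if add:
        body["policyNamesToAdd"] = list(add)
    if skip:
        body["policyNamesToSkip"] = list(skip)
    return body

def summarize(response):
    """Rows of (actionType, resource, authDecision, deciding policy names, missing context)."""
    rows = []
    for r in response["authResults"]:
        decision = r["authDecision"]
        if decision == "ALLOWED":
            pols = r["allowed"]["policies"]
        elif decision == "EXPLICIT_DENY":  # an explicit deny overrides any allow
            pols = r["denied"]["explicitDeny"]["policies"]
        else:  # IMPLICIT_DENY: no statement matched the action on the resource
            pols = r["denied"]["implicitDeny"]["policies"]
        names = [p["policyName"] for p in pols]
        for res in r["authInfo"]["resources"]:
            rows.append((r["authInfo"]["actionType"], res, decision, names,
                         r.get("missingContextValues", [])))
    return rows

# Constructed sample response in the documented shape (not captured from the service).
ARN = "arn:aws:iot:us-east-1:123456789012:"
SAMPLE_RESPONSE = {"authResults": [
    {"authInfo": {"actionType": "PUBLISH", "resources": [ARN + "topic/sensors/dev1"]},
     "allowed": {"policies": [{"policyName": "DevicePolicy", "policyArn": ARN + "policy/DevicePolicy"}]},
     "denied": {"implicitDeny": {"policies": []}, "explicitDeny": {"policies": []}},
     "authDecision": "ALLOWED", "missingContextValues": []},
    {"authInfo": {"actionType": "SUBSCRIBE", "resources": [ARN + "topicfilter/#"]},
     "allowed": {"policies": []}, "authDecision": "EXPLICIT_DENY", "missingContextValues": ["iot:ClientId"],
     "denied": {"implicitDeny": {"policies": []}, "explicitDeny": {"policies": [
         {"policyName": "DenyWildcard", "policyArn": ARN + "policy/DenyWildcard"}]}}}]}
```

Write the dict from build_request to a file with json.dump and pass it via --cli-input-json; feed the parsed output of aws iot test-authorization to summarize() to see, per action and resource, which policies decided the outcome.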
