AWS IoT Developer Guide

TestAuthorization

Test custom authorization.

HTTPS API:

Request syntax:

    POST /test-authorization?clientId=clientId
    Content-type: application/json

    {
      "principal": "string",
      "cognitoIdentityPoolId": "string",
      "authInfos": [
        {
          "actionType": "string",
          "resources": [ "string" ]
        }
      ],
      "policyNamesToAdd": [ "string" ],
      "policyNamesToSkip": [ "string" ]
    }

URI Request Parameters:

    clientId (ClientId, optional)
        The MQTT client ID.

Request Body Parameters:

    principal (Principal, optional)
        The principal.

    cognitoIdentityPoolId (CognitoIdentityPoolId, optional)
        The Cognito identity pool ID.

    authInfos (AuthInfos, required)
        A list of authorization info objects. Simulating authorization will create a response for each authInfo object in the list.

    policyNamesToAdd (PolicyNames, optional)
        When testing custom authorization, the policies specified here are treated as if they are attached to the principal being authorized.

    policyNamesToSkip (PolicyNames, optional)
        When testing custom authorization, the policies specified here are treated as if they are not attached to the principal being authorized.

Response syntax:

    Content-type: application/json

    {
      "authResults": [
        {
          "authInfo": {
            "actionType": "string",
            "resources": [ "string" ]
          },
          "allowed": {
            "policies": [
              { "policyName": "string", "policyArn": "string" }
            ]
          },
          "denied": {
            "implicitDeny": {
              "policies": [
                { "policyName": "string", "policyArn": "string" }
              ]
            },
            "explicitDeny": {
              "policies": [
                { "policyName": "string", "policyArn": "string" }
              ]
            }
          },
          "authDecision": "string",
          "missingContextValues": [ "string" ]
        }
      ]
    }

Response Body Parameters:

    authResults (AuthResults, optional)
        The authentication results.

Errors:

    ResourceNotFoundException (HTTP response code: 404)
        The specified resource does not exist.

    InvalidRequestException (HTTP response code: 400)
        The contents of the request were invalid. For example, this code is returned when an UpdateJobExecution request contains invalid status details. The message contains details about the error.

    ThrottlingException (HTTP response code: 429)
        The rate exceeds the limit.

    UnauthorizedException (HTTP response code: 401)
        You are not authorized to perform this operation.

    ServiceUnavailableException (HTTP response code: 503)
        The service is temporarily unavailable.

    InternalFailureException (HTTP response code: 500)
        An unexpected error has occurred.

    LimitExceededException (HTTP response code: 410)
        The number of attached entities exceeds the limit.

CLI:

Synopsis:

    aws iot test-authorization \
        [--principal <value>] \
        [--cognito-identity-pool-id <value>] \
        --auth-infos <value> \
        [--client-id <value>] \
        [--policy-names-to-add <value>] \
        [--policy-names-to-skip <value>] \
        [--cli-input-json <value>] \
        [--generate-cli-skeleton]

cli-input-json format:

    {
      "principal": "string",
      "cognitoIdentityPoolId": "string",
      "authInfos": [
        {
          "actionType": "string",
          "resources": [ "string" ]
        }
      ],
      "clientId": "string",
      "policyNamesToAdd": [ "string" ],
      "policyNamesToSkip": [ "string" ]
    }

cli-input-json fields:

    principal (string)
        The principal.

    cognitoIdentityPoolId (string)
        The Cognito identity pool ID.

    authInfos (list, member: AuthInfo)
        A list of authorization info objects. Simulating authorization will create a response for each authInfo object in the list.

        actionType (string)
            The type of action for which the principal is being authorized.
            enum: PUBLISH | SUBSCRIBE | RECEIVE | CONNECT

        resources (list, member: Resource)
            The resources for which the principal is being authorized to perform the specified action.

    clientId (string)
        The MQTT client ID.

    policyNamesToAdd (list, member: PolicyName; java class: java.util.List)
        When testing custom authorization, the policies specified here are treated as if they are attached to the principal being authorized.

    policyNamesToSkip (list, member: PolicyName; java class: java.util.List)
        When testing custom authorization, the policies specified here are treated as if they are not attached to the principal being authorized.

Output:

    {
      "authResults": [
        {
          "authInfo": {
            "actionType": "string",
            "resources": [ "string" ]
          },
          "allowed": {
            "policies": [
              { "policyName": "string", "policyArn": "string" }
            ]
          },
          "denied": {
            "implicitDeny": {
              "policies": [
                { "policyName": "string", "policyArn": "string" }
              ]
            },
            "explicitDeny": {
              "policies": [
                { "policyName": "string", "policyArn": "string" }
              ]
            }
          },
          "authDecision": "string",
          "missingContextValues": [ "string" ]
        }
      ]
    }

cli output fields:

    authResults (list, member: AuthResult)
        The authentication results.

        authInfo (AuthInfo)
            Authorization information.

            actionType (string)
                The type of action for which the principal is being authorized.
                enum: PUBLISH | SUBSCRIBE | RECEIVE | CONNECT

            resources (list, member: Resource)
                The resources for which the principal is being authorized to perform the specified action.

        allowed (Allowed)
            The policies and statements that allowed the specified action.

            policies (list, member: Policy; java class: java.util.List)
                A list of policies that allowed the authentication.

                policyName (string; length: min 1, max 128; pattern: [\w+=,.@-]+)
                    The policy name.

                policyArn (string)
                    The policy ARN.

        denied (Denied)
            The policies and statements that denied the specified action.

            implicitDeny (ImplicitDeny)
                Information that implicitly denies the authorization. When a policy doesn't explicitly deny or allow an action on a resource it is considered an implicit deny.

                policies (list, member: Policy; java class: java.util.List)
                    Policies that don't contain a matching allow or deny statement for the specified action on the specified resource.

                    policyName (string; length: min 1, max 128; pattern: [\w+=,.@-]+)
                        The policy name.

                    policyArn (string)
                        The policy ARN.

            explicitDeny (ExplicitDeny)
                Information that explicitly denies the authorization.

                policies (list, member: Policy; java class: java.util.List)
                    The policies that denied the authorization.

                    policyName (string; length: min 1, max 128; pattern: [\w+=,.@-]+)
                        The policy name.

                    policyArn (string)
                        The policy ARN.

        authDecision (string)
            The final authorization decision of this scenario. Multiple statements are taken into account when determining the authorization decision. An explicit deny statement can override multiple allow statements.
            enum: ALLOWED | EXPLICIT_DENY | IMPLICIT_DENY

        missingContextValues (list, member: MissingContextValue; java class: java.util.List)
            Contains any missing context values found while evaluating policy.
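The fields above describe one AuthResult per AuthInfo submitted. The following is an added example (not from the AWS IoT Developer Guide): it uses TestAuthorization as a pre-deployment least-privilege check for a device principal, attaching a candidate policy via policyNamesToAdd and comparing each authDecision against the decision the device's threat model expects. The account prefix, thing and policy names, and the sample response are constructed placeholders; check_live() assumes boto3 and AWS credentials are available.

```python
"""Added example, not part of the AWS IoT Developer Guide: use TestAuthorization as a
pre-deployment least-privilege check. ARNs, policy names and the sample response below are
constructed placeholders; check_live() needs boto3 and AWS credentials."""
ACCT = "arn:aws:iot:us-east-1:123456789012"  # constructed region/account prefix
# Expected decision per (actionType, resource): the device may connect as itself and publish
# its own telemetry; anything touching other devices must be denied.
EXPECTATIONS = {("CONNECT", f"{ACCT}:client/thing-01"): "ALLOWED",
                ("PUBLISH", f"{ACCT}:topic/devices/thing-01/telemetry"): "ALLOWED",
                ("PUBLISH", f"{ACCT}:topic/devices/thing-02/telemetry"): "DENIED",
                ("SUBSCRIBE", f"{ACCT}:topicfilter/devices/#"): "DENIED"}

def classify(auth_results, expectations):
    """Findings where authDecision disagrees with the expectation (EXPLICIT_DENY and
    IMPLICIT_DENY both count as denied), plus any missingContextValues: a decision reached
    without them may not match what the broker decides at runtime."""
    findings = []
    for res in auth_results:
        info, decision = res["authInfo"], res["authDecision"]
        got = "ALLOWED" if decision == "ALLOWED" else "DENIED"
        for resource in info["resources"]:
            key = (info["actionType"], resource)
            want = expectations.get(key)
            if want is not None and got != want:
                via = [p["policyName"] for p in res["allowed"]["policies"]]
                findings.append(f"{key}: expected {want}, got {decision} via {via}")
        if res.get("missingContextValues"):
            findings.append(f"{info['actionType']}: missing context {res['missingContextValues']}")
    return findings

def check_live(principal, policy_names_to_add, expectations=EXPECTATIONS):
    """Call TestAuthorization with the candidate policy attached via policyNamesToAdd."""
    import boto3  # imported here so the module loads without boto3 or credentials
    resp = boto3.client("iot").test_authorization(
        principal=principal, policyNamesToAdd=policy_names_to_add,
        authInfos=[{"actionType": a, "resources": [r]} for (a, r) in expectations])
    return classify(resp["authResults"], expectations)

def _result(action, resource, decision, allowed=(), missing=()):
    """One AuthResult in the documented response shape (constructed sample data)."""
    pols = [{"policyName": n, "policyArn": f"{ACCT}:policy/{n}"} for n in allowed]
    return {"authInfo": {"actionType": action, "resources": [resource]},
            "allowed": {"policies": pols}, "authDecision": decision,
            "denied": {"implicitDeny": {"policies": []}, "explicitDeny": {"policies": []}},
            "missingContextValues": list(missing)}

# Constructed response: the candidate policy's topic wildcard also allows thing-02's topic.
SAMPLE_RESULTS = [
    _result("CONNECT", f"{ACCT}:client/thing-01", "ALLOWED", ["thing-01-policy"], ["iot:ClientId"]),
    _result("PUBLISH", f"{ACCT}:topic/devices/thing-01/telemetry", "ALLOWED", ["thing-01-policy"]),
    _result("PUBLISH", f"{ACCT}:topic/devices/thing-02/telemetry", "ALLOWED", ["thing-01-policy"]),
    _result("SUBSCRIBE", f"{ACCT}:topicfilter/devices/#", "IMPLICIT_DENY")]
```

Running classify() over SAMPLE_RESULTS reports the over-broad PUBLISH grant on thing-02's topic and the CONNECT decision that was reached with a missing context value, which is the signal to tighten the policy before it is attached to a real certificate.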

Errors:

    ResourceNotFoundException
        The specified resource does not exist.

    InvalidRequestException
        The contents of the request were invalid. For example, this code is returned when an UpdateJobExecution request contains invalid status details. The message contains details about the error.

    ThrottlingException
        The rate exceeds the limit.

    UnauthorizedException
        You are not authorized to perform this operation.

    ServiceUnavailableException
        The service is temporarily unavailable.

    InternalFailureException
        An unexpected error has occurred.

    LimitExceededException
        The number of attached entities exceeds the limit.