Class: Aws::VerifiedPermissions::Client

Inherits:
Seahorse::Client::Base show all
Includes:
ClientStubs
Defined in:
gems/aws-sdk-verifiedpermissions/lib/aws-sdk-verifiedpermissions/client.rb

Overview

An API client for VerifiedPermissions. To construct a client, you need to configure a :region and :credentials.

client = Aws::VerifiedPermissions::Client.new(
  region: region_name,
  credentials: credentials,
  # ...
)

For details on configuring region and credentials see the developer guide.

See #initialize for a full list of supported configuration options.

Instance Attribute Summary

Attributes inherited from Seahorse::Client::Base

#config, #handlers

API Operations collapse

Instance Method Summary collapse

Methods included from ClientStubs

#api_requests, #stub_data, #stub_responses

Methods inherited from Seahorse::Client::Base

add_plugin, api, clear_plugins, define, new, #operation_names, plugins, remove_plugin, set_api, set_plugins

Methods included from Seahorse::Client::HandlerBuilder

#handle, #handle_request, #handle_response

Constructor Details

#initialize(options) ⇒ Client

Returns a new instance of Client.

Parameters:

  • options (Hash)

Options Hash (options):

  • :credentials (required, Aws::CredentialProvider)

    Your AWS credentials. This can be an instance of any one of the following classes:

    • Aws::Credentials - Used for configuring static, non-refreshing credentials.

    • Aws::SharedCredentials - Used for loading static credentials from a shared file, such as ~/.aws/config.

    • Aws::AssumeRoleCredentials - Used when you need to assume a role.

    • Aws::AssumeRoleWebIdentityCredentials - Used when you need to assume a role after providing credentials via the web.

    • Aws::SSOCredentials - Used for loading credentials from AWS SSO using an access token generated from aws login.

    • Aws::ProcessCredentials - Used for loading credentials from a process that outputs to stdout.

    • Aws::InstanceProfileCredentials - Used for loading credentials from an EC2 IMDS on an EC2 instance.

    • Aws::ECSCredentials - Used for loading credentials from instances running in ECS.

    • Aws::CognitoIdentityCredentials - Used for loading credentials from the Cognito Identity service.

    When :credentials are not configured directly, the following locations will be searched for credentials:

    • Aws.config[:credentials]
    • The :access_key_id, :secret_access_key, and :session_token options.
    • ENV['AWS_ACCESS_KEY_ID'], ENV['AWS_SECRET_ACCESS_KEY']
    • ~/.aws/credentials
    • ~/.aws/config
    • EC2/ECS IMDS instance profile - When used by default, the timeouts are very aggressive. Construct and pass an instance of Aws::InstanceProfileCredentails or Aws::ECSCredentials to enable retries and extended timeouts. Instance profile credential fetching can be disabled by setting ENV['AWS_EC2_METADATA_DISABLED'] to true.
  • :region (required, String)

    The AWS region to connect to. The configured :region is used to determine the service :endpoint. When not passed, a default :region is searched for in the following locations:

    • Aws.config[:region]
    • ENV['AWS_REGION']
    • ENV['AMAZON_REGION']
    • ENV['AWS_DEFAULT_REGION']
    • ~/.aws/credentials
    • ~/.aws/config
  • :access_key_id (String)
  • :active_endpoint_cache (Boolean) — default: false

    When set to true, a thread polling for endpoints will be running in the background every 60 secs (default). Defaults to false.

  • :adaptive_retry_wait_to_fill (Boolean) — default: true

    Used only in adaptive retry mode. When true, the request will sleep until there is sufficent client side capacity to retry the request. When false, the request will raise a RetryCapacityNotAvailableError and will not retry instead of sleeping.

  • :client_side_monitoring (Boolean) — default: false

    When true, client-side metrics will be collected for all API requests from this client.

  • :client_side_monitoring_client_id (String) — default: ""

    Allows you to provide an identifier for this client which will be attached to all generated client side metrics. Defaults to an empty string.

  • :client_side_monitoring_host (String) — default: "127.0.0.1"

    Allows you to specify the DNS hostname or IPv4 or IPv6 address that the client side monitoring agent is running on, where client metrics will be published via UDP.

  • :client_side_monitoring_port (Integer) — default: 31000

    Required for publishing client metrics. The port that the client side monitoring agent is running on, where client metrics will be published via UDP.

  • :client_side_monitoring_publisher (Aws::ClientSideMonitoring::Publisher) — default: Aws::ClientSideMonitoring::Publisher

    Allows you to provide a custom client-side monitoring publisher class. By default, will use the Client Side Monitoring Agent Publisher.

  • :convert_params (Boolean) — default: true

    When true, an attempt is made to coerce request parameters into the required types.

  • :correct_clock_skew (Boolean) — default: true

    Used only in standard and adaptive retry modes. Specifies whether to apply a clock skew correction and retry requests with skewed client clocks.

  • :defaults_mode (String) — default: "legacy"

    See DefaultsModeConfiguration for a list of the accepted modes and the configuration defaults that are included.

  • :disable_host_prefix_injection (Boolean) — default: false

    Set to true to disable SDK automatically adding host prefix to default service endpoint when available.

  • :disable_request_compression (Boolean) — default: false

    When set to 'true' the request body will not be compressed for supported operations.

  • :endpoint (String, URI::HTTPS, URI::HTTP)

    Normally you should not configure the :endpoint option directly. This is normally constructed from the :region option. Configuring :endpoint is normally reserved for connecting to test or custom endpoints. The endpoint should be a URI formatted like:

    'http://example.com'
'https://example.com'
'http://example.com:123'
  • :endpoint_cache_max_entries (Integer) — default: 1000

    Used for the maximum size limit of the LRU cache storing endpoints data for endpoint discovery enabled operations. Defaults to 1000.

  • :endpoint_cache_max_threads (Integer) — default: 10

    Used for the maximum threads in use for polling endpoints to be cached, defaults to 10.

  • :endpoint_cache_poll_interval (Integer) — default: 60

    When :endpoint_discovery and :active_endpoint_cache is enabled, Use this option to config the time interval in seconds for making requests fetching endpoints information. Defaults to 60 sec.

  • :endpoint_discovery (Boolean) — default: false

    When set to true, endpoint discovery will be enabled for operations when available.

  • :ignore_configured_endpoint_urls (Boolean)

    Setting to true disables use of endpoint URLs provided via environment variables and the shared configuration file.

  • :log_formatter (Aws::Log::Formatter) — default: Aws::Log::Formatter.default

    The log formatter.

  • :log_level (Symbol) — default: :info

    The log level to send messages to the :logger at.

  • :logger (Logger)

    The Logger instance to send log messages to. If this option is not set, logging will be disabled.

  • :max_attempts (Integer) — default: 3

    An integer representing the maximum number attempts that will be made for a single request, including the initial attempt. For example, setting this value to 5 will result in a request being retried up to 4 times. Used in standard and adaptive retry modes.

  • :profile (String) — default: "default"

    Used when loading credentials from the shared credentials file at HOME/.aws/credentials. When not specified, 'default' is used.

  • :request_min_compression_size_bytes (Integer) — default: 10240

    The minimum size in bytes that triggers compression for request bodies. The value must be non-negative integer value between 0 and 10485780 bytes inclusive.

  • :retry_backoff (Proc)

    A proc or lambda used for backoff. Defaults to 2**retries * retry_base_delay. This option is only used in the legacy retry mode.

  • :retry_base_delay (Float) — default: 0.3

    The base delay in seconds used by the default backoff function. This option is only used in the legacy retry mode.

  • :retry_jitter (Symbol) — default: :none

    A delay randomiser function used by the default backoff function. Some predefined functions can be referenced by name - :none, :equal, :full, otherwise a Proc that takes and returns a number. This option is only used in the legacy retry mode.

    @see https://www.awsarchitectureblog.com/2015/03/backoff.html

  • :retry_limit (Integer) — default: 3

    The maximum number of times to retry failed requests. Only ~ 500 level server errors and certain ~ 400 level client errors are retried. Generally, these are throttling errors, data checksum errors, networking errors, timeout errors, auth errors, endpoint discovery, and errors from expired credentials. This option is only used in the legacy retry mode.

  • :retry_max_delay (Integer) — default: 0

    The maximum number of seconds to delay between retries (0 for no limit) used by the default backoff function. This option is only used in the legacy retry mode.

  • :retry_mode (String) — default: "legacy"

    Specifies which retry algorithm to use. Values are:

    • legacy - The pre-existing retry behavior. This is default value if no retry mode is provided.

    • standard - A standardized set of retry rules across the AWS SDKs. This includes support for retry quotas, which limit the number of unsuccessful retries a client can make.

    • adaptive - An experimental retry mode that includes all the functionality of standard mode along with automatic client side throttling. This is a provisional mode that may change behavior in the future.

  • :sdk_ua_app_id (String)

    A unique and opaque application ID that is appended to the User-Agent header as app/. It should have a maximum length of 50.

  • :secret_access_key (String)
  • :session_token (String)
  • :simple_json (Boolean) — default: false

    Disables request parameter conversion, validation, and formatting. Also disable response data type conversions. This option is useful when you want to ensure the highest level of performance by avoiding overhead of walking request parameters and response data structures.

    When :simple_json is enabled, the request parameters hash must be formatted exactly as the DynamoDB API expects.

  • :stub_responses (Boolean) — default: false

    Causes the client to return stubbed responses. By default fake responses are generated and returned. You can specify the response data to return or errors to raise by calling ClientStubs#stub_responses. See ClientStubs for more information.

    Please note When response stubbing is enabled, no HTTP requests are made, and retries are disabled.

  • :token_provider (Aws::TokenProvider)

    A Bearer Token Provider. This can be an instance of any one of the following classes:

    • Aws::StaticTokenProvider - Used for configuring static, non-refreshing tokens.

    • Aws::SSOTokenProvider - Used for loading tokens from AWS SSO using an access token generated from aws login.

    When :token_provider is not configured directly, the Aws::TokenProviderChain will be used to search for tokens configured for your profile in shared configuration files.

  • :use_dualstack_endpoint (Boolean)

    When set to true, dualstack enabled endpoints (with .aws TLD) will be used if available.

  • :use_fips_endpoint (Boolean)

    When set to true, fips compatible endpoints will be used if available. When a fips region is used, the region is normalized and this config is set to true.

  • :validate_params (Boolean) — default: true

    When true, request parameters are validated before sending the request.

  • :endpoint_provider (Aws::VerifiedPermissions::EndpointProvider)

    The endpoint provider used to resolve endpoints. Any object that responds to #resolve_endpoint(parameters) where parameters is a Struct similar to Aws::VerifiedPermissions::EndpointParameters

  • :http_continue_timeout (Float) — default: 1

    The number of seconds to wait for a 100-continue response before sending the request body. This option has no effect unless the request has "Expect" header set to "100-continue". Defaults to nil which disables this behaviour. This value can safely be set per request on the session.

  • :http_idle_timeout (Float) — default: 5

    The number of seconds a connection is allowed to sit idle before it is considered stale. Stale connections are closed and removed from the pool before making a request.

  • :http_open_timeout (Float) — default: 15

    The default number of seconds to wait for response data. This value can safely be set per-request on the session.

  • :http_proxy (URI::HTTP, String)

    A proxy to send requests through. Formatted like 'http://proxy.com:123'.

  • :http_read_timeout (Float) — default: 60

    The default number of seconds to wait for response data. This value can safely be set per-request on the session.

  • :http_wire_trace (Boolean) — default: false

    When true, HTTP debug output will be sent to the :logger.

  • :on_chunk_received (Proc)

    When a Proc object is provided, it will be used as callback when each chunk of the response body is received. It provides three arguments: the chunk, the number of bytes received, and the total number of bytes in the response (or nil if the server did not send a content-length).

  • :on_chunk_sent (Proc)

    When a Proc object is provided, it will be used as callback when each chunk of the request body is sent. It provides three arguments: the chunk, the number of bytes read from the body, and the total number of bytes in the body.

  • :raise_response_errors (Boolean) — default: true

    When true, response errors are raised.

  • :ssl_ca_bundle (String)

    Full path to the SSL certificate authority bundle file that should be used when verifying peer certificates. If you do not pass :ssl_ca_bundle or :ssl_ca_directory the the system default will be used if available.

  • :ssl_ca_directory (String)

    Full path of the directory that contains the unbundled SSL certificate authority files for verifying peer certificates. If you do not pass :ssl_ca_bundle or :ssl_ca_directory the the system default will be used if available.

  • :ssl_ca_store (String)

    Sets the X509::Store to verify peer certificate.

  • :ssl_timeout (Float)

    Sets the SSL timeout in seconds

  • :ssl_verify_peer (Boolean) — default: true

    When true, SSL peer certificates are verified when establishing a connection.



419
420
421
 
# File 'gems/aws-sdk-verifiedpermissions/lib/aws-sdk-verifiedpermissions/client.rb', line 419

def initialize(*args)
  super
end

Instance Method Details

#batch_is_authorized(params = {}) ⇒ Types::BatchIsAuthorizedOutput

Makes a series of decisions about multiple authorization requests for one principal or resource. Each request contains the equivalent content of an IsAuthorized request: principal, action, resource, and context. Either the principal or the resource parameter must be identical across all requests. For example, Verified Permissions won't evaluate a pair of requests where bob views photo1 and alice views photo2. Authorization of bob to view photo1 and photo2, or bob and alice to view photo1, are valid batches.

The request is evaluated against all policies in the specified policy store that match the entities that you declare. The result of the decisions is a series of Allow or Deny responses, along with the IDs of the policies that produced each decision.

The entities of a BatchIsAuthorized API request can contain up to 100 principals and up to 100 resources. The requests of a BatchIsAuthorized API request can contain up to 30 requests.

The BatchIsAuthorized operation doesn't have its own IAM permission. To authorize this operation for Amazon Web Services principals, include the permission verifiedpermissions:IsAuthorized in their IAM policies.

Examples:

Request syntax with placeholder values


resp = client.batch_is_authorized({
  policy_store_id: "PolicyStoreId", # required
  entities: {
    entity_list: [
      {
        identifier: { # required
          entity_type: "EntityType", # required
          entity_id: "EntityId", # required
        },
        attributes: {
          "String" => "value", # value <Hash,Array,String,Numeric,Boolean,IO,Set,nil>
        },
        parents: [
          {
            entity_type: "EntityType", # required
            entity_id: "EntityId", # required
          },
        ],
      },
    ],
  },
  requests: [ # required
    {
      principal: {
        entity_type: "EntityType", # required
        entity_id: "EntityId", # required
      },
      action: {
        action_type: "ActionType", # required
        action_id: "ActionId", # required
      },
      resource: {
        entity_type: "EntityType", # required
        entity_id: "EntityId", # required
      },
      context: {
        context_map: {
          "String" => "value", # value <Hash,Array,String,Numeric,Boolean,IO,Set,nil>
        },
      },
    },
  ],
})

Response structure


resp.results #=> Array
resp.results[0].request.principal.entity_type #=> String
resp.results[0].request.principal.entity_id #=> String
resp.results[0].request.action.action_type #=> String
resp.results[0].request.action.action_id #=> String
resp.results[0].request.resource.entity_type #=> String
resp.results[0].request.resource.entity_id #=> String
resp.results[0].request.context.context_map #=> Hash
resp.results[0].request.context.context_map["String"] #=> <Hash,Array,String,Numeric,Boolean,IO,Set,nil>
resp.results[0].decision #=> String, one of "ALLOW", "DENY"
resp.results[0].determining_policies #=> Array
resp.results[0].determining_policies[0].policy_id #=> String
resp.results[0].errors #=> Array
resp.results[0].errors[0].error_description #=> String

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :policy_store_id (required, String)

    Specifies the ID of the policy store. Policies in this policy store will be used to make the authorization decisions for the input.

  • :entities (Types::EntitiesDefinition)

    Specifies the list of resources and principals and their associated attributes that Verified Permissions can examine when evaluating the policies.

    You can include only principal and resource entities in this parameter; you can't include actions. You must specify actions in the schema.

  • :requests (required, Array<Types::BatchIsAuthorizedInputItem>)

    An array of up to 30 requests that you want Verified Permissions to evaluate.

Returns:

See Also:



540
541
542
543
 
# File 'gems/aws-sdk-verifiedpermissions/lib/aws-sdk-verifiedpermissions/client.rb', line 540

def batch_is_authorized(params = {}, options = {})
  req = build_request(:batch_is_authorized, params)
  req.send_request(options)
end

#batch_is_authorized_with_token(params = {}) ⇒ Types::BatchIsAuthorizedWithTokenOutput

Makes a series of decisions about multiple authorization requests for one token. The principal in this request comes from an external identity source in the form of an identity or access token, formatted as a JSON web token (JWT). The information in the parameters can also define additional context that Verified Permissions can include in the evaluations.

The request is evaluated against all policies in the specified policy store that match the entities that you provide in the entities declaration and in the token. The result of the decisions is a series of Allow or Deny responses, along with the IDs of the policies that produced each decision.

The entities of a BatchIsAuthorizedWithToken API request can contain up to 100 resources and up to 99 user groups. The requests of a BatchIsAuthorizedWithToken API request can contain up to 30 requests.

The BatchIsAuthorizedWithToken operation doesn't have its own IAM permission. To authorize this operation for Amazon Web Services principals, include the permission verifiedpermissions:IsAuthorizedWithToken in their IAM policies.

Examples:

Request syntax with placeholder values


resp = client.batch_is_authorized_with_token({
  policy_store_id: "PolicyStoreId", # required
  identity_token: "Token",
  access_token: "Token",
  entities: {
    entity_list: [
      {
        identifier: { # required
          entity_type: "EntityType", # required
          entity_id: "EntityId", # required
        },
        attributes: {
          "String" => "value", # value <Hash,Array,String,Numeric,Boolean,IO,Set,nil>
        },
        parents: [
          {
            entity_type: "EntityType", # required
            entity_id: "EntityId", # required
          },
        ],
      },
    ],
  },
  requests: [ # required
    {
      action: {
        action_type: "ActionType", # required
        action_id: "ActionId", # required
      },
      resource: {
        entity_type: "EntityType", # required
        entity_id: "EntityId", # required
      },
      context: {
        context_map: {
          "String" => "value", # value <Hash,Array,String,Numeric,Boolean,IO,Set,nil>
        },
      },
    },
  ],
})

Response structure


resp.principal.entity_type #=> String
resp.principal.entity_id #=> String
resp.results #=> Array
resp.results[0].request.action.action_type #=> String
resp.results[0].request.action.action_id #=> String
resp.results[0].request.resource.entity_type #=> String
resp.results[0].request.resource.entity_id #=> String
resp.results[0].request.context.context_map #=> Hash
resp.results[0].request.context.context_map["String"] #=> <Hash,Array,String,Numeric,Boolean,IO,Set,nil>
resp.results[0].decision #=> String, one of "ALLOW", "DENY"
resp.results[0].determining_policies #=> Array
resp.results[0].determining_policies[0].policy_id #=> String
resp.results[0].errors #=> Array
resp.results[0].errors[0].error_description #=> String

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :policy_store_id (required, String)

    Specifies the ID of the policy store. Policies in this policy store will be used to make an authorization decision for the input.

  • :identity_token (String)

    Specifies an identity (ID) token for the principal that you want to authorize in each request. This token is provided to you by the identity provider (IdP) associated with the specified identity source. You must specify either an accessToken, an identityToken, or both.

    Must be an ID token. Verified Permissions returns an error if the token_use claim in the submitted token isn't id.

  • :access_token (String)

    Specifies an access token for the principal that you want to authorize in each request. This token is provided to you by the identity provider (IdP) associated with the specified identity source. You must specify either an accessToken, an identityToken, or both.

    Must be an access token. Verified Permissions returns an error if the token_use claim in the submitted token isn't access.

  • :entities (Types::EntitiesDefinition)

    Specifies the list of resources and their associated attributes that Verified Permissions can examine when evaluating the policies.

    You can't include principals in this parameter, only resource and action entities. This parameter can't include any entities of a type that matches the user or group entity types that you defined in your identity source.

    • The BatchIsAuthorizedWithToken operation takes principal attributes from only the identityToken or accessToken passed to the operation.

    • For action entities, you can include only their Identifier and EntityType.

  • :requests (required, Array<Types::BatchIsAuthorizedWithTokenInputItem>)

    An array of up to 30 requests that you want Verified Permissions to evaluate.

Returns:

See Also:



686
687
688
689
 
# File 'gems/aws-sdk-verifiedpermissions/lib/aws-sdk-verifiedpermissions/client.rb', line 686

def batch_is_authorized_with_token(params = {}, options = {})
  req = build_request(:batch_is_authorized_with_token, params)
  req.send_request(options)
end

#create_identity_source(params = {}) ⇒ Types::CreateIdentitySourceOutput

Creates a reference to an Amazon Cognito user pool as an external identity provider (IdP).

After you create an identity source, you can use the identities provided by the IdP as proxies for the principal in authorization queries that use the IsAuthorizedWithToken operation. These identities take the form of tokens that contain claims about the user, such as IDs, attributes and group memberships. Amazon Cognito provides both identity tokens and access tokens, and Verified Permissions can use either or both. Any combination of identity and access tokens results in the same Cedar principal. Verified Permissions automatically translates the information about the identities into the standard Cedar attributes that can be evaluated by your policies. Because the Amazon Cognito identity and access tokens can contain different information, the tokens you choose to use determine which principal attributes are available to access when evaluating Cedar policies.

If you delete a Amazon Cognito user pool or user, tokens from that deleted pool or that deleted user continue to be usable until they expire.

To reference a user from this identity source in your Cedar policies, use the following syntax.

IdentityType::"<CognitoUserPoolIdentifier>|<CognitoClientId>

Where IdentityType is the string that you provide to the PrincipalEntityType parameter for this operation. The CognitoUserPoolId and CognitoClientId are defined by the Amazon Cognito user pool.

Verified Permissions is eventually consistent . It can take a few seconds for a new or changed element to propagate through the service and be visible in the results of other Verified Permissions operations.

Examples:

Request syntax with placeholder values


resp = client.create_identity_source({
  client_token: "IdempotencyToken",
  policy_store_id: "PolicyStoreId", # required
  configuration: { # required
    cognito_user_pool_configuration: {
      user_pool_arn: "UserPoolArn", # required
      client_ids: ["ClientId"],
      group_configuration: {
        group_entity_type: "GroupEntityType", # required
      },
    },
  },
  principal_entity_type: "PrincipalEntityType",
})

Response structure


resp.created_date #=> Time
resp.identity_source_id #=> String
resp.last_updated_date #=> Time
resp.policy_store_id #=> String

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :client_token (String)

    Specifies a unique, case-sensitive ID that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value..

    If you don't provide this value, then Amazon Web Services generates a random one for you.

    If you retry the operation with the same ClientToken, but with different parameters, the retry fails with an ConflictException error.

    Verified Permissions recognizes a ClientToken for eight hours. After eight hours, the next request with the same parameters performs the operation again regardless of the value of ClientToken.

    A suitable default value is auto-generated. You should normally not need to pass this option.**

  • :policy_store_id (required, String)

    Specifies the ID of the policy store in which you want to store this identity source. Only policies and requests made using this policy store can reference identities from the identity provider configured in the new identity source.

  • :configuration (required, Types::Configuration)

    Specifies the details required to communicate with the identity provider (IdP) associated with this identity source.

    At this time, the only valid member of this structure is a Amazon Cognito user pool configuration.

    You must specify a UserPoolArn, and optionally, a ClientId.

  • :principal_entity_type (String)

    Specifies the namespace and data type of the principals generated for identities authenticated by the new identity source.

Returns:

See Also:



819
820
821
822
 
# File 'gems/aws-sdk-verifiedpermissions/lib/aws-sdk-verifiedpermissions/client.rb', line 819

def create_identity_source(params = {}, options = {})
  req = build_request(:create_identity_source, params)
  req.send_request(options)
end

#create_policy(params = {}) ⇒ Types::CreatePolicyOutput

Creates a Cedar policy and saves it in the specified policy store. You can create either a static policy or a policy linked to a policy template.

  • To create a static policy, provide the Cedar policy text in the StaticPolicy section of the PolicyDefinition.

  • To create a policy that is dynamically linked to a policy template, specify the policy template ID and the principal and resource to associate with this policy in the templateLinked section of the PolicyDefinition. If the policy template is ever updated, any policies linked to the policy template automatically use the updated template.

Creating a policy causes it to be validated against the schema in the policy store. If the policy doesn't pass validation, the operation fails and the policy isn't stored.

Verified Permissions is eventually consistent . It can take a few seconds for a new or changed element to propagate through the service and be visible in the results of other Verified Permissions operations.

Examples:

Request syntax with placeholder values


resp = client.create_policy({
  client_token: "IdempotencyToken",
  policy_store_id: "PolicyStoreId", # required
  definition: { # required
    static: {
      description: "StaticPolicyDescription",
      statement: "PolicyStatement", # required
    },
    template_linked: {
      policy_template_id: "PolicyTemplateId", # required
      principal: {
        entity_type: "EntityType", # required
        entity_id: "EntityId", # required
      },
      resource: {
        entity_type: "EntityType", # required
        entity_id: "EntityId", # required
      },
    },
  },
})

Response structure


resp.policy_store_id #=> String
resp.policy_id #=> String
resp.policy_type #=> String, one of "STATIC", "TEMPLATE_LINKED"
resp.principal.entity_type #=> String
resp.principal.entity_id #=> String
resp.resource.entity_type #=> String
resp.resource.entity_id #=> String
resp.created_date #=> Time
resp.last_updated_date #=> Time

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :client_token (String)

    Specifies a unique, case-sensitive ID that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value..

    If you don't provide this value, then Amazon Web Services generates a random one for you.

    If you retry the operation with the same ClientToken, but with different parameters, the retry fails with an ConflictException error.

    Verified Permissions recognizes a ClientToken for eight hours. After eight hours, the next request with the same parameters performs the operation again regardless of the value of ClientToken.

    A suitable default value is auto-generated. You should normally not need to pass this option.**

  • :policy_store_id (required, String)

    Specifies the PolicyStoreId of the policy store you want to store the policy in.

  • :definition (required, Types::PolicyDefinition)

    A structure that specifies the policy type and content to use for the new policy. You must include either a static or a templateLinked element. The policy content must be written in the Cedar policy language.

Returns:

See Also:



938
939
940
941
 
# File 'gems/aws-sdk-verifiedpermissions/lib/aws-sdk-verifiedpermissions/client.rb', line 938

def create_policy(params = {}, options = {})
  req = build_request(:create_policy, params)
  req.send_request(options)
end

#create_policy_store(params = {}) ⇒ Types::CreatePolicyStoreOutput

Creates a policy store. A policy store is a container for policy resources.

Although Cedar supports multiple namespaces, Verified Permissions currently supports only one namespace per policy store.

Verified Permissions is eventually consistent . It can take a few seconds for a new or changed element to propagate through the service and be visible in the results of other Verified Permissions operations.

Examples:

Request syntax with placeholder values


resp = client.create_policy_store({
  client_token: "IdempotencyToken",
  validation_settings: { # required
    mode: "OFF", # required, accepts OFF, STRICT
  },
  description: "PolicyStoreDescription",
})

Response structure


resp.policy_store_id #=> String
resp.arn #=> String
resp.created_date #=> Time
resp.last_updated_date #=> Time

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :client_token (String)

    Specifies a unique, case-sensitive ID that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value..

    If you don't provide this value, then Amazon Web Services generates a random one for you.

    If you retry the operation with the same ClientToken, but with different parameters, the retry fails with an ConflictException error.

    Verified Permissions recognizes a ClientToken for eight hours. After eight hours, the next request with the same parameters performs the operation again regardless of the value of ClientToken.

    A suitable default value is auto-generated. You should normally not need to pass this option.**

  • :validation_settings (required, Types::ValidationSettings)

    Specifies the validation setting for this policy store.

    Currently, the only valid and required value is Mode.

    We recommend that you turn on STRICT mode only after you define a schema. If a schema doesn't exist, then STRICT mode causes any policy to fail validation, and Verified Permissions rejects the policy. You can turn off validation by using the UpdatePolicyStore. Then, when you have a schema defined, use UpdatePolicyStore again to turn validation back on.

  • :description (String)

    Descriptive text that you can provide to help with identification of the current policy store.

Returns:

See Also:



1037
1038
1039
1040
 
# File 'gems/aws-sdk-verifiedpermissions/lib/aws-sdk-verifiedpermissions/client.rb', line 1037

def create_policy_store(params = {}, options = {})
  req = build_request(:create_policy_store, params)
  req.send_request(options)
end

#create_policy_template(params = {}) ⇒ Types::CreatePolicyTemplateOutput

Creates a policy template. A template can use placeholders for the principal and resource. A template must be instantiated into a policy by associating it with specific principals and resources to use for the placeholders. That instantiated policy can then be considered in authorization decisions. The instantiated policy works identically to any other policy, except that it is dynamically linked to the template. If the template changes, then any policies that are linked to that template are immediately updated as well.

Verified Permissions is eventually consistent . It can take a few seconds for a new or changed element to propagate through the service and be visible in the results of other Verified Permissions operations.

Examples:

Request syntax with placeholder values


resp = client.create_policy_template({
  client_token: "IdempotencyToken",
  policy_store_id: "PolicyStoreId", # required
  description: "PolicyTemplateDescription",
  statement: "PolicyStatement", # required
})

Response structure


resp.policy_store_id #=> String
resp.policy_template_id #=> String
resp.created_date #=> Time
resp.last_updated_date #=> Time

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :client_token (String)

    Specifies a unique, case-sensitive ID that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value..

    If you don't provide this value, then Amazon Web Services generates a random one for you.

    If you retry the operation with the same ClientToken, but with different parameters, the retry fails with an ConflictException error.

    Verified Permissions recognizes a ClientToken for eight hours. After eight hours, the next request with the same parameters performs the operation again regardless of the value of ClientToken.

    A suitable default value is auto-generated. You should normally not need to pass this option.**

  • :policy_store_id (required, String)

    The ID of the policy store in which to create the policy template.

  • :description (String)

    Specifies a description for the policy template.

  • :statement (required, String)

    Specifies the content that you want to use for the new policy template, written in the Cedar policy language.

Returns:

See Also:



1122
1123
1124
1125
 
# File 'gems/aws-sdk-verifiedpermissions/lib/aws-sdk-verifiedpermissions/client.rb', line 1122

def create_policy_template(params = {}, options = {})
  req = build_request(:create_policy_template, params)
  req.send_request(options)
end

#delete_identity_source(params = {}) ⇒ Struct

Deletes an identity source that references an identity provider (IdP) such as Amazon Cognito. After you delete the identity source, you can no longer use tokens for identities from that identity source to represent principals in authorization queries made using IsAuthorizedWithToken. operations.

Examples:

Request syntax with placeholder values


resp = client.delete_identity_source({
  policy_store_id: "PolicyStoreId", # required
  identity_source_id: "IdentitySourceId", # required
})

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :policy_store_id (required, String)

    Specifies the ID of the policy store that contains the identity source that you want to delete.

  • :identity_source_id (required, String)

    Specifies the ID of the identity source that you want to delete.

Returns:

  • (Struct)

    Returns an empty response.

See Also:



1157
1158
1159
1160
 
# File 'gems/aws-sdk-verifiedpermissions/lib/aws-sdk-verifiedpermissions/client.rb', line 1157

def delete_identity_source(params = {}, options = {})
  req = build_request(:delete_identity_source, params)
  req.send_request(options)
end

#delete_policy(params = {}) ⇒ Struct

Deletes the specified policy from the policy store.

This operation is idempotent; if you specify a policy that doesn't exist, the request response returns a successful HTTP 200 status code.

Examples:

Request syntax with placeholder values


resp = client.delete_policy({
  policy_store_id: "PolicyStoreId", # required
  policy_id: "PolicyId", # required
})

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :policy_store_id (required, String)

    Specifies the ID of the policy store that contains the policy that you want to delete.

  • :policy_id (required, String)

    Specifies the ID of the policy that you want to delete.

Returns:

  • (Struct)

    Returns an empty response.

See Also:



1188
1189
1190
1191
 
# File 'gems/aws-sdk-verifiedpermissions/lib/aws-sdk-verifiedpermissions/client.rb', line 1188

def delete_policy(params = {}, options = {})
  req = build_request(:delete_policy, params)
  req.send_request(options)
end

#delete_policy_store(params = {}) ⇒ Struct

Deletes the specified policy store.

This operation is idempotent. If you specify a policy store that does not exist, the request response will still return a successful HTTP 200 status code.

Examples:

Request syntax with placeholder values


resp = client.delete_policy_store({
  policy_store_id: "PolicyStoreId", # required
})

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :policy_store_id (required, String)

    Specifies the ID of the policy store that you want to delete.

Returns:

  • (Struct)

    Returns an empty response.

See Also:



1214
1215
1216
1217
 
# File 'gems/aws-sdk-verifiedpermissions/lib/aws-sdk-verifiedpermissions/client.rb', line 1214

def delete_policy_store(params = {}, options = {})
  req = build_request(:delete_policy_store, params)
  req.send_request(options)
end

#delete_policy_template(params = {}) ⇒ Struct

Deletes the specified policy template from the policy store.

This operation also deletes any policies that were created from the specified policy template. Those policies are immediately removed from all future API responses, and are asynchronously deleted from the policy store.

Examples:

Request syntax with placeholder values


resp = client.delete_policy_template({
  policy_store_id: "PolicyStoreId", # required
  policy_template_id: "PolicyTemplateId", # required
})

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :policy_store_id (required, String)

    Specifies the ID of the policy store that contains the policy template that you want to delete.

  • :policy_template_id (required, String)

    Specifies the ID of the policy template that you want to delete.

Returns:

  • (Struct)

    Returns an empty response.

See Also:



1246
1247
1248
1249
 
# File 'gems/aws-sdk-verifiedpermissions/lib/aws-sdk-verifiedpermissions/client.rb', line 1246

def delete_policy_template(params = {}, options = {})
  req = build_request(:delete_policy_template, params)
  req.send_request(options)
end

#get_identity_source(params = {}) ⇒ Types::GetIdentitySourceOutput

Retrieves the details about the specified identity source.

Examples:

Request syntax with placeholder values


resp = client.get_identity_source({
  policy_store_id: "PolicyStoreId", # required
  identity_source_id: "IdentitySourceId", # required
})

Response structure


resp.created_date #=> Time
resp.details.client_ids #=> Array
resp.details.client_ids[0] #=> String
resp.details.user_pool_arn #=> String
resp.details.discovery_url #=> String
resp.details.open_id_issuer #=> String, one of "COGNITO"
resp.identity_source_id #=> String
resp.last_updated_date #=> Time
resp.policy_store_id #=> String
resp.principal_entity_type #=> String
resp.configuration.cognito_user_pool_configuration.user_pool_arn #=> String
resp.configuration.cognito_user_pool_configuration.client_ids #=> Array
resp.configuration.cognito_user_pool_configuration.client_ids[0] #=> String
resp.configuration.cognito_user_pool_configuration.issuer #=> String
resp.configuration.cognito_user_pool_configuration.group_configuration.group_entity_type #=> String

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :policy_store_id (required, String)

    Specifies the ID of the policy store that contains the identity source you want information about.

  • :identity_source_id (required, String)

    Specifies the ID of the identity source you want information about.

Returns:

See Also:



1299
1300
1301
1302
 
# File 'gems/aws-sdk-verifiedpermissions/lib/aws-sdk-verifiedpermissions/client.rb', line 1299

def get_identity_source(params = {}, options = {})
  req = build_request(:get_identity_source, params)
  req.send_request(options)
end

#get_policy(params = {}) ⇒ Types::GetPolicyOutput

Retrieves information about the specified policy.

Examples:

Request syntax with placeholder values


resp = client.get_policy({
  policy_store_id: "PolicyStoreId", # required
  policy_id: "PolicyId", # required
})

Response structure


resp.policy_store_id #=> String
resp.policy_id #=> String
resp.policy_type #=> String, one of "STATIC", "TEMPLATE_LINKED"
resp.principal.entity_type #=> String
resp.principal.entity_id #=> String
resp.resource.entity_type #=> String
resp.resource.entity_id #=> String
resp.definition.static.description #=> String
resp.definition.static.statement #=> String
resp.definition.template_linked.policy_template_id #=> String
resp.definition.template_linked.principal.entity_type #=> String
resp.definition.template_linked.principal.entity_id #=> String
resp.definition.template_linked.resource.entity_type #=> String
resp.definition.template_linked.resource.entity_id #=> String
resp.created_date #=> Time
resp.last_updated_date #=> Time

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :policy_store_id (required, String)

    Specifies the ID of the policy store that contains the policy that you want information about.

  • :policy_id (required, String)

    Specifies the ID of the policy you want information about.

Returns:

See Also:



1354
1355
1356
1357
 
# File 'gems/aws-sdk-verifiedpermissions/lib/aws-sdk-verifiedpermissions/client.rb', line 1354

def get_policy(params = {}, options = {})
  req = build_request(:get_policy, params)
  req.send_request(options)
end

#get_policy_store(params = {}) ⇒ Types::GetPolicyStoreOutput

Retrieves details about a policy store.

Examples:

Request syntax with placeholder values


resp = client.get_policy_store({
  policy_store_id: "PolicyStoreId", # required
})

Response structure


resp.policy_store_id #=> String
resp.arn #=> String
resp.validation_settings.mode #=> String, one of "OFF", "STRICT"
resp.created_date #=> Time
resp.last_updated_date #=> Time
resp.description #=> String

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :policy_store_id (required, String)

    Specifies the ID of the policy store that you want information about.

Returns:

See Also:



1392
1393
1394
1395
 
# File 'gems/aws-sdk-verifiedpermissions/lib/aws-sdk-verifiedpermissions/client.rb', line 1392

def get_policy_store(params = {}, options = {})
  req = build_request(:get_policy_store, params)
  req.send_request(options)
end

#get_policy_template(params = {}) ⇒ Types::GetPolicyTemplateOutput

Retrieve the details for the specified policy template in the specified policy store.

Examples:

Request syntax with placeholder values


resp = client.get_policy_template({
  policy_store_id: "PolicyStoreId", # required
  policy_template_id: "PolicyTemplateId", # required
})

Response structure


resp.policy_store_id #=> String
resp.policy_template_id #=> String
resp.description #=> String
resp.statement #=> String
resp.created_date #=> Time
resp.last_updated_date #=> Time

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :policy_store_id (required, String)

    Specifies the ID of the policy store that contains the policy template that you want information about.

  • :policy_template_id (required, String)

    Specifies the ID of the policy template that you want information about.

Returns:

See Also:



1437
1438
1439
1440
 
# File 'gems/aws-sdk-verifiedpermissions/lib/aws-sdk-verifiedpermissions/client.rb', line 1437

def get_policy_template(params = {}, options = {})
  req = build_request(:get_policy_template, params)
  req.send_request(options)
end

#get_schema(params = {}) ⇒ Types::GetSchemaOutput

Retrieve the details for the specified schema in the specified policy store.

Examples:

Request syntax with placeholder values


resp = client.get_schema({
  policy_store_id: "PolicyStoreId", # required
})

Response structure


resp.policy_store_id #=> String
resp.schema #=> String
resp.created_date #=> Time
resp.last_updated_date #=> Time
resp.namespaces #=> Array
resp.namespaces[0] #=> String

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :policy_store_id (required, String)

    Specifies the ID of the policy store that contains the schema.

Returns:

See Also:



1475
1476
1477
1478
 
# File 'gems/aws-sdk-verifiedpermissions/lib/aws-sdk-verifiedpermissions/client.rb', line 1475

def get_schema(params = {}, options = {})
  req = build_request(:get_schema, params)
  req.send_request(options)
end

#is_authorized(params = {}) ⇒ Types::IsAuthorizedOutput

Makes an authorization decision about a service request described in the parameters. The information in the parameters can also define additional context that Verified Permissions can include in the evaluation. The request is evaluated against all matching policies in the specified policy store. The result of the decision is either Allow or Deny, along with a list of the policies that resulted in the decision.

Examples:

Request syntax with placeholder values


resp = client.is_authorized({
  policy_store_id: "PolicyStoreId", # required
  principal: {
    entity_type: "EntityType", # required
    entity_id: "EntityId", # required
  },
  action: {
    action_type: "ActionType", # required
    action_id: "ActionId", # required
  },
  resource: {
    entity_type: "EntityType", # required
    entity_id: "EntityId", # required
  },
  context: {
    context_map: {
      "String" => "value", # value <Hash,Array,String,Numeric,Boolean,IO,Set,nil>
    },
  },
  entities: {
    entity_list: [
      {
        identifier: { # required
          entity_type: "EntityType", # required
          entity_id: "EntityId", # required
        },
        attributes: {
          "String" => "value", # value <Hash,Array,String,Numeric,Boolean,IO,Set,nil>
        },
        parents: [
          {
            entity_type: "EntityType", # required
            entity_id: "EntityId", # required
          },
        ],
      },
    ],
  },
})

Response structure


resp.decision #=> String, one of "ALLOW", "DENY"
resp.determining_policies #=> Array
resp.determining_policies[0].policy_id #=> String
resp.errors #=> Array
resp.errors[0].error_description #=> String

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :policy_store_id (required, String)

    Specifies the ID of the policy store. Policies in this policy store will be used to make an authorization decision for the input.

  • :principal (Types::EntityIdentifier)

    Specifies the principal for which the authorization decision is to be made.

  • :action (Types::ActionIdentifier)

    Specifies the requested action to be authorized. For example, is the principal authorized to perform this action on the resource?

  • :resource (Types::EntityIdentifier)

    Specifies the resource for which the authorization decision is to be made.

  • :context (Types::ContextDefinition)

    Specifies additional context that can be used to make more granular authorization decisions.

  • :entities (Types::EntitiesDefinition)

    Specifies the list of resources and principals and their associated attributes that Verified Permissions can examine when evaluating the policies.

    You can include only principal and resource entities in this parameter; you can't include actions. You must specify actions in the schema.

Returns:

See Also:



1579
1580
1581
1582
 
# File 'gems/aws-sdk-verifiedpermissions/lib/aws-sdk-verifiedpermissions/client.rb', line 1579

def is_authorized(params = {}, options = {})
  req = build_request(:is_authorized, params)
  req.send_request(options)
end

#is_authorized_with_token(params = {}) ⇒ Types::IsAuthorizedWithTokenOutput

Makes an authorization decision about a service request described in the parameters. The principal in this request comes from an external identity source in the form of an identity token formatted as a JSON web token (JWT). The information in the parameters can also define additional context that Verified Permissions can include in the evaluation. The request is evaluated against all matching policies in the specified policy store. The result of the decision is either Allow or Deny, along with a list of the policies that resulted in the decision.

At this time, Verified Permissions accepts tokens from only Amazon Cognito.

Verified Permissions validates each token that is specified in a request by checking its expiration date and its signature.

If you delete a Amazon Cognito user pool or user, tokens from that deleted pool or that deleted user continue to be usable until they expire.

Examples:

Request syntax with placeholder values


resp = client.is_authorized_with_token({
  policy_store_id: "PolicyStoreId", # required
  identity_token: "Token",
  access_token: "Token",
  action: {
    action_type: "ActionType", # required
    action_id: "ActionId", # required
  },
  resource: {
    entity_type: "EntityType", # required
    entity_id: "EntityId", # required
  },
  context: {
    context_map: {
      "String" => "value", # value <Hash,Array,String,Numeric,Boolean,IO,Set,nil>
    },
  },
  entities: {
    entity_list: [
      {
        identifier: { # required
          entity_type: "EntityType", # required
          entity_id: "EntityId", # required
        },
        attributes: {
          "String" => "value", # value <Hash,Array,String,Numeric,Boolean,IO,Set,nil>
        },
        parents: [
          {
            entity_type: "EntityType", # required
            entity_id: "EntityId", # required
          },
        ],
      },
    ],
  },
})

Response structure


resp.decision #=> String, one of "ALLOW", "DENY"
resp.determining_policies #=> Array
resp.determining_policies[0].policy_id #=> String
resp.errors #=> Array
resp.errors[0].error_description #=> String
resp.principal.entity_type #=> String
resp.principal.entity_id #=> String

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :policy_store_id (required, String)

    Specifies the ID of the policy store. Policies in this policy store will be used to make an authorization decision for the input.

  • :identity_token (String)

    Specifies an identity token for the principal to be authorized. This token is provided to you by the identity provider (IdP) associated with the specified identity source. You must specify either an accessToken, an identityToken, or both.

    Must be an ID token. Verified Permissions returns an error if the token_use claim in the submitted token isn't id.

  • :access_token (String)

    Specifies an access token for the principal to be authorized. This token is provided to you by the identity provider (IdP) associated with the specified identity source. You must specify either an accessToken, an identityToken, or both.

    Must be an access token. Verified Permissions returns an error if the token_use claim in the submitted token isn't access.

  • :action (Types::ActionIdentifier)

    Specifies the requested action to be authorized. Is the specified principal authorized to perform this action on the specified resource.

  • :resource (Types::EntityIdentifier)

    Specifies the resource for which the authorization decision is made. For example, is the principal allowed to perform the action on the resource?

  • :context (Types::ContextDefinition)

    Specifies additional context that can be used to make more granular authorization decisions.

  • :entities (Types::EntitiesDefinition)

    Specifies the list of resources and their associated attributes that Verified Permissions can examine when evaluating the policies.

    You can't include principals in this parameter, only resource and action entities. This parameter can't include any entities of a type that matches the user or group entity types that you defined in your identity source.

    • The IsAuthorizedWithToken operation takes principal attributes from only the identityToken or accessToken passed to the operation.

    • For action entities, you can include only their Identifier and EntityType.

Returns:

See Also:



1720
1721
1722
1723
 
# File 'gems/aws-sdk-verifiedpermissions/lib/aws-sdk-verifiedpermissions/client.rb', line 1720

def is_authorized_with_token(params = {}, options = {})
  req = build_request(:is_authorized_with_token, params)
  req.send_request(options)
end

#list_identity_sources(params = {}) ⇒ Types::ListIdentitySourcesOutput

Returns a paginated list of all of the identity sources defined in the specified policy store.

The returned response is a pageable response and is Enumerable. For details on usage see PageableResponse.

Examples:

Request syntax with placeholder values


resp = client.list_identity_sources({
  policy_store_id: "PolicyStoreId", # required
  next_token: "NextToken",
  max_results: 1,
  filters: [
    {
      principal_entity_type: "PrincipalEntityType",
    },
  ],
})

Response structure


resp.next_token #=> String
resp.identity_sources #=> Array
resp.identity_sources[0].created_date #=> Time
resp.identity_sources[0].details.client_ids #=> Array
resp.identity_sources[0].details.client_ids[0] #=> String
resp.identity_sources[0].details.user_pool_arn #=> String
resp.identity_sources[0].details.discovery_url #=> String
resp.identity_sources[0].details.open_id_issuer #=> String, one of "COGNITO"
resp.identity_sources[0].identity_source_id #=> String
resp.identity_sources[0].last_updated_date #=> Time
resp.identity_sources[0].policy_store_id #=> String
resp.identity_sources[0].principal_entity_type #=> String
resp.identity_sources[0].configuration.cognito_user_pool_configuration.user_pool_arn #=> String
resp.identity_sources[0].configuration.cognito_user_pool_configuration.client_ids #=> Array
resp.identity_sources[0].configuration.cognito_user_pool_configuration.client_ids[0] #=> String
resp.identity_sources[0].configuration.cognito_user_pool_configuration.issuer #=> String
resp.identity_sources[0].configuration.cognito_user_pool_configuration.group_configuration.group_entity_type #=> String

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :policy_store_id (required, String)

    Specifies the ID of the policy store that contains the identity sources that you want to list.

  • :next_token (String)

    Specifies that you want to receive the next page of results. Valid only if you received a NextToken response in the previous request. If you did, it indicates that more output is available. Set this parameter to the value provided by the previous call's NextToken response to request the next page of results.

  • :max_results (Integer)

    Specifies the total number of results that you want included in each response. If additional items exist beyond the number you specify, the NextToken response element is returned with a value (not null). Include the specified value as the NextToken request parameter in the next call to the operation to get the next set of results. Note that the service might return fewer results than the maximum even when there are more results available. You should check NextToken after every operation to ensure that you receive all of the results.

    If you do not specify this parameter, the operation defaults to 10 identity sources per response. You can specify a maximum of 200 identity sources per response.

  • :filters (Array<Types::IdentitySourceFilter>)

    Specifies characteristics of an identity source that you can use to limit the output to matching identity sources.

Returns:

See Also:



1801
1802
1803
1804
 
# File 'gems/aws-sdk-verifiedpermissions/lib/aws-sdk-verifiedpermissions/client.rb', line 1801

def list_identity_sources(params = {}, options = {})
  req = build_request(:list_identity_sources, params)
  req.send_request(options)
end

#list_policies(params = {}) ⇒ Types::ListPoliciesOutput

Returns a paginated list of all policies stored in the specified policy store.

The returned response is a pageable response and is Enumerable. For details on usage see PageableResponse.

Examples:

Request syntax with placeholder values


resp = client.list_policies({
  policy_store_id: "PolicyStoreId", # required
  next_token: "NextToken",
  max_results: 1,
  filter: {
    principal: {
      unspecified: false,
      identifier: {
        entity_type: "EntityType", # required
        entity_id: "EntityId", # required
      },
    },
    resource: {
      unspecified: false,
      identifier: {
        entity_type: "EntityType", # required
        entity_id: "EntityId", # required
      },
    },
    policy_type: "STATIC", # accepts STATIC, TEMPLATE_LINKED
    policy_template_id: "PolicyTemplateId",
  },
})

Response structure


resp.next_token #=> String
resp.policies #=> Array
resp.policies[0].policy_store_id #=> String
resp.policies[0].policy_id #=> String
resp.policies[0].policy_type #=> String, one of "STATIC", "TEMPLATE_LINKED"
resp.policies[0].principal.entity_type #=> String
resp.policies[0].principal.entity_id #=> String
resp.policies[0].resource.entity_type #=> String
resp.policies[0].resource.entity_id #=> String
resp.policies[0].definition.static.description #=> String
resp.policies[0].definition.template_linked.policy_template_id #=> String
resp.policies[0].definition.template_linked.principal.entity_type #=> String
resp.policies[0].definition.template_linked.principal.entity_id #=> String
resp.policies[0].definition.template_linked.resource.entity_type #=> String
resp.policies[0].definition.template_linked.resource.entity_id #=> String
resp.policies[0].created_date #=> Time
resp.policies[0].last_updated_date #=> Time

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :policy_store_id (required, String)

    Specifies the ID of the policy store you want to list policies from.

  • :next_token (String)

    Specifies that you want to receive the next page of results. Valid only if you received a NextToken response in the previous request. If you did, it indicates that more output is available. Set this parameter to the value provided by the previous call's NextToken response to request the next page of results.

  • :max_results (Integer)

    Specifies the total number of results that you want included in each response. If additional items exist beyond the number you specify, the NextToken response element is returned with a value (not null). Include the specified value as the NextToken request parameter in the next call to the operation to get the next set of results. Note that the service might return fewer results than the maximum even when there are more results available. You should check NextToken after every operation to ensure that you receive all of the results.

    If you do not specify this parameter, the operation defaults to 10 policies per response. You can specify a maximum of 50 policies per response.

  • :filter (Types::PolicyFilter)

    Specifies a filter that limits the response to only policies that match the specified criteria. For example, you list only the policies that reference a specified principal.

Returns:

See Also:



1895
1896
1897
1898
 
# File 'gems/aws-sdk-verifiedpermissions/lib/aws-sdk-verifiedpermissions/client.rb', line 1895

def list_policies(params = {}, options = {})
  req = build_request(:list_policies, params)
  req.send_request(options)
end

#list_policy_stores(params = {}) ⇒ Types::ListPolicyStoresOutput

Returns a paginated list of all policy stores in the calling Amazon Web Services account.

The returned response is a pageable response and is Enumerable. For details on usage see PageableResponse.

Examples:

Request syntax with placeholder values


resp = client.list_policy_stores({
  next_token: "NextToken",
  max_results: 1,
})

Response structure


resp.next_token #=> String
resp.policy_stores #=> Array
resp.policy_stores[0].policy_store_id #=> String
resp.policy_stores[0].arn #=> String
resp.policy_stores[0].created_date #=> Time
resp.policy_stores[0].last_updated_date #=> Time
resp.policy_stores[0].description #=> String

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :next_token (String)

    Specifies that you want to receive the next page of results. Valid only if you received a NextToken response in the previous request. If you did, it indicates that more output is available. Set this parameter to the value provided by the previous call's NextToken response to request the next page of results.

  • :max_results (Integer)

    Specifies the total number of results that you want included in each response. If additional items exist beyond the number you specify, the NextToken response element is returned with a value (not null). Include the specified value as the NextToken request parameter in the next call to the operation to get the next set of results. Note that the service might return fewer results than the maximum even when there are more results available. You should check NextToken after every operation to ensure that you receive all of the results.

    If you do not specify this parameter, the operation defaults to 10 policy stores per response. You can specify a maximum of 50 policy stores per response.

Returns:

See Also:



1952
1953
1954
1955
 
# File 'gems/aws-sdk-verifiedpermissions/lib/aws-sdk-verifiedpermissions/client.rb', line 1952

def list_policy_stores(params = {}, options = {})
  req = build_request(:list_policy_stores, params)
  req.send_request(options)
end

#list_policy_templates(params = {}) ⇒ Types::ListPolicyTemplatesOutput

Returns a paginated list of all policy templates in the specified policy store.

The returned response is a pageable response and is Enumerable. For details on usage see PageableResponse.

Examples:

Request syntax with placeholder values


resp = client.list_policy_templates({
  policy_store_id: "PolicyStoreId", # required
  next_token: "NextToken",
  max_results: 1,
})

Response structure


resp.next_token #=> String
resp.policy_templates #=> Array
resp.policy_templates[0].policy_store_id #=> String
resp.policy_templates[0].policy_template_id #=> String
resp.policy_templates[0].description #=> String
resp.policy_templates[0].created_date #=> Time
resp.policy_templates[0].last_updated_date #=> Time

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :policy_store_id (required, String)

    Specifies the ID of the policy store that contains the policy templates you want to list.

  • :next_token (String)

    Specifies that you want to receive the next page of results. Valid only if you received a NextToken response in the previous request. If you did, it indicates that more output is available. Set this parameter to the value provided by the previous call's NextToken response to request the next page of results.

  • :max_results (Integer)

    Specifies the total number of results that you want included in each response. If additional items exist beyond the number you specify, the NextToken response element is returned with a value (not null). Include the specified value as the NextToken request parameter in the next call to the operation to get the next set of results. Note that the service might return fewer results than the maximum even when there are more results available. You should check NextToken after every operation to ensure that you receive all of the results.

    If you do not specify this parameter, the operation defaults to 10 policy templates per response. You can specify a maximum of 50 policy templates per response.

Returns:

See Also:



2014
2015
2016
2017
 
# File 'gems/aws-sdk-verifiedpermissions/lib/aws-sdk-verifiedpermissions/client.rb', line 2014

def list_policy_templates(params = {}, options = {})
  req = build_request(:list_policy_templates, params)
  req.send_request(options)
end

#put_schema(params = {}) ⇒ Types::PutSchemaOutput

Creates or updates the policy schema in the specified policy store. The schema is used to validate any Cedar policies and policy templates submitted to the policy store. Any changes to the schema validate only policies and templates submitted after the schema change. Existing policies and templates are not re-evaluated against the changed schema. If you later update a policy, then it is evaluated against the new schema at that time.

Verified Permissions is eventually consistent . It can take a few seconds for a new or changed element to propagate through the service and be visible in the results of other Verified Permissions operations.

Examples:

Request syntax with placeholder values


resp = client.put_schema({
  policy_store_id: "PolicyStoreId", # required
  definition: { # required
    cedar_json: "SchemaJson",
  },
})

Response structure


resp.policy_store_id #=> String
resp.namespaces #=> Array
resp.namespaces[0] #=> String
resp.created_date #=> Time
resp.last_updated_date #=> Time

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :policy_store_id (required, String)

    Specifies the ID of the policy store in which to place the schema.

  • :definition (required, Types::SchemaDefinition)

    Specifies the definition of the schema to be stored. The schema definition must be written in Cedar schema JSON.

Returns:

See Also:



2070
2071
2072
2073
 
# File 'gems/aws-sdk-verifiedpermissions/lib/aws-sdk-verifiedpermissions/client.rb', line 2070

def put_schema(params = {}, options = {})
  req = build_request(:put_schema, params)
  req.send_request(options)
end

#update_identity_source(params = {}) ⇒ Types::UpdateIdentitySourceOutput

Updates the specified identity source to use a new identity provider (IdP) source, or to change the mapping of identities from the IdP to a different principal entity type.

Verified Permissions is eventually consistent . It can take a few seconds for a new or changed element to propagate through the service and be visible in the results of other Verified Permissions operations.

Examples:

Request syntax with placeholder values


resp = client.update_identity_source({
  policy_store_id: "PolicyStoreId", # required
  identity_source_id: "IdentitySourceId", # required
  update_configuration: { # required
    cognito_user_pool_configuration: {
      user_pool_arn: "UserPoolArn", # required
      client_ids: ["ClientId"],
      group_configuration: {
        group_entity_type: "GroupEntityType", # required
      },
    },
  },
  principal_entity_type: "PrincipalEntityType",
})

Response structure


resp.created_date #=> Time
resp.identity_source_id #=> String
resp.last_updated_date #=> Time
resp.policy_store_id #=> String

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :policy_store_id (required, String)

    Specifies the ID of the policy store that contains the identity source that you want to update.

  • :identity_source_id (required, String)

    Specifies the ID of the identity source that you want to update.

  • :update_configuration (required, Types::UpdateConfiguration)

    Specifies the details required to communicate with the identity provider (IdP) associated with this identity source.

    At this time, the only valid member of this structure is a Amazon Cognito user pool configuration.

    You must specify a userPoolArn, and optionally, a ClientId.

  • :principal_entity_type (String)

    Specifies the data type of principals generated for identities authenticated by the identity source.

Returns:

See Also:



2144
2145
2146
2147
 
# File 'gems/aws-sdk-verifiedpermissions/lib/aws-sdk-verifiedpermissions/client.rb', line 2144

def update_identity_source(params = {}, options = {})
  req = build_request(:update_identity_source, params)
  req.send_request(options)
end

#update_policy(params = {}) ⇒ Types::UpdatePolicyOutput

Modifies a Cedar static policy in the specified policy store. You can change only certain elements of the UpdatePolicyDefinition parameter. You can directly update only static policies. To change a template-linked policy, you must update the template instead, using UpdatePolicyTemplate.

* If policy validation is enabled in the policy store, then updating a static policy causes Verified Permissions to validate the policy against the schema in the policy store. If the updated static policy doesn't pass validation, the operation fails and the update isn't stored.

  • When you edit a static policy, you can change only certain elements of a static policy:

    • The action referenced by the policy.

    • A condition clause, such as when and unless.

    You can't change these elements of a static policy:

    • Changing a policy from a static policy to a template-linked policy.

    • Changing the effect of a static policy from permit or forbid.

    • The principal referenced by a static policy.

    • The resource referenced by a static policy.

  • To update a template-linked policy, you must update the template instead.

Verified Permissions is eventually consistent . It can take a few seconds for a new or changed element to propagate through the service and be visible in the results of other Verified Permissions operations.

Examples:

Request syntax with placeholder values


resp = client.update_policy({
  policy_store_id: "PolicyStoreId", # required
  policy_id: "PolicyId", # required
  definition: { # required
    static: {
      description: "StaticPolicyDescription",
      statement: "PolicyStatement", # required
    },
  },
})

Response structure


resp.policy_store_id #=> String
resp.policy_id #=> String
resp.policy_type #=> String, one of "STATIC", "TEMPLATE_LINKED"
resp.principal.entity_type #=> String
resp.principal.entity_id #=> String
resp.resource.entity_type #=> String
resp.resource.entity_id #=> String
resp.created_date #=> Time
resp.last_updated_date #=> Time

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :policy_store_id (required, String)

    Specifies the ID of the policy store that contains the policy that you want to update.

  • :policy_id (required, String)

    Specifies the ID of the policy that you want to update. To find this value, you can use ListPolicies.

  • :definition (required, Types::UpdatePolicyDefinition)

    Specifies the updated policy content that you want to replace on the specified policy. The content must be valid Cedar policy language text.

    You can change only the following elements from the policy definition:

    • The action referenced by the policy.

    • Any conditional clauses, such as when or unless clauses.

    You can't change the following elements:

    • Changing from static to templateLinked.

    • Changing the effect of the policy from permit or forbid.

    • The principal referenced by the policy.

    • The resource referenced by the policy.

Returns:

See Also:



2269
2270
2271
2272
 
# File 'gems/aws-sdk-verifiedpermissions/lib/aws-sdk-verifiedpermissions/client.rb', line 2269

def update_policy(params = {}, options = {})
  req = build_request(:update_policy, params)
  req.send_request(options)
end

#update_policy_store(params = {}) ⇒ Types::UpdatePolicyStoreOutput

Modifies the validation setting for a policy store.

Verified Permissions is eventually consistent . It can take a few seconds for a new or changed element to propagate through the service and be visible in the results of other Verified Permissions operations.

Examples:

Request syntax with placeholder values


resp = client.update_policy_store({
  policy_store_id: "PolicyStoreId", # required
  validation_settings: { # required
    mode: "OFF", # required, accepts OFF, STRICT
  },
  description: "PolicyStoreDescription",
})

Response structure


resp.policy_store_id #=> String
resp.arn #=> String
resp.created_date #=> Time
resp.last_updated_date #=> Time

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :policy_store_id (required, String)

    Specifies the ID of the policy store that you want to update

  • :validation_settings (required, Types::ValidationSettings)

    A structure that defines the validation settings that want to enable for the policy store.

  • :description (String)

    Descriptive text that you can provide to help with identification of the current policy store.

Returns:

See Also:



2323
2324
2325
2326
 
# File 'gems/aws-sdk-verifiedpermissions/lib/aws-sdk-verifiedpermissions/client.rb', line 2323

def update_policy_store(params = {}, options = {})
  req = build_request(:update_policy_store, params)
  req.send_request(options)
end

#update_policy_template(params = {}) ⇒ Types::UpdatePolicyTemplateOutput

Updates the specified policy template. You can update only the description and the some elements of the policyBody.

Changes you make to the policy template content are immediately (within the constraints of eventual consistency) reflected in authorization decisions that involve all template-linked policies instantiated from this template.

Verified Permissions is eventually consistent . It can take a few seconds for a new or changed element to propagate through the service and be visible in the results of other Verified Permissions operations.

Examples:

Request syntax with placeholder values


resp = client.update_policy_template({
  policy_store_id: "PolicyStoreId", # required
  policy_template_id: "PolicyTemplateId", # required
  description: "PolicyTemplateDescription",
  statement: "PolicyStatement", # required
})

Response structure


resp.policy_store_id #=> String
resp.policy_template_id #=> String
resp.created_date #=> Time
resp.last_updated_date #=> Time

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :policy_store_id (required, String)

    Specifies the ID of the policy store that contains the policy template that you want to update.

  • :policy_template_id (required, String)

    Specifies the ID of the policy template that you want to update.

  • :description (String)

    Specifies a new description to apply to the policy template.

  • :statement (required, String)

    Specifies new statement content written in Cedar policy language to replace the current body of the policy template.

    You can change only the following elements of the policy body:

    • The action referenced by the policy template.

    • Any conditional clauses, such as when or unless clauses.

    You can't change the following elements:

    • The effect (permit or forbid) of the policy template.

    • The principal referenced by the policy template.

    • The resource referenced by the policy template.

Returns:

See Also:



2403
2404
2405
2406
 
# File 'gems/aws-sdk-verifiedpermissions/lib/aws-sdk-verifiedpermissions/client.rb', line 2403

def update_policy_template(params = {}, options = {})
  req = build_request(:update_policy_template, params)
  req.send_request(options)
end