Retrieving external data for a PDP in Amazon Verified Permissions
Amazon Verified Permissions doesn't support retrieving external data for a PDP, but it can store user-provided data as part of its schema. As with OPA, if all data for an authorization decision can be provided in the authorization request itself or in a JSON Web Token (JWT) that is passed with the request, no additional configuration is required. However, you can supply additional data from external sources to Verified Permissions through the authorization request, by way of the application's authorizer service that calls Verified Permissions. For example, the authorizer service can query an external source such as DynamoDB or Amazon RDS for data and then include the externally sourced data in the authorization request.
The following diagram shows an example of how additional data can be retrieved and incorporated into a Verified Permissions authorization request. It might be necessary to use this method to retrieve data such as RBAC role mappings, to retrieve additional attributes that are relevant to resources or principals, or in cases where data resides in different parts of an application and cannot be provided through an identity provider (IdP) token.
Application flow:
- The application receives an API call to Amazon API Gateway and forwards the call to the AWS Lambda authorizer.
- The Lambda authorizer calls Amazon DynamoDB to retrieve additional data about the principal that made the request.
- The Lambda authorizer incorporates the additional data into the authorization request that it makes to Verified Permissions.
- The Lambda authorizer makes the authorization request to Verified Permissions and receives an authorization decision.
The diagram includes a feature of Amazon API Gateway called a Lambda authorizer. Although this feature might not be available for APIs that are provided by other services or applications, you can replicate the general model of using an authorizer to fetch additional data to incorporate into a Verified Permissions authorization request across a multitude of use cases.
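The following is an added example, not code from this guide or from AWS, of steps 2 to 4 of the flow in a Python Lambda authorizer: a DynamoDB item in the low-level typed JSON form is mapped to Verified Permissions attribute values, RBAC role mappings become `parents` of the principal entity, and the result is passed to `IsAuthorized`. The entity types (`App::User`, `App::Role`, `App::Report`), the `Users` table and its keys, and the `ps-EXAMPLE` policy store ID are assumptions; the clients are injected so that `boto3.client("dynamodb")` and `boto3.client("verifiedpermissions")` can replace the offline stand-in.

```python
# Constructed sample item, in the typed JSON the low-level DynamoDB client
# returns; table, key and attribute names here are assumptions.
SAMPLE_ITEM = {"userId": {"S": "alice"}, "department": {"S": "finance"},
               "clearance": {"N": "3"}, "roles": {"SS": ["approver", "viewer"]}}

def ddb_to_cedar(value: dict) -> dict:
    """Map one DynamoDB typed value to a Verified Permissions AttributeValue."""
    if "S" in value:
        return {"string": value["S"]}
    if "N" in value:
        return {"long": int(value["N"])}
    if "SS" in value:
        return {"set": [{"string": s} for s in value["SS"]]}
    raise ValueError(f"unsupported DynamoDB type {list(value)}")

def build_request(store: str, principal: str, action: str, resource: str, item: dict) -> dict:
    """Assemble the IsAuthorized request, carrying the DynamoDB data as entity data."""
    user = {"entityType": "App::User", "entityId": principal}
    return {
        "policyStoreId": store,
        "principal": user,
        "action": {"actionType": "App::Action", "actionId": action},
        "resource": {"entityType": "App::Report", "entityId": resource},
        "entities": {"entityList": [{
            "identifier": user,
            "attributes": {k: ddb_to_cedar(v) for k, v in item.items()
                           if k not in ("userId", "roles")},
            # RBAC role mappings become parents, so a Cedar policy can test
            # `principal in App::Role::"approver"` directly
            "parents": [{"entityType": "App::Role", "entityId": r}
                        for r in sorted(item.get("roles", {}).get("SS", []))],
        }]},
    }

def authorize(ddb, avp, table: str, store: str, principal: str, action: str, resource: str) -> bool:
    """Steps 2 to 4 of the flow; a failed lookup or call fails closed (deny)."""
    try:
        item = ddb.get_item(TableName=table, Key={"userId": {"S": principal}}).get("Item", {})
        return avp.is_authorized(**build_request(store, principal, action, resource, item))["decision"] == "ALLOW"
    except Exception:
        return False

class FakeAws:  # offline stand-in for the boto3 dynamodb and verifiedpermissions clients
    def get_item(self, TableName, Key):
        return {"Item": SAMPLE_ITEM} if Key["userId"]["S"] == "alice" else {}
    def is_authorized(self, **req):  # toy policy: permit holders of the approver role
        roles = {p["entityId"] for p in req["entities"]["entityList"][0]["parents"]}
        return {"decision": "ALLOW" if "approver" in roles else "DENY"}

if __name__ == "__main__":
    print(authorize(FakeAws(), FakeAws(), "Users", "ps-EXAMPLE", "alice", "approve", "q3-report"))  # True
```

In production, the real Lambda handler would build the `principal`, `action` and `resource` values from the API Gateway event and the validated JWT, and only the data that is not available from the IdP token would be fetched from DynamoDB.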