Creating Amazon Verified Permissions template-linked policies
You can create template-linked policies, or policies that are based on a policy template, using the AWS Management Console,
AWS CLI, or the AWS SDKs. Template-linked policies stay linked to their policy templates. If you change the policy
statement in the policy template, any policies linked to that template automatically use the new
statement for all authorization decisions made from that moment forward.
For template-linked policy examples, see Amazon Verified Permissions example template-linked policies.
- AWS Management Console
-
To create a template-linked policy by instantiating a policy template
Open the Verified Permissions console. Choose your policy store.
-
In the navigation pane on the left, choose
Policies.
-
Choose Create policy and then choose
Create template-linked policy.
-
Choose the radio button next to the policy template to use and then choose
Next.
-
Type the Principal and
Resource to be used for this specific instance
of the template-linked policy. The specified values are displayed in the Policy
statement preview field.
The Principal and
Resource values must have the same
formatting as static policies. For example, to specify the
AdminUsers
group for the principal, type
Group::"AdminUsers"
. If you type
AdminUsers
, a validation error is displayed.
-
Choose Create template-linked policy.
The new template-linked policy is displayed under Policies.
- AWS CLI
-
To create a template-linked policy by instantiating a policy template
You can create a template-linked policy that references an existing policy template and that specifies
values for any placeholders used by the template.
The following example creates a template-linked policy that uses a template with the
following statement:
permit(
principal in ?principal,
action == PhotoFlash::Action::"view",
resource == PhotoFlash::Photo::"VacationPhoto94.jpg"
);
It also uses the following definition.txt
file to supply
the value for the definition
parameter:
{
"templateLinked": {
"policyTemplateId": "PTEXAMPLEabcdefg111111",
"principal": {
"entityType": "PhotoFlash::User",
"entityId": "alice"
}
}
}
The output shows both the resource, which it gets from the template, and the
principal, which it gets from the definition parameter
$
aws verifiedpermissions create-policy \
--definition file://definition.txt
--policy-store-id PSEXAMPLEabcdefg111111
{
"createdDate": "2023-05-22T18:57:53.298278+00:00",
"lastUpdatedDate": "2023-05-22T18:57:53.298278+00:00",
"policyId": "TPEXAMPLEabcdefg111111",
"policyStoreId": "PSEXAMPLEabcdefg111111",
"policyType": "TEMPLATELINKED",
"principal": {
"entityId": "alice",
"entityType": "PhotoFlash::User"
},
"resource": {
"entityId": "VacationPhoto94.jpg",
"entityType": "PhotoFlash::Photo"
}
}