Creating Verified Permissions policy stores - Amazon Verified Permissions

Creating Verified Permissions policy stores

You can create a policy store using the following methods:

  • Follow a guided setup – You will define a resource type with valid actions and a principal type before creating your first policy.

  • Set up with Cognito and API Gateway – Define your principals from an Amazon Cognito user pool and actions and resources from an Amazon API Gateway API. We recommend this option if you want your application to authorize API requests with users’ group membership.

  • Start from a sample policy store – Choose a pre-defined sample project policy store. We recommend this option if you are learning about Verified Permissions and want to view and test example policies.

  • Create an empty policy store – You will define the schema and all access policies yourself. We recommend this option if you are already familiar with configuring a policy store.

Guided setup
To create a policy store using the Guided setup configuration method

The guided setup wizard leads you through the process of creating the first iteration of your policy store. You will create a schema for your first resource type, describe the actions that are applicable for that resource type, and the principal type for which you are granting permissions. You will then create your first policy. Once you've completed this wizard, you will be able to add to your policy store, extend the schema to describe other resource and principal types, and create additional policies and templates.

  1. In the Verified Permissions console, select Create new policy store.

  2. In the Starting options section, choose Guided setup.

  3. Enter a Policy store description. This text can be whatever suits your organization as a friendly reference to the function of the current policy store, for example Weather updates.

  4. In the Details section, type a Namespace for your schema.

  5. Choose Next.

  6. On the Resource type window, type a name for your resource type.

  7. (Optional) Choose Add an attribute to add resource attributes. Type the Attribute name and choose an Attribute type for each attribute of the resource. Choose whether each attribute is Required. Verified Permissions uses the specified attribute values when verifying policies against the schema. To remove an attribute that has been added for the resource type, choose Remove next to the attribute.

  8. In the Actions field, type the actions to be authorized for the specified resource type. To add additional actions for the resource type, choose Add an action. To remove an action that has been added for the resource type, choose Remove next to the action.

  9. In the Name of the principal type field, type the name for a type of principal that will be using the specified actions for your resource type.

  10. Choose Next.

  11. On the Principal type window, choose the identity source for your principal type.

    • Choose Custom if the principal's ID and attributes will be provided directly by your Verified Permissions application. Choose Add an attribute to add principal attributes. Type the Attribute name and choose an Attribute type for each attribute of the principal. Verified Permissions uses the specified attribute values when verifying policies against the schema. To remove an attribute that has been added for the principal type, choose Remove next to the attribute.

    • Choose Cognito User Pool if the principal's ID and attributes will be provided from an ID or access token generated by Amazon Cognito. Choose Connect user pool. Select the AWS Region and type User pool ID of the Amazon Cognito user pool to connect to. Choose Connect. For more information, see Authorization with Amazon Verified Permissions in the Amazon Cognito Developer Guide.

  12. Choose Next.

  13. In the Policy details section, type an optional Policy description for your first Cedar policy.

  14. In the Principals scope field, choose the principals that will be granted permissions from the policy.

    • Choose Specific principal to apply the policy to a specific principal. Choose the principal in the Principal that will be permitted to take actions field and type an entity identifier for the principal.

    • Choose All principals to apply the policy to all principals in your policy store.

  15. In the Resources scope field, choose which resources that the specified principals will be authorized to act on.

    • Choose Specific resource to apply the policy to a specific resource. Choose the resource in the Resource this policy should apply to field and type an entity identifier for the resource.

    • Choose All resources to apply the policy to all resources in your policy store.

  16. In the Actions scope field, choose which actions that the specified principals will be authorized to perform.

    • Choose Specific set of actions to apply the policy to specific actions. Select the check boxes next to the actions in the Action(s) this policy should apply to field.

    • Choose All actions to apply the policy to all actions in your policy store.

  17. Review the policy in the Policy preview section. Choose Create policy store.
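
The wizard above collects a namespace, a resource type with attributes, a set of actions, a principal type, and the scope of a first permit policy. The following added example (not code from the Verified Permissions documentation) models what those inputs become: the Cedar JSON schema for the namespace and the static Cedar policy, plus a cross-check that the policy only names actions the schema declares for the chosen principal and resource types. The namespace WeatherUpdates, the types Forecast and User, the attribute and action names, and the policy store ID are constructed sample values; the mapping from the wizard's scope choices to Cedar policy scope is this example's assumption.

```python
"""Model the artifacts the guided setup produces: a Cedar JSON schema for the
namespace, resource type, actions and principal type, and the first static
policy built from the principal, resource and action scope choices.

Added example, not code from the Verified Permissions documentation. Namespace,
type, attribute and action names are constructed sample values; the mapping
from wizard scope choices to Cedar policy scope is this example's assumption.
"""
import json
from dataclasses import dataclass, field


@dataclass
class EntityType:
    """A principal or resource type: attribute name -> (Cedar type, required)."""
    name: str
    attributes: dict = field(default_factory=dict)


def _shape(entity_type):
    # Cedar JSON schema describes an entity type's attributes as a Record shape.
    return {
        "shape": {
            "type": "Record",
            "attributes": {
                attr: {"type": cedar_type, "required": required}
                for attr, (cedar_type, required) in entity_type.attributes.items()
            },
        }
    }


def build_schema(namespace, resource, actions, principal):
    """Cedar JSON schema for one resource type, its actions and one principal
    type, as the wizard collects them in steps 4 to 11."""
    return {
        namespace: {
            "entityTypes": {principal.name: _shape(principal), resource.name: _shape(resource)},
            "actions": {
                action: {"appliesTo": {"principalTypes": [principal.name],
                                       "resourceTypes": [resource.name]}}
                for action in actions
            },
        }
    }


def build_policy(namespace, principal=None, resource=None, actions=None):
    """Render the first permit policy from the scope choices in steps 14 to 16.

    principal / resource: (entity type, entity id) for a specific entity, or
    None for "All principals" / "All resources".
    actions: list of action ids for "Specific set of actions", or None for
    "All actions".
    """
    def scope(kind, selection):
        if selection is None:
            return kind
        entity_type, entity_id = selection
        return f"{kind} == {namespace}::{entity_type}::{json.dumps(entity_id)}"

    if actions is None:
        action_scope = "action"
    else:
        refs = ", ".join(f"{namespace}::Action::{json.dumps(a)}" for a in actions)
        action_scope = f"action in [{refs}]"
    return "\n".join(["permit (", f"  {scope('principal', principal)},",
                      f"  {action_scope},", f"  {scope('resource', resource)}", ");"])


def check_policy_against_schema(schema, namespace, principal_type, resource_type, actions):
    """List problems: actions the policy names that the schema does not declare,
    or that do not apply to the chosen types. With validation mode STRICT,
    Verified Permissions rejects such a policy at creation; this catches it first."""
    declared = schema[namespace]["actions"]
    problems = []
    for action in (declared if actions is None else actions):
        spec = declared.get(action)
        if spec is None:
            problems.append(f"action {action!r} is not declared in the schema")
            continue
        applies = spec["appliesTo"]
        if principal_type and principal_type not in applies["principalTypes"]:
            problems.append(f"action {action!r} does not apply to principal type {principal_type!r}")
        if resource_type and resource_type not in applies["resourceTypes"]:
            problems.append(f"action {action!r} does not apply to resource type {resource_type!r}")
    return problems


def api_requests(policy_store_id, schema, policy, description):
    """Keyword arguments for boto3's verifiedpermissions put_schema and
    create_policy calls that load these artifacts into an existing store."""
    return {
        "put_schema": {"policyStoreId": policy_store_id,
                       "definition": {"cedarJson": json.dumps(schema)}},
        "create_policy": {"policyStoreId": policy_store_id,
                          "definition": {"static": {"description": description,
                                                    "statement": policy}}},
    }


if __name__ == "__main__":
    forecast = EntityType("Forecast", {"region": ("String", True)})   # constructed
    user = EntityType("User", {"department": ("String", False)})      # constructed
    schema = build_schema("WeatherUpdates", forecast, ["viewForecast", "editForecast"], user)
    policy = build_policy("WeatherUpdates", principal=("User", "alice"), actions=["viewForecast"])
    print(policy)
    print(check_policy_against_schema(schema, "WeatherUpdates", "User", None, ["viewForecast"]))
    print(json.dumps(api_requests("PSEXAMPLEabcdefg111111", schema, policy, "Weather updates"), indent=2))
```

The check is worth running before every create_policy call, not just the first: a policy that references an undeclared action is exactly the kind of mistake that silently grants nothing (or, in a store without a schema, is never validated at all).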

Set up with Cognito and API Gateway
To create a policy store using the Set up with Amazon Cognito and API Gateway configuration method

The Amazon Cognito and API Gateway option builds a policy store for testing authorization with user pool groups and an API with a Lambda authorizer.

The users and their groups in an Amazon Cognito user pool become your principals. The methods and paths in an API Gateway API become the actions that your policies authorize. Your application becomes the resource and the provider of context. As a result of this workflow, Verified Permissions creates a policy store, a Lambda function, and an API Lambda authorizer. You must assign the Lambda authorizer to your API after you finish this workflow.

  1. In the Verified Permissions console, select Create new policy store.

  2. In the Starting options section, choose Set up with Cognito and API Gateway and select Next.

  3. In the Import resources and actions step, under API, choose an API that will function as the model to your policy store resources and actions.

    1. Choose a Deployment stage from the stages configured in your API and select Import API.

    2. Preview your Map of imported resources and actions.

    3. To update resources or actions, modify your API paths or methods and select Import API.

    4. When you are satisfied with your choices, choose Next.

  4. In the Choose identity source step, under Amazon Cognito user pools, configure your identity source.

    1. Choose a user pool in the same AWS Region and AWS account as your policy store.

    2. Choose the Token type to pass to API that you want to submit for authorization. Either token type contains user groups, the foundation of this API-linked authorization model.

    3. Under App client validation, you can limit the scope of a policy store to a subset of the Amazon Cognito app clients in a multi-tenant user pool. To require that users authenticate with one or more specified app clients in your user pool, select Only accept tokens with expected app client IDs. To accept any user who authenticates with the user pool, select Don't validate app client IDs.

    4. Choose Next.

  5. Verified Permissions queries your user pool for groups. The Assign actions to groups step creates policies for your policy store that permit group members to perform actions.

    1. Choose the Groups from user pool that you want to include in your policies.

    2. Assign actions to each of the groups that you selected.

    3. Choose Next.

  6. In the Deploy app integration step, review the steps that Verified Permissions will take to create your policy store and Lambda authorizer.

  7. When you're ready to create the new resources, choose Create and deploy.

  8. Keep the Policy store status step open in your browser to monitor the progress of resource creation by Verified Permissions.

  9. After about an hour, or when the Deploy Lambda authorizer step shows Success, configure your authorizer.

    Verified Permissions will have created a Lambda function and a Lambda authorizer in your API. Choose Open API to navigate to your API.

    To learn how to assign a Lambda authorizer, see Use API Gateway Lambda authorizers in the Amazon API Gateway Developer Guide.

    1. Navigate to Authorizers for your API and note the name of the authorizer that Verified Permissions created.

    2. Navigate to Resources and select a top-level method in your API.

    3. Select Edit under Method request settings.

    4. Set the Authorizer to be the authorizer name you noted earlier.

    5. Expand HTTP request headers, enter a Name of AUTHORIZATION, and select Required.

    6. Deploy the API stage.

    7. Save your changes.

  10. Test your authorizer with a user pool token of the Token type that you selected in the Choose identity source step. For more information about user pool sign-in and retrieving tokens, see User pool authentication flow in the Amazon Cognito Developer Guide.

  11. Test authentication again with a user pool token in the AUTHORIZATION header of a request to your API.

  12. Examine your new policy store. Add and refine policies.
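
In this workflow the user pool token in the AUTHORIZATION header is the principal, the API method and path are the action, and the application is the resource. The following added example (not the authorizer that the console workflow deploys) shows the shape of such a Lambda authorizer: it extracts the token, calls IsAuthorizedWithToken through boto3, and turns the ALLOW/DENY decision into the policy document API Gateway expects, denying whenever the token is absent or the call fails. The namespace PetStoreApi, the action naming "METHOD /path", the single Application resource entity, and the sample events are constructed assumptions; the policy store ID is the one from the CLI output on this page. The token type keyword must match the Token type chosen in the Choose identity source step. A fake client stands in for the service so the module runs offline.

```python
"""Lambda authorizer that asks Verified Permissions whether the caller's user
pool token permits the requested API method and path, and translates the
decision into the Allow/Deny policy that API Gateway expects.

Added example, not the authorizer the console workflow deploys. The action
naming "METHOD /path", the single Application resource, the namespace and the
sample events are constructed assumptions. In Lambda, load the three constants
below from environment variables.
"""

POLICY_STORE_ID = "PSEXAMPLEabcdefg111111"   # constructed (id from the page's CLI output)
NAMESPACE = "PetStoreApi"                    # constructed
TOKEN_TYPE = "identityToken"                 # or "accessToken"; match the console choice


def build_authorization_request(event):
    """Map an API Gateway REQUEST authorizer event to the keyword arguments of
    IsAuthorizedWithToken, or return None when the AUTHORIZATION header is
    missing (the header is marked Required in step 9, but fail closed anyway)."""
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    token = headers.get("authorization", "").strip()
    if token.lower().startswith("bearer "):          # assumption: optional Bearer prefix
        token = token[len("bearer "):].strip()
    if not token:
        return None
    return {
        "policyStoreId": POLICY_STORE_ID,
        TOKEN_TYPE: token,
        "action": {"actionType": f"{NAMESPACE}::Action",
                   "actionId": f"{event['httpMethod'].upper()} {event['path']}"},  # assumption
        "resource": {"entityType": f"{NAMESPACE}::Application", "entityId": NAMESPACE},
    }


def apigw_policy(effect, method_arn, principal_id="anonymous"):
    """The IAM-style document API Gateway consumes from a Lambda authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": effect,
                           "Resource": method_arn}],
        },
    }


def handler(event, context=None, client=None):
    """Lambda entry point. `client` is injected for offline tests; in Lambda it
    defaults to boto3.client("verifiedpermissions")."""
    if client is None:
        import boto3  # only needed inside Lambda
        client = boto3.client("verifiedpermissions")
    method_arn = event.get("methodArn", "*")
    request = build_authorization_request(event)
    if request is None:
        return apigw_policy("Deny", method_arn)
    try:
        result = client.is_authorized_with_token(**request)
    except Exception:
        # Expired or malformed token, unexpected app client, service error: deny.
        return apigw_policy("Deny", method_arn)
    effect = "Allow" if result.get("decision") == "ALLOW" else "Deny"
    principal = result.get("principal") or {}
    return apigw_policy(effect, method_arn, principal.get("entityId", "user"))


class FakeVerifiedPermissions:
    """Constructed stand-in for the boto3 client: only token "good-token"
    performing "GET /pets" is permitted; every call is recorded."""
    def __init__(self):
        self.calls = []

    def is_authorized_with_token(self, **kwargs):
        self.calls.append(kwargs)
        token = kwargs.get("identityToken") or kwargs.get("accessToken")
        allowed = token == "good-token" and kwargs["action"]["actionId"] == "GET /pets"
        return {"decision": "ALLOW" if allowed else "DENY", "determiningPolicies": [],
                "errors": [], "principal": {"entityType": f"{NAMESPACE}::User",
                                            "entityId": "alice"}}


def sample_event(method, path, token=None):
    """Constructed API Gateway REQUEST authorizer event."""
    event = {"type": "REQUEST", "httpMethod": method, "path": path, "headers": {},
             "methodArn": f"arn:aws:execute-api:us-east-1:123456789012:abc123/prod/{method}{path}"}
    if token is not None:
        event["headers"]["Authorization"] = f"Bearer {token}"
    return event


if __name__ == "__main__":
    fake = FakeVerifiedPermissions()
    for ev in (sample_event("GET", "/pets", "good-token"),
               sample_event("DELETE", "/pets/1", "good-token"),
               sample_event("GET", "/pets")):
        decision = handler(ev, client=fake)["policyDocument"]["Statement"][0]["Effect"]
        print(ev["httpMethod"], ev["path"], decision)
```

Two design points carry over to a real authorizer: every failure path returns Deny rather than raising (an exception from a Lambda authorizer surfaces to the client as a 500, not as a denial you can reason about), and the token is passed to Verified Permissions for validation rather than decoded locally, so signature, expiry and app client checks stay with the service.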

Sample policy store
To create a policy store using the Sample policy store configuration method

  1. In the Starting options section, choose Sample policy store.

  2. In the Sample project section, choose the type of sample Verified Permissions application to use.

    • PhotoFlash is a sample customer-facing web application that enables users to share individual photos and albums with friends. Users can set fine-grained permissions on who is allowed to view, comment on, and re-share their photos. Account owners can also create groups of friends and organize photos into albums.

    • DigitalPetStore is a sample application where anyone can register and become a customer. Customers can add pets for sale, search pets, and place orders. Customers who have added a pet are recorded as the pet owner. Pet owners can update the pet's details, upload a pet image, or delete the pet listing. Customers who have placed an order are recorded as the order owner. Order owners can get details on the order or cancel it. Pet store managers have administrative access.

      Note

      The DigitalPetStore sample policy store does not include policy templates. The PhotoFlash and TinyTodo sample policy stores include policy templates.

    • TinyTodo is a sample application that enables users to create tasks and task lists. List owners can manage and share their lists and specify who can view or edit their lists.

  3. A namespace for the schema of your sample policy store is automatically generated based on the sample project you chose.

  4. Choose Create policy store.

    Your policy store is created with policies and a schema for the sample policy store you chose. For more information on template-linked policies you can create for the sample policy stores, see Example template-linked policies for Verified Permissions sample policy stores.

Empty policy store
To create a policy store using the Empty policy store configuration method

  1. In the Starting options section, choose Empty policy store.

  2. Choose Create policy store.

An empty policy store is created without a schema, which means policies are not validated. For more information about updating the schema for your policy store, see Amazon Verified Permissions policy store schema.

For more information about creating policies for your policy store, see Creating Amazon Verified Permissions static policies and Creating template-linked policies.

AWS CLI
To create an empty policy store by using the AWS CLI.

You can create a policy store by using the create-policy-store operation.

Note

A policy store that you create by using the AWS CLI is empty.

$ aws verifiedpermissions create-policy-store \
    --validation-settings "mode=STRICT"
{
    "arn": "arn:aws:verifiedpermissions::123456789012:policy-store/PSEXAMPLEabcdefg111111",
    "createdDate": "2023-05-16T17:41:29.103459+00:00",
    "lastUpdatedDate": "2023-05-16T17:41:29.103459+00:00",
    "policyStoreId": "PSEXAMPLEabcdefg111111"
}

AWS SDKs

You can create a policy store using the CreatePolicyStore API. For more information, see CreatePolicyStore in the Amazon Verified Permissions API Reference Guide.