Boolean booleanValue
An attribute value of Boolean type.
Example: {"boolean": true}
EntityIdentifier entityIdentifier
An attribute value of type EntityIdentifier.
Example: "entityIdentifier": { "entityId": "<id>", "entityType": "<entity type>"}
Long longValue
An attribute value of Long type.
Example: {"long": 0}
String string
An attribute value of String type.
Example: {"string": "abc"}
List<E> set
An attribute value of Set type.
Example: {"set": [ {} ] }
Map<K,V> record
An attribute value of Record type.
Example: {"record": { "keyName": {} } }
EntityIdentifier principal
Specifies the principal for which the authorization decision is to be made.
ActionIdentifier action
Specifies the requested action to be authorized. For example, PhotoFlash::ReadPhoto.
EntityIdentifier resource
Specifies the resource that you want an authorization decision for. For example, PhotoFlash::Photo.
ContextDefinition context
Specifies additional context that can be used to make more granular authorization decisions.
BatchIsAuthorizedInputItem request
The authorization request that initiated the decision.
String decision
An authorization decision that indicates if the authorization request should be allowed or denied.
List<E> determiningPolicies
The list of determining policies used to make the authorization decision. For example, if there are two matching policies, where one is a forbid and the other is a permit, then the forbid policy will be the determining policy. In the case of multiple matching permit policies then there would be multiple determining policies. In the case that no policies match, and hence the response is DENY, there would be no determining policies.
List<E> errors
Errors that occurred while making an authorization decision. For example, a policy might reference an entity or attribute that doesn't exist in the request.
String policyStoreId
Specifies the ID of the policy store. Policies in this policy store will be used to make the authorization decisions for the input.
EntitiesDefinition entities
Specifies the list of resources and principals and their associated attributes that Verified Permissions can examine when evaluating the policies.
You can include only principal and resource entities in this parameter; you can't include actions. You must specify actions in the schema.
List<E> requests
An array of up to 30 requests that you want Verified Permissions to evaluate.
ActionIdentifier action
Specifies the requested action to be authorized. For example, PhotoFlash::ReadPhoto.
EntityIdentifier resource
Specifies the resource that you want an authorization decision for. For example, PhotoFlash::Photo.
ContextDefinition context
Specifies additional context that can be used to make more granular authorization decisions.
BatchIsAuthorizedWithTokenInputItem request
The authorization request that initiated the decision.
String decision
An authorization decision that indicates if the authorization request should be allowed or denied.
List<E> determiningPolicies
The list of determining policies used to make the authorization decision. For example, if there are two matching policies, where one is a forbid and the other is a permit, then the forbid policy will be the determining policy. In the case of multiple matching permit policies then there would be multiple determining policies. In the case that no policies match, and hence the response is DENY, there would be no determining policies.
List<E> errors
Errors that occurred while making an authorization decision. For example, a policy might reference an entity or attribute that doesn't exist in the request.
String policyStoreId
Specifies the ID of the policy store. Policies in this policy store will be used to make an authorization decision for the input.
String identityToken
Specifies an identity (ID) token for the principal that you want to authorize in each request. This token is
provided to you by the identity provider (IdP) associated with the specified identity source. You must specify
either an accessToken, an identityToken, or both.
Must be an ID token. Verified Permissions returns an error if the token_use claim in the submitted
token isn't id.
String accessToken
Specifies an access token for the principal that you want to authorize in each request. This token is provided to
you by the identity provider (IdP) associated with the specified identity source. You must specify either an
accessToken, an identityToken, or both.
Must be an access token. Verified Permissions returns an error if the token_use claim in the
submitted token isn't access.
EntitiesDefinition entities
Specifies the list of resources and their associated attributes that Verified Permissions can examine when evaluating the policies.
You can't include principals in this parameter, only resource and action entities. This parameter can't include any entities of a type that matches the user or group entity types that you defined in your identity source.
The BatchIsAuthorizedWithToken operation takes principal attributes from only the
identityToken or accessToken passed to the operation.
For action entities, you can include only their Identifier and EntityType.
List<E> requests
An array of up to 30 requests that you want Verified Permissions to evaluate.
EntityIdentifier principal
The identifier of the principal in the ID or access token.
List<E> results
A series of Allow or Deny decisions for each request, and the policies that produced
them.
String groupEntityType
The name of the schema entity type that's mapped to the user pool group. Defaults to
AWS::CognitoGroup.
String groupEntityType
The name of the schema entity type that's mapped to the user pool group. Defaults to
AWS::CognitoGroup.
String groupEntityType
The name of the schema entity type that's mapped to the user pool group. Defaults to
AWS::CognitoGroup.
String userPoolArn
The Amazon Resource Name (ARN) of the Amazon Cognito user pool that contains the identities to be authorized.
Example: "UserPoolArn": "arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5"
List<E> clientIds
The unique application client IDs that are associated with the specified Amazon Cognito user pool.
Example: "ClientIds": ["a1b2c3d4e5f6g7h8i9j0kalbmc"]
CognitoGroupConfiguration groupConfiguration
The type of entity that a policy store maps to groups from an Amazon Cognito user pool identity source.
String userPoolArn
The Amazon Resource Name (ARN) of the Amazon Cognito user pool that contains the identities to be authorized.
Example: "userPoolArn": "arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5"
List<E> clientIds
The unique application client IDs that are associated with the specified Amazon Cognito user pool.
Example: "clientIds": ["a1b2c3d4e5f6g7h8i9j0kalbmc"]
String issuer
The OpenID Connect (OIDC) issuer ID of the Amazon Cognito user pool that contains the identities to
be authorized.
Example: "issuer": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_1a2b3c4d5"
CognitoGroupConfigurationDetail groupConfiguration
The type of entity that a policy store maps to groups from an Amazon Cognito user pool identity source.
String userPoolArn
The Amazon Resource Name (ARN) of the Amazon Cognito user pool that contains the identities to be authorized.
Example: "userPoolArn": "arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5"
List<E> clientIds
The unique application client IDs that are associated with the specified Amazon Cognito user pool.
Example: "clientIds": ["a1b2c3d4e5f6g7h8i9j0kalbmc"]
String issuer
The OpenID Connect (OIDC) issuer ID of the Amazon Cognito user pool that contains the identities to
be authorized.
Example: "issuer": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_1a2b3c4d5"
CognitoGroupConfigurationItem groupConfiguration
The type of entity that a policy store maps to groups from an Amazon Cognito user pool identity source.
CognitoUserPoolConfiguration cognitoUserPoolConfiguration
Contains configuration details of an Amazon Cognito user pool that Verified Permissions can use as a source of authenticated identities as entities. It specifies the Amazon Resource Name (ARN) of an Amazon Cognito user pool and one or more application client IDs.
Example:
"configuration":{"cognitoUserPoolConfiguration":{"userPoolArn":"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5","clientIds": ["a1b2c3d4e5f6g7h8i9j0kalbmc"],"groupConfiguration": {"groupEntityType": "MyCorp::Group"}}}
OpenIdConnectConfiguration openIdConnectConfiguration
Contains configuration details of an OpenID Connect (OIDC) identity provider, or identity source, that Verified Permissions can use to generate entities from authenticated identities. It specifies the issuer URL, token type that you want to use, and policy store entity details.
Example:
"configuration":{"openIdConnectConfiguration":{"issuer":"https://auth.example.com","tokenSelection":{"accessTokenOnly":{"audiences":["https://myapp.example.com","https://myapp2.example.com"],"principalIdClaim":"sub"}},"entityIdPrefix":"MyOIDCProvider","groupConfiguration":{"groupClaim":"groups","groupEntityType":"MyCorp::UserGroup"}}}
CognitoUserPoolConfigurationDetail cognitoUserPoolConfiguration
Contains configuration details of an Amazon Cognito user pool that Verified Permissions can use as a source of authenticated identities as entities. It specifies the Amazon Resource Name (ARN) of an Amazon Cognito user pool, the policy store entity that you want to assign to user groups, and one or more application client IDs.
Example:
"configuration":{"cognitoUserPoolConfiguration":{"userPoolArn":"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5","clientIds": ["a1b2c3d4e5f6g7h8i9j0kalbmc"],"groupConfiguration": {"groupEntityType": "MyCorp::Group"}}}
OpenIdConnectConfigurationDetail openIdConnectConfiguration
Contains configuration details of an OpenID Connect (OIDC) identity provider, or identity source, that Verified Permissions can use to generate entities from authenticated identities. It specifies the issuer URL, token type that you want to use, and policy store entity details.
Example:
"configuration":{"openIdConnectConfiguration":{"issuer":"https://auth.example.com","tokenSelection":{"accessTokenOnly":{"audiences":["https://myapp.example.com","https://myapp2.example.com"],"principalIdClaim":"sub"}},"entityIdPrefix":"MyOIDCProvider","groupConfiguration":{"groupClaim":"groups","groupEntityType":"MyCorp::UserGroup"}}}
CognitoUserPoolConfigurationItem cognitoUserPoolConfiguration
Contains configuration details of an Amazon Cognito user pool that Verified Permissions can use as a source of authenticated identities as entities. It specifies the Amazon Resource Name (ARN) of an Amazon Cognito user pool, the policy store entity that you want to assign to user groups, and one or more application client IDs.
Example:
"configuration":{"cognitoUserPoolConfiguration":{"userPoolArn":"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5","clientIds": ["a1b2c3d4e5f6g7h8i9j0kalbmc"],"groupConfiguration": {"groupEntityType": "MyCorp::Group"}}}
OpenIdConnectConfigurationItem openIdConnectConfiguration
Contains configuration details of an OpenID Connect (OIDC) identity provider, or identity source, that Verified Permissions can use to generate entities from authenticated identities. It specifies the issuer URL, token type that you want to use, and policy store entity details.
Example:
"configuration":{"openIdConnectConfiguration":{"issuer":"https://auth.example.com","tokenSelection":{"accessTokenOnly":{"audiences":["https://myapp.example.com","https://myapp2.example.com"],"principalIdClaim":"sub"}},"entityIdPrefix":"MyOIDCProvider","groupConfiguration":{"groupClaim":"groups","groupEntityType":"MyCorp::UserGroup"}}}
String clientToken
Specifies a unique, case-sensitive ID that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value.
If you don't provide this value, then Amazon Web Services generates a random one for you.
If you retry the operation with the same ClientToken, but with different parameters, the retry fails with a ConflictException error.
Verified Permissions recognizes a ClientToken for eight hours. After eight hours, the next request
with the same parameters performs the operation again regardless of the value of ClientToken.
String policyStoreId
Specifies the ID of the policy store in which you want to store this identity source. Only policies and requests made using this policy store can reference identities from the identity provider configured in the new identity source.
Configuration configuration
Specifies the details required to communicate with the identity provider (IdP) associated with this identity source.
String principalEntityType
Specifies the namespace and data type of the principals generated for identities authenticated by the new identity source.
Date createdDate
The date and time the identity source was originally created.
String identitySourceId
The unique ID of the new identity source.
Date lastUpdatedDate
The date and time the identity source was most recently updated.
String policyStoreId
The ID of the policy store that contains the identity source.
String clientToken
Specifies a unique, case-sensitive ID that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value.
If you don't provide this value, then Amazon Web Services generates a random one for you.
If you retry the operation with the same ClientToken, but with different parameters, the retry fails with a ConflictException error.
Verified Permissions recognizes a ClientToken for eight hours. After eight hours, the next request
with the same parameters performs the operation again regardless of the value of ClientToken.
String policyStoreId
Specifies the PolicyStoreId of the policy store you want to store the policy in.
PolicyDefinition definition
A structure that specifies the policy type and content to use for the new policy. You must include either a static or a templateLinked element. The policy content must be written in the Cedar policy language.
String policyStoreId
The ID of the policy store that contains the new policy.
String policyId
The unique ID of the new policy.
String policyType
The policy type of the new policy.
EntityIdentifier principal
The principal specified in the new policy's scope. This response element isn't present when
principal isn't specified in the policy content.
EntityIdentifier resource
The resource specified in the new policy's scope. This response element isn't present when the
resource isn't specified in the policy content.
List<E> actions
The action that a policy permits or forbids. For example,
{"actions": [{"actionId": "ViewPhoto", "actionType": "PhotoFlash::Action"}, {"actionId": "SharePhoto", "actionType": "PhotoFlash::Action"}]}.
Date createdDate
The date and time the policy was originally created.
Date lastUpdatedDate
The date and time the policy was last updated.
String effect
The effect of the decision that a policy returns to an authorization request. For example,
"effect": "Permit".
String clientToken
Specifies a unique, case-sensitive ID that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value.
If you don't provide this value, then Amazon Web Services generates a random one for you.
If you retry the operation with the same ClientToken, but with different parameters, the retry fails with a ConflictException error.
Verified Permissions recognizes a ClientToken for eight hours. After eight hours, the next request
with the same parameters performs the operation again regardless of the value of ClientToken.
ValidationSettings validationSettings
Specifies the validation setting for this policy store.
Currently, the only valid and required value is Mode.
We recommend that you turn on STRICT mode only after you define a schema. If a schema doesn't exist,
then STRICT mode causes any policy to fail validation, and Verified Permissions rejects the policy.
You can turn off validation by using the UpdatePolicyStore operation. Then, when you have a schema defined, use UpdatePolicyStore again to turn validation back on.
String description
Descriptive text that you can provide to help with identification of the current policy store.
String policyStoreId
The unique ID of the new policy store.
String arn
The Amazon Resource Name (ARN) of the new policy store.
Date createdDate
The date and time the policy store was originally created.
Date lastUpdatedDate
The date and time the policy store was last updated.
String clientToken
Specifies a unique, case-sensitive ID that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value.
If you don't provide this value, then Amazon Web Services generates a random one for you.
If you retry the operation with the same ClientToken, but with different parameters, the retry fails with a ConflictException error.
Verified Permissions recognizes a ClientToken for eight hours. After eight hours, the next request
with the same parameters performs the operation again regardless of the value of ClientToken.
String policyStoreId
The ID of the policy store in which to create the policy template.
String description
Specifies a description for the policy template.
String statement
Specifies the content that you want to use for the new policy template, written in the Cedar policy language.
String policyStoreId
The ID of the policy store that contains the policy template.
String policyTemplateId
The unique ID of the new policy template.
Date createdDate
The date and time the policy template was originally created.
Date lastUpdatedDate
The date and time the policy template was most recently updated.
String policyStoreId
Specifies the ID of the policy store that you want to delete.
String policyId
The ID of a policy that contributed to an authorization decision.
Example: "policyId":"SPEXAMPLEabcdefg111111"
EntityIdentifier identifier
The identifier of the entity.
Map<K,V> attributes
A list of attributes for the entity.
List<E> parents
The parent entities in the hierarchy that contains the entity. A principal or resource entity can be defined with at most 99 transitive parents per authorization request.
A transitive parent is an entity in the hierarchy of entities including all direct parents, and parents of parents. For example, a user can be a member of 91 groups if one of those groups is a member of eight groups, for a total of 100: one entity, 91 entity parents, and eight parents of parents.
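Counting transitive parents the way the page describes, as an added example (not code from the page or from the service): it walks the `parents` lists of an EntitiesDefinition-style `entityList`, guards against cycles, and flags any entity over the 99-parent limit before the request is sent. The entity list is constructed here and reproduces the page's worked count (91 groups plus eight parents of one group); entity type names are assumed.

```python
from collections import deque

# Page limit: a principal or resource may have at most 99 transitive parents per request.
MAX_TRANSITIVE_PARENTS = 99


def entity_key(identifier):
    """Turn an EntityIdentifier dict into a hashable (entityType, entityId) pair."""
    return (identifier["entityType"], identifier["entityId"])


def transitive_parents(entity_list, start):
    """Return the set of all transitive parents of `start`: direct parents, parents of
    parents, and so on. Breadth-first with a visited set, so a cycle cannot loop."""
    parents_of = {entity_key(e["identifier"]): [entity_key(p) for p in e.get("parents", [])]
                  for e in entity_list}
    seen = set()
    queue = deque(parents_of.get(entity_key(start), []))
    while queue:
        parent = queue.popleft()
        if parent in seen:
            continue
        seen.add(parent)
        queue.extend(parents_of.get(parent, []))
    return seen


def check_parent_limits(entity_list):
    """Map each entity to its transitive parent count and list those over the limit.
    Returns (counts, offenders) so a caller can reject the request locally."""
    counts = {}
    for e in entity_list:
        counts[entity_key(e["identifier"])] = len(transitive_parents(entity_list, e["identifier"]))
    offenders = sorted(k for k, n in counts.items() if n > MAX_TRANSITIVE_PARENTS)
    return counts, offenders


def build_sample_entity_list(extra_group_parents=0):
    """Constructed entityList reproducing the page's count: one user in 91 groups, one of
    which is itself in eight groups (99 transitive parents). `extra_group_parents` adds
    more parents to that group to push the user over the limit."""
    def ident(entity_type, entity_id):
        return {"entityType": entity_type, "entityId": entity_id}

    groups = [ident("PhotoFlash::UserGroup", f"group-{n}") for n in range(91)]
    parent_groups = [ident("PhotoFlash::UserGroup", f"parent-{n}")
                     for n in range(8 + extra_group_parents)]
    entity_list = [
        {"identifier": ident("PhotoFlash::User", "alice"), "attributes": {}, "parents": groups},
        # group-0 is itself a member of the parent groups
        {"identifier": groups[0], "attributes": {}, "parents": parent_groups},
    ]
    # the remaining groups and the parent groups have no parents of their own
    entity_list += [{"identifier": g, "attributes": {}, "parents": []}
                    for g in groups[1:] + parent_groups]
    return entity_list
```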
Boolean unspecified
Used to indicate that a principal or resource is not specified. This can be used to search for policies that are not associated with a specific principal or resource.
EntityIdentifier identifier
The identifier of the entity. It can consist of either an EntityType and EntityId, a principal, or a resource.
String errorDescription
The error description.
Date createdDate
The date and time that the identity source was originally created.
IdentitySourceDetails details
A structure that describes the configuration of the identity source.
String identitySourceId
The ID of the identity source.
Date lastUpdatedDate
The date and time that the identity source was most recently updated.
String policyStoreId
The ID of the policy store that contains the identity source.
String principalEntityType
The data type of principals generated for identities authenticated by this identity source.
ConfigurationDetail configuration
Contains configuration information about an identity source.
String policyStoreId
The ID of the policy store that contains the policy that you want information about.
String policyId
The unique ID of the policy that you want information about.
String policyType
The type of the policy.
EntityIdentifier principal
The principal specified in the policy's scope. This element isn't included in the response when
Principal isn't present in the policy content.
EntityIdentifier resource
The resource specified in the policy's scope. This element isn't included in the response when
Resource isn't present in the policy content.
List<E> actions
The action that a policy permits or forbids. For example,
{"actions": [{"actionId": "ViewPhoto", "actionType": "PhotoFlash::Action"}, {"actionId": "SharePhoto", "actionType": "PhotoFlash::Action"}]}.
PolicyDefinitionDetail definition
The definition of the requested policy.
Date createdDate
The date and time that the policy was originally created.
Date lastUpdatedDate
The date and time that the policy was last updated.
String effect
The effect of the decision that a policy returns to an authorization request. For example,
"effect": "Permit".
String policyStoreId
Specifies the ID of the policy store that you want information about.
String policyStoreId
The ID of the policy store.
String arn
The Amazon Resource Name (ARN) of the policy store.
ValidationSettings validationSettings
The current validation settings for the policy store.
Date createdDate
The date and time that the policy store was originally created.
Date lastUpdatedDate
The date and time that the policy store was last updated.
String description
Descriptive text that you can provide to help with identification of the current policy store.
String policyStoreId
The ID of the policy store that contains the policy template.
String policyTemplateId
The ID of the policy template.
String description
The description of the policy template.
String statement
The content of the body of the policy template written in the Cedar policy language.
Date createdDate
The date and time that the policy template was originally created.
Date lastUpdatedDate
The date and time that the policy template was most recently updated.
String policyStoreId
Specifies the ID of the policy store that contains the schema.
String policyStoreId
The ID of the policy store that contains the schema.
String schema
The body of the schema, written in Cedar schema JSON.
Date createdDate
The date and time that the schema was originally created.
Date lastUpdatedDate
The date and time that the schema was most recently updated.
List<E> namespaces
The namespaces of the entities referenced by this schema.
List<E> clientIds
The application client IDs associated with the specified Amazon Cognito user pool that are enabled for this identity source.
String userPoolArn
The Amazon Resource Name (ARN) of the Amazon Cognito user pool whose identities are accessible to this Verified Permissions policy store.
String discoveryUrl
The well-known URL that points to this user pool's OIDC discovery endpoint. This is a URL string in the following format. This URL replaces the placeholders for both the Amazon Web Services Region and the user pool identifier with those appropriate for this user pool.
https://cognito-idp.<region>.amazonaws.com/<user-pool-id>/.well-known/openid-configuration
String openIdIssuer
A string that identifies the type of OIDC service represented by this identity source.
At this time, the only valid value is cognito.
String principalEntityType
The Cedar entity type of the principals returned by the identity provider (IdP) associated with this identity source.
Date createdDate
The date and time the identity source was originally created.
IdentitySourceItemDetails details
A structure that contains the details of the associated identity provider (IdP).
String identitySourceId
The unique identifier of the identity source.
Date lastUpdatedDate
The date and time the identity source was most recently updated.
String policyStoreId
The identifier of the policy store that contains the identity source.
String principalEntityType
The Cedar entity type of the principals returned from the IdP associated with this identity source.
ConfigurationItem configuration
Contains configuration information about an identity source.
List<E> clientIds
The application client IDs associated with the specified Amazon Cognito user pool that are enabled for this identity source.
String userPoolArn
The Amazon Cognito user pool whose identities are accessible to this Verified Permissions policy store.
String discoveryUrl
The well-known URL that points to this user pool's OIDC discovery endpoint. This is a URL string in the following format. This URL replaces the placeholders for both the Amazon Web Services Region and the user pool identifier with those appropriate for this user pool.
https://cognito-idp.<region>.amazonaws.com/<user-pool-id>/.well-known/openid-configuration
String openIdIssuer
A string that identifies the type of OIDC service represented by this identity source.
At this time, the only valid value is cognito.
String policyStoreId
Specifies the ID of the policy store. Policies in this policy store will be used to make an authorization decision for the input.
EntityIdentifier principal
Specifies the principal for which the authorization decision is to be made.
ActionIdentifier action
Specifies the requested action to be authorized. For example, is the principal authorized to perform this action on the resource?
EntityIdentifier resource
Specifies the resource for which the authorization decision is to be made.
ContextDefinition context
Specifies additional context that can be used to make more granular authorization decisions.
EntitiesDefinition entities
Specifies the list of resources and principals and their associated attributes that Verified Permissions can examine when evaluating the policies.
You can include only principal and resource entities in this parameter; you can't include actions. You must specify actions in the schema.
String decision
An authorization decision that indicates if the authorization request should be allowed or denied.
List<E> determiningPolicies
The list of determining policies used to make the authorization decision. For example, if there are two matching policies, where one is a forbid and the other is a permit, then the forbid policy will be the determining policy. In the case of multiple matching permit policies then there would be multiple determining policies. In the case that no policies match, and hence the response is DENY, there would be no determining policies.
List<E> errors
Errors that occurred while making an authorization decision. For example, a policy might reference an entity or entity attribute that doesn't exist in the slice.
String policyStoreId
Specifies the ID of the policy store. Policies in this policy store will be used to make an authorization decision for the input.
String identityToken
Specifies an identity token for the principal to be authorized. This token is provided to you by the identity provider (IdP) associated with the specified identity source. You must specify either an accessToken, an identityToken, or both.
Must be an ID token. Verified Permissions returns an error if the token_use claim in the submitted token isn't id.
String accessToken
Specifies an access token for the principal to be authorized. This token is provided to you by the identity provider (IdP) associated with the specified identity source. You must specify either an accessToken, an identityToken, or both.
Must be an access token. Verified Permissions returns an error if the token_use claim in the submitted token isn't access.
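A local preflight of the token rules stated here (and for the identityToken and accessToken parameters of BatchIsAuthorizedWithToken above), added as an example that is not code from the page or the service: it confirms that at least one token is given and that each token's `token_use` claim matches the parameter it is passed in, so a swapped token is caught before the call. It only reads claims; signature, issuer and audience validation remain the service's job. The test tokens are constructed and unsigned, with the issuer format shown on this page.

```python
import base64
import json


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Read the claims of a compact JWT. This does NOT verify the signature:
    Verified Permissions validates the token itself; this is only a local preflight."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def preflight_token_params(identity_token=None, access_token=None):
    """Apply the page's rules before calling IsAuthorizedWithToken: at least one token,
    identityToken must carry token_use == "id", accessToken must carry token_use == "access".
    Returns the request parameters to pass through, or raises ValueError."""
    if identity_token is None and access_token is None:
        raise ValueError("specify an accessToken, an identityToken, or both")
    params = {}
    for name, token, expected in (("identityToken", identity_token, "id"),
                                  ("accessToken", access_token, "access")):
        if token is None:
            continue
        token_use = jwt_claims(token).get("token_use")
        if token_use != expected:
            raise ValueError(f"{name}: token_use is {token_use!r}, expected {expected!r}")
        params[name] = token
    return params


def make_test_jwt(claims):
    """Constructed, unsigned test token with a placeholder signature; offline use only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "placeholder-signature"])


# Constructed claims; the issuer follows the format shown on this page.
ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_1a2b3c4d5"
ID_TOKEN = make_test_jwt({"iss": ISSUER, "sub": "alice", "token_use": "id"})
ACCESS_TOKEN = make_test_jwt({"iss": ISSUER, "sub": "alice", "token_use": "access"})
```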
ActionIdentifier action
Specifies the requested action to be authorized. Is the specified principal authorized to perform this action on the specified resource?
EntityIdentifier resource
Specifies the resource for which the authorization decision is made. For example, is the principal allowed to perform the action on the resource?
ContextDefinition context
Specifies additional context that can be used to make more granular authorization decisions.
EntitiesDefinition entities
Specifies the list of resources and their associated attributes that Verified Permissions can examine when evaluating the policies.
You can't include principals in this parameter, only resource and action entities. This parameter can't include any entities of a type that matches the user or group entity types that you defined in your identity source.
The IsAuthorizedWithToken operation takes principal attributes from only the
identityToken or accessToken passed to the operation.
For action entities, you can include only their Identifier and EntityType.
String decision
An authorization decision that indicates if the authorization request should be allowed or denied.
List<E> determiningPolicies
The list of determining policies used to make the authorization decision. For example, if there are multiple matching policies, where at least one is a forbid policy, then because forbid always overrides permit the forbid policies are the determining policies. If all matching policies are permit policies, then those policies are the determining policies. When no policies match and the response is the default DENY, there are no determining policies.
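The combination rule stated here (and repeated for the IsAuthorized and BatchIsAuthorized results above), worked through as an added example that is not code from the page or from the service. Scope matching is simplified to equality or "unspecified" (real Cedar also has `in` hierarchies and `when`/`unless` conditions); the policy store is constructed, with made-up policy IDs in the page's SPEXAMPLE style and the page's PhotoFlash names.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Policy:
    """A static policy reduced to scope and effect. A scope of None is the 'unspecified'
    case on this page: the policy applies to any principal, action or resource."""
    policy_id: str
    effect: str                          # "Permit" or "Forbid", as in the page's "effect" element
    principal: Optional[str] = None      # e.g. 'PhotoFlash::User::"alice"'
    action: Optional[str] = None         # e.g. "PhotoFlash::ReadPhoto"
    resource: Optional[str] = None       # e.g. 'PhotoFlash::Photo::"public.jpg"'


@dataclass
class Decision:
    decision: str                                    # "ALLOW" or "DENY"
    determining_policies: List[str] = field(default_factory=list)


def scope_matches(policy, principal, action, resource):
    """Simplified Cedar scope test: each element is unspecified or exactly equal."""
    return all(want is None or want == got for want, got in
               ((policy.principal, principal), (policy.action, action),
                (policy.resource, resource)))


def combine(matching):
    """The page's rule applied to the policies that matched a request:
    any matching forbid  -> DENY, the forbid policies are determining (forbid overrides permit);
    only permits matched -> ALLOW, all of them are determining;
    nothing matched      -> default DENY with no determining policies."""
    forbids = [p.policy_id for p in matching if p.effect == "Forbid"]
    permits = [p.policy_id for p in matching if p.effect == "Permit"]
    if forbids:
        return Decision("DENY", forbids)
    if permits:
        return Decision("ALLOW", permits)
    return Decision("DENY", [])


def is_authorized(policies, principal, action, resource):
    """Evaluate one request against a policy store and return the decision."""
    matching = [p for p in policies if scope_matches(p, principal, action, resource)]
    return combine(matching)


# Constructed policy store (IDs are made up in the page's SPEXAMPLE... style).
SAMPLE_POLICIES = [
    # alice may read any photo
    Policy("SPEXAMPLEabcdefg111111", "Permit", 'PhotoFlash::User::"alice"', "PhotoFlash::ReadPhoto"),
    # anyone may read the public photo
    Policy("SPEXAMPLEabcdefg222222", "Permit", action="PhotoFlash::ReadPhoto",
           resource='PhotoFlash::Photo::"public.jpg"'),
    # alice may do nothing at all to the private photo
    Policy("SPEXAMPLEabcdefg333333", "Forbid", 'PhotoFlash::User::"alice"',
           resource='PhotoFlash::Photo::"private.jpg"'),
]
```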
List<E> errors
Errors that occurred while making an authorization decision. For example, a policy references an entity or entity attribute that does not exist in the slice.
EntityIdentifier principal
The identifier of the principal in the ID or access token.
String policyStoreId
Specifies the ID of the policy store that contains the identity sources that you want to list.
String nextToken
Specifies that you want to receive the next page of results. Valid only if you received a NextToken
response in the previous request. If you did, it indicates that more output is available. Set this parameter to
the value provided by the previous call's NextToken response to request the next page of results.
Integer maxResults
Specifies the total number of results that you want included in each response. If additional items exist beyond
the number you specify, the NextToken response element is returned with a value (not null). Include
the specified value as the NextToken request parameter in the next call to the operation to get the
next set of results. Note that the service might return fewer results than the maximum even when there are more
results available. You should check NextToken after every operation to ensure that you receive all
of the results.
If you do not specify this parameter, the operation defaults to 10 identity sources per response. You can specify a maximum of 50 identity sources per response.
List<E> filters
Specifies characteristics of an identity source that you can use to limit the output to matching identity sources.
String nextToken
If present, this value indicates that more output is available than is included in the current response. Use this
value in the NextToken request parameter in a subsequent call to the operation to get the next part
of the output. You should repeat this until the NextToken response element comes back as
null. This indicates that this is the last page of results.
List<E> identitySources
The list of identity sources stored in the specified policy store.
String policyStoreId
Specifies the ID of the policy store you want to list policies from.
String nextToken
Specifies that you want to receive the next page of results. Valid only if you received a NextToken
response in the previous request. If you did, it indicates that more output is available. Set this parameter to
the value provided by the previous call's NextToken response to request the next page of results.
Integer maxResults
Specifies the total number of results that you want included in each response. If additional items exist beyond
the number you specify, the NextToken response element is returned with a value (not null). Include
the specified value as the NextToken request parameter in the next call to the operation to get the
next set of results. Note that the service might return fewer results than the maximum even when there are more
results available. You should check NextToken after every operation to ensure that you receive all
of the results.
If you do not specify this parameter, the operation defaults to 10 policies per response. You can specify a maximum of 50 policies per response.
PolicyFilter filter
Specifies a filter that limits the response to only policies that match the specified criteria. For example, you list only the policies that reference a specified principal.
String nextToken
If present, this value indicates that more output is available than is included in the current response. Use this
value in the NextToken request parameter in a subsequent call to the operation to get the next part
of the output. You should repeat this until the NextToken response element comes back as
null. This indicates that this is the last page of results.
List<E> policies
Lists all policies that are available in the specified policy store.
String nextToken
Specifies that you want to receive the next page of results. Valid only if you received a NextToken
response in the previous request. If you did, it indicates that more output is available. Set this parameter to
the value provided by the previous call's NextToken response to request the next page of results.
Integer maxResults
Specifies the total number of results that you want included in each response. If additional items exist beyond
the number you specify, the NextToken response element is returned with a value (not null). Include
the specified value as the NextToken request parameter in the next call to the operation to get the
next set of results. Note that the service might return fewer results than the maximum even when there are more
results available. You should check NextToken after every operation to ensure that you receive all
of the results.
If you do not specify this parameter, the operation defaults to 10 policy stores per response. You can specify a maximum of 50 policy stores per response.
String nextToken
If present, this value indicates that more output is available than is included in the current response. Use this
value in the NextToken request parameter in a subsequent call to the operation to get the next part
of the output. You should repeat this until the NextToken response element comes back as
null. This indicates that this is the last page of results.
List<E> policyStores
The list of policy stores in the account.
String policyStoreId
Specifies the ID of the policy store that contains the policy templates you want to list.
String nextToken
Specifies that you want to receive the next page of results. Valid only if you received a NextToken
response in the previous request. If you did, it indicates that more output is available. Set this parameter to
the value provided by the previous call's NextToken response to request the next page of results.
Integer maxResults
Specifies the total number of results that you want included in each response. If additional items exist beyond
the number you specify, the NextToken response element is returned with a value (not null). Include
the specified value as the NextToken request parameter in the next call to the operation to get the
next set of results. Note that the service might return fewer results than the maximum even when there are more
results available. You should check NextToken after every operation to ensure that you receive all
of the results.
If you do not specify this parameter, the operation defaults to 10 policy templates per response. You can specify a maximum of 50 policy templates per response.
String nextToken
If present, this value indicates that more output is available than is included in the current response. Use this
value in the NextToken request parameter in a subsequent call to the operation to get the next part
of the output. You should repeat this until the NextToken response element comes back as
null. This indicates that this is the last page of results.
List<E> policyTemplates
The list of the policy templates in the specified policy store.
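The four List* operations above (identity sources, policies, policy stores, policy templates) share the same NextToken contract, and the important caveat is that a page may hold fewer than maxResults items while more results still remain. The following Python is an added example written for this page, not code from the AWS SDK: list_all drains any such operation by looping until the response carries no nextToken, and FakeListPolicies is a constructed stand-in for the real ListPolicies call whose uneven page sizes reproduce that caveat. The policy store ID and policy IDs are constructed sample values.

```python
"""Added example: draining a paginated Verified Permissions List* call.

Illustrative code for this page, not the AWS SDK's implementation. It models
the NextToken contract described above: the caller sends nextToken/maxResults,
the service may return fewer than maxResults even when more pages remain, and
the loop must continue until the response's nextToken is absent (null).
"""
from typing import Callable, Dict, List, Optional


def list_all(call: Callable[..., Dict], result_key: str,
             max_results: int = 10, **params) -> List[Dict]:
    """Collect every item from a paginated List* operation.

    `call` receives the request parameters (policyStoreId, nextToken,
    maxResults, ...) and returns the response dict; `result_key` names the
    list element ('policies', 'identitySources', 'policyStores',
    'policyTemplates'). The page states a maximum of 50 per response.
    """
    if not 1 <= max_results <= 50:
        raise ValueError("maxResults must be between 1 and 50")
    items: List[Dict] = []
    next_token: Optional[str] = None
    seen_tokens = set()          # guard against a service that hands back the same token forever
    while True:
        request = dict(params, maxResults=max_results)
        if next_token is not None:
            request["nextToken"] = next_token
        response = call(**request)
        items.extend(response.get(result_key, []))
        next_token = response.get("nextToken")
        if not next_token:       # null or missing token: this was the last page
            return items
        if next_token in seen_tokens:
            raise RuntimeError("pagination loop detected: nextToken repeated")
        seen_tokens.add(next_token)


class FakeListPolicies:
    """Constructed stand-in for ListPolicies (not the real client).

    Every page returns fewer items than maxResults yet still carries a
    nextToken, which is exactly the case a naive `while len(page) == maxResults`
    loop would mishandle.
    """

    def __init__(self, policies: List[Dict]):
        # Uneven page boundaries on purpose: 3 items, then 2, then the rest.
        self._pages = [policies[0:3], policies[3:5], policies[5:]]

    def __call__(self, policyStoreId: str, maxResults: int,
                 nextToken: Optional[str] = None, **_) -> Dict:
        index = int(nextToken.split(":")[1]) if nextToken else 0
        response = {"policies": self._pages[index]}
        if index + 1 < len(self._pages):
            response["nextToken"] = f"page:{index + 1}"   # opaque to the caller
        return response


# Constructed sample data; policyType values follow this page ("static").
SAMPLE_POLICIES = [
    {"policyId": f"policy-{n}", "policyType": "static", "policyStoreId": "PSEXAMPLE"}
    for n in range(7)
]

if __name__ == "__main__":
    client = FakeListPolicies(SAMPLE_POLICIES)
    found = list_all(client, "policies", max_results=10, policyStoreId="PSEXAMPLE")
    print(len(found), [p["policyId"] for p in found])
```

The same loop works for ListIdentitySources, ListPolicyStores and ListPolicyTemplates by changing result_key and the keyword parameters (for example passing filter= for ListPolicies). The repeated-token guard is an extra defensive check, not something the page requires.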
String issuer
The issuer URL of an OIDC identity provider. This URL must have an OIDC discovery endpoint at the path
.well-known/openid-configuration.
String entityIdPrefix
A descriptive string that you want to prefix to user entities from your OIDC identity provider. For example, if
you set an entityIdPrefix of MyOIDCProvider, you can reference principals in your
policies in the format MyCorp::User::MyOIDCProvider|Carlos.
OpenIdConnectGroupConfiguration groupConfiguration
The claim in OIDC identity provider tokens that indicates a user's group membership, and the entity type that you
want to map it to. For example, this object can map the contents of a groups claim to
MyCorp::UserGroup.
OpenIdConnectTokenSelection tokenSelection
The token type that you want to process from your OIDC identity provider. Your policy store can process either identity (ID) or access tokens from a given OIDC identity source.
String issuer
The issuer URL of an OIDC identity provider. This URL must have an OIDC discovery endpoint at the path
.well-known/openid-configuration.
String entityIdPrefix
A descriptive string that you want to prefix to user entities from your OIDC identity provider. For example, if
you set an entityIdPrefix of MyOIDCProvider, you can reference principals in your
policies in the format MyCorp::User::MyOIDCProvider|Carlos.
OpenIdConnectGroupConfigurationDetail groupConfiguration
The claim in OIDC identity provider tokens that indicates a user's group membership, and the entity type that you
want to map it to. For example, this object can map the contents of a groups claim to
MyCorp::UserGroup.
OpenIdConnectTokenSelectionDetail tokenSelection
The token type that you want to process from your OIDC identity provider. Your policy store can process either identity (ID) or access tokens from a given OIDC identity source.
String issuer
The issuer URL of an OIDC identity provider. This URL must have an OIDC discovery endpoint at the path
.well-known/openid-configuration.
String entityIdPrefix
A descriptive string that you want to prefix to user entities from your OIDC identity provider. For example, if
you set an entityIdPrefix of MyOIDCProvider, you can reference principals in your
policies in the format MyCorp::User::MyOIDCProvider|Carlos.
OpenIdConnectGroupConfigurationItem groupConfiguration
The claim in OIDC identity provider tokens that indicates a user's group membership, and the entity type that you
want to map it to. For example, this object can map the contents of a groups claim to
MyCorp::UserGroup.
OpenIdConnectTokenSelectionItem tokenSelection
The token type that you want to process from your OIDC identity provider. Your policy store can process either identity (ID) or access tokens from a given OIDC identity source.
String groupClaim
The token claim that you want Verified Permissions to interpret as group membership. For example,
groups.
String groupEntityType
The policy store entity type that you want to map your users' group claim to. For example,
MyCorp::UserGroup. A group entity type is an entity that can have a user entity type as a member.
String groupClaim
The token claim that you want Verified Permissions to interpret as group membership. For example,
groups.
String groupEntityType
The policy store entity type that you want to map your users' group claim to. For example,
MyCorp::UserGroup. A group entity type is an entity that can have a user entity type as a member.
String groupClaim
The token claim that you want Verified Permissions to interpret as group membership. For example,
groups.
String groupEntityType
The policy store entity type that you want to map your users' group claim to. For example,
MyCorp::UserGroup. A group entity type is an entity that can have a user entity type as a member.
String principalIdClaim
The claim that determines the principal in OIDC access tokens. For example, sub.
List<E> clientIds
The ID token audience, or client ID, claim values that you want to accept in your policy store from an OIDC
identity provider. For example, 1example23456789, 2example10111213.
String principalIdClaim
The claim that determines the principal in OIDC access tokens. For example, sub.
List<E> clientIds
The ID token audience, or client ID, claim values that you want to accept in your policy store from an OIDC
identity provider. For example, 1example23456789, 2example10111213.
String principalIdClaim
The claim that determines the principal in OIDC access tokens. For example, sub.
List<E> clientIds
The ID token audience, or client ID, claim values that you want to accept in your policy store from an OIDC
identity provider. For example, 1example23456789, 2example10111213.
OpenIdConnectAccessTokenConfiguration accessTokenOnly
The OIDC configuration for processing access tokens. Contains allowed audience claims, for example
https://auth.example.com, and the claim that you want to map to the principal, for example
sub.
OpenIdConnectIdentityTokenConfiguration identityTokenOnly
The OIDC configuration for processing identity (ID) tokens. Contains allowed client ID claims, for example
1example23456789, and the claim that you want to map to the principal, for example sub.
OpenIdConnectAccessTokenConfigurationDetail accessTokenOnly
The OIDC configuration for processing access tokens. Contains allowed audience claims, for example
https://auth.example.com, and the claim that you want to map to the principal, for example
sub.
OpenIdConnectIdentityTokenConfigurationDetail identityTokenOnly
The OIDC configuration for processing identity (ID) tokens. Contains allowed client ID claims, for example
1example23456789, and the claim that you want to map to the principal, for example sub.
OpenIdConnectAccessTokenConfigurationItem accessTokenOnly
The OIDC configuration for processing access tokens. Contains allowed audience claims, for example
https://auth.example.com, and the claim that you want to map to the principal, for example
sub.
OpenIdConnectIdentityTokenConfigurationItem identityTokenOnly
The OIDC configuration for processing identity (ID) tokens. Contains allowed client ID claims, for example
1example23456789, and the claim that you want to map to the principal, for example sub.
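The OIDC identity source fields above (issuer, entityIdPrefix, groupConfiguration, and the identityTokenOnly / accessTokenOnly token selection) together decide which tokens are accepted and how a token becomes Cedar entities. The Python below is an added model written for this page, not Verified Permissions' own code, showing that mapping on constructed sample claims: the audience must match a configured client ID, the principalIdClaim value is prefixed with entityIdPrefix to form MyCorp::User::MyOIDCProvider|Carlos, and each value of the groups claim becomes a MyCorp::UserGroup parent. Token signature verification is assumed to have happened already, the "audiences" key in the access-token branch is an assumption (only clientIds appears on this page), and the principal entity type is passed in as a parameter.

```python
"""Added example: how OIDC identity source settings turn token claims into
Cedar entities. A model written for this page, not the service's code.

Assumptions (labelled): signature verification already done; the access-token
branch reads an "audiences" list that this page does not show; principalIdClaim
falls back to "sub" when absent.
"""
from typing import Dict, List


class TokenRejected(Exception):
    """Raised when a token fails the identity source's acceptance rules."""


def _as_list(value) -> List[str]:
    # "aud" and group claims may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def map_token_to_entities(claims: Dict, config: Dict, principal_entity_type: str) -> Dict:
    """Return the principal entity and its group parents for one decoded token."""
    if claims.get("iss") != config["issuer"]:
        raise TokenRejected("issuer mismatch")

    selection = config["tokenSelection"]
    aud = _as_list(claims.get("aud", []))
    if "identityTokenOnly" in selection:
        settings = selection["identityTokenOnly"]
        # ID tokens carry the app client ID as the audience; it must be in clientIds.
        if not any(a in settings["clientIds"] for a in aud):
            raise TokenRejected("aud not in configured clientIds")
    elif "accessTokenOnly" in selection:
        settings = selection["accessTokenOnly"]
        allowed = settings.get("audiences", [])   # assumed key name, not on this page
        if not any(a in allowed for a in aud):
            raise TokenRejected("aud not in configured audiences")
    else:
        raise ValueError("tokenSelection must contain identityTokenOnly or accessTokenOnly")

    principal_claim = settings.get("principalIdClaim", "sub")   # "sub" default is an assumption
    if principal_claim not in claims:
        raise TokenRejected(f"token lacks principal claim {principal_claim!r}")
    prefix = config.get("entityIdPrefix")
    entity_id = f"{prefix}|{claims[principal_claim]}" if prefix else str(claims[principal_claim])
    principal = {"entityType": principal_entity_type, "entityId": entity_id}

    parents = []
    group_cfg = config.get("groupConfiguration")
    if group_cfg:
        for group in _as_list(claims.get(group_cfg["groupClaim"], [])):
            parents.append({"entityType": group_cfg["groupEntityType"], "entityId": str(group)})
    return {"principal": principal, "parents": parents}


# Constructed sample configuration; field names mirror this page.
SAMPLE_CONFIG = {
    "issuer": "https://auth.example.com",
    "entityIdPrefix": "MyOIDCProvider",
    "groupConfiguration": {"groupClaim": "groups", "groupEntityType": "MyCorp::UserGroup"},
    "tokenSelection": {
        "identityTokenOnly": {"clientIds": ["1example23456789", "2example10111213"],
                              "principalIdClaim": "sub"}
    },
}

# Constructed sample claims from an already verified ID token.
SAMPLE_ID_TOKEN_CLAIMS = {
    "iss": "https://auth.example.com",
    "aud": "1example23456789",
    "sub": "Carlos",
    "groups": ["Admins", "Photographers"],
}

if __name__ == "__main__":
    print(map_token_to_entities(SAMPLE_ID_TOKEN_CLAIMS, SAMPLE_CONFIG, "MyCorp::User"))
```

A token minted for a client ID that is not in clientIds is rejected before any principal is formed, which is the property a policy store relies on to keep tokens from other applications at the same issuer out of its authorization decisions.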
StaticPolicyDefinition staticValue
A structure that describes a static policy. A static policy doesn't use a template or allow placeholders for entities.
TemplateLinkedPolicyDefinition templateLinked
A structure that describes a policy that was instantiated from a template. The template can specify placeholders
for principal and resource. When you use CreatePolicy
to create a policy from a template, you specify the exact principal and resource to use for the instantiated
policy.
StaticPolicyDefinitionDetail staticValue
Information about a static policy that wasn't created with a policy template.
TemplateLinkedPolicyDefinitionDetail templateLinked
Information about a template-linked policy that was created by instantiating a policy template.
StaticPolicyDefinitionItem staticValue
Information about a static policy that wasn't created with a policy template.
TemplateLinkedPolicyDefinitionItem templateLinked
Information about a template-linked policy that was created by instantiating a policy template.
EntityReference principal
Filters the output to only policies that reference the specified principal.
EntityReference resource
Filters the output to only policies that reference the specified resource.
String policyType
Filters the output to only policies of the specified type.
String policyTemplateId
Filters the output to only template-linked policies that were instantiated from the specified policy template.
String policyStoreId
The identifier of the PolicyStore where the policy you want information about is stored.
String policyId
The identifier of the policy you want information about.
String policyType
The type of the policy. This is one of the following values:
static
templateLinked
EntityIdentifier principal
The principal associated with the policy.
EntityIdentifier resource
The resource associated with the policy.
List<E> actions
The action that a policy permits or forbids. For example,
{"actions": [{"actionId": "ViewPhoto", "actionType": "PhotoFlash::Action"}, {"actionId": "SharePhoto", "actionType": "PhotoFlash::Action"}]}.
PolicyDefinitionItem definition
The policy definition of an item in the list of policies returned.
Date createdDate
The date and time the policy was created.
Date lastUpdatedDate
The date and time the policy was most recently updated.
String effect
The effect of the decision that a policy returns to an authorization request. For example,
"effect": "Permit".
String policyStoreId
The unique identifier of the policy store.
String arn
The Amazon Resource Name (ARN) of the policy store.
Date createdDate
The date and time the policy was created.
Date lastUpdatedDate
The date and time the policy store was most recently updated.
String description
Descriptive text that you can provide to help with identification of the current policy store.
String policyStoreId
The unique identifier of the policy store that contains the template.
String policyTemplateId
The unique identifier of the policy template.
String description
The description attached to the policy template.
Date createdDate
The date and time that the policy template was created.
Date lastUpdatedDate
The date and time that the policy template was most recently updated.
String policyStoreId
Specifies the ID of the policy store in which to place the schema.
SchemaDefinition definition
Specifies the definition of the schema to be stored. The schema definition must be written in Cedar schema JSON.
String policyStoreId
The unique ID of the policy store that contains the schema.
List<E> namespaces
Identifies the namespaces of the entities referenced by this schema.
Date createdDate
The date and time that the schema was originally created.
Date lastUpdatedDate
The date and time that the schema was last updated.
String cedarJson
A JSON string representation of the schema supported by applications that use this policy store. For more information, see Policy store schema in the Amazon Verified Permissions User Guide.
String resourceId
The unique ID of the resource referenced in the failed request.
String resourceType
The resource type of the resource referenced in the failed request.
String serviceCode
The code for the Amazon Web Service that owns the quota.
String quotaCode
The quota code recognized by the Amazon Web Services Service Quotas service.
String description
A description of the static policy.
String policyTemplateId
The unique identifier of the policy template used to create this policy.
EntityIdentifier principal
The principal associated with this template-linked policy. Verified Permissions substitutes this principal for
the ?principal placeholder in the policy template when it evaluates an authorization request.
EntityIdentifier resource
The resource associated with this template-linked policy. Verified Permissions substitutes this resource for the
?resource placeholder in the policy template when it evaluates an authorization request.
String policyTemplateId
The unique identifier of the policy template used to create this policy.
EntityIdentifier principal
The principal associated with this template-linked policy. Verified Permissions substitutes this principal for
the ?principal placeholder in the policy template when it evaluates an authorization request.
EntityIdentifier resource
The resource associated with this template-linked policy. Verified Permissions substitutes this resource for the
?resource placeholder in the policy template when it evaluates an authorization request.
String policyTemplateId
The unique identifier of the policy template used to create this policy.
EntityIdentifier principal
The principal associated with this template-linked policy. Verified Permissions substitutes this principal for
the ?principal placeholder in the policy template when it evaluates an authorization request.
EntityIdentifier resource
The resource associated with this template-linked policy. Verified Permissions substitutes this resource for the
?resource placeholder in the policy template when it evaluates an authorization request.
String groupEntityType
The name of the schema entity type that's mapped to the user pool group. Defaults to
AWS::CognitoGroup.
String userPoolArn
The Amazon Resource Name (ARN) of the Amazon Cognito user pool associated with this identity source.
List<E> clientIds
The client ID of an app client that is configured for the specified Amazon Cognito user pool.
UpdateCognitoGroupConfiguration groupConfiguration
The configuration of the user groups from an Amazon Cognito user pool identity source.
UpdateCognitoUserPoolConfiguration cognitoUserPoolConfiguration
Contains configuration details of an Amazon Cognito user pool.
UpdateOpenIdConnectConfiguration openIdConnectConfiguration
Contains configuration details of an OpenID Connect (OIDC) identity provider, or identity source, that Verified Permissions can use to generate entities from authenticated identities. It specifies the issuer URL, token type that you want to use, and policy store entity details.
String policyStoreId
Specifies the ID of the policy store that contains the identity source that you want to update.
String identitySourceId
Specifies the ID of the identity source that you want to update.
UpdateConfiguration updateConfiguration
Specifies the details required to communicate with the identity provider (IdP) associated with this identity source.
At this time, the only valid member of this structure is an Amazon Cognito user pool configuration.
You must specify a userPoolArn, and optionally, a ClientId.
String principalEntityType
Specifies the data type of principals generated for identities authenticated by the identity source.
Date createdDate
The date and time that the updated identity source was originally created.
String identitySourceId
The ID of the updated identity source.
Date lastUpdatedDate
The date and time that the identity source was most recently updated.
String policyStoreId
The ID of the policy store that contains the updated identity source.
String issuer
The issuer URL of an OIDC identity provider. This URL must have an OIDC discovery endpoint at the path
.well-known/openid-configuration.
String entityIdPrefix
A descriptive string that you want to prefix to user entities from your OIDC identity provider. For example, if
you set an entityIdPrefix of MyOIDCProvider, you can reference principals in your
policies in the format MyCorp::User::MyOIDCProvider|Carlos.
UpdateOpenIdConnectGroupConfiguration groupConfiguration
The claim in OIDC identity provider tokens that indicates a user's group membership, and the entity type that you
want to map it to. For example, this object can map the contents of a groups claim to
MyCorp::UserGroup.
UpdateOpenIdConnectTokenSelection tokenSelection
The token type that you want to process from your OIDC identity provider. Your policy store can process either identity (ID) or access tokens from a given OIDC identity source.
String groupClaim
The token claim that you want Verified Permissions to interpret as group membership. For example,
groups.
String groupEntityType
The policy store entity type that you want to map your users' group claim to. For example,
MyCorp::UserGroup. A group entity type is an entity that can have a user entity type as a member.
String principalIdClaim
The claim that determines the principal in OIDC access tokens. For example, sub.
List<E> clientIds
The ID token audience, or client ID, claim values that you want to accept in your policy store from an OIDC
identity provider. For example, 1example23456789, 2example10111213.
UpdateOpenIdConnectAccessTokenConfiguration accessTokenOnly
The OIDC configuration for processing access tokens. Contains allowed audience claims, for example
https://auth.example.com, and the claim that you want to map to the principal, for example
sub.
UpdateOpenIdConnectIdentityTokenConfiguration identityTokenOnly
The OIDC configuration for processing identity (ID) tokens. Contains allowed client ID claims, for example
1example23456789, and the claim that you want to map to the principal, for example sub.
UpdateStaticPolicyDefinition staticValue
Contains details about the updates to be applied to a static policy.
String policyStoreId
Specifies the ID of the policy store that contains the policy that you want to update.
String policyId
Specifies the ID of the policy that you want to update. To find this value, you can use ListPolicies.
UpdatePolicyDefinition definition
Specifies the updated policy content that you want to replace on the specified policy. The content must be valid Cedar policy language text.
You can change only the following elements from the policy definition:
The action referenced by the policy.
Any conditional clauses, such as when or unless clauses.
You can't change the following elements:
Changing from static to templateLinked.
The effect of the policy (permit or forbid).
The principal referenced by the policy.
The resource referenced by the policy.
String policyStoreId
The ID of the policy store that contains the policy that was updated.
String policyId
The ID of the policy that was updated.
String policyType
The type of the policy that was updated.
EntityIdentifier principal
The principal specified in the policy's scope. This element isn't included in the response when
Principal isn't present in the policy content.
EntityIdentifier resource
The resource specified in the policy's scope. This element isn't included in the response when
Resource isn't present in the policy content.
List<E> actions
The action that a policy permits or forbids. For example,
{"actions": [{"actionId": "ViewPhoto", "actionType": "PhotoFlash::Action"}, {"actionId": "SharePhoto", "actionType": "PhotoFlash::Action"}]}.
Date createdDate
The date and time that the policy was originally created.
Date lastUpdatedDate
The date and time that the policy was most recently updated.
String effect
The effect of the decision that a policy returns to an authorization request. For example,
"effect": "Permit".
String policyStoreId
Specifies the ID of the policy store that you want to update.
ValidationSettings validationSettings
A structure that defines the validation settings that you want to enable for the policy store.
String description
Descriptive text that you can provide to help with identification of the current policy store.
String policyStoreId
The ID of the updated policy store.
String arn
The Amazon Resource Name (ARN) of the updated policy store.
Date createdDate
The date and time that the policy store was originally created.
Date lastUpdatedDate
The date and time that the policy store was most recently updated.
String policyStoreId
Specifies the ID of the policy store that contains the policy template that you want to update.
String policyTemplateId
Specifies the ID of the policy template that you want to update.
String description
Specifies a new description to apply to the policy template.
String statement
Specifies new statement content written in Cedar policy language to replace the current body of the policy template.
You can change only the following elements of the policy body:
The action referenced by the policy template.
Any conditional clauses, such as when or unless clauses.
You can't change the following elements:
The effect (permit or forbid) of the policy template.
The principal referenced by the policy template.
The resource referenced by the policy template.
String policyStoreId
The ID of the policy store that contains the updated policy template.
String policyTemplateId
The ID of the updated policy template.
Date createdDate
The date and time that the policy template was originally created.
Date lastUpdatedDate
The date and time that the policy template was most recently updated.
String description
Specifies the description to be added to or replaced on the static policy.
String statement
Specifies the Cedar policy language text to be added to or replaced on the static policy.
You can change only the following elements from the original content:
The action referenced by the policy.
Any conditional clauses, such as when or unless clauses.
You can't change the following elements:
Changing from StaticPolicy to TemplateLinkedPolicy.
The effect (permit or forbid) of the policy.
The principal referenced by the policy.
The resource referenced by the policy.
String mode
The validation mode currently configured for this policy store. The valid values are:
OFF – Neither Verified Permissions nor Cedar perform any validation on policies. No validation errors are reported by either service.
STRICT – Requires a schema to be present in the policy store. Cedar performs validation on all submitted new or updated static policies and policy templates. Any that fail validation are rejected and Cedar doesn't store them in the policy store.
If Mode=STRICT and the policy store doesn't contain a schema, Verified Permissions rejects all
static policies and policy templates because there is no schema to validate against.
To submit a static policy or policy template without a schema, you must turn off validation.
Copyright © 2024. All rights reserved.