Verified Permissions examples using Amazon CLI - Amazon Command Line Interface
Actions
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Verified Permissions examples using Amazon CLI

The following code examples show you how to perform actions and implement common scenarios by using the Amazon Command Line Interface with Verified Permissions.

Actions are code excerpts from larger programs and must be run in context. While actions show you how to call individual service functions, you can see actions in context in their related scenarios and cross-service examples.

Scenarios are code examples that show you how to accomplish a specific task by calling multiple functions within the same service.

Each example includes a link to GitHub, where you can find instructions on how to set up and run the code in context.

Topics

Actions

The following code example shows how to use create-identity-source.

Amazon CLI

To create an identity source

The following create-identity-source example creates an identity source that lets you reference identities stored in the specified Amazon Cognito user pool. Those identities are available in Verified Permissions as entities of type User.

aws verifiedpermissions create-identity-source \
    --configuration file://config.txt \
    --principal-entity-type "User" \
    --policy-store-id PSEXAMPLEabcdefg111111

Contents of config.txt:

{
    "cognitoUserPoolConfiguration": {
        "userPoolArn": "arn:aws:cognito-idp:us-west-2:123456789012:userpool/us-west-2_1a2b3c4d5",
        "clientIds":["a1b2c3d4e5f6g7h8i9j0kalbmc"]
    }
}

Output:

{
    "createdDate": "2023-05-19T20:30:28.214829+00:00",
    "identitySourceId": "ISEXAMPLEabcdefg111111",
    "lastUpdatedDate": "2023-05-19T20:30:28.214829+00:00",
    "policyStoreId": "PSEXAMPLEabcdefg111111"
}

For more information about identity sources, see Using Amazon Verified Permissions with identity providers in the Amazon Verified Permissions User Guide.

The following code example shows how to use create-policy-store.

Amazon CLI

To create a policy store

The following create-policy-store example creates a policy store in the current Amazon Region.

aws verifiedpermissions create-policy-store \
    --validation-settings "mode=STRICT"

Output:

{
    "arn": "arn:aws:verifiedpermissions::123456789012:policy-store/PSEXAMPLEabcdefg111111",
    "createdDate": "2023-05-16T17:41:29.103459+00:00",
    "lastUpdatedDate": "2023-05-16T17:41:29.103459+00:00",
    "policyStoreId": "PSEXAMPLEabcdefg111111"
}

For more information about policy stores, see Amazon Verified Permissions policy stores in the Amazon Verified Permissions User Guide.

The following code example shows how to use create-policy-template.

Amazon CLI

Example 1: To create a policy template

The following create-policy-template example creates a policy template with a statement that contains a placeholder for the principal.

aws verifiedpermissions create-policy-template \
    --definition file://template1.txt \
    --policy-store-id PSEXAMPLEabcdefg111111

Contents of file template1.txt:

permit(
    principal in ?principal,
    action == Action::"view",
    resource == Photo::"VacationPhoto94.jpg"
);

Output:

{
    "createdDate": "2023-06-12T20:47:42.804511+00:00",
    "lastUpdatedDate": "2023-06-12T20:47:42.804511+00:00",
    "policyStoreId": "PSEXAMPLEabcdefg111111",
    "policyTemplateId": "PTEXAMPLEabcdefg111111"
}

For more information about policy templates, see Amazon Verified Permissions policy templates in the Amazon Verified Permissions User Guide.

The following code example shows how to use create-policy.

Amazon CLI

Example 1: To create a static policy

The following create-policy example creates a static policy with a policy scope that specifies both a principal and a resource.

aws verifiedpermissions create-policy \
    --definition file://definition1.txt \
    --policy-store-id PSEXAMPLEabcdefg111111

Contents of file definition1.txt:

{
    "static": {
        "description":  "Grant everyone of janeFriends UserGroup access to the vacationFolder Album",
        "statement": "permit(principal in UserGroup::\"janeFriends\", action, resource in Album::\"vacationFolder\" );"
    }
}

Output:

{
    "createdDate": "2023-06-12T20:33:37.382907+00:00",
    "lastUpdatedDate": "2023-06-12T20:33:37.382907+00:00",
    "policyId": "SPEXAMPLEabcdefg111111",
    "policyStoreId": "PSEXAMPLEabcdefg111111",
    "policyType": "STATIC",
    "principal": {
        "entityId": "janeFriends",
        "entityType": "UserGroup"
    },
    "resource": {
        "entityId": "vacationFolder",
        "entityType": "Album"
    }
}

Example 2: To create a static policy that grants access to a resource to everyone

The following create-policy example creates a static policy with a policy scope that specifies only a resource.

aws verifiedpermissions create-policy \
    --definition file://definition2.txt \
    --policy-store-id PSEXAMPLEabcdefg111111

Contents of file definition2.txt:

{
    "static": {
        "description":  "Grant everyone access to the publicFolder Album",
        "statement": "permit(principal, action, resource in Album::\"publicFolder\");"
    }
}

Output:

{
    "createdDate": "2023-06-12T20:39:44.975897+00:00",
    "lastUpdatedDate": "2023-06-12T20:39:44.975897+00:00",
    "policyId": "PbfR73F8oh5MMfr9uRtFDB",
    "policyStoreId": "PSEXAMPLEabcdefg222222",
    "policyType": "STATIC",
    "resource": {
        "entityId": "publicFolder",
        "entityType": "Album"
    }
}

Example 3: To create a template-linked policy that is associated with the specified template

The following create-policy example creates a template-linked policy using the specified policy template and associates the specified principal to use with the new template-linked policy.

aws verifiedpermissions create-policy \
    --definition file://definition.txt \
    --policy-store-id PSEXAMPLEabcdefg111111

Contents of definition.txt:

{
    "templateLinked": {
        "policyTemplateId": "PTEXAMPLEabcdefg111111",
        "principal": {
            "entityType": "User",
            "entityId": "alice"
        }
    }
}

Output:

{
    "createdDate": "2023-06-12T20:49:51.490211+00:00",
    "lastUpdatedDate": "2023-06-12T20:49:51.490211+00:00",
    "policyId": "TPEXAMPLEabcdefg111111",
    "policyStoreId": "PSEXAMPLEabcdefg111111",
    "policyType": "TEMPLATE_LINKED",
    "principal": {
        "entityId": "alice",
        "entityType": "User"
    },
    "resource": {
        "entityId": "VacationPhoto94.jpg",
        "entityType": "Photo"
    }
}

For more information about policies, see Amazon Verified Permissions policies in the Amazon Verified Permissions User Guide.

  • For API details, see CreatePolicy in Amazon CLI Command Reference.

The following code example shows how to use delete-identity-source.

Amazon CLI

To delete an identity source

The following delete-identity-source example deletes the identity source that has the specified Id.

aws verifiedpermissions delete-identity-source \
    --identity-source-id ISEXAMPLEabcdefg111111 \
    --policy-store-id PSEXAMPLEabcdefg111111

This command produces no output.

For more information about identity sources, see Using Amazon Verified Permissions with identity providers in the Amazon Verified Permissions User Guide.

The following code example shows how to use delete-policy-store.

Amazon CLI

To delete a policy store

The following delete-policy-store example deletes the policy store that has the specified Id.

aws verifiedpermissions delete-policy-store \
    --policy-store-id PSEXAMPLEabcdefg111111

This command produces no output.

For more information about policy stores, see Amazon Verified Permissions policy stores in the Amazon Verified Permissions User Guide.

The following code example shows how to use delete-policy-template.

Amazon CLI

To delete a policy template

The following delete-policy-template example deletes the policy template that has the specified Id.

aws verifiedpermissions delete-policy \
    --policy-template-id PTEXAMPLEabcdefg111111 \
    --policy-store-id PSEXAMPLEabcdefg111111

This command produces no output.

For more information about policy templates, see Amazon Verified Permissions policy templates in the Amazon Verified Permissions User Guide.

The following code example shows how to use delete-policy.

Amazon CLI

To delete a static or template-linked policy

The following delete-policy example deletes the policy that has the specified Id.

aws verifiedpermissions delete-policy \
    --policy-id SPEXAMPLEabcdefg111111 \
    --policy-store-id PSEXAMPLEabcdefg111111

This command produces no output.

For more information about policies, see Amazon Verified Permissions policies in the Amazon Verified Permissions User Guide.

  • For API details, see DeletePolicy in Amazon CLI Command Reference.

The following code example shows how to use get-identity-source.

Amazon CLI

To retrieve details about an identity source

The following get-identity-source example displays the details for the identity source with the specified Id.

aws verifiedpermissions get-identity-source \
    --identity-source  ISEXAMPLEabcdefg111111 \
    --policy-store-id PSEXAMPLEabcdefg111111

Output:

{
    "createdDate": "2023-06-12T22:27:49.150035+00:00",
    "details": {
        "clientIds": [ "a1b2c3d4e5f6g7h8i9j0kalbmc" ],
        "discoveryUrl": "https://cognito-idp.us-west-2.amazonaws.com/us-west-2_1a2b3c4d5",
        "openIdIssuer": "COGNITO",
        "userPoolArn": "arn:aws:cognito-idp:us-west-2:123456789012:userpool/us-west-2_1a2b3c4d5"
    },
    "identitySourceId": "ISEXAMPLEabcdefg111111",
    "lastUpdatedDate": "2023-06-12T22:27:49.150035+00:00",
    "policyStoreId": "PSEXAMPLEabcdefg111111",
    "principalEntityType": "User"
}

For more information about identity sources, see Using Amazon Verified Permissions with identity providers in the Amazon Verified Permissions User Guide.

The following code example shows how to use get-policy-store.

Amazon CLI

To retrieve details about a policy store

The following get-policy-store example displays the details for the policy store with the specified Id.

aws verifiedpermissions get-policy-store \
    --policy-store-id PSEXAMPLEabcdefg111111

Output:

{
    "arn": "arn:aws:verifiedpermissions::123456789012:policy-store/PSEXAMPLEabcdefg111111",
    "createdDate": "2023-06-05T20:16:46.225598+00:00",
    "lastUpdatedDate": "2023-06-08T20:40:23.173691+00:00",
    "policyStoreId": "PSEXAMPLEabcdefg111111",
    "validationSettings": { "mode": "OFF" }
}

For more information about policy stores, see Amazon Verified Permissions policy stores in the Amazon Verified Permissions User Guide.

  • For API details, see GetPolicyStore in Amazon CLI Command Reference.

The following code example shows how to use get-policy-template.

Amazon CLI

To retrieve details about a policy template

The following get-policy-template example displays the details for the policy template with the specified ID.

aws verifiedpermissions get-policy-template \
    --policy-template-id  PTEXAMPLEabcdefg111111 \
    --policy-store-id PSEXAMPLEabcdefg111111

Output:

{
    "createdDate": "2023-06-12T20:47:42.804511+00:00",
    "lastUpdatedDate": "2023-06-12T20:47:42.804511+00:00",
    "policyStoreId": "PSEXAMPLEabcdefg111111",
    "policyTemplateId": "PTEXAMPLEabcdefg111111",
    "statement": "permit(\n    principal in ?principal,\n    action == Action::\"view\",\n    resource == Photo::\"VacationPhoto94.jpg\"\n);"
}

For more information about policy templates, see Amazon Verified Permissions policy templates in the Amazon Verified Permissions User Guide.

The following code example shows how to use get-policy.

Amazon CLI

To retrieve details about a policy

The following get-policy example displays the details for the policy with the specified ID.

aws verifiedpermissions get-policy \
    --policy-id PSEXAMPLEabcdefg111111 \
    --policy-store-id PSEXAMPLEabcdefg111111

Output:

{
    "createdDate": "2023-06-12T20:33:37.382907+00:00",
    "definition": {
        "static": {
            "description": "Grant everyone of janeFriends UserGroup access to the vacationFolder Album",
            "statement": "permit(principal in UserGroup::\"janeFriends\", action, resource in Album::\"vacationFolder\" );"
        }
    },
    "lastUpdatedDate": "2023-06-12T20:33:37.382907+00:00",
    "policyId": "SPEXAMPLEabcdefg111111",
    "policyStoreId": "PSEXAMPLEabcdefg111111",
    "policyType": "STATIC",
    "principal": {
        "entityId": "janeFriends",
        "entityType": "UserGroup"
    },
    "resource": {
        "entityId": "vacationFolder",
        "entityType": "Album"
    }
}

For more information about policies, see Amazon Verified Permissions policies in the Amazon Verified Permissions User Guide.

  • For API details, see GetPolicy in Amazon CLI Command Reference.

The following code example shows how to use get-schema.

Amazon CLI

To retrieve the schema in a policy store

The following get-schema example displays the details of the schema in the specified policy store.

aws verifiedpermissions get-schema \
    --policy-store-id PSEXAMPLEabcdefg111111

Output:

{
    "policyStoreId": "PSEXAMPLEabcdefg111111",
    "schema": "{\"MySampleNamespace\":{\"entityTypes\":{\"Employee\":{\"shape\":{\"attributes\":{\"jobLevel\":{\"type\":\"Long\"},\"name\":{\"type\":\"String\"}},\"type\":\"Record\"}}},\"actions\":{\"remoteAccess\":{\"appliesTo\":{\"principalTypes\":[\"Employee\"]}}}}}",
    "createdDate": "2023-06-14T17:47:13.999885+00:00",
    "lastUpdatedDate": "2023-06-14T17:47:13.999885+00:00"
}

For more information about schema, see Policy store schema in the Amazon Verified Permissions User Guide.

  • For API details, see GetSchema in Amazon CLI Command Reference.

The following code example shows how to use is-authorized-with-token.

Amazon CLI

Example 1: To request an authorization decision for a user request (allow)

The following is-authorized-with-token example requests an authorization decision for a user who was authenticated by Amazon Cognito. The request uses the identity token provided by Cognito rather than the access token. In this example, the specified information store is configured to return principals as entities of type CognitoUser.

aws verifiedpermissions is-authorized-with-token \
    --action actionId="View",actionType="Action" \
    --resource entityId="vacationPhoto94.jpg",entityType="Photo" \
    --policy-store-id PSEXAMPLEabcdefg111111 \
    --identity-token "AbCdE12345...long.string...54321EdCbA"

The policy store contains a policy with the following statement that accepts identities from the specified Cognito user pool and application Id.

permit(
    principal == CognitoUser::"us-east-1_1a2b3c4d5|a1b2c3d4e5f6g7h8i9j0kalbmc",
    action,
    resource == Photo::"VacationPhoto94.jpg"
);

Output:

{
    "decision":"Allow",
    "determiningPolicies":[
        {
        "determiningPolicyId":"SPEXAMPLEabcdefg111111"
        }
    ],
    "errors":[]
}

For more information about using identities from a Cognito user pool, see Using Amazon Verified Permissions with identity providers in the Amazon Verified Permissions User Guide.

The following code example shows how to use is-authorized.

Amazon CLI

Example 1: To request an authorization decision for a user request (allow)

The following is-authorized example requests an authorization decision for a principal of type User named Alice, who wants to perform the updatePhoto operation, on a resource of type Photo named VacationPhoto94.jpg.

The response shows that the request is allowed by one policy.

aws verifiedpermissions is-authorized \
    --principal entityType=User,entityId=alice \
    --action actionType=Action,actionId=view \
    --resource entityType=Photo,entityId=VactionPhoto94.jpg \
    --policy-store-id PSEXAMPLEabcdefg111111

Output:

{
    "decision": "ALLOW",
    "determiningPolicies": [
        {
            "policyId": "SPEXAMPLEabcdefg111111"
        }
    ],
    "errors": []
}

Example 2: To request an authorization decision for a user request (deny)

The following example is the same as the previous example, except that the principal is User::"Bob". The policy store doesn't contain any policy that allows that user access to Album::"alice_folder".

The output indicates that the Deny was implicit because the list of DeterminingPolicies is empty.

aws verifiedpermissions create-policy \
    --definition file://definition2.txt \
    --policy-store-id PSEXAMPLEabcdefg111111

Output:

{
    "decision": "DENY",
    "determiningPolicies": [],
    "errors": []
}

For more information, see the Amazon Verified Permissions User Guide.

  • For API details, see IsAuthorized in Amazon CLI Command Reference.

The following code example shows how to use list-identity-sources.

Amazon CLI

To list the available identity sources

The following list-identity-sources example lists all identity sources in the specified policy store.

aws verifiedpermissions list-identity-sources \
    --policy-store-id PSEXAMPLEabcdefg111111

Output:

{
    "identitySources": [
        {
            "createdDate": "2023-06-12T22:27:49.150035+00:00",
            "details": {
                "clientIds": [ "a1b2c3d4e5f6g7h8i9j0kalbmc" ],
                "discoveryUrl": "https://cognito-idp.us-west-2.amazonaws.com/us-west-2_1a2b3c4d5",
                "openIdIssuer": "COGNITO",
                "userPoolArn": "arn:aws:cognito-idp:us-west-2:123456789012:userpool/us-west-2_1a2b3c4d5"
            },
            "identitySourceId": "ISEXAMPLEabcdefg111111",
            "lastUpdatedDate": "2023-06-12T22:27:49.150035+00:00",
            "policyStoreId": "PSEXAMPLEabcdefg111111",
            "principalEntityType": "User"
        }
    ]
}

For more information about identity sources, see Using Amazon Verified Permissions with identity providers in the Amazon Verified Permissions User Guide.

The following code example shows how to use list-policies.

Amazon CLI

To list the available policies

The following list-policies example lists all policies in the specified policy store.

aws verifiedpermissions list-policies \
    --policy-store-id PSEXAMPLEabcdefg111111

Output:

{
    "policies": [
        {
            "createdDate": "2023-06-12T20:33:37.382907+00:00",
            "definition": {
                "static": {
                    "description": "Grant everyone of janeFriends UserGroup access to the vacationFolder Album"
                }
            },
            "lastUpdatedDate": "2023-06-12T20:33:37.382907+00:00",
            "policyId": "SPEXAMPLEabcdefg111111",
            "policyStoreId": "PSEXAMPLEabcdefg111111",
            "policyType": "STATIC",
            "principal": {
                "entityId": "janeFriends",
                "entityType": "UserGroup"
            },
            "resource": {
                "entityId": "vacationFolder",
                "entityType": "Album"
            }
        },
        {
            "createdDate": "2023-06-12T20:39:44.975897+00:00",
            "definition": {
                "static": {
                    "description": "Grant everyone access to the publicFolder Album"
                }
            },
            "lastUpdatedDate": "2023-06-12T20:39:44.975897+00:00",
            "policyId": "SPEXAMPLEabcdefg222222",
            "policyStoreId": "PSEXAMPLEabcdefg111111",
            "policyType": "STATIC",
            "resource": {
                "entityId": "publicFolder",
                "entityType": "Album"
            }
        },
        {
            "createdDate": "2023-06-12T20:49:51.490211+00:00",
            "definition": {
                "templateLinked": {
                    "policyTemplateId": "PTEXAMPLEabcdefg111111"
                }
            },
            "lastUpdatedDate": "2023-06-12T20:49:51.490211+00:00",
            "policyId": "SPEXAMPLEabcdefg333333",
            "policyStoreId": "PSEXAMPLEabcdefg111111",
            "policyType": "TEMPLATE_LINKED",
            "principal": {
                "entityId": "alice",
                "entityType": "User"
            },
            "resource": {
                "entityId": "VacationPhoto94.jpg",
                "entityType": "Photo"
            }
        }
    ]
}

For more information about policies, see Amazon Verified Permissions policies in the Amazon Verified Permissions User Guide.

  • For API details, see ListPolicies in Amazon CLI Command Reference.

The following code example shows how to use list-policy-stores.

Amazon CLI

To list the available policy stores

The following list-policy-stores example lists all policy stores in the Amazon Region. All commands for Verified Permissions except create-policy-store and list-policy-stores require that you specify the Id of the policy store you want to work with.

aws verifiedpermissions list-policy-stores

Output:

{
    "policyStores": [
        {
            "arn": "arn:aws:verifiedpermissions::123456789012:policy-store/PSEXAMPLEabcdefg111111",
            "createdDate": "2023-06-05T20:16:46.225598+00:00",
            "policyStoreId": "PSEXAMPLEabcdefg111111"
        },
        {
            "arn": "arn:aws:verifiedpermissions::123456789012:policy-store/PSEXAMPLEabcdefg222222",
            "createdDate": "2023-06-08T18:09:37.364356+00:00",
            "policyStoreId": "PSEXAMPLEabcdefg222222"
        },
        {
            "arn": "arn:aws:verifiedpermissions::123456789012:policy-store/PSEXAMPLEabcdefg333333",
            "createdDate": "2023-06-08T18:09:46.920600+00:00",
            "policyStoreId": "PSEXAMPLEabcdefg333333"
        }
    ]
}

For more information about policy stores, see Amazon Verified Permissions policy stores in the Amazon Verified Permissions User Guide.

The following code example shows how to use list-policy-templates.

Amazon CLI

To list the available policy templates

The following list-policy-templates example lists all policy templates in the specified policy store.

aws verifiedpermissions list-policy-templates \
    --policy-store-id PSEXAMPLEabcdefg111111

Output:

{
    "policyTemplates": [
        {
            "createdDate": "2023-06-12T20:47:42.804511+00:00",
            "lastUpdatedDate": "2023-06-12T20:47:42.804511+00:00",
            "policyStoreId": "PSEXAMPLEabcdefg111111",
            "policyTemplateId": "PTEXAMPLEabcdefg111111"
        }
    ]
}

For more information about policy templates, see Amazon Verified Permissions policy templates in the Amazon Verified Permissions User Guide.

The following code example shows how to use put-schema.

Amazon CLI

To save a schema to a policy store

The following put-schema example creates or replaces the schema in the specified policy store.

The cedarJson parameter in the input file takes a string representation of a JSON object. It contains embedded quotation marks (") within the outermost quotation mark pair. This requires you to convert the JSON to a string by preceding all embedded quotation marks with a backslash character ( " ) and combining all lines into a single text line with no line breaks.

Example strings can be displayed wrapped across multiple lines here for readability, but the operation requires the parameters be submitted as single line strings.

aws verifiedpermissions put-schema --definition file://schema.txt --policy-store-id PSEXAMPLEabcdefg111111

Contents of schema.txt:

{
    "cedarJson": "{\"MySampleNamespace\": {\"actions\": {\"remoteAccess\": {
            \"appliesTo\": {\"principalTypes\": [\"Employee\"]}}},\"entityTypes\": {
            \"Employee\": {\"shape\": {\"attributes\": {\"jobLevel\": {\"type\":
            \"Long\"},\"name\": {\"type\": \"String\"}},\"type\": \"Record\"}}}}}"
}

Output:

{
    "policyStoreId": "PSEXAMPLEabcdefg111111",
    "namespaces": [
        "MySampleNamespace"
    ],
    "createdDate": "2023-06-14T17:47:13.999885+00:00",
    "lastUpdatedDate": "2023-06-14T17:47:13.999885+00:00"
}

For more information about schema, see Policy store schema in the Amazon Verified Permissions User Guide.

  • For API details, see PutSchema in Amazon CLI Command Reference.

The following code example shows how to use update-identity-source.

Amazon CLI

To update an identity source

The following update-identity-source example modifies the specified identity source by providing a new Cognito user pool configuration and changing the entity type returned by the identity source.

aws verifiedpermissions update-identity-source
    --identity-source-id ISEXAMPLEabcdefg111111 \
    --update-configuration file://config.txt \
    --principal-entity-type "Employee" \
    --policy-store-id PSEXAMPLEabcdefg111111

Contents of config.txt:

{
        "cognitoUserPoolConfiguration": {
                "userPoolArn": "arn:aws:cognito-idp:us-west-2:123456789012:userpool/us-west-2_1a2b3c4d5",
                "clientIds":["a1b2c3d4e5f6g7h8i9j0kalbmc"]
        }
}

Output:

{
    "createdDate": "2023-05-19T20:30:28.214829+00:00",
    "identitySourceId": "ISEXAMPLEabcdefg111111",
    "lastUpdatedDate": "2023-05-19T20:30:28.214829+00:00",
    "policyStoreId": "PSEXAMPLEabcdefg111111"
}

For more information about identity sources, see Using Amazon Verified Permissions with identity providers in the Amazon Verified Permissions User Guide.

The following code example shows how to use update-policy-store.

Amazon CLI

To update a policy store

The following update-policy-store example modifies a policy store by changing its validation setting.

aws verifiedpermissions update-policy-store \
    --validation-settings "mode=STRICT" \
    --policy-store-id PSEXAMPLEabcdefg111111

Output:

{
    "arn": "arn:aws:verifiedpermissions::123456789012:policy-store/PSEXAMPLEabcdefg111111",
    "createdDate": "2023-05-16T17:41:29.103459+00:00",
    "lastUpdatedDate": "2023-05-16T17:41:29.103459+00:00",
    "policyStoreId": "PSEXAMPLEabcdefg111111"
}

For more information about policy stores, see Amazon Verified Permissions policy stores in the Amazon Verified Permissions User Guide.

The following code example shows how to use update-policy-template.

Amazon CLI

Example 1: To update a policy template

The following update-policy-template example modifies the specified template-linked policy to replace its policy statement.

aws verifiedpermissions update-policy-template \
    --policy-template-id PTEXAMPLEabcdefg111111 \
    --statement file://template1.txt \
    --policy-store-id PSEXAMPLEabcdefg111111

Contents of file template1.txt:

permit(
    principal in ?principal,
    action == Action::"view",
    resource == Photo::"VacationPhoto94.jpg"
);

Output:

{
    "createdDate": "2023-06-12T20:47:42.804511+00:00",
    "lastUpdatedDate": "2023-06-12T20:47:42.804511+00:00",
    "policyStoreId": "PSEXAMPLEabcdefg111111",
    "policyTemplateId": "PTEXAMPLEabcdefg111111"
}

For more information about policy templates, see Amazon Verified Permissions policy templates in the Amazon Verified Permissions User Guide.

The following code example shows how to use update-policy.

Amazon CLI

Example 1: To create a static policy

The following create-policy example creates a static policy with a policy scope that specifies both a principal and a resource.

aws verifiedpermissions create-policy \
    --definition file://definition.txt \
    --policy-store-id PSEXAMPLEabcdefg111111

The statement parameter takes a string representation of a JSON object. It contains embedded quotation marks (") within the outermost quotation mark pair. This requires you to convert the JSON to a string by preceding all embedded quotation marks with a backslash character ( " ) and combining all lines into a single text line with no line breaks.

Example strings can be displayed wrapped across multiple lines here for readability, but the operation requires the parameters be submitted as single line strings.

Contents of file definition.txt:

{
    "static": {
        "description":  "Grant everyone of janeFriends UserGroup access to the vacationFolder Album",
        "statement": "permit(principal in UserGroup::\"janeFriends\", action, resource in Album::\"vacationFolder\" );"
    }
}

Output:

{
    "createdDate": "2023-06-12T20:33:37.382907+00:00",
    "lastUpdatedDate": "2023-06-12T20:33:37.382907+00:00",
    "policyId": "SPEXAMPLEabcdefg111111",
    "policyStoreId": "PSEXAMPLEabcdefg111111",
    "policyType": "STATIC",
    "principal": {
        "entityId": "janeFriends",
        "entityType": "UserGroup"
    },
    "resource": {
        "entityId": "vacationFolder",
        "entityType": "Album"
    }
}

Example 2: To create a static policy that grants access to a resource to everyone

The following create-policy example creates a static policy with a policy scope that specifies only a resource.

aws verifiedpermissions create-policy \
    --definition file://definition2.txt \
    --policy-store-id PSEXAMPLEabcdefg111111

Contents of file definition2.txt:

{
    "static": {
        "description":  "Grant everyone access to the publicFolder Album",
        "statement": "permit(principal, action, resource in Album::\"publicFolder\");"
    }
}

Output:

{
    "createdDate": "2023-06-12T20:39:44.975897+00:00",
    "lastUpdatedDate": "2023-06-12T20:39:44.975897+00:00",
    "policyId": "PbfR73F8oh5MMfr9uRtFDB",
    "policyStoreId": "PSEXAMPLEabcdefg222222",
    "policyType": "STATIC",
    "resource": {
        "entityId": "publicFolder",
        "entityType": "Album"
    }
}

Example 3: To create a template-linked policy that is associated with the specified template

The following create-policy example creates a template-linked policy using the specified policy template and associates the specified principal to use with the new template-linked policy.

aws verifiedpermissions create-policy \
    --definition file://definition2.txt \
    --policy-store-id PSEXAMPLEabcdefg111111

Contents of definition3.txt:

{
    "templateLinked": {
        "policyTemplateId": "PTEXAMPLEabcdefg111111",
        "principal": {
            "entityType": "User",
            "entityId": "alice"
        }
    }
}

Output:

{
    "createdDate": "2023-06-12T20:49:51.490211+00:00",
    "lastUpdatedDate": "2023-06-12T20:49:51.490211+00:00",
    "policyId": "TPEXAMPLEabcdefg111111",
    "policyStoreId": "PSEXAMPLEabcdefg111111",
    "policyType": "TEMPLATE_LINKED",
    "principal": {
        "entityId": "alice",
        "entityType": "User"
    },
    "resource": {
        "entityId": "VacationPhoto94.jpg",
        "entityType": "Photo"
    }
}

For more information about policies, see Amazon Verified Permissions policies in the Amazon Verified Permissions User Guide.

  • For API details, see UpdatePolicy in Amazon CLI Command Reference.