Creating Amazon Verified Permissions template-linked policies - Amazon Verified Permissions
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Creating Amazon Verified Permissions template-linked policies

You can create template-linked policies, or policies that are based on a policy template, using the Amazon Web Services Management Console, Amazon CLI, or the Amazon SDKs. Template-linked policies stay linked to their policy templates. If you change the policy statement in the policy template, any policies linked to that template automatically use the new statement for all authorization decisions made from that moment forward.

For template-linked policy examples, see Amazon Verified Permissions example template-linked policies.

Amazon Web Services Management Console
To create a template-linked policy by instantiating a policy template

  1. Open the Verified Permissions console. Choose your policy store.

  2. In the navigation pane on the left, choose Policies.

  3. Choose Create policy and then choose Create template-linked policy.

  4. Choose the radio button next to the policy template to use and then choose Next.

  5. Type the Principal and Resource to be used for this specific instance of the template-linked policy. The specified values are displayed in the Policy statement preview field.

    Note

    The Principal and Resource values must have the same formatting as static policies. For example, to specify the AdminUsers group for the principal, type Group::"AdminUsers". If you type AdminUsers, a validation error is displayed.

  6. Choose Create template-linked policy.

    The new template-linked policy is displayed under Policies.

Amazon CLI
To create a template-linked policy by instantiating a policy template

You can create a template-linked policy that references an existing policy template and that specifies values for any placeholders used by the template.

The following example creates a template-linked policy that uses a template with the following statement:

permit(
    principal in ?principal,
    action == PhotoFlash::Action::"view",
    resource == PhotoFlash::Photo::"VacationPhoto94.jpg"
);

It also uses the following definition.txt file to supply the value for the definition parameter:

{
    "templateLinked": {
        "policyTemplateId": "PTEXAMPLEabcdefg111111",
        "principal": {
            "entityType": "PhotoFlash::User",
            "entityId": "alice"
        }
    }
}

The output shows both the resource, which it gets from the template, and the principal, which it gets from the definition parameter

$ aws verifiedpermissions create-policy \
    --definition file://definition.txt
    --policy-store-id PSEXAMPLEabcdefg111111
{
    "createdDate": "2023-05-22T18:57:53.298278+00:00",
    "lastUpdatedDate": "2023-05-22T18:57:53.298278+00:00",
    "policyId": "TPEXAMPLEabcdefg111111",
    "policyStoreId": "PSEXAMPLEabcdefg111111",
    "policyType": "TEMPLATELINKED",
    "principal": {
        "entityId": "alice",
        "entityType": "PhotoFlash::User"
    },
    "resource": {
        "entityId": "VacationPhoto94.jpg",
        "entityType": "PhotoFlash::Photo"
    }
}