Module Awso_verifiedpermissions.ValuesSource

You don't have sufficient access to perform this action.

Contains information about an action for a request for which an authorization decision is made. This data type is used as a request parameter to the IsAuthorized, BatchIsAuthorized, and IsAuthorizedWithToken operations. Example: { "actionId": "<action name>", "actionType": "Action" }

An Amazon Resource Name (ARN) uniquely identifies an AWS resource.

Contains the identifier of an entity, including its ID and type. This data type is used as a request parameter for IsAuthorized operation, and as a response parameter for the CreatePolicy, GetPolicy, and UpdatePolicy operations. Example: {"entityId":"string","entityType":"string"}

The value of an attribute. Contains information about the runtime context for a request for which an authorization decision is made. This data type is used as a member of the ContextDefinition structure which is used as a request parameter for the IsAuthorized, BatchIsAuthorized, and IsAuthorizedWithToken operations.

Contains the information about an error resulting from a BatchGetPolicy API call.

Information about a policy that you include in a BatchGetPolicy API request.

Retrieves information about a group (batch) of policies. The BatchGetPolicy operation doesn't have its own IAM permission. To authorize this operation for Amazon Web Services principals, include the permission verifiedpermissions:GetPolicy in their IAM policies.

Details about a field that failed policy validation.

The request failed because one or more input parameters don't satisfy their constraint requirements. The output is provided as a list of fields and a reason for each field that isn't valid. The possible reasons include the following: UnrecognizedEntityType The policy includes an entity type that isn't found in the schema. UnrecognizedActionId The policy includes an action id that isn't found in the schema. InvalidActionApplication The policy includes an action that, according to the schema, doesn't support the specified principal and resource. UnexpectedType The policy included an operand that isn't a valid type for the specified operation. IncompatibleTypes The types of elements included in a set, or the types of expressions used in an if...then...else clause aren't compatible in this context. MissingAttribute The policy attempts to access a record or entity attribute that isn't specified in the schema. Test for the existence of the attribute first before attempting to access its value. For more information, see the has (presence of attribute test) operator in the Cedar Policy Language Guide. UnsafeOptionalAttributeAccess The policy attempts to access a record or entity attribute that is optional and isn't guaranteed to be present. Test for the existence of the attribute first before attempting to access its value. For more information, see the has (presence of attribute test) operator in the Cedar Policy Language Guide. ImpossiblePolicy Cedar has determined that a policy condition always evaluates to false. If the policy is always false, it can never apply to any query, and so it can never affect an authorization decision. WrongNumberArguments The policy references an extension type with the wrong number of arguments. FunctionArgumentValidationError Cedar couldn't parse the argument passed to an extension type. For example, a string that is to be parsed as an IPv4 address can contain only digits and the period character.

The request failed because it exceeded a throttling quota.

The request failed because of an internal error. Try your request again later

Contains information about a policy that was created by instantiating a policy template.

A structure that contains details about a static policy. It includes the description and policy body. This data type is used within a PolicyDefinition structure as part of a request parameter for the CreatePolicy operation.

A structure that describes a policy definition. It must always have either an static or a templateLinked element. This data type is used as a response parameter for the GetPolicy operation.

Contains information about a policy returned from a BatchGetPolicy API request.

Retrieves information about a group (batch) of policies. The BatchGetPolicy operation doesn't have its own IAM permission. To authorize this operation for Amazon Web Services principals, include the permission verifiedpermissions:GetPolicy in their IAM policies.

The value of an entity's Cedar tag. This data type is used as a member of the EntityItem structure that forms the body of the Entities request parameter for the IsAuthorized, BatchIsAuthorized, IsAuthorizedWithToken, and BatchIsAuthorizedWithToken operations.

Contains information about an entity that can be referenced in a Cedar policy. This data type is used as one of the fields in the EntitiesDefinition structure. { "identifier": { "entityType": "Photo", "entityId": "VacationPhoto94.jpg" }, "attributes": {}, "parents": [ { "entityType": "Album", "entityId": "alice_folder" } ] }

Contains the list of entities to be considered during an authorization request. This includes all principals, resources, and actions required to successfully evaluate the request. This data type is used as a field in the response parameter for the IsAuthorized and IsAuthorizedWithToken operations.

Contains additional details about the context of the request. Verified Permissions evaluates this information in an authorization request as part of the when and unless clauses in a policy. This data type is used as a request parameter for the IsAuthorized, BatchIsAuthorized, and IsAuthorizedWithToken operations. If you're passing context as part of the request, exactly one instance of context must be passed. If you don't want to pass context, omit the context parameter from your request rather than sending context {}. Example: "context":{"contextMap":{"<KeyName1>":{"boolean":true},"<KeyName2>":{"long":1234}}}

An authorization request that you include in a BatchIsAuthorized API request.

Makes a series of decisions about multiple authorization requests for one principal or resource. Each request contains the equivalent content of an IsAuthorized request: principal, action, resource, and context. Either the principal or the resource parameter must be identical across all requests. For example, Verified Permissions won't evaluate a pair of requests where bob views photo1 and alice views photo2. Authorization of bob to view photo1 and photo2, or bob and alice to view photo1, are valid batches. The request is evaluated against all policies in the specified policy store that match the entities that you declare. The result of the decisions is a series of Allow or Deny responses, along with the IDs of the policies that produced each decision. The entities of a BatchIsAuthorized API request can contain up to 100 principals and up to 100 resources. The requests of a BatchIsAuthorized API request can contain up to 30 requests. The BatchIsAuthorized operation doesn't have its own IAM permission. To authorize this operation for Amazon Web Services principals, include the permission verifiedpermissions:IsAuthorized in their IAM policies.

The request failed because it references a resource that doesn't exist.

Contains a description of an evaluation error. This data type is a response parameter of the IsAuthorized, BatchIsAuthorized, and IsAuthorizedWithToken operations.

Contains information about one of the policies that determined an authorization decision. This data type is used as an element in a response parameter for the IsAuthorized, BatchIsAuthorized, and IsAuthorizedWithToken operations. Example: "determiningPolicies":[{"policyId":"SPEXAMPLEabcdefg111111"}]

The decision, based on policy evaluation, from an individual authorization request in a BatchIsAuthorized API request.

Makes a series of decisions about multiple authorization requests for one principal or resource. Each request contains the equivalent content of an IsAuthorized request: principal, action, resource, and context. Either the principal or the resource parameter must be identical across all requests. For example, Verified Permissions won't evaluate a pair of requests where bob views photo1 and alice views photo2. Authorization of bob to view photo1 and photo2, or bob and alice to view photo1, are valid batches. The request is evaluated against all policies in the specified policy store that match the entities that you declare. The result of the decisions is a series of Allow or Deny responses, along with the IDs of the policies that produced each decision. The entities of a BatchIsAuthorized API request can contain up to 100 principals and up to 100 resources. The requests of a BatchIsAuthorized API request can contain up to 30 requests. The BatchIsAuthorized operation doesn't have its own IAM permission. To authorize this operation for Amazon Web Services principals, include the permission verifiedpermissions:IsAuthorized in their IAM policies.

An authorization request that you include in a BatchIsAuthorizedWithToken API request.

Makes a series of decisions about multiple authorization requests for one token. The principal in this request comes from an external identity source in the form of an identity or access token, formatted as a JSON web token (JWT). The information in the parameters can also define additional context that Verified Permissions can include in the evaluations. The request is evaluated against all policies in the specified policy store that match the entities that you provide in the entities declaration and in the token. The result of the decisions is a series of Allow or Deny responses, along with the IDs of the policies that produced each decision. The entities of a BatchIsAuthorizedWithToken API request can contain up to 100 resources and up to 99 user groups. The requests of a BatchIsAuthorizedWithToken API request can contain up to 30 requests. The BatchIsAuthorizedWithToken operation doesn't have its own IAM permission. To authorize this operation for Amazon Web Services principals, include the permission verifiedpermissions:IsAuthorizedWithToken in their IAM policies.

The decision, based on policy evaluation, from an individual authorization request in a BatchIsAuthorizedWithToken API request.

Makes a series of decisions about multiple authorization requests for one token. The principal in this request comes from an external identity source in the form of an identity or access token, formatted as a JSON web token (JWT). The information in the parameters can also define additional context that Verified Permissions can include in the evaluations. The request is evaluated against all policies in the specified policy store that match the entities that you provide in the entities declaration and in the token. The result of the decisions is a series of Allow or Deny responses, along with the IDs of the policies that produced each decision. The entities of a BatchIsAuthorizedWithToken API request can contain up to 100 resources and up to 99 user groups. The requests of a BatchIsAuthorizedWithToken API request can contain up to 30 requests. The BatchIsAuthorizedWithToken operation doesn't have its own IAM permission. To authorize this operation for Amazon Web Services principals, include the permission verifiedpermissions:IsAuthorizedWithToken in their IAM policies.

The type of entity that a policy store maps to groups from an Amazon Cognito user pool identity source. This data type is part of a CognitoUserPoolConfiguration structure and is a request parameter in CreateIdentitySource.

The type of entity that a policy store maps to groups from an Amazon Cognito user pool identity source. This data type is part of an CognitoUserPoolConfigurationDetail structure and is a response parameter to GetIdentitySource.

The type of entity that a policy store maps to groups from an Amazon Cognito user pool identity source. This data type is part of an CognitoUserPoolConfigurationItem structure and is a response parameter to ListIdentitySources.

The configuration for an identity source that represents a connection to an Amazon Cognito user pool used as an identity provider for Verified Permissions. This data type part of a Configuration structure that is used as a parameter to CreateIdentitySource. Example:"CognitoUserPoolConfiguration":{"UserPoolArn":"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5","ClientIds": ["a1b2c3d4e5f6g7h8i9j0kalbmc"],"groupConfiguration": {"groupEntityType": "MyCorp::Group"}}

The configuration for an identity source that represents a connection to an Amazon Cognito user pool used as an identity provider for Verified Permissions. This data type is used as a field that is part of an ConfigurationDetail structure that is part of the response to GetIdentitySource. Example:"CognitoUserPoolConfiguration":{"UserPoolArn":"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5","ClientIds": ["a1b2c3d4e5f6g7h8i9j0kalbmc"],"groupConfiguration": {"groupEntityType": "MyCorp::Group"}}

The configuration for an identity source that represents a connection to an Amazon Cognito user pool used as an identity provider for Verified Permissions. This data type is used as a field that is part of the ConfigurationItem structure that is part of the response to ListIdentitySources. Example:"CognitoUserPoolConfiguration":{"UserPoolArn":"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5","ClientIds": ["a1b2c3d4e5f6g7h8i9j0kalbmc"],"groupConfiguration": {"groupEntityType": "MyCorp::Group"}}

The configuration of an OpenID Connect (OIDC) identity source for handling identity (ID) token claims. Contains the claim that you want to identify as the principal in an authorization request, and the values of the aud claim, or audiences, that you want to accept. This data type is part of a OpenIdConnectTokenSelection structure, which is a parameter of CreateIdentitySource.

The configuration of an OpenID Connect (OIDC) identity source for handling access token claims. Contains the claim that you want to identify as the principal in an authorization request, and the values of the aud claim, or audiences, that you want to accept. This data type is part of a OpenIdConnectTokenSelection structure, which is a parameter of CreateIdentitySource.

The token type that you want to process from your OIDC identity provider. Your policy store can process either identity (ID) or access tokens from a given OIDC identity source. This data type is part of a OpenIdConnectConfiguration structure, which is a parameter of CreateIdentitySource.

The claim in OIDC identity provider tokens that indicates a user's group membership, and the entity type that you want to map it to. For example, this object can map the contents of a groups claim to MyCorp::UserGroup. This data type is part of a OpenIdConnectConfiguration structure, which is a parameter of CreateIdentitySource.

Contains configuration details of an OpenID Connect (OIDC) identity provider, or identity source, that Verified Permissions can use to generate entities from authenticated identities. It specifies the issuer URL, token type that you want to use, and policy store entity details. This data type is part of a Configuration structure, which is a parameter to CreateIdentitySource.

Contains configuration information used when creating a new identity source. This data type is used as a request parameter for the CreateIdentitySource operation.

The configuration of an OpenID Connect (OIDC) identity source for handling identity (ID) token claims. Contains the claim that you want to identify as the principal in an authorization request, and the values of the aud claim, or audiences, that you want to accept. This data type is part of a OpenIdConnectTokenSelectionDetail structure, which is a parameter of GetIdentitySource.

The configuration of an OpenID Connect (OIDC) identity source for handling access token claims. Contains the claim that you want to identify as the principal in an authorization request, and the values of the aud claim, or audiences, that you want to accept. This data type is part of a OpenIdConnectTokenSelectionDetail structure, which is a parameter of GetIdentitySource.

The token type that you want to process from your OIDC identity provider. Your policy store can process either identity (ID) or access tokens from a given OIDC identity source. This data type is part of a OpenIdConnectConfigurationDetail structure, which is a parameter of GetIdentitySource.

The claim in OIDC identity provider tokens that indicates a user's group membership, and the entity type that you want to map it to. For example, this object can map the contents of a groups claim to MyCorp::UserGroup. This data type is part of a OpenIdConnectConfigurationDetail structure, which is a parameter of GetIdentitySource.

Contains configuration details of an OpenID Connect (OIDC) identity provider, or identity source, that Verified Permissions can use to generate entities from authenticated identities. It specifies the issuer URL, token type that you want to use, and policy store entity details. This data type is part of a ConfigurationDetail structure, which is a parameter to GetIdentitySource.

Contains configuration information about an identity source. This data type is a response parameter to the GetIdentitySource operation.

The configuration of an OpenID Connect (OIDC) identity source for handling identity (ID) token claims. Contains the claim that you want to identify as the principal in an authorization request, and the values of the aud claim, or audiences, that you want to accept. This data type is part of a OpenIdConnectTokenSelectionItem structure, which is a parameter of ListIdentitySources.

The configuration of an OpenID Connect (OIDC) identity source for handling access token claims. Contains the claim that you want to identify as the principal in an authorization request, and the values of the aud claim, or audiences, that you want to accept. This data type is part of a OpenIdConnectTokenSelectionItem structure, which is a parameter of ListIdentitySources.

The token type that you want to process from your OIDC identity provider. Your policy store can process either identity (ID) or access tokens from a given OIDC identity source. This data type is part of a OpenIdConnectConfigurationItem structure, which is a parameter of ListIdentitySources.

The claim in OIDC identity provider tokens that indicates a user's group membership, and the entity type that you want to map it to. For example, this object can map the contents of a groups claim to MyCorp::UserGroup. This data type is part of a OpenIdConnectConfigurationItem structure, which is a parameter of ListIdentitySourcea.

Contains configuration details of an OpenID Connect (OIDC) identity provider, or identity source, that Verified Permissions can use to generate entities from authenticated identities. It specifies the issuer URL, token type that you want to use, and policy store entity details. This data type is part of a ConfigurationItem structure, which is a parameter to ListIdentitySources.

Contains configuration information about an identity source. This data type is a response parameter to the ListIdentitySources operation.

Contains information about a resource conflict.

The request failed because another request to modify a resource occurred at the same time.

Adds an identity source to a policy store–an Amazon Cognito user pool or OpenID Connect (OIDC) identity provider (IdP). After you create an identity source, you can use the identities provided by the IdP as proxies for the principal in authorization queries that use the IsAuthorizedWithToken or BatchIsAuthorizedWithToken API operations. These identities take the form of tokens that contain claims about the user, such as IDs, attributes and group memberships. Identity sources provide identity (ID) tokens and access tokens. Verified Permissions derives information about your user and session from token claims. Access tokens provide action context to your policies, and ID tokens provide principal Attributes. Tokens from an identity source user continue to be usable until they expire. Token revocation and resource deletion have no effect on the validity of a token in your policy store To reference a user from this identity source in your Cedar policies, refer to the following syntax examples. Amazon Cognito user pool: Namespace::[Entity type]::[User pool ID]|[user principal attribute], for example MyCorp::User::us-east-1_EXAMPLE|a1b2c3d4-5678-90ab-cdef-EXAMPLE11111. OpenID Connect (OIDC) provider: Namespace::[Entity type]::[entityIdPrefix]|[user principal attribute], for example MyCorp::User::MyOIDCProvider|a1b2c3d4-5678-90ab-cdef-EXAMPLE22222. Verified Permissions is eventually consistent . It can take a few seconds for a new or changed element to propagate through the service and be visible in the results of other Verified Permissions operations.

The request failed because it would cause a service quota to be exceeded.

Adds an identity source to a policy store–an Amazon Cognito user pool or OpenID Connect (OIDC) identity provider (IdP). After you create an identity source, you can use the identities provided by the IdP as proxies for the principal in authorization queries that use the IsAuthorizedWithToken or BatchIsAuthorizedWithToken API operations. These identities take the form of tokens that contain claims about the user, such as IDs, attributes and group memberships. Identity sources provide identity (ID) tokens and access tokens. Verified Permissions derives information about your user and session from token claims. Access tokens provide action context to your policies, and ID tokens provide principal Attributes. Tokens from an identity source user continue to be usable until they expire. Token revocation and resource deletion have no effect on the validity of a token in your policy store To reference a user from this identity source in your Cedar policies, refer to the following syntax examples. Amazon Cognito user pool: Namespace::[Entity type]::[User pool ID]|[user principal attribute], for example MyCorp::User::us-east-1_EXAMPLE|a1b2c3d4-5678-90ab-cdef-EXAMPLE11111. OpenID Connect (OIDC) provider: Namespace::[Entity type]::[entityIdPrefix]|[user principal attribute], for example MyCorp::User::MyOIDCProvider|a1b2c3d4-5678-90ab-cdef-EXAMPLE22222. Verified Permissions is eventually consistent . It can take a few seconds for a new or changed element to propagate through the service and be visible in the results of other Verified Permissions operations.

Contains information about a policy created by instantiating a policy template.

Contains information about a static policy. This data type is used as a field that is part of the PolicyDefinitionDetail type.

A structure that contains the details for a Cedar policy definition. It includes the policy type, a description, and a policy body. This is a top level data type used to create a policy. This data type is used as a request parameter for the CreatePolicy operation. This structure must always have either an static or a templateLinked element.

Creates a Cedar policy and saves it in the specified policy store. You can create either a static policy or a policy linked to a policy template. To create a static policy, provide the Cedar policy text in the StaticPolicy section of the PolicyDefinition. To create a policy that is dynamically linked to a policy template, specify the policy template ID and the principal and resource to associate with this policy in the templateLinked section of the PolicyDefinition. If the policy template is ever updated, any policies linked to the policy template automatically use the updated template. Creating a policy causes it to be validated against the schema in the policy store. If the policy doesn't pass validation, the operation fails and the policy isn't stored. Verified Permissions is eventually consistent . It can take a few seconds for a new or changed element to propagate through the service and be visible in the results of other Verified Permissions operations.

Creates a Cedar policy and saves it in the specified policy store. You can create either a static policy or a policy linked to a policy template. To create a static policy, provide the Cedar policy text in the StaticPolicy section of the PolicyDefinition. To create a policy that is dynamically linked to a policy template, specify the policy template ID and the principal and resource to associate with this policy in the templateLinked section of the PolicyDefinition. If the policy template is ever updated, any policies linked to the policy template automatically use the updated template. Creating a policy causes it to be validated against the schema in the policy store. If the policy doesn't pass validation, the operation fails and the policy isn't stored. Verified Permissions is eventually consistent . It can take a few seconds for a new or changed element to propagate through the service and be visible in the results of other Verified Permissions operations.

Creates a policy store alias for the specified policy store. A policy store alias is an alternative identifier that you can use to reference a policy store in API operations. This operation is idempotent. If multiple CreatePolicyStoreAlias requests are made where the aliasName and policyStoreId fields are the same between the requests, subsequent requests will be ignored. For each duplicate CreatePolicyStoreAlias request, a Success response will be returned and a new policy store alias will not be created. Verified Permissions is eventually consistent . It can take a few seconds for a new or changed element to propagate through the service and be visible in the results of other Verified Permissions operations.

Creates a policy store alias for the specified policy store. A policy store alias is an alternative identifier that you can use to reference a policy store in API operations. This operation is idempotent. If multiple CreatePolicyStoreAlias requests are made where the aliasName and policyStoreId fields are the same between the requests, subsequent requests will be ignored. For each duplicate CreatePolicyStoreAlias request, a Success response will be returned and a new policy store alias will not be created. Verified Permissions is eventually consistent . It can take a few seconds for a new or changed element to propagate through the service and be visible in the results of other Verified Permissions operations.

A structure that contains Cedar policy validation settings for the policy store. The validation mode determines which validation failures that Cedar considers serious enough to block acceptance of a new or edited static policy or policy template. This data type is used as a request parameter in the CreatePolicyStore and UpdatePolicyStore operations.

A structure that contains the KMS encryption configuration for the policy store. The encryption settings determine what customer-managed KMS key will be used to encrypt all resources within the policy store, and any user-defined context key-value pairs to append during encryption processes. This data type is used as a field that is part of the EncryptionSettings type.

A structure that contains the encryption configuration for the policy store and child resources. This data type is used as a request parameter in the CreatePolicyStore operation.

Creates a policy store. A policy store is a container for policy resources. Although Cedar supports multiple namespaces, Verified Permissions currently supports only one namespace per policy store. Verified Permissions is eventually consistent . It can take a few seconds for a new or changed element to propagate through the service and be visible in the results of other Verified Permissions operations.

Creates a policy store. A policy store is a container for policy resources. Although Cedar supports multiple namespaces, Verified Permissions currently supports only one namespace per policy store. Verified Permissions is eventually consistent . It can take a few seconds for a new or changed element to propagate through the service and be visible in the results of other Verified Permissions operations.

Creates a policy template. A template can use placeholders for the principal and resource. A template must be instantiated into a policy by associating it with specific principals and resources to use for the placeholders. That instantiated policy can then be considered in authorization decisions. The instantiated policy works identically to any other policy, except that it is dynamically linked to the template. If the template changes, then any policies that are linked to that template are immediately updated as well. Verified Permissions is eventually consistent . It can take a few seconds for a new or changed element to propagate through the service and be visible in the results of other Verified Permissions operations.

Creates a policy template. A template can use placeholders for the principal and resource. A template must be instantiated into a policy by associating it with specific principals and resources to use for the placeholders. That instantiated policy can then be considered in authorization decisions. The instantiated policy works identically to any other policy, except that it is dynamically linked to the template. If the template changes, then any policies that are linked to that template are immediately updated as well. Verified Permissions is eventually consistent . It can take a few seconds for a new or changed element to propagate through the service and be visible in the results of other Verified Permissions operations.

Deletes an identity source that references an identity provider (IdP) such as Amazon Cognito. After you delete the identity source, you can no longer use tokens for identities from that identity source to represent principals in authorization queries made using IsAuthorizedWithToken. operations.

Deletes an identity source that references an identity provider (IdP) such as Amazon Cognito. After you delete the identity source, you can no longer use tokens for identities from that identity source to represent principals in authorization queries made using IsAuthorizedWithToken. operations.

Deletes the specified policy from the policy store. This operation is idempotent; if you specify a policy that doesn't exist, the request response returns a successful HTTP 200 status code.

Deletes the specified policy from the policy store. This operation is idempotent; if you specify a policy that doesn't exist, the request response returns a successful HTTP 200 status code.

Deletes the specified policy store alias. This operation is idempotent. If you specify a policy store alias that does not exist, the request response will still return a successful HTTP 200 status code. When a policy store alias is deleted, it enters the PendingDeletion state. When a policy store alias is in the PendingDeletion state, new policy store aliases cannot be created with the same name. If the policy store alias is used in an API that has a policyStoreId field, the operation will fail with a ResourceNotFound exception.

The policy store can't be deleted because deletion protection is enabled. To delete this policy store, disable deletion protection.

Deletes the specified policy store alias. This operation is idempotent. If you specify a policy store alias that does not exist, the request response will still return a successful HTTP 200 status code. When a policy store alias is deleted, it enters the PendingDeletion state. When a policy store alias is in the PendingDeletion state, new policy store aliases cannot be created with the same name. If the policy store alias is used in an API that has a policyStoreId field, the operation will fail with a ResourceNotFound exception.

Deletes the specified policy store. This operation is idempotent. If you specify a policy store that does not exist, the request response will still return a successful HTTP 200 status code.

Deletes the specified policy store. This operation is idempotent. If you specify a policy store that does not exist, the request response will still return a successful HTTP 200 status code.

Deletes the specified policy template from the policy store. This operation also deletes any policies that were created from the specified policy template. Those policies are immediately removed from all future API responses, and are asynchronously deleted from the policy store.

Deletes the specified policy template from the policy store. This operation also deletes any policies that were created from the specified policy template. Those policies are immediately removed from all future API responses, and are asynchronously deleted from the policy store.

A structure that contains the KMS encryption configuration for the policy store. The encryption state shows what customer-managed KMS key is being used to encrypt all resources within the policy store, and any user-defined context key-value pairs added during encryption processes. This data type is used as a field that is part of the EncryptionState type.

A structure that contains the encryption configuration for the policy store and child resources. This data type is used as a response parameter field for the GetPolicyStore operation.

Contains information about a principal or resource that can be referenced in a Cedar policy. This data type is used as part of the PolicyFilter structure that is used as a request parameter for the ListPolicies operation..

Retrieves the details about the specified identity source.

A structure that contains configuration of the identity source. This data type was a response parameter for the GetIdentitySource operation. Replaced by ConfigurationDetail.

Retrieves the details about the specified identity source.

Retrieves information about the specified policy.

Retrieves information about the specified policy.

Retrieves details about the specified policy store alias.

Retrieves details about the specified policy store alias.

Retrieves details about a policy store.

Retrieves details about a policy store.

Retrieve the details for the specified policy template in the specified policy store.

Retrieve the details for the specified policy template in the specified policy store.

Retrieve the details for the specified schema in the specified policy store.

Retrieve the details for the specified schema in the specified policy store.

A structure that defines characteristics of an identity source that you can use to filter. This data type is a request parameter for the ListIdentityStores operation.

A structure that contains configuration of the identity source. This data type was a response parameter for the ListIdentitySources operation. Replaced by ConfigurationItem.

A structure that defines an identity source. This data type is a response parameter to the ListIdentitySources operation.

Makes an authorization decision about a service request described in the parameters. The information in the parameters can also define additional context that Verified Permissions can include in the evaluation. The request is evaluated against all matching policies in the specified policy store. The result of the decision is either Allow or Deny, along with a list of the policies that resulted in the decision.

Makes an authorization decision about a service request described in the parameters. The information in the parameters can also define additional context that Verified Permissions can include in the evaluation. The request is evaluated against all matching policies in the specified policy store. The result of the decision is either Allow or Deny, along with a list of the policies that resulted in the decision.

Makes an authorization decision about a service request described in the parameters. The principal in this request comes from an external identity source in the form of an identity token formatted as a JSON web token (JWT). The information in the parameters can also define additional context that Verified Permissions can include in the evaluation. The request is evaluated against all matching policies in the specified policy store. The result of the decision is either Allow or Deny, along with a list of the policies that resulted in the decision. Verified Permissions validates each token that is specified in a request by checking its expiration date and its signature. Tokens from an identity source user continue to be usable until they expire. Token revocation and resource deletion have no effect on the validity of a token in your policy store

Makes an authorization decision about a service request described in the parameters. The principal in this request comes from an external identity source in the form of an identity token formatted as a JSON web token (JWT). The information in the parameters can also define additional context that Verified Permissions can include in the evaluation. The request is evaluated against all matching policies in the specified policy store. The result of the decision is either Allow or Deny, along with a list of the policies that resulted in the decision. Verified Permissions validates each token that is specified in a request by checking its expiration date and its signature. Tokens from an identity source user continue to be usable until they expire. Token revocation and resource deletion have no effect on the validity of a token in your policy store

Returns a paginated list of all of the identity sources defined in the specified policy store.

Returns a paginated list of all of the identity sources defined in the specified policy store.

Contains information about a filter to refine policies returned in a query. This data type is used as a response parameter for the ListPolicies operation.

Returns a paginated list of all policies stored in the specified policy store.

Contains information about a policy created by instantiating a policy template.

A structure that contains details about a static policy. It includes the description and policy statement. This data type is used within a PolicyDefinition structure as part of a request parameter for the CreatePolicy operation.

A structure that describes a PolicyDefinintion. It will always have either an StaticPolicy or a TemplateLinkedPolicy element. This data type is used as a response parameter for the CreatePolicy and ListPolicies operations.

Contains information about a policy. This data type is used as a response parameter for the ListPolicies operation.

Returns a paginated list of all policies stored in the specified policy store.

Contains filters for the ListPolicyStoreAliases operation.

Returns a paginated list of all policy store aliases in the calling Amazon Web Services account.

Contains information about a policy store alias. This data type is used as a response parameter for the ListPolicyStoreAliases operation.

Returns a paginated list of all policy store aliases in the calling Amazon Web Services account.

Returns a paginated list of all policy stores in the calling Amazon Web Services account.

Contains information about a policy store. This data type is used as a response parameter for the ListPolicyStores operation.

Returns a paginated list of all policy stores in the calling Amazon Web Services account.

Returns a paginated list of all policy templates in the specified policy store.

Contains details about a policy template This data type is used as a response parameter for the ListPolicyTemplates operation.

Returns a paginated list of all policy templates in the specified policy store.

Returns the tags associated with the specified Amazon Verified Permissions resource. In Verified Permissions, policy stores can be tagged.

Returns the tags associated with the specified Amazon Verified Permissions resource. In Verified Permissions, policy stores can be tagged.

Contains a list of principal types, resource types, and actions that can be specified in policies stored in the same policy store. If the validation mode for the policy store is set to STRICT, then policies that can't be validated by this schema are rejected by Verified Permissions and can't be stored in the policy store.

Creates or updates the policy schema in the specified policy store. The schema is used to validate any Cedar policies and policy templates submitted to the policy store. Any changes to the schema validate only policies and templates submitted after the schema change. Existing policies and templates are not re-evaluated against the changed schema. If you later update a policy, then it is evaluated against the new schema at that time. Verified Permissions is eventually consistent . It can take a few seconds for a new or changed element to propagate through the service and be visible in the results of other Verified Permissions operations.

Creates or updates the policy schema in the specified policy store. The schema is used to validate any Cedar policies and policy templates submitted to the policy store. Any changes to the schema validate only policies and templates submitted after the schema change. Existing policies and templates are not re-evaluated against the changed schema. If you later update a policy, then it is evaluated against the new schema at that time. Verified Permissions is eventually consistent . It can take a few seconds for a new or changed element to propagate through the service and be visible in the results of other Verified Permissions operations.

Assigns one or more tags (key-value pairs) to the specified Amazon Verified Permissions resource. Tags can help you organize and categorize your resources. You can also use them to scope user permissions by granting a user permission to access or change only resources with certain tag values. In Verified Permissions, policy stores can be tagged. Tags don't have any semantic meaning to Amazon Web Services and are interpreted strictly as strings of characters. You can use the TagResource action with a resource that already has tags. If you specify a new tag key, this tag is appended to the list of tags associated with the resource. If you specify a tag key that is already associated with the resource, the new tag value that you specify replaces the previous value for that tag. You can associate as many as 50 tags with a resource.

No more tags be added because the limit (50) has been reached. To add new tags, use UntagResource to remove existing tags.

Assigns one or more tags (key-value pairs) to the specified Amazon Verified Permissions resource. Tags can help you organize and categorize your resources. You can also use them to scope user permissions by granting a user permission to access or change only resources with certain tag values. In Verified Permissions, policy stores can be tagged. Tags don't have any semantic meaning to Amazon Web Services and are interpreted strictly as strings of characters. You can use the TagResource action with a resource that already has tags. If you specify a new tag key, this tag is appended to the list of tags associated with the resource. If you specify a tag key that is already associated with the resource, the new tag value that you specify replaces the previous value for that tag. You can associate as many as 50 tags with a resource.

Removes one or more tags from the specified Amazon Verified Permissions resource. In Verified Permissions, policy stores can be tagged.

Removes one or more tags from the specified Amazon Verified Permissions resource. In Verified Permissions, policy stores can be tagged.

The user group entities from an Amazon Cognito user pool identity source.

Contains configuration details of a Amazon Cognito user pool for use with an identity source.

The configuration of an OpenID Connect (OIDC) identity source for handling identity (ID) token claims. Contains the claim that you want to identify as the principal in an authorization request, and the values of the aud claim, or audiences, that you want to accept. This data type is part of a UpdateOpenIdConnectTokenSelection structure, which is a parameter to UpdateIdentitySource.

The configuration of an OpenID Connect (OIDC) identity source for handling access token claims. Contains the claim that you want to identify as the principal in an authorization request, and the values of the aud claim, or audiences, that you want to accept. This data type is part of a UpdateOpenIdConnectTokenSelection structure, which is a parameter to UpdateIdentitySource.

The token type that you want to process from your OIDC identity provider. Your policy store can process either identity (ID) or access tokens from a given OIDC identity source. This data type is part of a UpdateOpenIdConnectConfiguration structure, which is a parameter to UpdateIdentitySource.

The claim in OIDC identity provider tokens that indicates a user's group membership, and the entity type that you want to map it to. For example, this object can map the contents of a groups claim to MyCorp::UserGroup. This data type is part of a UpdateOpenIdConnectConfiguration structure, which is a parameter to UpdateIdentitySource.

Contains configuration details of an OpenID Connect (OIDC) identity provider, or identity source, that Verified Permissions can use to generate entities from authenticated identities. It specifies the issuer URL, token type that you want to use, and policy store entity details. This data type is part of a UpdateConfiguration structure, which is a parameter to UpdateIdentitySource.

Contains an update to replace the configuration in an existing identity source.

Updates the specified identity source to use a new identity provider (IdP), or to change the mapping of identities from the IdP to a different principal entity type. Verified Permissions is eventually consistent . It can take a few seconds for a new or changed element to propagate through the service and be visible in the results of other Verified Permissions operations.

Updates the specified identity source to use a new identity provider (IdP), or to change the mapping of identities from the IdP to a different principal entity type. Verified Permissions is eventually consistent . It can take a few seconds for a new or changed element to propagate through the service and be visible in the results of other Verified Permissions operations.

Contains information about an update to a static policy.

Contains information about updates to be applied to a policy. This data type is used as a request parameter in the UpdatePolicy operation.

Modifies a Cedar static policy in the specified policy store. You can change only certain elements of the UpdatePolicyDefinition parameter. You can directly update only static policies. To change a template-linked policy, you must update the template instead, using UpdatePolicyTemplate. If policy validation is enabled in the policy store, then updating a static policy causes Verified Permissions to validate the policy against the schema in the policy store. If the updated static policy doesn't pass validation, the operation fails and the update isn't stored. When you edit a static policy, you can change only certain elements of a static policy: The action referenced by the policy. A condition clause, such as when and unless. You can't change these elements of a static policy: Changing a policy from a static policy to a template-linked policy. Changing the effect of a static policy from permit or forbid. The principal referenced by a static policy. The resource referenced by a static policy. To update a template-linked policy, you must update the template instead. Verified Permissions is eventually consistent . It can take a few seconds for a new or changed element to propagate through the service and be visible in the results of other Verified Permissions operations.

Modifies a Cedar static policy in the specified policy store. You can change only certain elements of the UpdatePolicyDefinition parameter. You can directly update only static policies. To change a template-linked policy, you must update the template instead, using UpdatePolicyTemplate. If policy validation is enabled in the policy store, then updating a static policy causes Verified Permissions to validate the policy against the schema in the policy store. If the updated static policy doesn't pass validation, the operation fails and the update isn't stored. When you edit a static policy, you can change only certain elements of a static policy: The action referenced by the policy. A condition clause, such as when and unless. You can't change these elements of a static policy: Changing a policy from a static policy to a template-linked policy. Changing the effect of a static policy from permit or forbid. The principal referenced by a static policy. The resource referenced by a static policy. To update a template-linked policy, you must update the template instead. Verified Permissions is eventually consistent . It can take a few seconds for a new or changed element to propagate through the service and be visible in the results of other Verified Permissions operations.

Modifies the validation setting for a policy store. Verified Permissions is eventually consistent . It can take a few seconds for a new or changed element to propagate through the service and be visible in the results of other Verified Permissions operations.

Modifies the validation setting for a policy store. Verified Permissions is eventually consistent . It can take a few seconds for a new or changed element to propagate through the service and be visible in the results of other Verified Permissions operations.

Updates the specified policy template. You can update only the description and the some elements of the policyBody. Changes you make to the policy template content are immediately (within the constraints of eventual consistency) reflected in authorization decisions that involve all template-linked policies instantiated from this template. Verified Permissions is eventually consistent . It can take a few seconds for a new or changed element to propagate through the service and be visible in the results of other Verified Permissions operations.

Updates the specified policy template. You can update only the description and the some elements of the policyBody. Changes you make to the policy template content are immediately (within the constraints of eventual consistency) reflected in authorization decisions that involve all template-linked policies instantiated from this template. Verified Permissions is eventually consistent . It can take a few seconds for a new or changed element to propagate through the service and be visible in the results of other Verified Permissions operations.