2026/03/20 - Amazon Verified Permissions - 4 new 9 updated api methods
Changes Adds support for Policy Store Aliases, Policy Names, and Policy Template Names. These are customizable identifiers that can be used in place of Policy Store ids, Policy ids, and Policy Template ids respectively in Amazon Verified Permissions APIs.
Creates a policy store alias for the specified policy store. A policy store alias is an alternative identifier that you can use to reference a policy store in API operations.
This operation is idempotent. If multiple CreatePolicyStoreAlias requests are made where the aliasName and policyStoreId fields are the same between the requests, subsequent requests will be ignored. For each duplicate CreatePolicyStoreAlias request, a Success response will be returned and a new policy store alias will not be created.
See also: AWS API Documentation
Request Syntax
client.create_policy_store_alias(
aliasName='string',
policyStoreId='string'
)
string
[REQUIRED]
Specifies the name of the policy store alias to create. The name must be unique within your Amazon Web Services account and Amazon Web Services Region.
string
[REQUIRED]
Specifies the ID of the policy store to associate with the alias.
dict
Response Syntax
{
'aliasName': 'string',
'policyStoreId': 'string',
'aliasArn': 'string',
'createdAt': datetime(2015, 1, 1)
}
Response Structure
(dict) --
aliasName (string) --
The name of the policy store alias.
policyStoreId (string) --
The ID of the policy store associated with the alias.
aliasArn (string) --
The Amazon Resource Name (ARN) of the policy store alias.
createdAt (datetime) --
The date and time the policy store alias was created.
Returns a paginated list of all policy store aliases in the calling Amazon Web Services account.
See also: AWS API Documentation
Request Syntax
client.list_policy_store_aliases(
nextToken='string',
maxResults=123,
filter={
'policyStoreId': 'string'
}
)
string
Specifies that you want to receive the next page of results. Valid only if you received a NextToken response in the previous request. If you did, it indicates that more output is available. Set this parameter to the value provided by the previous call's NextToken response to request the next page of results.
integer
Specifies the total number of results that you want included in each response. If additional items exist beyond the number you specify, the NextToken response element is returned with a value (not null). Include the specified value as the NextToken request parameter in the next call to the operation to get the next set of results. Note that the service might return fewer results than the maximum even when there are more results available. You should check NextToken after every operation to ensure that you receive all of the results.
If you do not specify this parameter, the operation defaults to 5 policy store aliases per response. You can specify a maximum of 50 policy store aliases per response.
dict
Specifies a filter to narrow the results. You can filter by policyStoreId to list only the policy store aliases associated with a specific policy store.
policyStoreId (string) --
The ID of the policy store to filter by. Only policy store aliases associated with this policy store are returned.
dict
Response Syntax
{
'nextToken': 'string',
'policyStoreAliases': [
{
'aliasName': 'string',
'policyStoreId': 'string',
'aliasArn': 'string',
'createdAt': datetime(2015, 1, 1),
'state': 'Active'|'PendingDeletion'
},
]
}
Response Structure
(dict) --
nextToken (string) --
If present, this value indicates that more output is available than is included in the current response. Use this value in the NextToken request parameter in a subsequent call to the operation to get the next part of the output. You should repeat this until the NextToken response element comes back as null. This indicates that this is the last page of results.
policyStoreAliases (list) --
The list of policy store aliases in the account.
(dict) --
Contains information about a policy store alias.
This data type is used as a response parameter for the ListPolicyStoreAliases operation.
aliasName (string) --
The name of the policy store alias.
policyStoreId (string) --
The ID of the policy store associated with the alias.
aliasArn (string) --
The Amazon Resource Name (ARN) of the policy store alias.
createdAt (datetime) --
The date and time the policy store alias was created.
state (string) --
The state of the policy store alias. Policy Store Aliases in the Active state can be used normally. When a policy store alias is deleted, it enters the PendingDeletion state. Policy Store Aliases in the PendingDeletion state cannot be used, and creating a policy store alias with the same alias name will fail.
Deletes the specified policy store alias.
This operation is idempotent. If you specify a policy store alias that does not exist, the request response will still return a successful HTTP 200 status code.
When a policy store alias is deleted, it enters the PendingDeletion state. When a policy store alias is in the PendingDeletion state, new policy store aliases cannot be created with the same name. If the policy store alias is used in an API that has a policyStoreId field, the operation will fail with a ResourceNotFound exception.
See also: AWS API Documentation
Request Syntax
client.delete_policy_store_alias(
aliasName='string'
)
string
[REQUIRED]
Specifies the name of the policy store alias that you want to delete.
dict
Response Syntax
{}
Response Structure
(dict) --
Retrieves details about the specified policy store alias.
See also: AWS API Documentation
Request Syntax
client.get_policy_store_alias(
aliasName='string'
)
string
[REQUIRED]
Specifies the name of the policy store alias that you want information about.
dict
Response Syntax
{
'aliasName': 'string',
'policyStoreId': 'string',
'aliasArn': 'string',
'createdAt': datetime(2015, 1, 1),
'state': 'Active'|'PendingDeletion'
}
Response Structure
(dict) --
aliasName (string) --
The name of the policy store alias.
policyStoreId (string) --
The ID of the policy store associated with the alias.
aliasArn (string) --
The Amazon Resource Name (ARN) of the policy store alias.
createdAt (datetime) --
The date and time the policy store alias was created.
state (string) --
The state of the policy store alias. Policy Store Aliases in the Active state can be used normally. When a policy store alias is deleted, it enters the PendingDeletion state. Policy Store Aliases in the PendingDeletion cannot be used, and creating a policy store alias with the same alias name will fail.
{'errors': {'code': {'POLICY_STORE_ALIAS_NOT_FOUND'}},
'results': {'name': 'string'}}
Retrieves information about a group (batch) of policies.
See also: AWS API Documentation
Request Syntax
client.batch_get_policy(
requests=[
{
'policyStoreId': 'string',
'policyId': 'string'
},
]
)
list
[REQUIRED]
An array of up to 100 policies you want information about.
(dict) --
Information about a policy that you include in a BatchGetPolicy API request.
policyStoreId (string) -- [REQUIRED]
The identifier of the policy store where the policy you want information about is stored.
policyId (string) -- [REQUIRED]
The identifier of the policy you want information about.
You can use the policy name in place of the policy ID. When using a name, prefix it with name/. For example:
ID: SPEXAMPLEabcdefg111111
Name: name/example-policy
dict
Response Syntax
{
'results': [
{
'policyStoreId': 'string',
'policyId': 'string',
'policyType': 'STATIC'|'TEMPLATE_LINKED',
'definition': {
'static': {
'description': 'string',
'statement': 'string'
},
'templateLinked': {
'policyTemplateId': 'string',
'principal': {
'entityType': 'string',
'entityId': 'string'
},
'resource': {
'entityType': 'string',
'entityId': 'string'
}
}
},
'createdDate': datetime(2015, 1, 1),
'lastUpdatedDate': datetime(2015, 1, 1),
'name': 'string'
},
],
'errors': [
{
'code': 'POLICY_STORE_NOT_FOUND'|'POLICY_NOT_FOUND'|'POLICY_STORE_ALIAS_NOT_FOUND',
'policyStoreId': 'string',
'policyId': 'string',
'message': 'string'
},
]
}
Response Structure
(dict) --
results (list) --
Information about the policies listed in the request that were successfully returned. These results are returned in the order they were requested.
(dict) --
Contains information about a policy returned from a BatchGetPolicy API request.
policyStoreId (string) --
The identifier of the policy store where the policy you want information about is stored.
policyId (string) --
The identifier of the policy you want information about.
policyType (string) --
The type of the policy. This is one of the following values:
STATIC
TEMPLATE_LINKED
definition (dict) --
The policy definition of an item in the list of policies returned.
static (dict) --
Information about a static policy that wasn't created with a policy template.
description (string) --
A description of the static policy.
statement (string) --
The content of the static policy written in the Cedar policy language.
templateLinked (dict) --
Information about a template-linked policy that was created by instantiating a policy template.
policyTemplateId (string) --
The unique identifier of the policy template used to create this policy.
principal (dict) --
The principal associated with this template-linked policy. Verified Permissions substitutes this principal for the ?principal placeholder in the policy template when it evaluates an authorization request.
entityType (string) --
The type of an entity.
Example: "entityType":"typeName"
entityId (string) --
The identifier of an entity.
"entityId":"identifier"
resource (dict) --
The resource associated with this template-linked policy. Verified Permissions substitutes this resource for the ?resource placeholder in the policy template when it evaluates an authorization request.
entityType (string) --
The type of an entity.
Example: "entityType":"typeName"
entityId (string) --
The identifier of an entity.
"entityId":"identifier"
createdDate (datetime) --
The date and time the policy was created.
lastUpdatedDate (datetime) --
The date and time the policy was most recently updated.
name (string) --
The name of the policy, if one was assigned when the policy was created or last updated.
errors (list) --
Information about the policies from the request that resulted in an error. These results are returned in the order they were requested.
(dict) --
Contains the information about an error resulting from a BatchGetPolicy API call.
code (string) --
The error code that was returned.
policyStoreId (string) --
The identifier of the policy store associated with the failed request.
policyId (string) --
The identifier of the policy associated with the failed request.
message (string) --
A detailed error message.
{'name': 'string'}
Creates a Cedar policy and saves it in the specified policy store. You can create either a static policy or a policy linked to a policy template.
To create a static policy, provide the Cedar policy text in the StaticPolicy section of the PolicyDefinition.
To create a policy that is dynamically linked to a policy template, specify the policy template ID and the principal and resource to associate with this policy in the templateLinked section of the PolicyDefinition. If the policy template is ever updated, any policies linked to the policy template automatically use the updated template.
See also: AWS API Documentation
Request Syntax
client.create_policy(
clientToken='string',
policyStoreId='string',
definition={
'static': {
'description': 'string',
'statement': 'string'
},
'templateLinked': {
'policyTemplateId': 'string',
'principal': {
'entityType': 'string',
'entityId': 'string'
},
'resource': {
'entityType': 'string',
'entityId': 'string'
}
}
},
name='string'
)
string
Specifies a unique, case-sensitive ID that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value..
If you don't provide this value, then Amazon Web Services generates a random one for you.
If you retry the operation with the same ClientToken, but with different parameters, the retry fails with an ConflictException error.
Verified Permissions recognizes a ClientToken for eight hours. After eight hours, the next request with the same parameters performs the operation again regardless of the value of ClientToken.
This field is autopopulated if not provided.
string
[REQUIRED]
Specifies the PolicyStoreId of the policy store you want to store the policy in.
To specify a policy store, use its ID or alias name. When using an alias name, prefix it with policy-store-alias/. For example:
ID: PSEXAMPLEabcdefg111111
Alias name: policy-store-alias/example-policy-store
To view aliases, use ListPolicyStoreAliases.
dict
[REQUIRED]
A structure that specifies the policy type and content to use for the new policy. You must include either a static or a templateLinked element. The policy content must be written in the Cedar policy language.
static (dict) --
A structure that describes a static policy. An static policy doesn't use a template or allow placeholders for entities.
description (string) --
The description of the static policy.
statement (string) -- [REQUIRED]
The policy content of the static policy, written in the Cedar policy language.
templateLinked (dict) --
A structure that describes a policy that was instantiated from a template. The template can specify placeholders for principal and resource. When you use CreatePolicy to create a policy from a template, you specify the exact principal and resource to use for the instantiated policy.
policyTemplateId (string) -- [REQUIRED]
The unique identifier of the policy template used to create this policy.
principal (dict) --
The principal associated with this template-linked policy. Verified Permissions substitutes this principal for the ?principal placeholder in the policy template when it evaluates an authorization request.
entityType (string) -- [REQUIRED]
The type of an entity.
Example: "entityType":"typeName"
entityId (string) -- [REQUIRED]
The identifier of an entity.
"entityId":"identifier"
resource (dict) --
The resource associated with this template-linked policy. Verified Permissions substitutes this resource for the ?resource placeholder in the policy template when it evaluates an authorization request.
entityType (string) -- [REQUIRED]
The type of an entity.
Example: "entityType":"typeName"
entityId (string) -- [REQUIRED]
The identifier of an entity.
"entityId":"identifier"
string
Specifies a name for the policy that is unique among all policies within the policy store. You can use the name in place of the policy ID in API operations that reference the policy. The name must be prefixed with name/.
If you specify a name that is already associated with another policy in the policy store, you receive a ConflictException error.
dict
Response Syntax
{
'policyStoreId': 'string',
'policyId': 'string',
'policyType': 'STATIC'|'TEMPLATE_LINKED',
'principal': {
'entityType': 'string',
'entityId': 'string'
},
'resource': {
'entityType': 'string',
'entityId': 'string'
},
'actions': [
{
'actionType': 'string',
'actionId': 'string'
},
],
'createdDate': datetime(2015, 1, 1),
'lastUpdatedDate': datetime(2015, 1, 1),
'effect': 'Permit'|'Forbid'
}
Response Structure
(dict) --
policyStoreId (string) --
The ID of the policy store that contains the new policy.
policyId (string) --
The unique ID of the new policy.
policyType (string) --
The policy type of the new policy.
principal (dict) --
The principal specified in the new policy's scope. This response element isn't present when principal isn't specified in the policy content.
entityType (string) --
The type of an entity.
Example: "entityType":"typeName"
entityId (string) --
The identifier of an entity.
"entityId":"identifier"
resource (dict) --
The resource specified in the new policy's scope. This response element isn't present when the resource isn't specified in the policy content.
entityType (string) --
The type of an entity.
Example: "entityType":"typeName"
entityId (string) --
The identifier of an entity.
"entityId":"identifier"
actions (list) --
The action that a policy permits or forbids. For example, {"actions": [{"actionId": "ViewPhoto", "actionType": "PhotoFlash::Action"}, {"entityID": "SharePhoto", "entityType": "PhotoFlash::Action"}]}.
(dict) --
Contains information about an action for a request for which an authorization decision is made.
This data type is used as a request parameter to the IsAuthorized, BatchIsAuthorized, and IsAuthorizedWithToken operations.
Example: { "actionId": "<action name>", "actionType": "Action" }
actionType (string) --
The type of an action.
actionId (string) --
The ID of an action.
createdDate (datetime) --
The date and time the policy was originally created.
lastUpdatedDate (datetime) --
The date and time the policy was last updated.
effect (string) --
The effect of the decision that a policy returns to an authorization request. For example, "effect": "Permit".
{'name': 'string'}
Creates a policy template. A template can use placeholders for the principal and resource. A template must be instantiated into a policy by associating it with specific principals and resources to use for the placeholders. That instantiated policy can then be considered in authorization decisions. The instantiated policy works identically to any other policy, except that it is dynamically linked to the template. If the template changes, then any policies that are linked to that template are immediately updated as well.
See also: AWS API Documentation
Request Syntax
client.create_policy_template(
clientToken='string',
policyStoreId='string',
description='string',
statement='string',
name='string'
)
string
Specifies a unique, case-sensitive ID that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value..
If you don't provide this value, then Amazon Web Services generates a random one for you.
If you retry the operation with the same ClientToken, but with different parameters, the retry fails with an ConflictException error.
Verified Permissions recognizes a ClientToken for eight hours. After eight hours, the next request with the same parameters performs the operation again regardless of the value of ClientToken.
This field is autopopulated if not provided.
string
[REQUIRED]
The ID of the policy store in which to create the policy template.
To specify a policy store, use its ID or alias name. When using an alias name, prefix it with policy-store-alias/. For example:
ID: PSEXAMPLEabcdefg111111
Alias name: policy-store-alias/example-policy-store
To view aliases, use ListPolicyStoreAliases.
string
Specifies a description for the policy template.
string
[REQUIRED]
Specifies the content that you want to use for the new policy template, written in the Cedar policy language.
string
Specifies a name for the policy template that is unique among all policy templates within the policy store. You can use the name in place of the policy template ID in API operations that reference the policy template. The name must be prefixed with name/.
If you specify a name that is already associated with another policy template in the policy store, you receive a ConflictException error.
dict
Response Syntax
{
'policyStoreId': 'string',
'policyTemplateId': 'string',
'createdDate': datetime(2015, 1, 1),
'lastUpdatedDate': datetime(2015, 1, 1)
}
Response Structure
(dict) --
policyStoreId (string) --
The ID of the policy store that contains the policy template.
policyTemplateId (string) --
The unique ID of the new policy template.
createdDate (datetime) --
The date and time the policy template was originally created.
lastUpdatedDate (datetime) --
The date and time the policy template was most recently updated.
{'name': 'string'}
Retrieves information about the specified policy.
See also: AWS API Documentation
Request Syntax
client.get_policy(
policyStoreId='string',
policyId='string'
)
string
[REQUIRED]
Specifies the ID of the policy store that contains the policy that you want information about.
To specify a policy store, use its ID or alias name. When using an alias name, prefix it with policy-store-alias/. For example:
ID: PSEXAMPLEabcdefg111111
Alias name: policy-store-alias/example-policy-store
To view aliases, use ListPolicyStoreAliases.
string
[REQUIRED]
Specifies the ID of the policy you want information about.
You can use the policy name in place of the policy ID. When using a name, prefix it with name/. For example:
ID: SPEXAMPLEabcdefg111111
Name: name/example-policy
dict
Response Syntax
{
'policyStoreId': 'string',
'policyId': 'string',
'policyType': 'STATIC'|'TEMPLATE_LINKED',
'principal': {
'entityType': 'string',
'entityId': 'string'
},
'resource': {
'entityType': 'string',
'entityId': 'string'
},
'actions': [
{
'actionType': 'string',
'actionId': 'string'
},
],
'definition': {
'static': {
'description': 'string',
'statement': 'string'
},
'templateLinked': {
'policyTemplateId': 'string',
'principal': {
'entityType': 'string',
'entityId': 'string'
},
'resource': {
'entityType': 'string',
'entityId': 'string'
}
}
},
'createdDate': datetime(2015, 1, 1),
'lastUpdatedDate': datetime(2015, 1, 1),
'effect': 'Permit'|'Forbid',
'name': 'string'
}
Response Structure
(dict) --
policyStoreId (string) --
The ID of the policy store that contains the policy that you want information about.
policyId (string) --
The unique ID of the policy that you want information about.
policyType (string) --
The type of the policy.
principal (dict) --
The principal specified in the policy's scope. This element isn't included in the response when Principal isn't present in the policy content.
entityType (string) --
The type of an entity.
Example: "entityType":"typeName"
entityId (string) --
The identifier of an entity.
"entityId":"identifier"
resource (dict) --
The resource specified in the policy's scope. This element isn't included in the response when Resource isn't present in the policy content.
entityType (string) --
The type of an entity.
Example: "entityType":"typeName"
entityId (string) --
The identifier of an entity.
"entityId":"identifier"
actions (list) --
The action that a policy permits or forbids. For example, {"actions": [{"actionId": "ViewPhoto", "actionType": "PhotoFlash::Action"}, {"entityID": "SharePhoto", "entityType": "PhotoFlash::Action"}]}.
(dict) --
Contains information about an action for a request for which an authorization decision is made.
This data type is used as a request parameter to the IsAuthorized, BatchIsAuthorized, and IsAuthorizedWithToken operations.
Example: { "actionId": "<action name>", "actionType": "Action" }
actionType (string) --
The type of an action.
actionId (string) --
The ID of an action.
definition (dict) --
The definition of the requested policy.
static (dict) --
Information about a static policy that wasn't created with a policy template.
description (string) --
A description of the static policy.
statement (string) --
The content of the static policy written in the Cedar policy language.
templateLinked (dict) --
Information about a template-linked policy that was created by instantiating a policy template.
policyTemplateId (string) --
The unique identifier of the policy template used to create this policy.
principal (dict) --
The principal associated with this template-linked policy. Verified Permissions substitutes this principal for the ?principal placeholder in the policy template when it evaluates an authorization request.
entityType (string) --
The type of an entity.
Example: "entityType":"typeName"
entityId (string) --
The identifier of an entity.
"entityId":"identifier"
resource (dict) --
The resource associated with this template-linked policy. Verified Permissions substitutes this resource for the ?resource placeholder in the policy template when it evaluates an authorization request.
entityType (string) --
The type of an entity.
Example: "entityType":"typeName"
entityId (string) --
The identifier of an entity.
"entityId":"identifier"
createdDate (datetime) --
The date and time that the policy was originally created.
lastUpdatedDate (datetime) --
The date and time that the policy was last updated.
effect (string) --
The effect of the decision that a policy returns to an authorization request. For example, "effect": "Permit".
name (string) --
The name of the policy, if one was assigned when the policy was created or last updated.
{'name': 'string'}
Retrieve the details for the specified policy template in the specified policy store.
See also: AWS API Documentation
Request Syntax
client.get_policy_template(
policyStoreId='string',
policyTemplateId='string'
)
string
[REQUIRED]
Specifies the ID of the policy store that contains the policy template that you want information about.
To specify a policy store, use its ID or alias name. When using an alias name, prefix it with policy-store-alias/. For example:
ID: PSEXAMPLEabcdefg111111
Alias name: policy-store-alias/example-policy-store
To view aliases, use ListPolicyStoreAliases.
string
[REQUIRED]
Specifies the ID of the policy template that you want information about.
You can use the policy template name in place of the policy template ID. When using a name, prefix it with name/. For example:
ID: PTEXAMPLEabcdefg111111
Name: name/example-policy-template
dict
Response Syntax
{
'policyStoreId': 'string',
'policyTemplateId': 'string',
'description': 'string',
'statement': 'string',
'createdDate': datetime(2015, 1, 1),
'lastUpdatedDate': datetime(2015, 1, 1),
'name': 'string'
}
Response Structure
(dict) --
policyStoreId (string) --
The ID of the policy store that contains the policy template.
policyTemplateId (string) --
The ID of the policy template.
description (string) --
The description of the policy template.
statement (string) --
The content of the body of the policy template written in the Cedar policy language.
createdDate (datetime) --
The date and time that the policy template was originally created.
lastUpdatedDate (datetime) --
The date and time that the policy template was most recently updated.
name (string) --
The name of the policy template, if one was assigned when the policy template was created or last updated.
{'policies': {'name': 'string'}}
Returns a paginated list of all policies stored in the specified policy store.
See also: AWS API Documentation
Request Syntax
client.list_policies(
policyStoreId='string',
nextToken='string',
maxResults=123,
filter={
'principal': {
'unspecified': True|False,
'identifier': {
'entityType': 'string',
'entityId': 'string'
}
},
'resource': {
'unspecified': True|False,
'identifier': {
'entityType': 'string',
'entityId': 'string'
}
},
'policyType': 'STATIC'|'TEMPLATE_LINKED',
'policyTemplateId': 'string'
}
)
string
[REQUIRED]
Specifies the ID of the policy store you want to list policies from.
To specify a policy store, use its ID or alias name. When using an alias name, prefix it with policy-store-alias/. For example:
ID: PSEXAMPLEabcdefg111111
Alias name: policy-store-alias/example-policy-store
To view aliases, use ListPolicyStoreAliases.
string
Specifies that you want to receive the next page of results. Valid only if you received a NextToken response in the previous request. If you did, it indicates that more output is available. Set this parameter to the value provided by the previous call's NextToken response to request the next page of results.
integer
Specifies the total number of results that you want included in each response. If additional items exist beyond the number you specify, the NextToken response element is returned with a value (not null). Include the specified value as the NextToken request parameter in the next call to the operation to get the next set of results. Note that the service might return fewer results than the maximum even when there are more results available. You should check NextToken after every operation to ensure that you receive all of the results.
If you do not specify this parameter, the operation defaults to 10 policies per response. You can specify a maximum of 50 policies per response.
dict
Specifies a filter that limits the response to only policies that match the specified criteria. For example, you list only the policies that reference a specified principal.
principal (dict) --
Filters the output to only policies that reference the specified principal.
unspecified (boolean) --
Used to indicate that a principal or resource is not specified. This can be used to search for policies that are not associated with a specific principal or resource.
identifier (dict) --
The identifier of the entity. It can consist of either an EntityType and EntityId, a principal, or a resource.
entityType (string) -- [REQUIRED]
The type of an entity.
Example: "entityType":"typeName"
entityId (string) -- [REQUIRED]
The identifier of an entity.
"entityId":"identifier"
resource (dict) --
Filters the output to only policies that reference the specified resource.
unspecified (boolean) --
Used to indicate that a principal or resource is not specified. This can be used to search for policies that are not associated with a specific principal or resource.
identifier (dict) --
The identifier of the entity. It can consist of either an EntityType and EntityId, a principal, or a resource.
entityType (string) -- [REQUIRED]
The type of an entity.
Example: "entityType":"typeName"
entityId (string) -- [REQUIRED]
The identifier of an entity.
"entityId":"identifier"
policyType (string) --
Filters the output to only policies of the specified type.
policyTemplateId (string) --
Filters the output to only template-linked policies that were instantiated from the specified policy template.
dict
Response Syntax
{
'nextToken': 'string',
'policies': [
{
'policyStoreId': 'string',
'policyId': 'string',
'policyType': 'STATIC'|'TEMPLATE_LINKED',
'principal': {
'entityType': 'string',
'entityId': 'string'
},
'resource': {
'entityType': 'string',
'entityId': 'string'
},
'actions': [
{
'actionType': 'string',
'actionId': 'string'
},
],
'definition': {
'static': {
'description': 'string'
},
'templateLinked': {
'policyTemplateId': 'string',
'principal': {
'entityType': 'string',
'entityId': 'string'
},
'resource': {
'entityType': 'string',
'entityId': 'string'
}
}
},
'createdDate': datetime(2015, 1, 1),
'lastUpdatedDate': datetime(2015, 1, 1),
'effect': 'Permit'|'Forbid',
'name': 'string'
},
]
}
Response Structure
(dict) --
nextToken (string) --
If present, this value indicates that more output is available than is included in the current response. Use this value in the NextToken request parameter in a subsequent call to the operation to get the next part of the output. You should repeat this until the NextToken response element comes back as null. This indicates that this is the last page of results.
policies (list) --
Lists all policies that are available in the specified policy store.
(dict) --
Contains information about a policy.
This data type is used as a response parameter for the ListPolicies operation.
policyStoreId (string) --
The identifier of the policy store where the policy you want information about is stored.
policyId (string) --
The identifier of the policy you want information about.
policyType (string) --
The type of the policy. This is one of the following values:
STATIC
TEMPLATE_LINKED
principal (dict) --
The principal associated with the policy.
entityType (string) --
The type of an entity.
Example: "entityType":"typeName"
entityId (string) --
The identifier of an entity.
"entityId":"identifier"
resource (dict) --
The resource associated with the policy.
entityType (string) --
The type of an entity.
Example: "entityType":"typeName"
entityId (string) --
The identifier of an entity.
"entityId":"identifier"
actions (list) --
The action that a policy permits or forbids. For example, {"actions": [{"actionId": "ViewPhoto", "actionType": "PhotoFlash::Action"}, {"entityID": "SharePhoto", "entityType": "PhotoFlash::Action"}]}.
(dict) --
Contains information about an action for a request for which an authorization decision is made.
This data type is used as a request parameter to the IsAuthorized, BatchIsAuthorized, and IsAuthorizedWithToken operations.
Example: { "actionId": "<action name>", "actionType": "Action" }
actionType (string) --
The type of an action.
actionId (string) --
The ID of an action.
definition (dict) --
The policy definition of an item in the list of policies returned.
static (dict) --
Information about a static policy that wasn't created with a policy template.
description (string) --
A description of the static policy.
templateLinked (dict) --
Information about a template-linked policy that was created by instantiating a policy template.
policyTemplateId (string) --
The unique identifier of the policy template used to create this policy.
principal (dict) --
The principal associated with this template-linked policy. Verified Permissions substitutes this principal for the ?principal placeholder in the policy template when it evaluates an authorization request.
entityType (string) --
The type of an entity.
Example: "entityType":"typeName"
entityId (string) --
The identifier of an entity.
"entityId":"identifier"
resource (dict) --
The resource associated with this template-linked policy. Verified Permissions substitutes this resource for the ?resource placeholder in the policy template when it evaluates an authorization request.
entityType (string) --
The type of an entity.
Example: "entityType":"typeName"
entityId (string) --
The identifier of an entity.
"entityId":"identifier"
createdDate (datetime) --
The date and time the policy was created.
lastUpdatedDate (datetime) --
The date and time the policy was most recently updated.
effect (string) --
The effect of the decision that a policy returns to an authorization request. For example, "effect": "Permit".
name (string) --
The name of the policy, if one was assigned when the policy was created or last updated.
{'policyTemplates': {'name': 'string'}}
Returns a paginated list of all policy templates in the specified policy store.
See also: AWS API Documentation
Request Syntax
client.list_policy_templates(
policyStoreId='string',
nextToken='string',
maxResults=123
)
string
[REQUIRED]
Specifies the ID of the policy store that contains the policy templates you want to list.
To specify a policy store, use its ID or alias name. When using an alias name, prefix it with policy-store-alias/. For example:
ID: PSEXAMPLEabcdefg111111
Alias name: policy-store-alias/example-policy-store
To view aliases, use ListPolicyStoreAliases.
string
Specifies that you want to receive the next page of results. Valid only if you received a NextToken response in the previous request. If you did, it indicates that more output is available. Set this parameter to the value provided by the previous call's NextToken response to request the next page of results.
integer
Specifies the total number of results that you want included in each response. If additional items exist beyond the number you specify, the NextToken response element is returned with a value (not null). Include the specified value as the NextToken request parameter in the next call to the operation to get the next set of results. Note that the service might return fewer results than the maximum even when there are more results available. You should check NextToken after every operation to ensure that you receive all of the results.
If you do not specify this parameter, the operation defaults to 10 policy templates per response. You can specify a maximum of 50 policy templates per response.
dict
Response Syntax
{
'nextToken': 'string',
'policyTemplates': [
{
'policyStoreId': 'string',
'policyTemplateId': 'string',
'description': 'string',
'createdDate': datetime(2015, 1, 1),
'lastUpdatedDate': datetime(2015, 1, 1),
'name': 'string'
},
]
}
Response Structure
(dict) --
nextToken (string) --
If present, this value indicates that more output is available than is included in the current response. Use this value in the NextToken request parameter in a subsequent call to the operation to get the next part of the output. You should repeat this until the NextToken response element comes back as null. This indicates that this is the last page of results.
policyTemplates (list) --
The list of the policy templates in the specified policy store.
(dict) --
Contains details about a policy template
This data type is used as a response parameter for the ListPolicyTemplates operation.
policyStoreId (string) --
The unique identifier of the policy store that contains the template.
policyTemplateId (string) --
The unique identifier of the policy template.
description (string) --
The description attached to the policy template.
createdDate (datetime) --
The date and time that the policy template was created.
lastUpdatedDate (datetime) --
The date and time that the policy template was most recently updated.
name (string) --
The name of the policy template, if one was assigned when the policy template was created or last updated.
{'name': 'string'}
Modifies a Cedar static policy in the specified policy store. You can change only certain elements of the UpdatePolicyDefinition parameter. You can directly update only static policies. To change a template-linked policy, you must update the template instead, using UpdatePolicyTemplate.
See also: AWS API Documentation
Request Syntax
client.update_policy(
policyStoreId='string',
policyId='string',
definition={
'static': {
'description': 'string',
'statement': 'string'
}
},
name='string'
)
string
[REQUIRED]
Specifies the ID of the policy store that contains the policy that you want to update.
To specify a policy store, use its ID or alias name. When using an alias name, prefix it with policy-store-alias/. For example:
ID: PSEXAMPLEabcdefg111111
Alias name: policy-store-alias/example-policy-store
To view aliases, use ListPolicyStoreAliases.
string
[REQUIRED]
Specifies the ID of the policy that you want to update. To find this value, you can use ListPolicies.
You can use the policy name in place of the policy ID. When using a name, prefix it with name/. For example:
ID: SPEXAMPLEabcdefg111111
Name: name/example-policy
dict
Specifies the updated policy content that you want to replace on the specified policy. The content must be valid Cedar policy language text.
If you don't specify this parameter, the existing policy definition remains unchanged.
You can change only the following elements from the policy definition:
The action referenced by the policy.
Any conditional clauses, such as when or unless clauses.
You can't change the following elements:
Changing from static to templateLinked.
Changing the effect of the policy from permit or forbid.
The principal referenced by the policy.
The resource referenced by the policy.
static (dict) --
Contains details about the updates to be applied to a static policy.
description (string) --
Specifies the description to be added to or replaced on the static policy.
statement (string) -- [REQUIRED]
Specifies the Cedar policy language text to be added to or replaced on the static policy.
string
Specifies a name for the policy that is unique among all policies within the policy store. You can use the name in place of the policy ID in API operations that reference the policy. The name must be prefixed with name/.
If you specify a name that is already associated with another policy in the policy store, you receive a ConflictException error.
dict
Response Syntax
{
'policyStoreId': 'string',
'policyId': 'string',
'policyType': 'STATIC'|'TEMPLATE_LINKED',
'principal': {
'entityType': 'string',
'entityId': 'string'
},
'resource': {
'entityType': 'string',
'entityId': 'string'
},
'actions': [
{
'actionType': 'string',
'actionId': 'string'
},
],
'createdDate': datetime(2015, 1, 1),
'lastUpdatedDate': datetime(2015, 1, 1),
'effect': 'Permit'|'Forbid'
}
Response Structure
(dict) --
policyStoreId (string) --
The ID of the policy store that contains the policy that was updated.
policyId (string) --
The ID of the policy that was updated.
policyType (string) --
The type of the policy that was updated.
principal (dict) --
The principal specified in the policy's scope. This element isn't included in the response when Principal isn't present in the policy content.
entityType (string) --
The type of an entity.
Example: "entityType":"typeName"
entityId (string) --
The identifier of an entity.
"entityId":"identifier"
resource (dict) --
The resource specified in the policy's scope. This element isn't included in the response when Resource isn't present in the policy content.
entityType (string) --
The type of an entity.
Example: "entityType":"typeName"
entityId (string) --
The identifier of an entity.
"entityId":"identifier"
actions (list) --
The action that a policy permits or forbids. For example, {"actions": [{"actionId": "ViewPhoto", "actionType": "PhotoFlash::Action"}, {"entityID": "SharePhoto", "entityType": "PhotoFlash::Action"}]}.
(dict) --
Contains information about an action for a request for which an authorization decision is made.
This data type is used as a request parameter to the IsAuthorized, BatchIsAuthorized, and IsAuthorizedWithToken operations.
Example: { "actionId": "<action name>", "actionType": "Action" }
actionType (string) --
The type of an action.
actionId (string) --
The ID of an action.
createdDate (datetime) --
The date and time that the policy was originally created.
lastUpdatedDate (datetime) --
The date and time that the policy was most recently updated.
effect (string) --
The effect of the decision that a policy returns to an authorization request. For example, "effect": "Permit".
{'name': 'string'}
Updates the specified policy template. You can update only the description and the some elements of the policyBody.
See also: AWS API Documentation
Request Syntax
client.update_policy_template(
policyStoreId='string',
policyTemplateId='string',
description='string',
statement='string',
name='string'
)
string
[REQUIRED]
Specifies the ID of the policy store that contains the policy template that you want to update.
To specify a policy store, use its ID or alias name. When using an alias name, prefix it with policy-store-alias/. For example:
ID: PSEXAMPLEabcdefg111111
Alias name: policy-store-alias/example-policy-store
To view aliases, use ListPolicyStoreAliases.
string
[REQUIRED]
Specifies the ID of the policy template that you want to update.
You can use the policy template name in place of the policy template ID. When using a name, prefix it with name/. For example:
ID: PTEXAMPLEabcdefg111111
Name: name/example-policy-template
string
Specifies a new description to apply to the policy template.
string
[REQUIRED]
Specifies new statement content written in Cedar policy language to replace the current body of the policy template.
You can change only the following elements of the policy body:
The action referenced by the policy template.
Any conditional clauses, such as when or unless clauses.
You can't change the following elements:
The effect ( permit or forbid) of the policy template.
The principal referenced by the policy template.
The resource referenced by the policy template.
string
Specifies a name for the policy template that is unique among all policy templates within the policy store. You can use the name in place of the policy template ID in API operations that reference the policy template. The name must be prefixed with name/.
If you specify a name that is already associated with another policy template in the policy store, you receive a ConflictException error.
dict
Response Syntax
{
'policyStoreId': 'string',
'policyTemplateId': 'string',
'createdDate': datetime(2015, 1, 1),
'lastUpdatedDate': datetime(2015, 1, 1)
}
Response Structure
(dict) --
policyStoreId (string) --
The ID of the policy store that contains the updated policy template.
policyTemplateId (string) --
The ID of the updated policy template.
createdDate (datetime) --
The date and time that the policy template was originally created.
lastUpdatedDate (datetime) --
The date and time that the policy template was most recently updated.