Learn R Programming

paws.security.identity (version 0.7.0)

verifiedpermissions: Amazon Verified Permissions

Description

Amazon Verified Permissions is a permissions management service from Amazon Web Services. You can use Verified Permissions to manage permissions for your application, and authorize user access based on those permissions. Using Verified Permissions, application developers can grant access based on information about the users, resources, and requested actions. You can also evaluate additional information like group membership, attributes of the resources, and session context, such as time of request and IP addresses. Verified Permissions manages these permissions by letting you create and store authorization policies for your applications, such as consumer-facing web sites and enterprise business systems.

Verified Permissions uses Cedar as the policy language to express your permission requirements. Cedar supports both role-based access control (RBAC) and attribute-based access control (ABAC) authorization models.

For more information about configuring, administering, and using Amazon Verified Permissions in your applications, see the Amazon Verified Permissions User Guide.

For more information about the Cedar policy language, see the Cedar Policy Language Guide.

When you write Cedar policies that reference principals, resources and actions, you can define the unique identifiers used for each of those elements. We strongly recommend that you follow these best practices:

  • Use values like universally unique identifiers (UUIDs) for all principal and resource identifiers.

    For example, if user jane leaves the company, and you later let someone else use the name jane, then that new user automatically gets access to everything granted by policies that still reference User::"jane". Cedar can’t distinguish between the new user and the old. This applies to both principal and resource identifiers. Always use identifiers that are guaranteed unique and never reused to ensure that you don’t unintentionally grant access because of the presence of an old identifier in a policy.

    Where you use a UUID for an entity, we recommend that you follow it with the // comment specifier and the ‘friendly’ name of your entity. This helps to make your policies easier to understand. For example: principal == User::"a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111", // alice

  • Do not include personally identifying, confidential, or sensitive information as part of the unique identifier for your principals or resources. These identifiers are included in log entries shared in CloudTrail trails.

Several operations return structures that appear similar, but have different purposes. As new functionality is added to the product, the structure used in a parameter of one operation might need to change in a way that wouldn't make sense for the same parameter in a different operation. To help you understand the purpose of each, the following naming convention is used for the structures:

  • Parameter type structures that end in Detail are used in Get operations.

  • Parameter type structures that end in Item are used in List operations.

  • Parameter type structures that use neither suffix are used in the mutating (create and update) operations.

Usage

verifiedpermissions(
  config = list(),
  credentials = list(),
  endpoint = NULL,
  region = NULL
)

Value

A client for the service. You can call the service's operations using syntax like svc$operation(...), where svc is the name you've assigned to the client. The available operations are listed in the Operations section.

Arguments

config

Optional configuration of credentials, endpoint, and/or region.

  • credentials:

    • creds:

      • access_key_id: AWS access key ID

      • secret_access_key: AWS secret access key

      • session_token: AWS temporary session token

    • profile: The name of a profile to use. If not given, then the default profile is used.

    • anonymous: Set anonymous credentials.

  • endpoint: The complete URL to use for the constructed client.

  • region: The AWS Region used in instantiating the client.

  • close_connection: Immediately close all HTTP connections.

  • timeout: The time in seconds till a timeout exception is thrown when attempting to make a connection. The default is 60 seconds.

  • s3_force_path_style: Set this to true to force the request to use path-style addressing, i.e. http://s3.amazonaws.com/BUCKET/KEY.

  • sts_regional_endpoint: Set sts regional endpoint resolver to regional or legacy https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html

credentials

Optional credentials shorthand for the config parameter

  • creds:

    • access_key_id: AWS access key ID

    • secret_access_key: AWS secret access key

    • session_token: AWS temporary session token

  • profile: The name of a profile to use. If not given, then the default profile is used.

  • anonymous: Set anonymous credentials.

endpoint

Optional shorthand for complete URL to use for the constructed client.

region

Optional shorthand for AWS Region used in instantiating the client.

Service syntax

svc <- verifiedpermissions(
  config = list(
    credentials = list(
      creds = list(
        access_key_id = "string",
        secret_access_key = "string",
        session_token = "string"
      ),
      profile = "string",
      anonymous = "logical"
    ),
    endpoint = "string",
    region = "string",
    close_connection = "logical",
    timeout = "numeric",
    s3_force_path_style = "logical",
    sts_regional_endpoint = "string"
  ),
  credentials = list(
    creds = list(
      access_key_id = "string",
      secret_access_key = "string",
      session_token = "string"
    ),
    profile = "string",
    anonymous = "logical"
  ),
  endpoint = "string",
  region = "string"
)

Operations

batch_is_authorizedMakes a series of decisions about multiple authorization requests for one principal or resource
batch_is_authorized_with_tokenMakes a series of decisions about multiple authorization requests for one token
create_identity_sourceAdds an identity source to a policy store–an Amazon Cognito user pool or OpenID Connect (OIDC) identity provider (IdP)
create_policyCreates a Cedar policy and saves it in the specified policy store
create_policy_storeCreates a policy store
create_policy_templateCreates a policy template
delete_identity_sourceDeletes an identity source that references an identity provider (IdP) such as Amazon Cognito
delete_policyDeletes the specified policy from the policy store
delete_policy_storeDeletes the specified policy store
delete_policy_templateDeletes the specified policy template from the policy store
get_identity_sourceRetrieves the details about the specified identity source
get_policyRetrieves information about the specified policy
get_policy_storeRetrieves details about a policy store
get_policy_templateRetrieve the details for the specified policy template in the specified policy store
get_schemaRetrieve the details for the specified schema in the specified policy store
is_authorizedMakes an authorization decision about a service request described in the parameters
is_authorized_with_tokenMakes an authorization decision about a service request described in the parameters
list_identity_sourcesReturns a paginated list of all of the identity sources defined in the specified policy store
list_policiesReturns a paginated list of all policies stored in the specified policy store
list_policy_storesReturns a paginated list of all policy stores in the calling Amazon Web Services account
list_policy_templatesReturns a paginated list of all policy templates in the specified policy store
put_schemaCreates or updates the policy schema in the specified policy store
update_identity_sourceUpdates the specified identity source to use a new identity provider (IdP), or to change the mapping of identities from the IdP to a different principal entity type
update_policyModifies a Cedar static policy in the specified policy store
update_policy_storeModifies the validation setting for a policy store
update_policy_templateUpdates the specified policy template

Examples

Run this code
if (FALSE) {
svc <- verifiedpermissions()
svc$batch_is_authorized(
  Foo = 123
)
}

Run the code above in your browser using DataLab