CreatePolicyCommand
Creates a Cedar policy and saves it in the specified policy store. You can create either a static policy or a policy linked to a policy template.
- To create a static policy, provide the Cedar policy text in the StaticPolicy section of the PolicyDefinition.
- To create a policy that is dynamically linked to a policy template, specify the policy template ID and the principal and resource to associate with this policy in the templateLinked section of the PolicyDefinition. If the policy template is ever updated, any policies linked to the policy template automatically use the updated template.
Creating a policy causes it to be validated against the schema in the policy store. If the policy doesn't pass validation, the operation fails and the policy isn't stored.
Verified Permissions is eventually consistent. It can take a few seconds for a new or changed element to propagate through the service and be visible in the results of other Verified Permissions operations.
Example Syntax
Use a bare-bones client and the command you need to make an API call.
```javascript
import { VerifiedPermissionsClient, CreatePolicyCommand } from "@aws-sdk/client-verifiedpermissions"; // ES Modules import
// const { VerifiedPermissionsClient, CreatePolicyCommand } = require("@aws-sdk/client-verifiedpermissions"); // CommonJS import
const client = new VerifiedPermissionsClient(config);
const input = { // CreatePolicyInput
  clientToken: "STRING_VALUE",
  policyStoreId: "STRING_VALUE", // required
  definition: { // PolicyDefinition Union: only one key present
    static: { // StaticPolicyDefinition
      description: "STRING_VALUE",
      statement: "STRING_VALUE", // required
    },
    templateLinked: { // TemplateLinkedPolicyDefinition
      policyTemplateId: "STRING_VALUE", // required
      principal: { // EntityIdentifier
        entityType: "STRING_VALUE", // required
        entityId: "STRING_VALUE", // required
      },
      resource: {
        entityType: "STRING_VALUE", // required
        entityId: "STRING_VALUE", // required
      },
    },
  },
};
const command = new CreatePolicyCommand(input);
const response = await client.send(command);
// { // CreatePolicyOutput
//   policyStoreId: "STRING_VALUE", // required
//   policyId: "STRING_VALUE", // required
//   policyType: "STATIC" || "TEMPLATE_LINKED", // required
//   principal: { // EntityIdentifier
//     entityType: "STRING_VALUE", // required
//     entityId: "STRING_VALUE", // required
//   },
//   resource: {
//     entityType: "STRING_VALUE", // required
//     entityId: "STRING_VALUE", // required
//   },
//   actions: [ // ActionIdentifierList
//     { // ActionIdentifier
//       actionType: "STRING_VALUE", // required
//       actionId: "STRING_VALUE", // required
//     },
//   ],
//   createdDate: new Date("TIMESTAMP"), // required
//   lastUpdatedDate: new Date("TIMESTAMP"), // required
//   effect: "Permit" || "Forbid",
// };
```
Example Usage
CreatePolicyCommand Input
Parameter | Type | Description |
---|---|---|
definition (required) | PolicyDefinition \| undefined | A structure that specifies the policy type and content to use for the new policy. You must include either a static or a templateLinked element. The policy content must be written in the Cedar policy language. |
policyStoreId (required) | string \| undefined | Specifies the |
clientToken | string \| undefined | Specifies a unique, case-sensitive ID that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value. If you don't provide this value, then Amazon Web Services generates a random one for you. If you retry the operation with the same Verified Permissions recognizes a |
CreatePolicyCommand Output
Parameter | Type | Description |
---|---|---|
$metadata (required) | ResponseMetadata | Metadata pertaining to this request. |
createdDate (required) | Date \| undefined | The date and time the policy was originally created. |
lastUpdatedDate (required) | Date \| undefined | The date and time the policy was last updated. |
policyId (required) | string \| undefined | The unique ID of the new policy. |
policyStoreId (required) | string \| undefined | The ID of the policy store that contains the new policy. |
policyType (required) | PolicyType \| undefined | The policy type of the new policy. |
actions | ActionIdentifier[] \| undefined | The action that a policy permits or forbids. For example, |
effect | PolicyEffect \| undefined | The effect of the decision that a policy returns to an authorization request. For example, |
principal | EntityIdentifier \| undefined | The principal specified in the new policy's scope. This response element isn't present when |
resource | EntityIdentifier \| undefined | The resource specified in the new policy's scope. This response element isn't present when the |
Throws
Name | Fault | Details |
---|---|---|
ConflictException | client | The request failed because another request to modify a resource occurred at the same time. |
ResourceNotFoundException | client | The request failed because it references a resource that doesn't exist. |
ServiceQuotaExceededException | client | The request failed because it would cause a service quota to be exceeded. |
AccessDeniedException | client | You don't have sufficient access to perform this action. |
InternalServerException | server | The request failed because of an internal error. Try your request again later. |
ThrottlingException | client | The request failed because it exceeded a throttling quota. |
ValidationException | client | The request failed because one or more input parameters don't satisfy their constraint requirements. The output is provided as a list of fields and a reason for each field that isn't valid. The possible reasons include the following: |
VerifiedPermissionsServiceException | | Base exception class for all service exceptions from VerifiedPermissions service. |