
Amazon Verified Permissions example policies

Some of the policy examples on this page are general Cedar examples and some are specific to Verified Permissions (they reference attributes that Verified Permissions derives from Amazon Cognito or OIDC tokens). The general examples also appear in the Cedar policy language Reference Guide, and each links there. For details of Cedar syntax, see Basic policy construction in Cedar in the Cedar policy language Reference Guide.

Policy examples

Uses bracket notation to reference token attributes

The following example shows how you might write a policy that uses bracket notation to reference token attributes. Bracket notation is required for attribute names that are not valid Cedar identifiers, such as claim names containing a colon (cognito:username, custom:employmentStoreCode) or a hyphen (ip-address).

For more information about using token attributes in policies in Verified Permissions, see Mapping identity provider tokens to schema.

permit (
    principal in MyCorp::UserGroup::"us-west-2_EXAMPLE|MyUserGroup",
    action,
    resource
)
when {
    principal["cognito:username"] == "alice" &&
    principal["custom:employmentStoreCode"] == "petstore-dallas" &&
    principal has email &&
    principal.email == "alice@example.com" &&
    context["ip-address"] like "192.0.2.*"
};

Two details matter for correctness here. The principal has email guard precedes principal.email: accessing an attribute that is absent from the principal is an evaluation error, and a policy whose condition errors does not permit. The ip-address value is not a token claim; it comes from the context your application passes in the authorization request, so your backend must populate it from the connection it observed rather than from anything the client can set.

Uses dot notation to reference attributes

The following example shows how you might write a policy that uses dot notation to reference attributes. Here the prefixed Cognito claims are reached as nested attributes (principal.cognito.username, principal.custom.employmentStoreCode) rather than with brackets.

For more information about using token attributes in policies in Verified Permissions, see Mapping identity provider tokens to schema.

permit (principal, action, resource)
when {
    principal.cognito.username == "alice" &&
    principal.custom.employmentStoreCode == "petstore-dallas" &&
    principal.tenant == "x11app-tenant-1" &&
    principal has email &&
    principal.email == "alice@example.com"
};

Reflects Amazon Cognito ID token attributes

The following example shows how you might write a policy that references ID token attributes from Amazon Cognito. The principal in scope is restricted to members of a Cognito user pool group, identified as "<user pool ID>|<group name>".

For more information about using token attributes in policies in Verified Permissions, see Mapping identity provider tokens to schema.

permit (
    principal in MyCorp::UserGroup::"us-west-2_EXAMPLE|MyUserGroup",
    action,
    resource
)
when {
    principal["cognito:username"] == "alice" &&
    principal["custom:employmentStoreCode"] == "petstore-dallas" &&
    principal.tenant == "x11app-tenant-1" &&
    principal has email &&
    principal.email == "alice@example.com"
};

Reflects OIDC ID token attributes

The following example shows how you might write a policy that references ID token attributes from an OIDC provider. The group entity ID takes the form "<identity source name>|<group name>". Note that the policy checks email_verified and phone_number_verified before trusting the email and phone_number claims; an unverified claim is whatever the user typed at registration.

For more information about using token attributes in policies in Verified Permissions, see Mapping identity provider tokens to schema.

permit (
    principal in MyCorp::UserGroup::"MyOIDCProvider|MyUserGroup",
    action,
    resource
)
when {
    principal.email_verified == true &&
    principal.email == "alice@example.com" &&
    principal.phone_number_verified == true &&
    principal.phone_number like "+1206*"
};
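The like operator used in two of the policies above (context["ip-address"] like "192.0.2.*" in the bracket-notation example, and principal.phone_number like "+1206*" in the OIDC example) is a string glob: it knows nothing about IP addresses or phone numbers. The following Python is an added example, not code from this page or from Verified Permissions. It reimplements Cedar's like wildcard semantics as an approximation for illustration (a * matches any run of characters including none, and \* matches a literal asterisk), so you can see which strings a pattern admits before committing it to a policy, and contrasts that with a proper CIDR check. The sample strings and the build_context helper are constructed for the example; the helper assumes your backend passes the peer address it observed as the ip-address context value, which is the shape the IsAuthorizedWithToken context parameter takes.

```python
import ipaddress
import re


def cedar_like(value: str, pattern: str) -> bool:
    """Approximation of Cedar's `like` operator.

    `*` matches zero or more characters; `\\*` matches a literal `*`;
    everything else must match exactly and case-sensitively.
    """
    regex_parts = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern) and pattern[i + 1] == "*":
            regex_parts.append(re.escape("*"))  # escaped literal asterisk
            i += 2
        elif ch == "*":
            regex_parts.append(".*")  # wildcard: any run, including empty
            i += 1
        else:
            regex_parts.append(re.escape(ch))
            i += 1
    return re.fullmatch("".join(regex_parts), value, flags=re.DOTALL) is not None


def ip_in_cidr(ip: str, cidr: str) -> bool:
    """Network-aware alternative to a glob: rejects non-IP strings outright."""
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False


def build_context(peer_ip: str) -> dict:
    """Context map for IsAuthorizedWithToken (hypothetical helper).

    The value must come from the server's view of the connection (the TCP
    peer, or the last trusted proxy hop), never from a client-controlled
    header, because the policy trusts whatever is placed here.
    """
    return {"contextMap": {"ip-address": {"string": peer_ip}}}


# Constructed sample inputs: (pattern, candidate value).
SAMPLES = [
    ("192.0.2.*", "192.0.2.15"),           # intended match
    ("192.0.2.*", "192.0.20.1"),           # different /24, must not match
    ("192.0.2*", "192.0.20.1"),            # forgotten trailing dot: over-matches
    ("192.0.2.*", "192.0.2.15.attacker"),  # glob accepts a non-IP string
    ("+1206*", "+12065550100"),            # intended match
    ("+1206*", "+1206"),                   # empty tail still matches
    ("+1206*", "+1 206 555 0100"),         # formatting differences break a glob
]


def evaluate_samples() -> list:
    """Return (pattern, value, like_result, cidr_result_or_None) for each sample."""
    rows = []
    for pattern, value in SAMPLES:
        like_result = cedar_like(value, pattern)
        cidr_result = ip_in_cidr(value, "192.0.2.0/24") if pattern.startswith("192") else None
        rows.append((pattern, value, like_result, cidr_result))
    return rows


if __name__ == "__main__":
    for pattern, value, like_result, cidr_result in evaluate_samples():
        print(f"{pattern!r:14} {value!r:24} like={like_result!s:5} cidr={cidr_result}")
    print(build_context("192.0.2.15"))
```

The fourth sample is the one to remember: "192.0.2.*" happily matches "192.0.2.15.attacker", which the CIDR check rejects. If the context value can only ever be a well-formed address your backend produced, the glob is adequate; if there is any doubt, validate the address server-side before placing it in the context, or declare the attribute with Cedar's ipaddr extension type and use an isInRange check in the policy instead of like (confirm your schema and policy store support the extension type before relying on it).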

Reflects Amazon Cognito access token attributes

The following example shows how you might write a policy that references access token attributes from Amazon Cognito. Access token claims are exposed under context.token rather than on the principal. The client_id comparison pins the policy to a single app client, and scope is treated as a set (hence .contains), so a token carrying several scopes still matches as long as the required one is present. Note that the scope this example demands ("MyAPI/mydata.write") is unrelated to the read-only actions it permits; in a real policy, align the required scope with the actions being granted.

For more information about using token attributes in policies in Verified Permissions, see Mapping identity provider tokens to schema.

permit (
    principal,
    action in [MyApplication::Action::"Read", MyApplication::Action::"GetStoreInventory"],
    resource
)
when {
    context.token.client_id == "52n97d5afhfiu1c4di1k5m8f60" &&
    context.token.scope.contains("MyAPI/mydata.write")
};

Reflects OIDC access token attributes

The following example shows how you might write a policy that references access token attributes from an OIDC provider. The structure is the same as for a Cognito access token; only the scope naming follows the provider's convention.

For more information about using token attributes in policies in Verified Permissions, see Mapping identity provider tokens to schema.

permit (
    principal,
    action in [MyApplication::Action::"Read", MyApplication::Action::"GetStoreInventory"],
    resource
)
when {
    context.token.client_id == "52n97d5afhfiu1c4di1k5m8f60" &&
    context.token.scope.contains("MyAPI-read")
};