Amazon Verified Permissions example policies
Some of the policy examples included here are basic Cedar policy examples and some are
Verified Permissions-specific. The basic ones link to the Cedar policy language Reference Guide and are included there.
For more information about Cedar policy syntax, see Basic policy construction in Cedar.
Policy examples
Uses bracket notation to reference token attributes
The following example shows how you might create a policy that uses bracket notation to reference token attributes. Bracket notation is required when an attribute name contains characters such as ":" or "-" that are not valid in a Cedar identifier.
For more information about using token attributes in policies in Verified Permissions, see Mapping identity provider tokens to schema.
permit (
    principal in MyCorp::UserGroup::"us-west-2_EXAMPLE|MyUserGroup",
    action,
    resource
)
when {
    principal["cognito:username"] == "alice" &&
    principal["custom:employmentStoreCode"] == "petstore-dallas" &&
    principal has email &&
    principal.email == "alice@example.com" &&
    context["ip-address"] like "192.0.2.*"
};
Uses dot notation to reference attributes
The following example shows how you might create a policy that uses dot notation to reference attributes.
For more information about using token attributes in policies in Verified Permissions, see Mapping identity provider tokens to schema.
permit (principal, action, resource)
when {
    principal.cognito.username == "alice" &&
    principal.custom.employmentStoreCode == "petstore-dallas" &&
    principal.tenant == "x11app-tenant-1" &&
    principal has email &&
    principal.email == "alice@example.com"
};
Reflects Amazon Cognito ID token attributes
The following example shows how you might create a policy that references ID token attributes from Amazon Cognito.
For more information about using token attributes in policies in Verified Permissions, see Mapping identity provider tokens to schema.
permit (
    principal in MyCorp::UserGroup::"us-west-2_EXAMPLE|MyUserGroup",
    action,
    resource
)
when {
    principal["cognito:username"] == "alice" &&
    principal["custom:employmentStoreCode"] == "petstore-dallas" &&
    principal.tenant == "x11app-tenant-1" &&
    principal has email &&
    principal.email == "alice@example.com"
};
Reflects OIDC ID token attributes
The following example shows how you might create a policy that references ID token attributes from an OIDC provider.
For more information about using token attributes in policies in Verified Permissions, see Mapping identity provider tokens to schema.
permit (
    principal in MyCorp::UserGroup::"MyOIDCProvider|MyUserGroup",
    action,
    resource
)
when {
    principal.email_verified == true &&
    principal.email == "alice@example.com" &&
    principal.phone_number_verified == true &&
    principal.phone_number like "+1206*"
};
Reflects Amazon Cognito access token attributes
The following example shows how you might create a policy that references access token attributes from Amazon Cognito.
For more information about using token attributes in policies in Verified Permissions, see Mapping identity provider tokens to schema.
permit (
    principal,
    action in [MyApplication::Action::"Read", MyApplication::Action::"GetStoreInventory"],
    resource
)
when {
    context.token.client_id == "52n97d5afhfiu1c4di1k5m8f60" &&
    context.token.scope.contains("MyAPI/mydata.write")
};
Reflects OIDC access token attributes
The following example shows how you might create a policy that references access token attributes from an OIDC provider.
For more information about using token attributes in policies in Verified Permissions, see Mapping identity provider tokens to schema.
permit (
    principal,
    action in [MyApplication::Action::"Read", MyApplication::Action::"GetStoreInventory"],
    resource
)
when {
    context.token.client_id == "52n97d5afhfiu1c4di1k5m8f60" &&
    context.token.scope.contains("MyAPI-read")
};
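The examples above rely on three things a policy author needs to get right: which claims land on the principal versus on context.token, why `principal has email` must precede `principal.email` (in Cedar, reading an attribute the entity does not have is an evaluation error, so the policy simply does not apply), and the fact that `like` only treats `*` as a wildcard. The following Python model, added here and not part of the AWS page or the Cedar or Verified Permissions code bases, replays the bracket-notation ID token condition and the Cognito access token condition against constructed token claims. The claim-to-attribute mapping it applies (every claim kept under its literal name for bracket notation, claims containing `:` also split into a nested record for dot notation, and the OAuth `scope` string split into a set so `contains` works) is an assumption modelled on the page's examples; the real evaluation is done by the Verified Permissions service, and this model is only for reasoning about or unit-testing policy logic offline.

```python
import re
from typing import Any

# Constructed sample claims (decoded JWT payloads); values are illustrative only.
ID_TOKEN_CLAIMS: dict[str, Any] = {
    "sub": "00000000-0000-0000-0000-000000000000",  # placeholder subject
    "cognito:username": "alice",
    "custom:employmentStoreCode": "petstore-dallas",
    "email": "alice@example.com",
    "email_verified": True,
}
ACCESS_TOKEN_CLAIMS: dict[str, Any] = {
    "client_id": "52n97d5afhfiu1c4di1k5m8f60",
    "scope": "MyAPI/mydata.read MyAPI/mydata.write",  # space-delimited, as in OAuth 2.0
}


class MissingAttribute(Exception):
    """Mirrors Cedar: reading an attribute the entity lacks is an error, not None."""


def principal_from_id_token(claims: dict[str, Any]) -> dict[str, Any]:
    """Turn ID-token claims into principal attributes (assumed mapping).

    Each claim stays under its literal name so bracket notation works
    (principal["cognito:username"]); a claim whose name contains ':' is also
    exposed as a nested record so dot notation works (principal.cognito.username).
    """
    attrs: dict[str, Any] = dict(claims)
    for name, value in claims.items():
        prefix, sep, rest = name.partition(":")
        if sep:
            attrs.setdefault(prefix, {})[rest] = value
    return attrs


def context_from_access_token(claims: dict[str, Any]) -> dict[str, Any]:
    """Expose access-token claims under context.token (assumed mapping).

    The OAuth `scope` string becomes a set so a policy can test membership the
    way `context.token.scope.contains("...")` does.
    """
    token = dict(claims)
    if isinstance(token.get("scope"), str):
        token["scope"] = set(token["scope"].split())
    return {"token": token}


def attr(entity: dict[str, Any], name: str) -> Any:
    """Cedar-style attribute read: raises when the attribute is absent."""
    if name not in entity:
        raise MissingAttribute(name)
    return entity[name]


def cedar_like(value: str, pattern: str) -> bool:
    """Cedar `like`: '*' matches any run of characters; everything else is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.DOTALL) is not None


def id_token_policy_permits(principal: dict[str, Any], context: dict[str, Any]) -> bool:
    """The `when` clause of the bracket-notation example, in Python.

    `principal has email` becomes a key check that short-circuits before the
    read, so a token with no email claim yields False instead of an error.
    """
    return (
        attr(principal, "cognito:username") == "alice"
        and attr(principal, "custom:employmentStoreCode") == "petstore-dallas"
        and "email" in principal
        and attr(principal, "email") == "alice@example.com"
        and cedar_like(attr(context, "ip-address"), "192.0.2.*")
    )


def access_token_policy_permits(action_id: str, context: dict[str, Any]) -> bool:
    """The Cognito access-token example: one of two actions, the expected app
    client, and the write scope must all hold."""
    token = attr(context, "token")
    return (
        action_id in {"Read", "GetStoreInventory"}
        and attr(token, "client_id") == "52n97d5afhfiu1c4di1k5m8f60"
        and "MyAPI/mydata.write" in attr(token, "scope")
    )


if __name__ == "__main__":
    principal = principal_from_id_token(ID_TOKEN_CLAIMS)
    # Both notations resolve to the same claim value.
    print(principal["cognito:username"], principal["cognito"]["username"])
    print(id_token_policy_permits(principal, {"ip-address": "192.0.2.44"}))
    print(id_token_policy_permits(principal, {"ip-address": "198.51.100.7"}))
    print(access_token_policy_permits("Read", context_from_access_token(ACCESS_TOKEN_CLAIMS)))
```

The `attr` helper is deliberately strict: dropping the `"email" in principal` guard and feeding it a token without an email claim raises `MissingAttribute`, which is the Python analogue of the Cedar policy silently not applying. When you write a policy that reads an optional claim, that is the failure mode the `has` check exists to prevent.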