Creating Verified Permissions policy stores - Amazon Verified Permissions

Creating Verified Permissions policy stores

You can create a policy store using the following methods:

  • Follow a guided setup – You will define a resource type with valid actions and a principal type before creating your first policy.

  • Set up with API Gateway and an identity source – Define your principal entities with users who sign in with an identity provider (IdP), and your actions and resource entities from an Amazon API Gateway API. We recommend this option if you want your application to authorize API requests with users’ group membership.

  • Start from a sample policy store – Choose a pre-defined sample project policy store. We recommend this option if you are learning about Verified Permissions and want to view and test example policies.

  • Create an empty policy store – You will define the schema and all access policies yourself. We recommend this option if you are already familiar with configuring a policy store.

Guided setup
To create a policy store using the Guided setup configuration method

The guided setup wizard leads you through the process of creating the first iteration of your policy store. You will create a schema for your first resource type, describe the actions that are applicable for that resource type, and the principal type for which you are granting permissions. You will then create your first policy. Once you've completed this wizard, you will be able to add to your policy store, extend the schema to describe other resource and principal types, and create additional policies and templates.

  1. In the Verified Permissions console, select Create new policy store.

  2. In the Starting options section, choose Guided setup.

  3. Enter a Policy store description. This text can be whatever suits your organization as a friendly reference to the function of the current policy store, for example Weather updates.

  4. In the Details section, type a Namespace for your schema.

  5. Choose Next.

  6. On the Resource type window, type a name for your resource type.

  7. (Optional) Choose Add an attribute to add resource attributes. Type the Attribute name and choose an Attribute type for each attribute of the resource. Choose whether each attribute is Required. Verified Permissions uses the specified attribute values when verifying policies against the schema. To remove an attribute that has been added for the resource type, choose Remove next to the attribute.

  8. In the Actions field, type the actions to be authorized for the specified resource type. To add additional actions for the resource type, choose Add an action. To remove an action that has been added for the resource type, choose Remove next to the action.

  9. In the Name of the principal type field, type the name for a type of principal that will be using the specified actions for your resource type.

  10. Choose Next.

  11. On the Principal type window, choose the identity source for your principal type.

    • Choose Custom if the principal's ID and attributes will be provided directly by your Verified Permissions application. Choose Add an attribute to add principal attributes. Type the Attribute name and choose an Attribute type for each attribute of the principal. Verified Permissions uses the specified attribute values when verifying policies against the schema. To remove an attribute that has been added for the principal type, choose Remove next to the attribute.

    • Choose Cognito User Pool if the principal's ID and attributes will be provided from an ID or access token generated by Amazon Cognito. Choose Connect user pool. Select the AWS Region and type User pool ID of the Amazon Cognito user pool to connect to. Choose Connect. For more information, see Authorization with Amazon Verified Permissions in the Amazon Cognito Developer Guide.

  12. Choose Next.

  13. In the Policy details section, type an optional Policy description for your first Cedar policy.

  14. In the Principals scope field, choose the principals that will be granted permissions from the policy.

    • Choose Specific principal to apply the policy to a specific principal. Choose the principal in the Principal that will be permitted to take actions field and type an entity identifier for the principal.

    • Choose All principals to apply the policy to all principals in your policy store.

  15. In the Resources scope field, choose which resources the specified principals will be authorized to act on.

    • Choose Specific resource to apply the policy to a specific resource. Choose the resource in the Resource this policy should apply to field and type an entity identifier for the resource.

    • Choose All resources to apply the policy to all resources in your policy store.

  16. In the Actions scope field, choose which actions the specified principals will be authorized to perform.

    • Choose Specific set of actions to apply the policy to specific actions. Select the check boxes next to the actions in the Action(s) this policy should apply to field.

    • Choose All actions to apply the policy to all actions in your policy store.

  17. Review the policy in the Policy preview section. Choose Create policy store.
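The guided setup above collects a namespace, one resource type with attributes, a set of actions, one principal type, and a principal/action/resource scope for the first policy. The following added example (not AWS code and not part of this guide) shows the Cedar JSON schema and the Cedar permit policy those choices correspond to, and then checks the policy's references against the schema the way STRICT validation does; an empty policy store has no schema and cannot perform that check. The namespace, entity type, action and entity identifier values (WeatherUpdates, Forecast, viewForecast, alice, seattle) are constructed sample inputs, and the remark that the serialized schema is what the CLI's put-schema cedarJson definition expects is the author's assumption, not something the page states.

```python
import json

# Added example: the schema and first policy the guided setup produces,
# plus the reference check strict validation performs. All sample names
# (WeatherUpdates, Forecast, viewForecast, alice, seattle) are constructed.


def build_schema(namespace, principal_type, resource_type, resource_attrs, actions):
    """Return a Cedar JSON schema with one principal type, one resource type and
    the actions that apply between them. resource_attrs is a list of
    (name, cedar_type, required) tuples, matching the Attribute name,
    Attribute type and Required choices in the Resource type step."""
    attrs = {name: {"type": cedar_type, "required": required}
             for name, cedar_type, required in resource_attrs}
    return {
        namespace: {
            "entityTypes": {
                principal_type: {"shape": {"type": "Record", "attributes": {}}},
                resource_type: {"shape": {"type": "Record", "attributes": attrs}},
            },
            "actions": {
                action: {"appliesTo": {"principalTypes": [principal_type],
                                       "resourceTypes": [resource_type]}}
                for action in actions
            },
        }
    }


def entity_ref(namespace, entity_type, entity_id):
    """Render a Cedar entity UID such as WeatherUpdates::User::"alice"."""
    return f'{namespace}::{entity_type}::"{entity_id}"'


def build_policy(namespace, principal=None, actions=None, resource=None):
    """Render the permit policy shown in the Policy preview section.
    principal and resource are (type, id) tuples, or None for All principals /
    All resources; actions is a list of action names, or None for All actions."""
    head_p = "principal" if principal is None else f"principal == {entity_ref(namespace, *principal)}"
    if actions is None:
        head_a = "action"
    else:
        refs = ", ".join(entity_ref(namespace, "Action", a) for a in actions)
        head_a = f"action in [{refs}]"
    head_r = "resource" if resource is None else f"resource == {entity_ref(namespace, *resource)}"
    return f"permit({head_p}, {head_a}, {head_r});"


def validate_policy_refs(schema, namespace, principal=None, actions=None, resource=None):
    """Return the problems strict validation would raise for the policy scope:
    unknown entity types, unknown actions, or actions that do not apply to the
    principal or resource type used. An empty list means the policy is consistent."""
    problems = []
    ns = schema.get(namespace)
    if ns is None:
        return [f'namespace "{namespace}" is not defined in the schema']
    entity_types = ns["entityTypes"]
    defined_actions = ns["actions"]
    for label, ref in (("principal", principal), ("resource", resource)):
        if ref is not None and ref[0] not in entity_types:
            problems.append(f'{label} type "{ref[0]}" is not defined in the schema')
    for action in actions or []:
        spec = defined_actions.get(action)
        if spec is None:
            problems.append(f'action "{action}" is not defined in the schema')
            continue
        applies = spec["appliesTo"]
        if principal is not None and principal[0] not in applies["principalTypes"]:
            problems.append(f'action "{action}" does not apply to principal type "{principal[0]}"')
        if resource is not None and resource[0] not in applies["resourceTypes"]:
            problems.append(f'action "{action}" does not apply to resource type "{resource[0]}"')
    return problems


def schema_json(schema):
    """Serialize the schema as one JSON string (assumption: the cedarJson form
    the put-schema CLI operation takes)."""
    return json.dumps(schema)


if __name__ == "__main__":
    schema = build_schema("WeatherUpdates", "User", "Forecast",
                          [("region", "String", True), ("premium", "Boolean", False)],
                          ["viewForecast", "editForecast"])
    print(schema_json(schema))
    print(build_policy("WeatherUpdates", ("User", "alice"), ["viewForecast"], ("Forecast", "seattle")))
    print(build_policy("WeatherUpdates"))
    print(validate_policy_refs(schema, "WeatherUpdates", ("User", "alice"),
                               ["deleteForecast"], ("Forecast", "seattle")))
```

Running the block prints the schema, a narrowly scoped policy, the fully open policy that All principals / All actions / All resources produces, and the validation error for an action the schema never defined. Without a schema the same policy would simply never match, which is why the guide recommends the empty policy store only for users who already know how to configure one.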

Set up with API Gateway and an identity source
To create a policy store using the Set up with API Gateway and an identity source configuration method

The API Gateway option secures APIs with Verified Permissions policies that are designed to make authorization decisions from users’ groups, or roles. This option builds a policy store for testing authorization with identity-source groups and an API with a Lambda authorizer.

The users and their groups in an IdP become either your principals (ID tokens) or your context (access tokens). The methods and paths in an API Gateway API become the actions that your policies authorize. Your application becomes the resource. As a result of this workflow, Verified Permissions creates a policy store, a Lambda function, and an API Lambda authorizer. You must assign the Lambda authorizer to your API after you finish this workflow.

  1. In the Verified Permissions console, select Create new policy store.

  2. In the Starting options section, choose Set up with API Gateway and an identity source and select Next.

  3. In the Import resources and actions step, under API, choose an API that will function as the model to your policy store resources and actions.

    1. Choose a Deployment stage from the stages configured in your API and select Import API. For more information about API stages, see Setting up a stage for a REST API in the Amazon API Gateway Developer Guide.

    2. Preview your Map of imported resources and actions.

    3. To update resources or actions, modify your API paths or methods and select Import API.

    4. When you are satisfied with your choices, choose Next.

  4. In Identity source, choose an Identity provider type. You can choose an Amazon Cognito user pool or an OpenID Connect (OIDC) IdP type.

  5. If you chose Amazon Cognito:

    1. Choose a user pool in the same AWS Region and AWS account as your policy store.

    2. Choose the Token type to pass to API that you want to submit for authorization. Either token type contains user groups, the foundation of this API-linked authorization model.

    3. Under App client validation, you can limit the scope of a policy store to a subset of the Amazon Cognito app clients in a multi-tenant user pool. To require that users authenticate with one or more specified app clients in your user pool, select Only accept tokens with expected app client IDs. To accept any user who authenticates with the user pool, select Don't validate app client IDs.

    4. Choose Next.

  6. If you chose OIDC provider:

    1. In Issuer URL, enter the URL of your OIDC issuer. This is the service endpoint that provides the authorization server, signing keys, and other information about your provider, for example https://auth.example.com. Your issuer URL must host an OIDC discovery document at /.well-known/openid-configuration.

    2. In Token type, choose the type of OIDC JWT that you want your application to submit for authorization. For more information, see Mapping identity provider tokens to schema.

    3. In Token claims, choose how you want to set up user attributes in your policy store. These attributes define the claims that your policies can reference.

      1. Choose a Claim source.

        1. To provide a sample token, choose Extract from JWT payload and paste the payload of a JWT of your chosen Token type. JWTs contain a header, a payload, and a signature. Your sample JWT must be decoded and payload-only. To parse the payload, select Extract.

        2. To enter your own set of attributes, choose Enter claims manually.

      2. Enter or confirm each Token claim name and Claim value type that you want to add to the attributes of the user principal or action context in your schema.

    4. In User and group claims, choose a User claim for the identity source. This is a claim, typically sub, from your ID or access token that holds the unique identifier for the entity to be evaluated. Identities from the connected OIDC IdP will be mapped to the user type in your policy store.

    5. In User and group claims, choose a Group claim for the identity source. This is a claim, typically groups, from your ID or access token that contains a list of the user's groups. Your policy store will authorize requests based on the group membership.

    6. In Audience validation or Client IDs, enter the client IDs or audience URLs that you want your policy store to accept in authorization requests, if any. For access tokens, enter an audience claim value like https://myapp.example.com. For ID tokens, enter a client ID like 1example23456789.

    7. Choose Next.

  7. If you chose Amazon Cognito, Verified Permissions queries your user pool for groups. For OIDC providers, enter group names manually. The Assign actions to groups step creates policies for your policy store that permit group members to perform actions.

    1. Choose or add the groups that you want to include in your policies.

    2. Assign actions to each of the groups that you selected.

    3. Choose Next.

  8. In Deploy app integration, review the steps that Verified Permissions will take to create your policy store and Lambda authorizer.

  9. When you're ready to create the new resources, choose Create and deploy.

  10. Keep the Policy store status step open in your browser to monitor the progress of resource creation by Verified Permissions.

  11. After some time, typically about an hour, or when the Deploy Lambda authorizer step shows Success, configure your authorizer.

    Verified Permissions will have created a Lambda function and a Lambda authorizer in your API. Choose Open API to navigate to your API.

    To learn how to assign a Lambda authorizer, see Use API Gateway Lambda authorizers in the Amazon API Gateway Developer Guide.

    1. Navigate to Authorizers for your API and note the name of the authorizer that Verified Permissions created.

    2. Navigate to Resources and select a top-level method in your API.

    3. Select Edit under Method request settings.

    4. Set the Authorizer to be the authorizer name you noted earlier.

    5. Expand HTTP request headers, enter a Name of AUTHORIZATION, and select Required.

    6. Deploy the API stage.

    7. Save your changes.

  12. Test your authorizer with a user pool token of the Token type that you selected in the Choose identity source step. For more information about user pool sign-in and retrieving tokens, see User pool authentication flow in the Amazon Cognito Developer Guide.

  13. Test authentication again with a user pool token in the AUTHORIZATION header of a request to your API.

  14. Examine your new policy store. Add and refine policies.
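The identity-source steps above ask for a decoded, payload-only JWT, a Claim value type for each claim, a User claim and a Group claim, and the client IDs or audience values the policy store should accept. The following added example (not AWS code and not part of this guide) walks through those same decisions over a constructed token: it splits a compact JWT and decodes its payload segment, derives a claim-name-to-type table, picks out the user and group claims, and applies an audience check of the kind the Audience validation / Client IDs and App client validation steps configure. The payload values (issuer, audience, user id, groups) are constructed placeholders; the type names String, Long, Boolean and Set<...> are Cedar's own and are assumed to be how the console labels its Claim value type choices; and the audience logic is a simplified illustration, not Verified Permissions' actual implementation.

```python
import base64
import json

# Added example, not AWS code. Every value in SAMPLE_PAYLOAD is constructed.
SAMPLE_PAYLOAD = {
    "sub": "f1a2b3c4-5678-example-user",
    "iss": "https://auth.example.com",
    "aud": "1example23456789",
    "email": "alice@example.com",
    "email_verified": True,
    "groups": ["admins", "weather-editors"],
    "login_count": 42,
    "iat": 1700000000,
    "exp": 1700003600,
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_sample_token(payload: dict) -> str:
    """Build a compact JWT with a placeholder signature, purely to produce test
    input; a real token is signed with the IdP's keys published at the issuer."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    return f"{header}.{body}.placeholder-signature"


def decode_jwt_payload(token: str) -> dict:
    """Return the decoded, payload-only JSON that the Extract from JWT payload
    field wants. This does not verify the signature; it is for schema setup
    only, never for an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(segment))


def cedar_type_for(value):
    """Map a JSON claim value to a Cedar claim value type (assumed labels)."""
    if isinstance(value, bool):  # bool before int: bool is an int subclass
        return "Boolean"
    if isinstance(value, int):
        return "Long"
    if isinstance(value, str):
        return "String"
    if isinstance(value, list):
        if not value:
            return "Set<String>"  # assumption: an empty set claim holds strings
        element_types = {cedar_type_for(v) for v in value}
        if len(element_types) != 1:
            raise ValueError(f"set claim must be homogeneous, got {sorted(element_types)}")
        return f"Set<{element_types.pop()}>"
    raise ValueError(f"unsupported claim value type: {type(value).__name__}")


def infer_claim_types(payload: dict) -> dict:
    """Produce the Token claim name -> Claim value type table for the Token claims step."""
    return {name: cedar_type_for(value) for name, value in payload.items()}


def principal_and_groups(payload: dict, user_claim="sub", group_claim="groups"):
    """Pick the User claim and Group claim values the identity source maps to the
    user type and to group membership; sub and groups are the typical defaults."""
    if user_claim not in payload:
        raise KeyError(f"user claim {user_claim!r} missing from token")
    groups = payload.get(group_claim, [])
    if not isinstance(groups, list):
        raise ValueError(f"group claim {group_claim!r} must be a list")
    return payload[user_claim], list(groups)


def audience_accepted(payload: dict, expected) -> bool:
    """Simplified audience check: accept a token only if its aud (string or list)
    or client_id matches one of the configured values. An empty expected set
    disables the check, like Don't validate app client IDs."""
    expected = set(expected)
    if not expected:
        return True
    aud = payload.get("aud")
    candidates = set(aud) if isinstance(aud, list) else ({aud} if aud else set())
    if "client_id" in payload:
        candidates.add(payload["client_id"])
    return bool(candidates & expected)


if __name__ == "__main__":
    token = make_unsigned_sample_token(SAMPLE_PAYLOAD)
    payload = decode_jwt_payload(token)
    print(json.dumps(infer_claim_types(payload), indent=2))
    print(principal_and_groups(payload))
    print(audience_accepted(payload, {"1example23456789"}), audience_accepted(payload, {"other-client"}))
```

The two audience calls at the end show the difference between the two App client validation choices: a token minted for an app client the policy store was not configured for is rejected when expected IDs are set and accepted when the check is disabled, which is why a multi-tenant user pool should normally list its expected app client IDs.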

Sample policy store
To create a policy store using the Sample policy store configuration method
  1. In the Starting options section, choose Sample policy store.

  2. In the Sample project section, choose the type of sample Verified Permissions application to use.

    • PhotoFlash is a sample customer-facing web application that enables users to share individual photos and albums with friends. Users can set fine-grained permissions on who is allowed to view, comment on, and re-share their photos. Account owners can also create groups of friends and organize photos into albums.

    • DigitalPetStore is a sample application where anyone can register and become a customer. Customers can add pets for sale, search pets, and place orders. Customers who have added a pet are recorded as the pet owner. Pet owners can update the pet's details, upload a pet image, or delete the pet listing. Customers who have placed an order are recorded as the order owner. Order owners can get details on the order or cancel it. Pet store managers have administrative access.

      Note

      The DigitalPetStore sample policy store does not include policy templates. The PhotoFlash and TinyTodo sample policy stores include policy templates.

    • TinyTodo is a sample application that enables users to create tasks and task lists. List owners can manage and share their lists and specify who can view or edit their lists.

  3. A namespace for the schema of your sample policy store is automatically generated based on the sample project you chose.

  4. Choose Create policy store.

    Your policy store is created with policies and a schema for the sample policy store you chose. For more information on template-linked policies you can create for the sample policy stores, see Amazon Verified Permissions example template-linked policies.

Empty policy store
To create a policy store using the Empty policy store configuration method
  1. In the Starting options section, choose Empty policy store.

  2. Choose Create policy store.

An empty policy store is created without a schema, which means policies are not validated. For more information about updating the schema for your policy store, see Amazon Verified Permissions policy store schema.

For more information about creating policies for your policy store, see Creating Amazon Verified Permissions static policies and Creating Amazon Verified Permissions template-linked policies.

AWS CLI
To create an empty policy store by using the AWS CLI

You can create a policy store by using the create-policy-store operation.

Note

A policy store that you create by using the AWS CLI is empty.

    $ aws verifiedpermissions create-policy-store \
        --validation-settings "mode=STRICT"
    {
        "arn": "arn:aws:verifiedpermissions::123456789012:policy-store/PSEXAMPLEabcdefg111111",
        "createdDate": "2023-05-16T17:41:29.103459+00:00",
        "lastUpdatedDate": "2023-05-16T17:41:29.103459+00:00",
        "policyStoreId": "PSEXAMPLEabcdefg111111"
    }

AWS SDKs

You can create a policy store using the CreatePolicyStore API. For more information, see CreatePolicyStore in the Amazon Verified Permissions API Reference Guide.