Using the Amazon Verified Permissions test bench
Use the Verified Permissions test bench to test and troubleshoot Verified Permissions policies by running authorization requests against them. The
test bench uses the parameters that you specify to determine whether the Cedar policies in
your policy store would authorize the request. You can toggle between Visual
mode and JSON mode while testing authorization requests.
For more information about how Cedar policies are structured and evaluated, see Basic policy construction in
Cedar in the Cedar policy language Reference Guide.
When you make an authorization request using Verified Permissions, you can provide the list of
principals and resources as part of the request in the Additional
entities section. However, you can't include the details about the
actions. They must be specified in the schema or inferred from the request. You can't
put an action in the Additional entities section.
For a visual overview and demonstration of the test bench, see Amazon Verified Permissions - Policy Creation and
Testing (Primer Series #3) on the AWS YouTube channel.
- Visual mode

  You must have a schema defined in your policy store to use the Visual mode of the test bench.

  To test policies in Visual mode

  - Open the Verified Permissions console. Choose your policy store.
  - In the navigation pane on the left, choose Test bench.
  - Choose Visual mode.
  - In the Principal section, choose the Principal taking action from the principal types in your schema. Type an identifier for the principal in the text box.
    - (Optional) Choose Add a parent to add parent entities for the specified principal. To remove a parent that has been added to the principal, choose Remove next to the name of the parent.
    - Specify the Attribute value for each attribute of the specified principal. The test bench uses the specified attribute values in the simulated authorization request.
  - In the Resource section, choose the Resource that principal is acting on. Type an identifier for the resource in the text box.
    - (Optional) Choose Add a parent to add parent entities for the specified resource. To remove a parent that has been added to the resource, choose Remove next to the name of the parent.
    - Specify the Attribute value for each attribute of the specified resource. The test bench uses the specified attribute values in the simulated authorization request.
  - In the Action section, choose the Action that principal is taking from the list of valid actions for the specified principal and resource.
    - Specify the Attribute value for each attribute of the specified action. The test bench uses the specified attribute values in the simulated authorization request.
  - (Optional) In the Additional entities section, choose Add entity to add entities to be evaluated for the authorization decision.
    - Choose the Entity Identifier from the dropdown list and type the entity identifier.
    - (Optional) Choose Add a parent to add parent entities for the specified entity. To remove a parent that has been added to the entity, choose Remove next to the name of the parent.
    - Specify the Attribute value for each attribute of the specified entity. The test bench uses the specified attribute values in the simulated authorization request.
    - Choose Confirm to add the entity to the test bench.
  - Choose Run authorization request to simulate the authorization request for the Cedar policies in your policy store. The test bench displays the decision to allow or deny the request along with information about the policies satisfied or the errors encountered during evaluation.
- JSON mode

  To test policies in JSON mode

  - Open the Verified Permissions console. Choose your policy store.
  - In the navigation pane on the left, choose Test bench.
  - Choose JSON mode.
  - In the Request details section, if you have a schema defined, choose the Principal taking action from the principal types in your schema. Type an identifier for the principal in the text box. If you do not have a schema defined, type the principal in the Principal taking action text box.
  - If you have a schema defined, choose the Resource from the resource types in your schema. Type an identifier for the resource in the text box. If you do not have a schema defined, type the resource in the Resource text box.
  - If you have a schema defined, choose the Action from the list of valid actions for the specified principal and resource. If you do not have a schema defined, type the action in the Action text box.
  - Enter the context of the request to simulate in the Context field. The request context is additional information that can be used for authorization decisions.
  - In the Entities field, enter the hierarchy of the entities and their attributes to be evaluated for the authorization decision.
  - Choose Run authorization request to simulate the authorization request for the Cedar policies in your policy store. The test bench displays the decision to allow or deny the request along with information about the policies satisfied or the errors encountered during evaluation.
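
A pre-flight check for the JSON entered in the Entities field, added here as an example (it is not AWS code). It assumes the field uses the entity list shape of the IsAuthorized API (identifier, attributes, parents); the PhotoApp entities are constructed sample data, and `lint_entities` and `ancestors` are hypothetical helper names.

```python
import json

# Constructed sample for the Entities field. The item shape (identifier,
# attributes, parents) is assumed to match the IsAuthorized API entity list.
SAMPLE_ENTITIES = json.loads("""
[
  {"identifier": {"entityType": "PhotoApp::User", "entityId": "alice"},
   "attributes": {"department": {"string": "research"}},
   "parents": [{"entityType": "PhotoApp::Group", "entityId": "editors"}]},
  {"identifier": {"entityType": "PhotoApp::Group", "entityId": "editors"},
   "parents": [{"entityType": "PhotoApp::Group", "entityId": "staff"}]},
  {"identifier": {"entityType": "PhotoApp::Action", "entityId": "viewPhoto"}}
]
""")

def uid(ref):
    """Render an entity reference in Cedar's Type::"id" notation."""
    return f'{ref["entityType"]}::"{ref["entityId"]}"'

def lint_entities(entities):
    """Return a list of problems that would skew a test bench run."""
    problems, seen = [], set()
    for item in entities:
        name = uid(item["identifier"])
        # Cedar action entities have the type Action, optionally namespaced.
        if item["identifier"]["entityType"].split("::")[-1] == "Action":
            problems.append(f"{name}: actions cannot be supplied as entities")
        if name in seen:
            problems.append(f"{name}: duplicate entity")
        seen.add(name)
    for item in entities:
        child = uid(item["identifier"])
        for parent in item.get("parents", []):
            if uid(parent) not in seen:
                problems.append(f"{child}: parent {uid(parent)} is not defined")
    return problems

def ancestors(entities, start):
    """Transitive parents of `start`, i.e. what a Cedar `in` test can match."""
    parents = {uid(e["identifier"]): [uid(p) for p in e.get("parents", [])]
               for e in entities}
    found, stack = set(), list(parents.get(start, []))
    while stack:
        node = stack.pop()
        if node not in found:
            found.add(node)
            stack.extend(parents.get(node, []))
    return found
```

Calling `lint_entities(SAMPLE_ENTITIES)` reports the action entry and the undefined `staff` group, and `ancestors` shows which groups a policy's `principal in ...` condition would match for a given entity.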