L2 AWS CDK Constructs for Amazon Verified Permissions
Verified details
These details have been verified by PyPIProject links
GitHub Statistics
Maintainers
Project description
Amazon Verified Permissions L2 CDK Construct
This repo contains the implementation of an L2 CDK Construct for Amazon Verified Permissions
Project Stability
This construct is still versioned with alpha/v0 major version and we could introduce breaking changes even without a major version bump. Our goal is to keep the API stable & backwards compatible as much as possible but we currently cannot guarantee that. Once we'll publish v1.0.0 the breaking changes will be introduced via major version bumps.
Getting Started
Policy Store
Define a Policy Store with defaults (No description, No schema & Validation Settings Mode set to OFF):
test = PolicyStore(scope, "PolicyStore")
Define a Policy Store without Schema definition (Validation Settings Mode must be set to OFF):
validation_settings_off = {
"mode": ValidationSettingsMode.OFF
}
test = PolicyStore(scope, "PolicyStore",
validation_settings=validation_settings_off
)
Define a Policy Store with Description and Schema definition (a STRICT Validation Settings Mode is strongly suggested for Policy Stores with schemas):
validation_settings_strict = {
"mode": ValidationSettingsMode.STRICT
}
cedar_json_schema = {
"PhotoApp": {
"entity_types": {
"User": {},
"Photo": {}
},
"actions": {
"view_photo": {
"applies_to": {
"principal_types": ["User"],
"resource_types": ["Photo"]
}
}
}
}
}
cedar_schema = {
"cedar_json": JSON.stringify(cedar_json_schema)
}
policy_store = PolicyStore(scope, "PolicyStore",
schema=cedar_schema,
validation_settings=validation_settings_strict,
description="PolicyStore description"
)
Define a Policy Store with Validation Settings to OFF and Deletion Protection enabled:
validation_settings_off = {
"mode": ValidationSettingsMode.OFF
}
test = PolicyStore(scope, "PolicyStore",
validation_settings=validation_settings_off,
deletion_protection=DeletionProtectionMode.ENABLED
)
Schemas
If you want to have type safety when defining a schema, you can accomplish this only in typescript. Simply use the Schema type exported by the @cedar-policy/cedar-wasm.
You can also generate simple schemas using the static functions schemaFromOpenApiSpec or schemaFromRestApi in the PolicyStore construct. This functionality replicates what you can find in the AWS Verified Permissions console.
Generate a schema from an OpenAPI spec:
validation_settings_strict = {
"mode": ValidationSettingsMode.STRICT
}
cedar_json_schema = PolicyStore.schema_from_open_api_spec("path/to/swaggerfile.json", "UserGroup")
cedar_schema = {
"cedar_json": JSON.stringify(cedar_json_schema)
}
policy_store = PolicyStore(scope, "PolicyStore",
schema=cedar_schema,
validation_settings=validation_settings_strict,
description="Policy store with schema generated from API Gateway"
)
Generate a schema from a RestApi construct:
validation_settings_strict = {
"mode": ValidationSettingsMode.STRICT
}
cedar_json_schema = PolicyStore.schema_from_rest_api(
RestApi(scope, "RestApi"), "UserGroup")
cedar_schema = {
"cedar_json": JSON.stringify(cedar_json_schema)
}
policy_store = PolicyStore(scope, "PolicyStore",
schema=cedar_schema,
validation_settings=validation_settings_strict,
description="Policy store with schema generated from RestApi construct"
)
Identity Source
Define Identity Source with Cognito Configuration and required properties:
from cdklabs.cdk_verified_permissions import IdentitySourceConfiguration, CognitoUserPoolConfiguration
user_pool = UserPool(scope, "UserPool") # Creating a new Cognito UserPool
validation_settings_strict = {
"mode": ValidationSettingsMode.STRICT
}
cedar_json_schema = {
"PhotoApp": {
"entity_types": {
"User": {},
"Photo": {}
},
"actions": {
"view_photo": {
"applies_to": {
"principal_types": ["User"],
"resource_types": ["Photo"]
}
}
}
}
}
cedar_schema = {
"cedar_json": JSON.stringify(cedar_json_schema)
}
policy_store = PolicyStore(scope, "PolicyStore",
schema=cedar_schema,
validation_settings=validation_settings_strict
)
IdentitySource(scope, "IdentitySource",
configuration=IdentitySourceConfiguration(
cognito_user_pool_configuration=CognitoUserPoolConfiguration(
user_pool=user_pool
)
),
policy_store=policy_store
)
Define Identity Source with Cognito Configuration and all properties:
from cdklabs.cdk_verified_permissions import IdentitySourceConfiguration, CognitoUserPoolConfiguration, CognitoGroupConfiguration
validation_settings_strict = {
"mode": ValidationSettingsMode.STRICT
}
cedar_json_schema = {
"PhotoApp": {
"entity_types": {
"User": {},
"Photo": {}
},
"actions": {
"view_photo": {
"applies_to": {
"principal_types": ["User"],
"resource_types": ["Photo"]
}
}
}
}
}
cedar_schema = {
"cedar_json": JSON.stringify(cedar_json_schema)
}
policy_store = PolicyStore(scope, "PolicyStore",
schema=cedar_schema,
validation_settings=validation_settings_strict
)
cognito_group_entity_type = "test"
user_pool = UserPool(scope, "UserPool") # Creating a new Cognito UserPool
IdentitySource(scope, "IdentitySource",
configuration=IdentitySourceConfiguration(
cognito_user_pool_configuration=CognitoUserPoolConfiguration(
client_ids=["&ExampleCogClientId;"],
user_pool=user_pool,
group_configuration=CognitoGroupConfiguration(
group_entity_type=cognito_group_entity_type
)
)
),
policy_store=policy_store,
principal_entity_type="PETEXAMPLEabcdefg111111"
)
Define Identity Source with OIDC Configuration and Access Token selection config:
from cdklabs.cdk_verified_permissions import IdentitySourceConfiguration, OpenIdConnectConfiguration, OpenIdConnectGroupConfiguration, OpenIdConnectAccessTokenConfiguration
validation_settings_strict = {
"mode": ValidationSettingsMode.STRICT
}
cedar_json_schema = {
"PhotoApp": {
"entity_types": {
"User": {},
"Photo": {}
},
"actions": {
"view_photo": {
"applies_to": {
"principal_types": ["User"],
"resource_types": ["Photo"]
}
}
}
}
}
cedar_schema = {
"cedar_json": JSON.stringify(cedar_json_schema)
}
policy_store = PolicyStore(scope, "PolicyStore",
schema=cedar_schema,
validation_settings=validation_settings_strict
)
issuer = "https://iamanidp.com"
principal_id_claim = "sub"
entity_id_prefix = "prefix"
group_claim = "group"
group_entity_type = "GroupType"
IdentitySource(scope, "IdentitySource",
configuration=IdentitySourceConfiguration(
open_id_connect_configuration=OpenIdConnectConfiguration(
issuer=issuer,
entity_id_prefix=entity_id_prefix,
group_configuration=OpenIdConnectGroupConfiguration(
group_claim=group_claim,
group_entity_type=group_entity_type
),
access_token_only=OpenIdConnectAccessTokenConfiguration(
audiences=["testAudience"],
principal_id_claim=principal_id_claim
)
)
),
policy_store=policy_store,
principal_entity_type="TestType"
)
Define Identity Source with OIDC Configuration and Identity Token selection config:
from cdklabs.cdk_verified_permissions import IdentitySourceConfiguration, OpenIdConnectConfiguration, OpenIdConnectGroupConfiguration, OpenIdConnectIdentityTokenConfiguration
validation_settings_strict = {
"mode": ValidationSettingsMode.STRICT
}
cedar_json_schema = {
"PhotoApp": {
"entity_types": {
"User": {},
"Photo": {}
},
"actions": {
"view_photo": {
"applies_to": {
"principal_types": ["User"],
"resource_types": ["Photo"]
}
}
}
}
}
cedar_schema = {
"cedar_json": JSON.stringify(cedar_json_schema)
}
policy_store = PolicyStore(scope, "PolicyStore",
schema=cedar_schema,
validation_settings=validation_settings_strict
)
issuer = "https://iamanidp.com"
entity_id_prefix = "prefix"
group_claim = "group"
group_entity_type = "UserGroup"
principal_id_claim = "sub"
IdentitySource(scope, "IdentitySource",
configuration=IdentitySourceConfiguration(
open_id_connect_configuration=OpenIdConnectConfiguration(
issuer=issuer,
entity_id_prefix=entity_id_prefix,
group_configuration=OpenIdConnectGroupConfiguration(
group_claim=group_claim,
group_entity_type=group_entity_type
),
identity_token_only=OpenIdConnectIdentityTokenConfiguration(
client_ids=[],
principal_id_claim=principal_id_claim
)
)
),
policy_store=policy_store
)
Policy
Load all the .cedar files in a given folder and define Policy objects for each of them. All policies will be associated with the same policy store.
PLEASE NOTE: this method internally uses the Policy.fromFile so the same rules applies.
validation_settings_strict = {
"mode": ValidationSettingsMode.STRICT
}
policy_store = PolicyStore(scope, "PolicyStore",
validation_settings=validation_settings_strict
)
policy_store.add_policies_from_path("/path/to/my-policies")
Define a Policy and add it to a specific Policy Store:
from cdklabs.cdk_verified_permissions import PolicyDefinitionProperty, StaticPolicyDefinitionProperty
statement = """permit(
principal,
action in [MyFirstApp::Action::"Read"],
resource
) when {
true
};"""
description = "Test policy assigned to the test store"
validation_settings_off = {
"mode": ValidationSettingsMode.OFF
}
policy_store = PolicyStore(scope, "PolicyStore",
validation_settings=validation_settings_off
)
# Create a policy and add it to the policy store
policy = Policy(scope, "MyTestPolicy",
definition=PolicyDefinitionProperty(
static=StaticPolicyDefinitionProperty(
statement=statement,
description=description
)
),
policy_store=policy_store
)
Define a policy with a template linked definition:
from cdklabs.cdk_verified_permissions import PolicyDefinitionProperty, TemplateLinkedPolicyDefinitionProperty, EntityIdentifierProperty, EntityIdentifierProperty
validation_settings_off = {
"mode": ValidationSettingsMode.OFF
}
policy_store = PolicyStore(scope, "PolicyStore",
validation_settings=validation_settings_off
)
policy_template_statement = """
permit (
principal == ?principal,
action in [TinyTodo::Action::"ReadList", TinyTodo::Action::"ListTasks"],
resource == ?resource
);"""
template = PolicyTemplate(scope, "PolicyTemplate",
statement=policy_template_statement,
policy_store=policy_store
)
policy = Policy(scope, "MyTestPolicy",
definition=PolicyDefinitionProperty(
template_linked=TemplateLinkedPolicyDefinitionProperty(
policy_template=template,
principal=EntityIdentifierProperty(
entity_id="exampleId",
entity_type="exampleType"
),
resource=EntityIdentifierProperty(
entity_id="exampleId",
entity_type="exampleType"
)
)
),
policy_store=policy_store
)
Define a Policy with a statement from file: PLEASE NOTE:
- The
Policy.fromFilestatic method supports multiple Cedar policies per file. Every Policy must follow the standard Cedar rules. This means that every Policy must be terminated with a;char. - You can specify the id of the Policy directly inside the Policy file through Cedar Annotations, using the annotation
@cdkId. The id defined in the annotation will have priority with respect to the one passed in thePolicy.fromFilemethod. In case no annotation is defined, the id passed in thePolicy.fromFilemethod will be used. Since thePolicy.fromFilemethod supports multiple Cedar policies per file, it is strongly suggested to define policy ids through the annotation, in order to avoid having many Policy Constructs with the same id (which will result in a CDK runtime error). - You can specify the description of the policy directly inside the Policy file, using the annotation
@cdkDescription. The description defined in the annotation will have priority with respect to the one passed in the properties object of thePolicy.fromFilemethod.
description = "Test policy assigned to the test store"
validation_settings_off = {
"mode": ValidationSettingsMode.OFF
}
policy_store = PolicyStore(scope, "PolicyStore",
validation_settings=validation_settings_off
)
# Create a policy and add it to the policy store
policy_from_file_props = {
"policy_store": policy_store,
"path": "/path/to/policy-statement.cedar",
"description": "the policy description"
}
policy = Policy.from_file(scope, "MyTestPolicy", policy_from_file_props)
Policy Template
Define a Policy Template referring to a Cedar Statement in local file:
validation_settings_off = {
"mode": ValidationSettingsMode.OFF
}
policy_store = PolicyStore(scope, "PolicyStore",
validation_settings=validation_settings_off
)
template_from_file_props = {
"policy_store": policy_store,
"path": "/path/to/template-statement.cedar",
"description": "Allows sharing photos in full access mode"
}
template = PolicyTemplate.from_file(scope, "PolicyTemplate", template_from_file_props)
Notes
- This project is following the AWS CDK Official Design Guidelines (see https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) and the AWS CDK New Constructs Creation Guide (see here https://github.com/aws/aws-cdk/blob/main/docs/NEW_CONSTRUCTS_GUIDE.md).
- Feedback is a gift: if you find something wrong or you've ideas to improve please open an issue or a pull request
Project details
Verified details
These details have been verified by PyPIProject links
GitHub Statistics
Maintainers
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file cdklabs_cdk_verified_permissions-0.3.3.tar.gz.
File metadata
- Download URL: cdklabs_cdk_verified_permissions-0.3.3.tar.gz
- Upload date:
- Size: 4.5 MB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.14.2
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
bccd5493f9cd701e481b84aa0256ca631c54706610cdd588dc90a2f97ba97b99
|
|
| MD5 |
80381259f3021340d80934d983357d99
|
|
| BLAKE2b-256 |
99a089ec5cc8e8ef9139412c7f2216b24dcb443f112430951faa9a61d168fb0a
|
Provenance
The following attestation bundles were made for cdklabs_cdk_verified_permissions-0.3.3.tar.gz:
Publisher:
release.yml on cdklabs/cdk-verified-permissions
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
cdklabs_cdk_verified_permissions-0.3.3.tar.gz -
Subject digest:
bccd5493f9cd701e481b84aa0256ca631c54706610cdd588dc90a2f97ba97b99 - Sigstore transparency entry: 908732906
- Sigstore integration time:
-
Permalink:
cdklabs/cdk-verified-permissions@65b587632dbd3780ef0191b49e6670fcfb668c04 -
Branch / Tag:
refs/heads/main - Owner: https://github.com/cdklabs
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@65b587632dbd3780ef0191b49e6670fcfb668c04 -
Trigger Event:
push
-
Statement type:
File details
Details for the file cdklabs_cdk_verified_permissions-0.3.3-py3-none-any.whl.
File metadata
- Download URL: cdklabs_cdk_verified_permissions-0.3.3-py3-none-any.whl
- Upload date:
- Size: 4.5 MB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.14.2
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
02904847ba67703124519a205af98543a44c0764dc121810a532c3bb186eb096
|
|
| MD5 |
cb025bbc2b4267008369d74d8e975570
|
|
| BLAKE2b-256 |
ac996bb9385e07cb2af2f996fbc925819f402fb982ba5cf5fd29974560d35941
|
Provenance
The following attestation bundles were made for cdklabs_cdk_verified_permissions-0.3.3-py3-none-any.whl:
Publisher:
release.yml on cdklabs/cdk-verified-permissions
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
cdklabs_cdk_verified_permissions-0.3.3-py3-none-any.whl -
Subject digest:
02904847ba67703124519a205af98543a44c0764dc121810a532c3bb186eb096 - Sigstore transparency entry: 908732881
- Sigstore integration time:
-
Permalink:
cdklabs/cdk-verified-permissions@65b587632dbd3780ef0191b49e6670fcfb668c04 -
Branch / Tag:
refs/heads/main - Owner: https://github.com/cdklabs
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@65b587632dbd3780ef0191b49e6670fcfb668c04 -
Trigger Event:
push
-
Statement type:
