# Amazon Verified Permissions L2 CDK Construct
This repo contains the implementation of an L2 CDK Construct for Amazon Verified Permissions.
# Project Stability
This construct is still versioned with an alpha/v0 major version, and we may introduce breaking changes even without a major version bump. Our goal is to keep the API stable and backwards compatible as much as possible, but we currently cannot guarantee that. Once v1.0.0 is published, breaking changes will only be introduced via major version bumps.
# Getting Started
## Policy Store
Define a Policy Store with defaults (no description, no schema, and Validation Settings Mode set to OFF):
```python
# Minimal store: no description, no schema, and the default validation mode
# (OFF), so policies added to it are not checked against any schema.
test = PolicyStore(scope, "PolicyStore")
```
Define a Policy Store without a schema definition (Validation Settings Mode must be set to OFF):
```python
# OFF is the only valid mode for a store without a schema: there is nothing
# to validate policies against.
validation_settings_off = {
    "mode": ValidationSettingsMode.OFF,
}

test = PolicyStore(
    scope,
    "PolicyStore",
    validation_settings=validation_settings_off,
)
```
Define a Policy Store with a description and a schema definition (a STRICT Validation Settings Mode is strongly suggested for Policy Stores with schemas, since only STRICT mode rejects policies that do not conform to the schema):
```python
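import json

# STRICT: every policy written to the store is validated against the schema
# below, and non-conforming policies are rejected.
validation_settings_strict = {
    "mode": ValidationSettingsMode.STRICT,
}

# Cedar JSON schema for a small photo application. The keys "entityTypes",
# "actions", "appliesTo", "principalTypes" and "resourceTypes" are Cedar
# schema keywords and must keep this exact camelCase spelling; they are data,
# not Python identifiers. "PhotoApp" is the namespace, "view_photo" the action.
cedar_json_schema = {
    "PhotoApp": {
        "entityTypes": {
            "User": {},
            "Photo": {},
        },
        "actions": {
            "view_photo": {
                "appliesTo": {
                    "principalTypes": ["User"],
                    "resourceTypes": ["Photo"],
                }
            }
        },
    }
}

# The construct expects the schema as a JSON string; json.dumps is the
# Python counterpart of the JSON.stringify call in the TypeScript example.
cedar_schema = {
    "cedar_json": json.dumps(cedar_json_schema),
}

policy_store = PolicyStore(
    scope,
    "PolicyStore",
    schema=cedar_schema,
    validation_settings=validation_settings_strict,
    description="PolicyStore description",
)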
```
Define a Policy Store with a schema definition loaded from a file:
```python
# STRICT mode so that policies are validated against the schema read below.
validation_settings_strict = {
    "mode": ValidationSettingsMode.STRICT,
}

# The schema file is read by the construct; presumably the path is resolved
# relative to the CDK app's working directory — confirm in your setup.
schema_file = "assets/policy-store-schema.json"
cedar_schema = {
    "cedar_json": Statement.from_file(schema_file),
}

policy_store = PolicyStore(
    scope,
    "PolicyStore",
    schema=cedar_schema,
    validation_settings=validation_settings_strict,
)
```
## Identity Source
Define an Identity Source with the required properties:
```python
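import json

# The Cognito user pool acts as the identity provider whose tokens the
# identity source will accept.
user_pool = UserPool(scope, "UserPool")  # Creating a new Cognito UserPool

# STRICT: policies in the store are validated against the schema below.
validation_settings_strict = {
    "mode": ValidationSettingsMode.STRICT,
}

# Cedar JSON schema. "entityTypes", "actions", "appliesTo", "principalTypes"
# and "resourceTypes" are Cedar schema keywords and must keep this camelCase
# spelling; they are JSON data, not Python identifiers.
cedar_json_schema = {
    "PhotoApp": {
        "entityTypes": {
            "User": {},
            "Photo": {},
        },
        "actions": {
            "view_photo": {
                "appliesTo": {
                    "principalTypes": ["User"],
                    "resourceTypes": ["Photo"],
                }
            }
        },
    }
}

# json.dumps replaces the JSON.stringify call of the TypeScript example.
cedar_schema = {
    "cedar_json": json.dumps(cedar_json_schema),
}

policy_store = PolicyStore(
    scope,
    "PolicyStore",
    schema=cedar_schema,
    validation_settings=validation_settings_strict,
)

# Bind the user pool to the policy store. Without client_ids, tokens from
# any app client of this pool are accepted; see the next example for how to
# narrow that.
IdentitySource(
    scope,
    "IdentitySource",
    configuration=IdentitySourceConfiguration(
        cognito_user_pool_configuration=CognitoUserPoolConfiguration(
            user_pool=user_pool,
        )
    ),
    policy_store=policy_store,
)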
```
Define an Identity Source with all of the properties:
```python
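import json

# STRICT: policies in the store are validated against the schema below.
validation_settings_strict = {
    "mode": ValidationSettingsMode.STRICT,
}

# Cedar JSON schema. "entityTypes", "actions", "appliesTo", "principalTypes"
# and "resourceTypes" are Cedar schema keywords and must keep this camelCase
# spelling; they are JSON data, not Python identifiers.
cedar_json_schema = {
    "PhotoApp": {
        "entityTypes": {
            "User": {},
            "Photo": {},
        },
        "actions": {
            "view_photo": {
                "appliesTo": {
                    "principalTypes": ["User"],
                    "resourceTypes": ["Photo"],
                }
            }
        },
    }
}

# json.dumps replaces the JSON.stringify call of the TypeScript example.
cedar_schema = {
    "cedar_json": json.dumps(cedar_json_schema),
}

policy_store = PolicyStore(
    scope,
    "PolicyStore",
    schema=cedar_schema,
    validation_settings=validation_settings_strict,
)

user_pool = UserPool(scope, "UserPool")  # Creating a new Cognito UserPool

IdentitySource(
    scope,
    "IdentitySource",
    configuration=IdentitySourceConfiguration(
        cognito_user_pool_configuration=CognitoUserPoolConfiguration(
            # Placeholder: replace with the app client ID(s) of the user pool
            # that are allowed to obtain authorization decisions. Listing them
            # restricts accepted tokens to those clients.
            client_ids=["<YOUR_COGNITO_APP_CLIENT_ID>"],
            user_pool=user_pool,
        )
    ),
    policy_store=policy_store,
    # Example value. This is the Cedar entity type that authenticated users
    # are represented as; with a schema you would normally use one of its
    # types (e.g. "PhotoApp::User").
    principal_entity_type="PETEXAMPLEabcdefg111111",
)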
```
## Policy
Define a Policy and add it to a specific Policy Store:
```python
# Static Cedar policy: permits any principal to perform the "Read" action of
# the MyFirstApp namespace on any resource; `when { true }` adds no condition.
statement = """permit(
principal,
action in [MyFirstApp::Action::"Read"],
resource
) when {
true
};"""
description = "Test policy assigned to the test store"

# OFF: the store has no schema, so the policy text is not schema-validated.
validation_settings_off = {
    "mode": ValidationSettingsMode.OFF,
}
policy_store = PolicyStore(
    scope,
    "PolicyStore",
    validation_settings=validation_settings_off,
)

# Create a policy and add it to the policy store
static_definition = StaticPolicyDefinitionProperty(
    statement=statement,
    description=description,
)
policy = Policy(
    scope,
    "MyTestPolicy",
    definition=PolicyDefinitionProperty(static=static_definition),
    policy_store=policy_store,
)
```
Define a policy with a template-linked definition:
```python
# OFF: no schema on this store, so template and policy are not schema-validated.
validation_settings_off = {
    "mode": ValidationSettingsMode.OFF,
}
policy_store = PolicyStore(
    scope,
    "PolicyStore",
    validation_settings=validation_settings_off,
)

# Template with the two Cedar slots ?principal and ?resource; each linked
# policy fills them with concrete entities.
policy_template_statement = """
permit (
principal == ?principal,
action in [TinyTodo::Action::"ReadList", TinyTodo::Action::"ListTasks"],
resource == ?resource
);"""
template = PolicyTemplate(
    scope,
    "PolicyTemplate",
    statement=policy_template_statement,
    policy_store=policy_store,
)

# Example entities that fill the template slots (constructed sample values).
linked_principal = EntityIdentifierProperty(
    entity_id="exampleId",
    entity_type="exampleType",
)
linked_resource = EntityIdentifierProperty(
    entity_id="exampleId",
    entity_type="exampleType",
)
policy = Policy(
    scope,
    "MyTestPolicy",
    definition=PolicyDefinitionProperty(
        template_linked=TemplateLinkedPolicyDefinitionProperty(
            policy_template=template,
            principal=linked_principal,
            resource=linked_resource,
        )
    ),
    policy_store=policy_store,
)
```
Define a Policy with a statement loaded from a file:
```python
# OFF: the store has no schema, so the file's policy text is not schema-validated.
validation_settings_off = {
    "mode": ValidationSettingsMode.OFF,
}
policy_store = PolicyStore(
    scope,
    "PolicyStore",
    validation_settings=validation_settings_off,
)

# Create a policy and add it to the policy store. The statement is read from
# a local Cedar file by the construct.
description = "Test policy assigned to the test store"
policy = Policy(
    scope,
    "MyTestPolicy",
    definition=PolicyDefinitionProperty(
        static=StaticPolicyDefinitionProperty(
            statement=Statement.from_file("assets/policy-statement.cedar"),
            description=description,
        )
    ),
    policy_store=policy_store,
)
```
## Policy Template
Define a Policy Template referring to a Cedar statement in a local file:
```python
# OFF: the store has no schema, so the template is not schema-validated.
validation_settings_off = {
    "mode": ValidationSettingsMode.OFF,
}
policy_store = PolicyStore(
    scope,
    "PolicyStore",
    validation_settings=validation_settings_off,
)

# Template body lives in a local Cedar file read by the construct.
PolicyTemplate(
    scope,
    "PolicyTemplate",
    description="Allows sharing photos in full access mode",
    policy_store=policy_store,
    statement=Statement.from_file("assets/template-statement.cedar"),
)
```
# Notes
* This project follows the AWS CDK Official Design Guidelines (see https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) and the AWS CDK New Constructs Creation Guide (see https://github.com/aws/aws-cdk/blob/main/docs/NEW_CONSTRUCTS_GUIDE.md).
* Feedback is a gift: if you find something wrong or have ideas for improvements, please open an issue or a pull request.
Raw data
{
"_id": null,
"home_page": "https://github.com/cdklabs/cdk-verified-permissions.git",
"name": "cdklabs.cdk-verified-permissions",
"maintainer": null,
"docs_url": null,
"requires_python": "~=3.8",
"maintainer_email": null,
"keywords": null,
"author": "Amazon Web Services<aws-cdk-dev@amazon.com>",
"author_email": null,
"download_url": "https://files.pythonhosted.org/packages/a0/31/5dbd20d12a28df571c3655f94d8a86b65cfc12fc372f4206eb0653b586ca/cdklabs.cdk-verified-permissions-0.0.1a7.tar.gz",
"platform": null,
"description": "# Amazon Verified Permissions L2 CDK Construct\n\nThis repo contains the implementation of an L2 CDK Construct for Amazon Verified Permissions\n\n# Project Stability\n\nThis construct is still versioned with alpha/v0 major version and we could introduce breaking changes even without a major version bump. Our goal is to keep the API stable & backwards compatible as much as possible but we currently cannot guarantee that. Once we'll publish v1.0.0 the breaking changes will be introduced via major version bumps.\n\n# Getting Started\n\n## Policy Store\n\nDefine a Policy Store with defaults (No description, No schema & Validation Settings Mode set to OFF):\n\n```python\ntest = PolicyStore(scope, \"PolicyStore\")\n```\n\nDefine a Policy Store without Schema definition (Validation Settings Mode must be set to OFF):\n\n```python\nvalidation_settings_off = {\n \"mode\": ValidationSettingsMode.OFF\n}\ntest = PolicyStore(scope, \"PolicyStore\",\n validation_settings=validation_settings_off\n)\n```\n\nDefine a Policy Store with Description and Schema definition (a STRICT Validation Settings Mode is strongly suggested for Policy Stores with schemas):\n\n```python\nvalidation_settings_strict = {\n \"mode\": ValidationSettingsMode.STRICT\n}\ncedar_json_schema = {\n \"PhotoApp\": {\n \"entity_types\": {\n \"User\": {},\n \"Photo\": {}\n },\n \"actions\": {\n \"view_photo\": {\n \"applies_to\": {\n \"principal_types\": [\"User\"],\n \"resource_types\": [\"Photo\"]\n }\n }\n }\n }\n}\ncedar_schema = {\n \"cedar_json\": JSON.stringify(cedar_json_schema)\n}\npolicy_store = PolicyStore(scope, \"PolicyStore\",\n schema=cedar_schema,\n validation_settings=validation_settings_strict,\n description=\"PolicyStore description\"\n)\n```\n\nDefine a Policy Store with Schema definition from file:\n\n```python\nvalidation_settings_strict = {\n \"mode\": ValidationSettingsMode.STRICT\n}\ncedar_schema = {\n \"cedar_json\": 
Statement.from_file(\"assets/policy-store-schema.json\")\n}\npolicy_store = PolicyStore(scope, \"PolicyStore\",\n schema=cedar_schema,\n validation_settings=validation_settings_strict\n)\n```\n\n## Identity Source\n\nDefine Identity Source with required properties:\n\n```python\nuser_pool = UserPool(scope, \"UserPool\") # Creating a new Cognito UserPool\nvalidation_settings_strict = {\n \"mode\": ValidationSettingsMode.STRICT\n}\ncedar_json_schema = {\n \"PhotoApp\": {\n \"entity_types\": {\n \"User\": {},\n \"Photo\": {}\n },\n \"actions\": {\n \"view_photo\": {\n \"applies_to\": {\n \"principal_types\": [\"User\"],\n \"resource_types\": [\"Photo\"]\n }\n }\n }\n }\n}\ncedar_schema = {\n \"cedar_json\": JSON.stringify(cedar_json_schema)\n}\npolicy_store = PolicyStore(scope, \"PolicyStore\",\n schema=cedar_schema,\n validation_settings=validation_settings_strict\n)\nIdentitySource(scope, \"IdentitySource\",\n configuration=IdentitySourceConfiguration(\n cognito_user_pool_configuration=CognitoUserPoolConfiguration(\n user_pool=user_pool\n )\n ),\n policy_store=policy_store\n)\n```\n\nDefine Identity Source with all the properties:\n\n```python\nvalidation_settings_strict = {\n \"mode\": ValidationSettingsMode.STRICT\n}\ncedar_json_schema = {\n \"PhotoApp\": {\n \"entity_types\": {\n \"User\": {},\n \"Photo\": {}\n },\n \"actions\": {\n \"view_photo\": {\n \"applies_to\": {\n \"principal_types\": [\"User\"],\n \"resource_types\": [\"Photo\"]\n }\n }\n }\n }\n}\ncedar_schema = {\n \"cedar_json\": JSON.stringify(cedar_json_schema)\n}\npolicy_store = PolicyStore(scope, \"PolicyStore\",\n schema=cedar_schema,\n validation_settings=validation_settings_strict\n)\nuser_pool = UserPool(scope, \"UserPool\") # Creating a new Cognito UserPool\nIdentitySource(scope, \"IdentitySource\",\n configuration=IdentitySourceConfiguration(\n cognito_user_pool_configuration=CognitoUserPoolConfiguration(\n client_ids=[\"&ExampleCogClientId;\"],\n user_pool=user_pool\n )\n ),\n 
policy_store=policy_store,\n principal_entity_type=\"PETEXAMPLEabcdefg111111\"\n)\n```\n\n## Policy\n\nDefine a Policy and add it to a specific Policy Store:\n\n```python\nstatement = \"\"\"permit(\n principal,\n action in [MyFirstApp::Action::\"Read\"],\n resource\n) when {\n true\n};\"\"\"\n\ndescription = \"Test policy assigned to the test store\"\nvalidation_settings_off = {\n \"mode\": ValidationSettingsMode.OFF\n}\npolicy_store = PolicyStore(scope, \"PolicyStore\",\n validation_settings=validation_settings_off\n)\n\n# Create a policy and add it to the policy store\npolicy = Policy(scope, \"MyTestPolicy\",\n definition=PolicyDefinitionProperty(\n static=StaticPolicyDefinitionProperty(\n statement=statement,\n description=description\n )\n ),\n policy_store=policy_store\n)\n```\n\nDefine a policy with a template linked definition:\n\n```python\nvalidation_settings_off = {\n \"mode\": ValidationSettingsMode.OFF\n}\npolicy_store = PolicyStore(scope, \"PolicyStore\",\n validation_settings=validation_settings_off\n)\npolicy_template_statement = \"\"\"\npermit (\n principal == ?principal,\n action in [TinyTodo::Action::\"ReadList\", TinyTodo::Action::\"ListTasks\"],\n resource == ?resource\n);\"\"\"\ntemplate = PolicyTemplate(scope, \"PolicyTemplate\",\n statement=policy_template_statement,\n policy_store=policy_store\n)\n\npolicy = Policy(scope, \"MyTestPolicy\",\n definition=PolicyDefinitionProperty(\n template_linked=TemplateLinkedPolicyDefinitionProperty(\n policy_template=template,\n principal=EntityIdentifierProperty(\n entity_id=\"exampleId\",\n entity_type=\"exampleType\"\n ),\n resource=EntityIdentifierProperty(\n entity_id=\"exampleId\",\n entity_type=\"exampleType\"\n )\n )\n ),\n policy_store=policy_store\n)\n```\n\nDefine a Policy with a statement from file:\n\n```python\ndescription = \"Test policy assigned to the test store\"\nvalidation_settings_off = {\n \"mode\": ValidationSettingsMode.OFF\n}\npolicy_store = PolicyStore(scope, \"PolicyStore\",\n 
validation_settings=validation_settings_off\n)\n\n# Create a policy and add it to the policy store\npolicy = Policy(scope, \"MyTestPolicy\",\n definition=PolicyDefinitionProperty(\n static=StaticPolicyDefinitionProperty(\n statement=Statement.from_file(\"assets/policy-statement.cedar\"),\n description=description\n )\n ),\n policy_store=policy_store\n)\n```\n\n## Policy Template\n\nDefine a Policy Template referring to a Cedar Statement in local file:\n\n```python\nvalidation_settings_off = {\n \"mode\": ValidationSettingsMode.OFF\n}\npolicy_store = PolicyStore(scope, \"PolicyStore\",\n validation_settings=validation_settings_off\n)\nPolicyTemplate(scope, \"PolicyTemplate\",\n description=\"Allows sharing photos in full access mode\",\n policy_store=policy_store,\n statement=Statement.from_file(\"assets/template-statement.cedar\")\n)\n```\n\n# Notes\n\n* This project is following the AWS CDK Official Design Guidelines (see https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) and the AWS CDK New Constructs Creation Guide (see here https://github.com/aws/aws-cdk/blob/main/docs/NEW_CONSTRUCTS_GUIDE.md).\n* Feedback is a gift: if you find something wrong or you've ideas to improve please open an issue or a pull request\n",
"bugtrack_url": null,
"license": "Apache-2.0",
"summary": "L2 AWS CDK Constructs for Amazon Verified Permissions",
"version": "0.0.1a7",
"project_urls": {
"Homepage": "https://github.com/cdklabs/cdk-verified-permissions.git",
"Source": "https://github.com/cdklabs/cdk-verified-permissions.git"
},
"split_keywords": [],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "ebf731098dfdc521149bce4d5f13ca33efe4a157bab8995351ee6ed39de72b23",
"md5": "0c060caa44f9df0d55ee2e0cf9ec76db",
"sha256": "4e61d4d64f18472faf89b2e23223460edd20558698ca877844abf16a8cb33240"
},
"downloads": -1,
"filename": "cdklabs.cdk_verified_permissions-0.0.1a7-py3-none-any.whl",
"has_sig": false,
"md5_digest": "0c060caa44f9df0d55ee2e0cf9ec76db",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": "~=3.8",
"size": 78493,
"upload_time": "2024-04-29T10:43:14",
"upload_time_iso_8601": "2024-04-29T10:43:14.668331Z",
"url": "https://files.pythonhosted.org/packages/eb/f7/31098dfdc521149bce4d5f13ca33efe4a157bab8995351ee6ed39de72b23/cdklabs.cdk_verified_permissions-0.0.1a7-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "a0315dbd20d12a28df571c3655f94d8a86b65cfc12fc372f4206eb0653b586ca",
"md5": "63bf76cfd0362da01e57752df2654869",
"sha256": "88e7b691d07610d0765037b49dd1c3c1772814e0b8d3730109185f1deb8c89bc"
},
"downloads": -1,
"filename": "cdklabs.cdk-verified-permissions-0.0.1a7.tar.gz",
"has_sig": false,
"md5_digest": "63bf76cfd0362da01e57752df2654869",
"packagetype": "sdist",
"python_version": "source",
"requires_python": "~=3.8",
"size": 79789,
"upload_time": "2024-04-29T10:43:16",
"upload_time_iso_8601": "2024-04-29T10:43:16.607665Z",
"url": "https://files.pythonhosted.org/packages/a0/31/5dbd20d12a28df571c3655f94d8a86b65cfc12fc372f4206eb0653b586ca/cdklabs.cdk-verified-permissions-0.0.1a7.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2024-04-29 10:43:16",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "cdklabs",
"github_project": "cdk-verified-permissions",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"lcname": "cdklabs.cdk-verified-permissions"
}