IoT / Client / test_authorization

test_authorization

IoT.Client.test_authorization(**kwargs)

Tests if a specified principal is authorized to perform an IoT action on a specified resource. Use this to test and debug the authorization behavior of devices that connect to the IoT device gateway.

Requires permission to access the TestAuthorization action.

See also: AWS API Documentation

Request Syntax

response = client.test_authorization(
    principal='string',
    cognitoIdentityPoolId='string',
    authInfos=[
        {
            'actionType': 'PUBLISH'|'SUBSCRIBE'|'RECEIVE'|'CONNECT',
            'resources': [
                'string',
            ]
        },
    ],
    clientId='string',
    policyNamesToAdd=[
        'string',
    ],
    policyNamesToSkip=[
        'string',
    ]
)

Parameters:

• principal (string) – The principal. Valid principals are CertificateArn (arn:aws:iot:region:accountId:cert/certificateId), thingGroupArn (arn:aws:iot:region:accountId:thinggroup/groupName) and CognitoId (region:id).

• cognitoIdentityPoolId (string) – The Cognito identity pool ID.

• authInfos (list) –

  [REQUIRED]

  A list of authorization info objects. Simulating authorization will create a response for each authInfo object in the list.

  • (dict) –

    A collection of authorization information.

    • actionType (string) –

      The type of action for which the principal is being authorized.

    • resources (list) – [REQUIRED]

      The resources for which the principal is being authorized to perform the specified action.

      • (string) –

• clientId (string) – The MQTT client ID.

• policyNamesToAdd (list) –

  When testing custom authorization, the policies specified here are treated as if they are attached to the principal being authorized.

  • (string) –

• policyNamesToSkip (list) –

  When testing custom authorization, the policies specified here are treated as if they are not attached to the principal being authorized.

  • (string) –

Return type:

dict

Returns:

Response Syntax

{
    'authResults': [
        {
            'authInfo': {
                'actionType': 'PUBLISH'|'SUBSCRIBE'|'RECEIVE'|'CONNECT',
                'resources': [
                    'string',
                ]
            },
            'allowed': {
                'policies': [
                    {
                        'policyName': 'string',
                        'policyArn': 'string'
                    },
                ]
            },
            'denied': {
                'implicitDeny': {
                    'policies': [
                        {
                            'policyName': 'string',
                            'policyArn': 'string'
                        },
                    ]
                },
                'explicitDeny': {
                    'policies': [
                        {
                            'policyName': 'string',
                            'policyArn': 'string'
                        },
                    ]
                }
            },
            'authDecision': 'ALLOWED'|'EXPLICIT_DENY'|'IMPLICIT_DENY',
            'missingContextValues': [
                'string',
            ]
        },
    ]
}

Response Structure

• (dict) –

  • authResults (list) –

    The authentication results.

    • (dict) –

      The authorizer result.

      • authInfo (dict) –

        Authorization information.

        • actionType (string) –

          The type of action for which the principal is being authorized.

        • resources (list) –

          The resources for which the principal is being authorized to perform the specified action.

          • (string) –

      • allowed (dict) –

        The policies and statements that allowed the specified action.

        • policies (list) –

          A list of policies that allowed the authentication.

          • (dict) –

            Describes an IoT policy.

            • policyName (string) –

              The policy name.

            • policyArn (string) –

              The policy ARN.

      • denied (dict) –

        The policies and statements that denied the specified action.

        • implicitDeny (dict) –

          Information that implicitly denies the authorization. When a policy doesn’t explicitly deny or allow an action on a resource it is considered an implicit deny.

          • policies (list) –

            Policies that don’t contain a matching allow or deny statement for the specified action on the specified resource.

            • (dict) –

              Describes an IoT policy.

              • policyName (string) –

                The policy name.

              • policyArn (string) –

                The policy ARN.

        • explicitDeny (dict) –

          Information that explicitly denies the authorization.

          • policies (list) –

            The policies that denied the authorization.

            • (dict) –

              Describes an IoT policy.

              • policyName (string) –

                The policy name.

              • policyArn (string) –

                The policy ARN.

      • authDecision (string) –

        The final authorization decision of this scenario. Multiple statements are taken into account when determining the authorization decision. An explicit deny statement can override multiple allow statements.

      • missingContextValues (list) –

        Contains any missing context values found while evaluating policy.

        • (string) –

Exceptions

• IoT.Client.exceptions.ResourceNotFoundException

• IoT.Client.exceptions.InvalidRequestException

• IoT.Client.exceptions.ThrottlingException

• IoT.Client.exceptions.UnauthorizedException

• IoT.Client.exceptions.ServiceUnavailableException

• IoT.Client.exceptions.InternalFailureException

• IoT.Client.exceptions.LimitExceededException