IoT / Client / test_authorization

test_authorization#

IoT.Client.test_authorization(**kwargs)#

Tests if a specified principal is authorized to perform an IoT action on a specified resource. Use this to test and debug the authorization behavior of devices that connect to the IoT device gateway.

Requires permission to access the TestAuthorization action.

See also: AWS API Documentation

Request Syntax

response = client.test_authorization(
    principal='string',
    cognitoIdentityPoolId='string',
    authInfos=[
        {
            'actionType': 'PUBLISH'|'SUBSCRIBE'|'RECEIVE'|'CONNECT',
            'resources': [
                'string',
            ]
        },
    ],
    clientId='string',
    policyNamesToAdd=[
        'string',
    ],
    policyNamesToSkip=[
        'string',
    ]
)
Parameters:

  • principal (string) – The principal. Valid principals are CertificateArn (arn:aws:iot:region:accountId:cert/certificateId), thingGroupArn (arn:aws:iot:region:accountId:thinggroup/groupName) and CognitoId (region:id).

  • cognitoIdentityPoolId (string) – The Cognito identity pool ID.

  • authInfos (list) –

    [REQUIRED]

    A list of authorization info objects. Simulating authorization will create a response for each authInfo object in the list.

    • (dict) –

      A collection of authorization information.

      • actionType (string) –

        The type of action for which the principal is being authorized.

      • resources (list) – [REQUIRED]

        The resources for which the principal is being authorized to perform the specified action.

        • (string) –

  • clientId (string) – The MQTT client ID.

  • policyNamesToAdd (list) –

    When testing custom authorization, the policies specified here are treated as if they are attached to the principal being authorized.

    • (string) –

  • policyNamesToSkip (list) –

    When testing custom authorization, the policies specified here are treated as if they are not attached to the principal being authorized.

    • (string) –

Return type:

dict

Returns:

Response Syntax

{
    'authResults': [
        {
            'authInfo': {
                'actionType': 'PUBLISH'|'SUBSCRIBE'|'RECEIVE'|'CONNECT',
                'resources': [
                    'string',
                ]
            },
            'allowed': {
                'policies': [
                    {
                        'policyName': 'string',
                        'policyArn': 'string'
                    },
                ]
            },
            'denied': {
                'implicitDeny': {
                    'policies': [
                        {
                            'policyName': 'string',
                            'policyArn': 'string'
                        },
                    ]
                },
                'explicitDeny': {
                    'policies': [
                        {
                            'policyName': 'string',
                            'policyArn': 'string'
                        },
                    ]
                }
            },
            'authDecision': 'ALLOWED'|'EXPLICIT_DENY'|'IMPLICIT_DENY',
            'missingContextValues': [
                'string',
            ]
        },
    ]
}

Response Structure

  • (dict) –

    • authResults (list) –

      The authentication results.

      • (dict) –

        The authorizer result.

        • authInfo (dict) –

          Authorization information.

          • actionType (string) –

            The type of action for which the principal is being authorized.

          • resources (list) –

            The resources for which the principal is being authorized to perform the specified action.

            • (string) –

        • allowed (dict) –

          The policies and statements that allowed the specified action.

          • policies (list) –

            A list of policies that allowed the authentication.

            • (dict) –

              Describes an IoT policy.

              • policyName (string) –

                The policy name.

              • policyArn (string) –

                The policy ARN.

        • denied (dict) –

          The policies and statements that denied the specified action.

          • implicitDeny (dict) –

            Information that implicitly denies the authorization. When a policy doesn’t explicitly deny or allow an action on a resource it is considered an implicit deny.

            • policies (list) –

              Policies that don’t contain a matching allow or deny statement for the specified action on the specified resource.

              • (dict) –

                Describes an IoT policy.

                • policyName (string) –

                  The policy name.

                • policyArn (string) –

                  The policy ARN.

          • explicitDeny (dict) –

            Information that explicitly denies the authorization.

            • policies (list) –

              The policies that denied the authorization.

              • (dict) –

                Describes an IoT policy.

                • policyName (string) –

                  The policy name.

                • policyArn (string) –

                  The policy ARN.

        • authDecision (string) –

          The final authorization decision of this scenario. Multiple statements are taken into account when determining the authorization decision. An explicit deny statement can override multiple allow statements.

        • missingContextValues (list) –

          Contains any missing context values found while evaluating policy.

          • (string) –

Exceptions

  • IoT.Client.exceptions.ResourceNotFoundException

  • IoT.Client.exceptions.InvalidRequestException

  • IoT.Client.exceptions.ThrottlingException

  • IoT.Client.exceptions.UnauthorizedException

  • IoT.Client.exceptions.ServiceUnavailableException

  • IoT.Client.exceptions.InternalFailureException

  • IoT.Client.exceptions.LimitExceededException