test_authorization

IoT.Client.test_authorization(**kwargs)

Tests if a specified principal is authorized to perform an IoT action on a specified resource. Use this to test and debug the authorization behavior of devices that connect to the IoT device gateway.

Requires permission to access the TestAuthorization action.

See also: AWS API Documentation

Request Syntax

response = client.test_authorization(
    principal='string',
    cognitoIdentityPoolId='string',
    authInfos=[
        {
            'actionType': 'PUBLISH'|'SUBSCRIBE'|'RECEIVE'|'CONNECT',
            'resources': [
                'string',
            ]
        },
    ],
    clientId='string',
    policyNamesToAdd=[
        'string',
    ],
    policyNamesToSkip=[
        'string',
    ]
)
Parameters
  • principal (string) -- The principal. Valid principals are CertificateArn (arn:aws:iot:region:accountId:cert/certificateId), thingGroupArn (arn:aws:iot:region:accountId:thinggroup/groupName) and CognitoId (region:id).
  • cognitoIdentityPoolId (string) -- The Cognito identity pool ID.
  • authInfos (list) --

    [REQUIRED]

    A list of authorization info objects. Simulating authorization will create a response for each authInfo object in the list.

    • (dict) --

      A collection of authorization information.

      • actionType (string) --

        The type of action for which the principal is being authorized.

      • resources (list) -- [REQUIRED]

        The resources for which the principal is being authorized to perform the specified action.

        • (string) --
  • clientId (string) -- The MQTT client ID.
  • policyNamesToAdd (list) --

    When testing custom authorization, the policies specified here are treated as if they are attached to the principal being authorized.

    • (string) --
  • policyNamesToSkip (list) --

    When testing custom authorization, the policies specified here are treated as if they are not attached to the principal being authorized.

    • (string) --
Return type

dict

Returns

Response Syntax

{
    'authResults': [
        {
            'authInfo': {
                'actionType': 'PUBLISH'|'SUBSCRIBE'|'RECEIVE'|'CONNECT',
                'resources': [
                    'string',
                ]
            },
            'allowed': {
                'policies': [
                    {
                        'policyName': 'string',
                        'policyArn': 'string'
                    },
                ]
            },
            'denied': {
                'implicitDeny': {
                    'policies': [
                        {
                            'policyName': 'string',
                            'policyArn': 'string'
                        },
                    ]
                },
                'explicitDeny': {
                    'policies': [
                        {
                            'policyName': 'string',
                            'policyArn': 'string'
                        },
                    ]
                }
            },
            'authDecision': 'ALLOWED'|'EXPLICIT_DENY'|'IMPLICIT_DENY',
            'missingContextValues': [
                'string',
            ]
        },
    ]
}

Response Structure

  • (dict) --

    • authResults (list) --

      The authorization results, one per authInfo object in the request.

      • (dict) --

        The authorizer result.

        • authInfo (dict) --

          Authorization information.

          • actionType (string) --

            The type of action for which the principal is being authorized.

          • resources (list) --

            The resources for which the principal is being authorized to perform the specified action.

            • (string) --
        • allowed (dict) --

          The policies and statements that allowed the specified action.

          • policies (list) --

            A list of policies that allowed the action.

            • (dict) --

              Describes an IoT policy.

              • policyName (string) --

                The policy name.

              • policyArn (string) --

                The policy ARN.

        • denied (dict) --

          The policies and statements that denied the specified action.

          • implicitDeny (dict) --

            Information that implicitly denies the authorization. When a policy doesn't explicitly deny or allow an action on a resource it is considered an implicit deny.

            • policies (list) --

              Policies that don't contain a matching allow or deny statement for the specified action on the specified resource.

              • (dict) --

                Describes an IoT policy.

                • policyName (string) --

                  The policy name.

                • policyArn (string) --

                  The policy ARN.

          • explicitDeny (dict) --

            Information that explicitly denies the authorization.

            • policies (list) --

              The policies that denied the authorization.

              • (dict) --

                Describes an IoT policy.

                • policyName (string) --

                  The policy name.

                • policyArn (string) --

                  The policy ARN.

        • authDecision (string) --

          The final authorization decision of this scenario. Multiple statements are taken into account when determining the authorization decision. An explicit deny statement can override multiple allow statements.

        • missingContextValues (list) --

          Contains any missing context values found while evaluating policy.

          • (string) --
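As an added example (not boto3's or AWS's own code), the helpers below build the request described under Request Syntax and flatten the Response Structure into one row per authInfo, naming the policies behind each authDecision. The region, account, certificate ARN, policy name and the sample response are all constructed.

```python
# Added example, not boto3's or AWS's own code: build a test_authorization request
# and flatten the authResults it returns. All ARNs, names and values are constructed.
ACCT = "arn:aws:iot:us-east-1:123456789012"   # constructed region and account
CERT_ARN = f"{ACCT}:cert/EXAMPLE_CERT_ID"      # hypothetical device certificate principal

def build_request(principal, client_id, checks, add=(), skip=()):
    """kwargs for client.test_authorization(**kwargs). checks: (actionType, resources)
    pairs, one authInfo each; add/skip: policy names simulated as attached/detached."""
    kwargs = {
        "principal": principal,
        "clientId": client_id,
        "authInfos": [{"actionType": a, "resources": list(r)} for a, r in checks],
    }
    if add:
        kwargs["policyNamesToAdd"] = list(add)
    if skip:
        kwargs["policyNamesToSkip"] = list(skip)
    return kwargs

def summarize(response):
    """One row per authInfo. ALLOWED cites allowed.policies; EXPLICIT_DENY cites
    denied.explicitDeny (a deny overrides any allow); IMPLICIT_DENY cites implicitDeny."""
    rows = []
    for r in response.get("authResults", []):
        d, den = r["authDecision"], r.get("denied", {})
        if d == "ALLOWED":
            pols = r.get("allowed", {}).get("policies", [])
        elif d == "EXPLICIT_DENY":
            pols = den.get("explicitDeny", {}).get("policies", [])
        else:  # IMPLICIT_DENY: no statement matched the action/resource at all
            pols = den.get("implicitDeny", {}).get("policies", [])
        rows.append({"action": r["authInfo"]["actionType"], "decision": d,
                     "resources": r["authInfo"]["resources"],
                     "policies": [p["policyName"] for p in pols],
                     "missing": r.get("missingContextValues", [])})
    return rows

def pol(name):  # builds a policy entry for the constructed sample below
    return {"policyName": name, "policyArn": f"{ACCT}:policy/{name}"}

SAMPLE_RESPONSE = {"authResults": [  # constructed; shape follows the Response Syntax
    {"authInfo": {"actionType": "PUBLISH", "resources": [f"{ACCT}:topic/dev/EXAMPLE/telemetry"]},
     "allowed": {"policies": [pol("DevicePolicy")]},
     "denied": {"implicitDeny": {"policies": []}, "explicitDeny": {"policies": []}},
     "authDecision": "ALLOWED", "missingContextValues": []},
    {"authInfo": {"actionType": "SUBSCRIBE", "resources": [f"{ACCT}:topicfilter/fleet/#"]},
     "allowed": {"policies": []},
     "denied": {"implicitDeny": {"policies": [pol("DevicePolicy")]}, "explicitDeny": {"policies": []}},
     "authDecision": "IMPLICIT_DENY", "missingContextValues": ["iot:Connection.Thing.ThingName"]},
]}
```

With a real client, `summarize(client.test_authorization(**build_request(CERT_ARN, "EXAMPLE_CLIENT", checks, skip=["DevicePolicy"])))` shows what a device could still do if that policy were detached, before any change is made to the live principal.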

Exceptions

  • IoT.Client.exceptions.ResourceNotFoundException
  • IoT.Client.exceptions.InvalidRequestException
  • IoT.Client.exceptions.ThrottlingException
  • IoT.Client.exceptions.UnauthorizedException
  • IoT.Client.exceptions.ServiceUnavailableException
  • IoT.Client.exceptions.InternalFailureException
  • IoT.Client.exceptions.LimitExceededException