VerifiedPermissions / Client / create_policy
create_policy#
- VerifiedPermissions.Client.create_policy(**kwargs)#
Creates a Cedar policy and saves it in the specified policy store. You can create either a static policy or a policy linked to a policy template.
To create a static policy, provide the Cedar policy text in the
StaticPolicy
section of thePolicyDefinition
.To create a policy that is dynamically linked to a policy template, specify the policy template ID and the principal and resource to associate with this policy in the
templateLinked
section of thePolicyDefinition
. If the policy template is ever updated, any policies linked to the policy template automatically use the updated template.
Note
Creating a policy causes it to be validated against the schema in the policy store. If the policy doesn’t pass validation, the operation fails and the policy isn’t stored.
Note
Verified Permissions is eventually consistent . It can take a few seconds for a new or changed element to propagate through the service and be visible in the results of other Verified Permissions operations.
See also: AWS API Documentation
Request Syntax
response = client.create_policy( clientToken='string', policyStoreId='string', definition={ 'static': { 'description': 'string', 'statement': 'string' }, 'templateLinked': { 'policyTemplateId': 'string', 'principal': { 'entityType': 'string', 'entityId': 'string' }, 'resource': { 'entityType': 'string', 'entityId': 'string' } } } )
- Parameters:
clientToken (string) –
Specifies a unique, case-sensitive ID that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value..
If you don’t provide this value, then Amazon Web Services generates a random one for you.
If you retry the operation with the same
ClientToken
, but with different parameters, the retry fails with anConflictException
error.Verified Permissions recognizes a
ClientToken
for eight hours. After eight hours, the next request with the same parameters performs the operation again regardless of the value ofClientToken
.This field is autopopulated if not provided.
policyStoreId (string) –
[REQUIRED]
Specifies the
PolicyStoreId
of the policy store you want to store the policy in.definition (dict) –
[REQUIRED]
A structure that specifies the policy type and content to use for the new policy. You must include either a static or a templateLinked element. The policy content must be written in the Cedar policy language.
Note
This is a Tagged Union structure. Only one of the following top level keys can be set:
static
,templateLinked
.static (dict) –
A structure that describes a static policy. An static policy doesn’t use a template or allow placeholders for entities.
description (string) –
The description of the static policy.
statement (string) – [REQUIRED]
The policy content of the static policy, written in the Cedar policy language.
templateLinked (dict) –
A structure that describes a policy that was instantiated from a template. The template can specify placeholders for
principal
andresource
. When you use CreatePolicy to create a policy from a template, you specify the exact principal and resource to use for the instantiated policy.policyTemplateId (string) – [REQUIRED]
The unique identifier of the policy template used to create this policy.
principal (dict) –
The principal associated with this template-linked policy. Verified Permissions substitutes this principal for the
?principal
placeholder in the policy template when it evaluates an authorization request.entityType (string) – [REQUIRED]
The type of an entity.
Example:
"entityType":"typeName"
entityId (string) – [REQUIRED]
The identifier of an entity.
"entityId":"identifier"
resource (dict) –
The resource associated with this template-linked policy. Verified Permissions substitutes this resource for the
?resource
placeholder in the policy template when it evaluates an authorization request.entityType (string) – [REQUIRED]
The type of an entity.
Example:
"entityType":"typeName"
entityId (string) – [REQUIRED]
The identifier of an entity.
"entityId":"identifier"
- Return type:
dict
- Returns:
Response Syntax
{ 'policyStoreId': 'string', 'policyId': 'string', 'policyType': 'STATIC'|'TEMPLATE_LINKED', 'principal': { 'entityType': 'string', 'entityId': 'string' }, 'resource': { 'entityType': 'string', 'entityId': 'string' }, 'actions': [ { 'actionType': 'string', 'actionId': 'string' }, ], 'createdDate': datetime(2015, 1, 1), 'lastUpdatedDate': datetime(2015, 1, 1), 'effect': 'Permit'|'Forbid' }
Response Structure
(dict) –
policyStoreId (string) –
The ID of the policy store that contains the new policy.
policyId (string) –
The unique ID of the new policy.
policyType (string) –
The policy type of the new policy.
principal (dict) –
The principal specified in the new policy’s scope. This response element isn’t present when
principal
isn’t specified in the policy content.entityType (string) –
The type of an entity.
Example:
"entityType":"typeName"
entityId (string) –
The identifier of an entity.
"entityId":"identifier"
resource (dict) –
The resource specified in the new policy’s scope. This response element isn’t present when the
resource
isn’t specified in the policy content.entityType (string) –
The type of an entity.
Example:
"entityType":"typeName"
entityId (string) –
The identifier of an entity.
"entityId":"identifier"
actions (list) –
The action that a policy permits or forbids. For example,
{"actions": [{"actionId": "ViewPhoto", "actionType": "PhotoFlash::Action"}, {"entityID": "SharePhoto", "entityType": "PhotoFlash::Action"}]}
.(dict) –
Contains information about an action for a request for which an authorization decision is made.
This data type is used as a request parameter to the IsAuthorized, BatchIsAuthorized, and IsAuthorizedWithToken operations.
Example:
{ "actionId": "<action name>", "actionType": "Action" }
actionType (string) –
The type of an action.
actionId (string) –
The ID of an action.
createdDate (datetime) –
The date and time the policy was originally created.
lastUpdatedDate (datetime) –
The date and time the policy was last updated.
effect (string) –
The effect of the decision that a policy returns to an authorization request. For example,
"effect": "Permit"
.
Exceptions
VerifiedPermissions.Client.exceptions.ValidationException
VerifiedPermissions.Client.exceptions.ServiceQuotaExceededException
VerifiedPermissions.Client.exceptions.ConflictException
VerifiedPermissions.Client.exceptions.AccessDeniedException
VerifiedPermissions.Client.exceptions.ResourceNotFoundException
VerifiedPermissions.Client.exceptions.ThrottlingException
VerifiedPermissions.Client.exceptions.InternalServerException