Skip to content

Latest commit

 

History

History
3246 lines (1953 loc) · 121 KB

API.md

File metadata and controls

3246 lines (1953 loc) · 121 KB

API Reference

Constructs

IdentitySource

Initializers 

import { IdentitySource } from '@cdklabs/cdk-verified-permissions'

new IdentitySource(scope: Construct, id: string, props: IdentitySourceProps)
Name Type Description
scope constructs.Construct No description.
id string No description.
props IdentitySourceProps No description.
scopeRequired
  • Type: constructs.Construct
idRequired
  • Type: string
propsRequired

Methods

Name Description
toString Returns a string representation of this construct.
applyRemovalPolicy Apply the given removal policy to this resource.
addAudience Add an audience to the list.
addClientId Add a clientId to the list The method can be called only when the Identity Source is configured with one of these configs: - Cognito auth provider - OIDC auth provider and ID Token Selection mode.
addUserPoolClient Add a User Pool Client The method can be called only when the Identity Source is configured with Cognito auth provider.
toString 
public toString(): string

Returns a string representation of this construct.

applyRemovalPolicy 
public applyRemovalPolicy(policy: RemovalPolicy): void

Apply the given removal policy to this resource.

The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced.

The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN).

policyRequired
  • Type: aws-cdk-lib.RemovalPolicy
addAudience 
public addAudience(audience: string): void

Add an audience to the list.

The method can be called only when the Identity Source is configured with OIDC auth provider and Access Token Selection mode

audienceRequired
  • Type: string

the audience to be added.

addClientId 
public addClientId(clientId: string): void

Add a clientId to the list The method can be called only when the Identity Source is configured with one of these configs: - Cognito auth provider - OIDC auth provider and ID Token Selection mode.

clientIdRequired
  • Type: string

The clientId to be added.

addUserPoolClient 
public addUserPoolClient(userPoolClient: IUserPoolClient): void

Add a User Pool Client The method can be called only when the Identity Source is configured with Cognito auth provider.

userPoolClientRequired
  • Type: aws-cdk-lib.aws_cognito.IUserPoolClient

The User Pool Client Construct.

Static Functions

Name Description
isConstruct Checks if x is a construct.
isOwnedResource Returns true if the construct was created by CDK, and false otherwise.
isResource Check whether the given construct is a Resource.
fromIdentitySourceAttributes Creates Identity Source from its attributes.
fromIdentitySourceId Create an Identity Source from its identifier.
isConstruct 
import { IdentitySource } from '@cdklabs/cdk-verified-permissions'

IdentitySource.isConstruct(x: any)

Checks if x is a construct.

xRequired
  • Type: any

Any object.

isOwnedResource 
import { IdentitySource } from '@cdklabs/cdk-verified-permissions'

IdentitySource.isOwnedResource(construct: IConstruct)

Returns true if the construct was created by CDK, and false otherwise.

constructRequired
  • Type: constructs.IConstruct
isResource 
import { IdentitySource } from '@cdklabs/cdk-verified-permissions'

IdentitySource.isResource(construct: IConstruct)

Check whether the given construct is a Resource.

constructRequired
  • Type: constructs.IConstruct
fromIdentitySourceAttributes 
import { IdentitySource } from '@cdklabs/cdk-verified-permissions'

IdentitySource.fromIdentitySourceAttributes(scope: Construct, id: string, attrs: IdentitySourceAttributes)

Creates Identity Source from its attributes.

scopeRequired
  • Type: constructs.Construct

The parent creating construct (usually this).

idRequired
  • Type: string

The construct's name.

attrsRequired

An IdentitySourceAttributes object.

fromIdentitySourceId 
import { IdentitySource } from '@cdklabs/cdk-verified-permissions'

IdentitySource.fromIdentitySourceId(scope: Construct, id: string, identitySourceId: string)

Create an Identity Source from its identifier.

scopeRequired
  • Type: constructs.Construct

The parent creating construct (usually this).

idRequired
  • Type: string

The construct's name.

identitySourceIdRequired
  • Type: string

The Identity Source identifier.

Properties

Name Type Description
node constructs.Node The tree node.
env aws-cdk-lib.ResourceEnvironment The environment this resource belongs to.
stack aws-cdk-lib.Stack The stack in which this resource is defined.
audiencesOIDC string[] No description.
clientIds string[] No description.
identitySourceId string Identity Source identifier.
issuer string No description.
policyStore IPolicyStore No description.
cognitoGroupEntityType string No description.
groupConfigGroupClaimOIDC string No description.
groupConfigGroupEntityTypeOIDC string No description.
principalIdClaimOIDC string No description.
userPoolArn string No description.
nodeRequired 
public readonly node: Node;
  • Type: constructs.Node

The tree node.

envRequired 
public readonly env: ResourceEnvironment;
  • Type: aws-cdk-lib.ResourceEnvironment

The environment this resource belongs to.

For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.

stackRequired 
public readonly stack: Stack;
  • Type: aws-cdk-lib.Stack

The stack in which this resource is defined.

audiencesOIDCRequired 
public readonly audiencesOIDC: string[];
  • Type: string[]
clientIdsRequired 
public readonly clientIds: string[];
  • Type: string[]
identitySourceIdRequired 
public readonly identitySourceId: string;
  • Type: string

Identity Source identifier.

issuerRequired 
public readonly issuer: string;
  • Type: string
policyStoreRequired 
public readonly policyStore: IPolicyStore;
cognitoGroupEntityTypeOptional 
public readonly cognitoGroupEntityType: string;
  • Type: string
groupConfigGroupClaimOIDCOptional 
public readonly groupConfigGroupClaimOIDC: string;
  • Type: string
groupConfigGroupEntityTypeOIDCOptional 
public readonly groupConfigGroupEntityTypeOIDC: string;
  • Type: string
principalIdClaimOIDCOptional 
public readonly principalIdClaimOIDC: string;
  • Type: string
userPoolArnOptional 
public readonly userPoolArn: string;
  • Type: string

Policy

Initializers 

import { Policy } from '@cdklabs/cdk-verified-permissions'

new Policy(scope: Construct, id: string, props: PolicyProps)
Name Type Description
scope constructs.Construct No description.
id string No description.
props PolicyProps No description.
scopeRequired
  • Type: constructs.Construct
idRequired
  • Type: string
propsRequired

Methods

Name Description
toString Returns a string representation of this construct.
applyRemovalPolicy Apply the given removal policy to this resource.
toString 
public toString(): string

Returns a string representation of this construct.

applyRemovalPolicy 
public applyRemovalPolicy(policy: RemovalPolicy): void

Apply the given removal policy to this resource.

The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced.

The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN).

policyRequired
  • Type: aws-cdk-lib.RemovalPolicy

Static Functions

Name Description
isConstruct Checks if x is a construct.
isOwnedResource Returns true if the construct was created by CDK, and false otherwise.
isResource Check whether the given construct is a Resource.
fromFile Create a policy based on a file containing a cedar policy.
fromPolicyAttributes Import a Policy construct from attributes.
fromPolicyId Import a policy into the CDK using its id.
isConstruct 
import { Policy } from '@cdklabs/cdk-verified-permissions'

Policy.isConstruct(x: any)

Checks if x is a construct.

xRequired
  • Type: any

Any object.

isOwnedResource 
import { Policy } from '@cdklabs/cdk-verified-permissions'

Policy.isOwnedResource(construct: IConstruct)

Returns true if the construct was created by CDK, and false otherwise.

constructRequired
  • Type: constructs.IConstruct
isResource 
import { Policy } from '@cdklabs/cdk-verified-permissions'

Policy.isResource(construct: IConstruct)

Check whether the given construct is a Resource.

constructRequired
  • Type: constructs.IConstruct
fromFile 
import { Policy } from '@cdklabs/cdk-verified-permissions'

Policy.fromFile(scope: Construct, id: string, props: StaticPolicyFromFileProps)

Create a policy based on a file containing a cedar policy.

Best practice would be for the file name to end in .cedar but this is not required. Policy is parsed for valid syntax but not validated against schema. In order to validate against schema, use PolicyStore.addPoliciesFromPath()

scopeRequired
  • Type: constructs.Construct

The parent creating construct (usually this).

idRequired
  • Type: string

The construct id.

propsRequired

A StaticPolicyFromFileProps object.

fromPolicyAttributes 
import { Policy } from '@cdklabs/cdk-verified-permissions'

Policy.fromPolicyAttributes(scope: Construct, id: string, attrs: PolicyAttributes)

Import a Policy construct from attributes.

scopeRequired
  • Type: constructs.Construct

The parent creating construct (usually this).

idRequired
  • Type: string

The construct id.

attrsRequired

A PolicyAttributes object.

fromPolicyId 
import { Policy } from '@cdklabs/cdk-verified-permissions'

Policy.fromPolicyId(scope: Construct, id: string, policyId: string)

Import a policy into the CDK using its id.

scopeRequired
  • Type: constructs.Construct

The parent creating construct (usually this).

idRequired
  • Type: string

The construct id.

policyIdRequired
  • Type: string

The policy id.

Properties

Name Type Description
node constructs.Node The tree node.
env aws-cdk-lib.ResourceEnvironment The environment this resource belongs to.
stack aws-cdk-lib.Stack The stack in which this resource is defined.
definition PolicyDefinitionProperty No description.
policyId string The unique ID of the new or updated policy.
policyStoreId string No description.
policyType PolicyType The type of the policy.
nodeRequired 
public readonly node: Node;
  • Type: constructs.Node

The tree node.

envRequired 
public readonly env: ResourceEnvironment;
  • Type: aws-cdk-lib.ResourceEnvironment

The environment this resource belongs to.

For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.

stackRequired 
public readonly stack: Stack;
  • Type: aws-cdk-lib.Stack

The stack in which this resource is defined.

definitionRequired 
public readonly definition: PolicyDefinitionProperty;
policyIdRequired 
public readonly policyId: string;
  • Type: string

The unique ID of the new or updated policy.

policyStoreIdRequired 
public readonly policyStoreId: string;
  • Type: string
policyTypeRequired 
public readonly policyType: PolicyType;

The type of the policy.

This is one of the following values: Static or TemplateLinked.

PolicyStore

Initializers 

import { PolicyStore } from '@cdklabs/cdk-verified-permissions'

new PolicyStore(scope: Construct, id: string, props?: PolicyStoreProps)
Name Type Description
scope constructs.Construct No description.
id string No description.
props PolicyStoreProps No description.
scopeRequired
  • Type: constructs.Construct
idRequired
  • Type: string
propsOptional

Methods

Name Description
toString Returns a string representation of this construct.
applyRemovalPolicy Apply the given removal policy to this resource.
addPolicies Add multiple policies to the policy store.
addPoliciesFromPath Takes in an absolute path to a directory containing .cedar files and adds the contents of each .cedar file as policies to this policy store. Parses the policies with cedar-wasm and, if the policy store has a schema, performs semantic validation of the policies as well.
grant Adds an IAM policy statement associated with this policy store to an IAM principal's policy.
grantAuth Permits an IAM principal all auth operations on the policy store: IsAuthorized, IsAuthorizedWithToken.
grantRead Permits an IAM principal all read operations on the policy store: GetIdentitySource, GetPolicy, GetPolicyStore, GetPolicyTemplate, GetSchema, ListIdentitySources, ListPolicies, ListPolicyTemplates.
grantWrite Permits an IAM principal all write & read operations on the policy store: CreateIdentitySource, CreatePolicy,CreatePolicyTemplate, DeleteIdentitySource, DeletePolicy, DeletePolicyTemplate, PutSchema, UpdateIdentitySource, UpdatePolicy, UpdatePolicyTemplate.
toString 
public toString(): string

Returns a string representation of this construct.

applyRemovalPolicy 
public applyRemovalPolicy(policy: RemovalPolicy): void

Apply the given removal policy to this resource.

The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced.

The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN).

policyRequired
  • Type: aws-cdk-lib.RemovalPolicy
addPolicies 
public addPolicies(policyDefinitions: AddPolicyOptions[]): Policy[]

Add multiple policies to the policy store.

policyDefinitionsRequired

An array of policy options for the policy stores policies.

addPoliciesFromPath 
public addPoliciesFromPath(absolutePath: string): Policy[]

Takes in an absolute path to a directory containing .cedar files and adds the contents of each .cedar file as policies to this policy store. Parses the policies with cedar-wasm and, if the policy store has a schema, performs semantic validation of the policies as well.

absolutePathRequired
  • Type: string

a string representing an absolute path to the directory containing your policies.

grant 
public grant(grantee: IGrantable, actions: ...string[]): Grant

Adds an IAM policy statement associated with this policy store to an IAM principal's policy.

granteeRequired
  • Type: aws-cdk-lib.aws_iam.IGrantable
actionsRequired
  • Type: ...string[]
grantAuth 
public grantAuth(grantee: IGrantable): Grant

Permits an IAM principal all auth operations on the policy store: IsAuthorized, IsAuthorizedWithToken.

granteeRequired
  • Type: aws-cdk-lib.aws_iam.IGrantable
grantRead 
public grantRead(grantee: IGrantable): Grant

Permits an IAM principal all read operations on the policy store: GetIdentitySource, GetPolicy, GetPolicyStore, GetPolicyTemplate, GetSchema, ListIdentitySources, ListPolicies, ListPolicyTemplates.

granteeRequired
  • Type: aws-cdk-lib.aws_iam.IGrantable
grantWrite 
public grantWrite(grantee: IGrantable): Grant

Permits an IAM principal all write & read operations on the policy store: CreateIdentitySource, CreatePolicy,CreatePolicyTemplate, DeleteIdentitySource, DeletePolicy, DeletePolicyTemplate, PutSchema, UpdateIdentitySource, UpdatePolicy, UpdatePolicyTemplate.

granteeRequired
  • Type: aws-cdk-lib.aws_iam.IGrantable

Static Functions

Name Description
isConstruct Checks if x is a construct.
isOwnedResource Returns true if the construct was created by CDK, and false otherwise.
isResource Check whether the given construct is a Resource.
fromPolicyStoreArn Create a PolicyStore construct that represents an external PolicyStore via policy store arn.
fromPolicyStoreAttributes Creates a PolicyStore construct that represents an external Policy Store.
fromPolicyStoreId Create a PolicyStore construct that represents an external policy store via policy store id.
schemaFromOpenApiSpec This method generates a schema based on an swagger file.
schemaFromRestApi This method generates a schema based on an AWS CDK RestApi construct.
isConstruct 
import { PolicyStore } from '@cdklabs/cdk-verified-permissions'

PolicyStore.isConstruct(x: any)

Checks if x is a construct.

xRequired
  • Type: any

Any object.

isOwnedResource 
import { PolicyStore } from '@cdklabs/cdk-verified-permissions'

PolicyStore.isOwnedResource(construct: IConstruct)

Returns true if the construct was created by CDK, and false otherwise.

constructRequired
  • Type: constructs.IConstruct
isResource 
import { PolicyStore } from '@cdklabs/cdk-verified-permissions'

PolicyStore.isResource(construct: IConstruct)

Check whether the given construct is a Resource.

constructRequired
  • Type: constructs.IConstruct
fromPolicyStoreArn 
import { PolicyStore } from '@cdklabs/cdk-verified-permissions'

PolicyStore.fromPolicyStoreArn(scope: Construct, id: string, policyStoreArn: string)

Create a PolicyStore construct that represents an external PolicyStore via policy store arn.

scopeRequired
  • Type: constructs.Construct

The parent creating construct (usually this).

idRequired
  • Type: string

The construct's name.

policyStoreArnRequired
  • Type: string

The PolicyStore's ARN.

fromPolicyStoreAttributes 
import { PolicyStore } from '@cdklabs/cdk-verified-permissions'

PolicyStore.fromPolicyStoreAttributes(scope: Construct, id: string, attrs: PolicyStoreAttributes)

Creates a PolicyStore construct that represents an external Policy Store.

scopeRequired
  • Type: constructs.Construct

The parent creating construct (usually this).

idRequired
  • Type: string

The construct's name.

attrsRequired

A PolicyStoreAttributes object.

fromPolicyStoreId 
import { PolicyStore } from '@cdklabs/cdk-verified-permissions'

PolicyStore.fromPolicyStoreId(scope: Construct, id: string, policyStoreId: string)

Create a PolicyStore construct that represents an external policy store via policy store id.

scopeRequired
  • Type: constructs.Construct

The parent creating construct (usually this).

idRequired
  • Type: string

The construct's name.

policyStoreIdRequired
  • Type: string

The PolicyStore's id.

schemaFromOpenApiSpec 
import { PolicyStore } from '@cdklabs/cdk-verified-permissions'

PolicyStore.schemaFromOpenApiSpec(swaggerFilePath: string, groupEntityTypeName?: string)

This method generates a schema based on an swagger file.

It makes the same assumptions and decisions made in the Amazon Verified Permissions console. This feature is built for swagger files generated from an Amazon API Gateway export. It's possible that some swagger files generated by other tools will not work. In that case, please file an issue.

swaggerFilePathRequired
  • Type: string

absolute path to a swagger file in the local directory structure, in json format.

groupEntityTypeNameOptional
  • Type: string

optional parameter to specify the group entity type name.

If passed, the schema's User type will have a parent of this type.

schemaFromRestApi 
import { PolicyStore } from '@cdklabs/cdk-verified-permissions'

PolicyStore.schemaFromRestApi(restApi: RestApi, groupEntityTypeName?: string)

This method generates a schema based on an AWS CDK RestApi construct.

It makes the same assumptions and decisions made in the Amazon Verified Permissions console.

restApiRequired
  • Type: aws-cdk-lib.aws_apigateway.RestApi

The RestApi construct instance from which to generate the schema.

groupEntityTypeNameOptional
  • Type: string

Specifies a group entity type name.

If passed, the schema's User type will have a parent of this type.

Properties

Name Type Description
node constructs.Node The tree node.
env aws-cdk-lib.ResourceEnvironment The environment this resource belongs to.
stack aws-cdk-lib.Stack The stack in which this resource is defined.
policyStoreArn string ARN of the Policy Store.
policyStoreId string ID of the Policy Store.
policyStoreName string Name of the Policy Store.
validationSettings ValidationSettings Validation Settings of the Policy Store.
description string Description of the Policy Store.
schema Schema Schema definition of the Policy Store.
nodeRequired 
public readonly node: Node;
  • Type: constructs.Node

The tree node.

envRequired 
public readonly env: ResourceEnvironment;
  • Type: aws-cdk-lib.ResourceEnvironment

The environment this resource belongs to.

For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.

stackRequired 
public readonly stack: Stack;
  • Type: aws-cdk-lib.Stack

The stack in which this resource is defined.

policyStoreArnRequired 
public readonly policyStoreArn: string;
  • Type: string

ARN of the Policy Store.

policyStoreIdRequired 
public readonly policyStoreId: string;
  • Type: string

ID of the Policy Store.

policyStoreNameRequired 
public readonly policyStoreName: string;
  • Type: string

Name of the Policy Store.

validationSettingsRequired 
public readonly validationSettings: ValidationSettings;

Validation Settings of the Policy Store.

descriptionOptional 
public readonly description: string;
  • Type: string

Description of the Policy Store.

schemaOptional 
public readonly schema: Schema;

Schema definition of the Policy Store.

PolicyTemplate

Initializers 

import { PolicyTemplate } from '@cdklabs/cdk-verified-permissions'

new PolicyTemplate(scope: Construct, id: string, props: PolicyTemplateProps)
Name Type Description
scope constructs.Construct No description.
id string No description.
props PolicyTemplateProps No description.
scopeRequired
  • Type: constructs.Construct
idRequired
  • Type: string
propsRequired

Methods

Name Description
toString Returns a string representation of this construct.
applyRemovalPolicy Apply the given removal policy to this resource.
toString 
public toString(): string

Returns a string representation of this construct.

applyRemovalPolicy 
public applyRemovalPolicy(policy: RemovalPolicy): void

Apply the given removal policy to this resource.

The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced.

The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN).

policyRequired
  • Type: aws-cdk-lib.RemovalPolicy

Static Functions

Name Description
isConstruct Checks if x is a construct.
isOwnedResource Returns true if the construct was created by CDK, and false otherwise.
isResource Check whether the given construct is a Resource.
fromFile No description.
fromPolicyTemplateAttributes Creates a PolicyTemplate construct that represents an external Policy Template.
fromPolicyTemplateId Create a PolicyTemplate construct that represents an external policy template via policy template id.
isConstruct 
import { PolicyTemplate } from '@cdklabs/cdk-verified-permissions'

PolicyTemplate.isConstruct(x: any)

Checks if x is a construct.

xRequired
  • Type: any

Any object.

isOwnedResource 
import { PolicyTemplate } from '@cdklabs/cdk-verified-permissions'

PolicyTemplate.isOwnedResource(construct: IConstruct)

Returns true if the construct was created by CDK, and false otherwise.

constructRequired
  • Type: constructs.IConstruct
isResource 
import { PolicyTemplate } from '@cdklabs/cdk-verified-permissions'

PolicyTemplate.isResource(construct: IConstruct)

Check whether the given construct is a Resource.

constructRequired
  • Type: constructs.IConstruct
fromFile 
import { PolicyTemplate } from '@cdklabs/cdk-verified-permissions'

PolicyTemplate.fromFile(scope: Construct, id: string, props: TemplateFromFileProps)
scopeRequired
  • Type: constructs.Construct
idRequired
  • Type: string
propsRequired
fromPolicyTemplateAttributes 
import { PolicyTemplate } from '@cdklabs/cdk-verified-permissions'

PolicyTemplate.fromPolicyTemplateAttributes(scope: Construct, id: string, attrs: PolicyTemplateAttributes)

Creates a PolicyTemplate construct that represents an external Policy Template.

scopeRequired
  • Type: constructs.Construct

The parent creating construct (usually this).

idRequired
  • Type: string

The construct's name.

attrsRequired

A PolicyTemplateAttributes object.

fromPolicyTemplateId 
import { PolicyTemplate } from '@cdklabs/cdk-verified-permissions'

PolicyTemplate.fromPolicyTemplateId(scope: Construct, id: string, policyTemplateId: string)

Create a PolicyTemplate construct that represents an external policy template via policy template id.

scopeRequired
  • Type: constructs.Construct

The parent creating construct (usually this).

idRequired
  • Type: string

The construct's name.

policyTemplateIdRequired
  • Type: string

The PolicyTemplate's id.

Properties

Name Type Description
node constructs.Node The tree node.
env aws-cdk-lib.ResourceEnvironment The environment this resource belongs to.
stack aws-cdk-lib.Stack The stack in which this resource is defined.
policyStore IPolicyStore The Policy store that contains the template.
policyTemplateId string The ID of the policy template.
statement string The statement of the policy template.
description string Description of the policy template.
nodeRequired 
public readonly node: Node;
  • Type: constructs.Node

The tree node.

envRequired 
public readonly env: ResourceEnvironment;
  • Type: aws-cdk-lib.ResourceEnvironment

The environment this resource belongs to.

For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.

stackRequired 
public readonly stack: Stack;
  • Type: aws-cdk-lib.Stack

The stack in which this resource is defined.

policyStoreRequired 
public readonly policyStore: IPolicyStore;

The Policy store that contains the template.

policyTemplateIdRequired 
public readonly policyTemplateId: string;
  • Type: string

The ID of the policy template.

statementRequired 
public readonly statement: string;
  • Type: string

The statement of the policy template.

descriptionOptional 
public readonly description: string;
  • Type: string

Description of the policy template.

Structs

AddPolicyOptions

Initializer 

import { AddPolicyOptions } from '@cdklabs/cdk-verified-permissions'

const addPolicyOptions: AddPolicyOptions = { ... }

Properties

Name Type Description
policyConfiguration PolicyDefinitionProperty The configuration of the Policy.
policyId string The id of the Policy.
policyConfigurationRequired 
public readonly policyConfiguration: PolicyDefinitionProperty;

The configuration of the Policy.

policyIdRequired 
public readonly policyId: string;
  • Type: string

The id of the Policy.

CognitoGroupConfiguration

Initializer 

import { CognitoGroupConfiguration } from '@cdklabs/cdk-verified-permissions'

const cognitoGroupConfiguration: CognitoGroupConfiguration = { ... }

Properties

Name Type Description
groupEntityType string The name of the schema entity type that's mapped to the user pool group.
groupEntityTypeRequired 
public readonly groupEntityType: string;
  • Type: string

The name of the schema entity type that's mapped to the user pool group.

CognitoUserPoolConfiguration

Initializer 

import { CognitoUserPoolConfiguration } from '@cdklabs/cdk-verified-permissions'

const cognitoUserPoolConfiguration: CognitoUserPoolConfiguration = { ... }

Properties

Name Type Description
userPool aws-cdk-lib.aws_cognito.IUserPool Cognito User Pool.
clientIds string[] Client identifiers.
groupConfiguration CognitoGroupConfiguration Cognito Group Configuration.
userPoolRequired 
public readonly userPool: IUserPool;
  • Type: aws-cdk-lib.aws_cognito.IUserPool
  • Default: no Cognito User Pool

Cognito User Pool.

clientIdsOptional 
public readonly clientIds: string[];
  • Type: string[]
  • Default: empty list.

Client identifiers.

groupConfigurationOptional 
public readonly groupConfiguration: CognitoGroupConfiguration;

Cognito Group Configuration.

EntityIdentifierProperty

Initializer 

import { EntityIdentifierProperty } from '@cdklabs/cdk-verified-permissions'

const entityIdentifierProperty: EntityIdentifierProperty = { ... }

Properties

Name Type Description
entityId string The identifier of an entity.
entityType string The type of an entity.
entityIdRequired 
public readonly entityId: string;
  • Type: string

The identifier of an entity.

entityTypeRequired 
public readonly entityType: string;
  • Type: string

The type of an entity.

IdentitySourceAttributes

Initializer 

import { IdentitySourceAttributes } from '@cdklabs/cdk-verified-permissions'

const identitySourceAttributes: IdentitySourceAttributes = { ... }

Properties

Name Type Description
identitySourceId string No description.
identitySourceIdRequired 
public readonly identitySourceId: string;
  • Type: string

IdentitySourceConfiguration

Initializer 

import { IdentitySourceConfiguration } from '@cdklabs/cdk-verified-permissions'

const identitySourceConfiguration: IdentitySourceConfiguration = { ... }

Properties

Name Type Description
cognitoUserPoolConfiguration CognitoUserPoolConfiguration Cognito User Pool Configuration.
openIdConnectConfiguration OpenIdConnectConfiguration OpenID Connect Idp configuration.
cognitoUserPoolConfigurationOptional 
public readonly cognitoUserPoolConfiguration: CognitoUserPoolConfiguration;

Cognito User Pool Configuration.

openIdConnectConfigurationOptional 
public readonly openIdConnectConfiguration: OpenIdConnectConfiguration;

OpenID Connect Idp configuration.

IdentitySourceProps

Initializer 

import { IdentitySourceProps } from '@cdklabs/cdk-verified-permissions'

const identitySourceProps: IdentitySourceProps = { ... }

Properties

Name Type Description
configuration IdentitySourceConfiguration Identity Source configuration.
policyStore IPolicyStore Policy Store in which you want to store this identity source.
principalEntityType string Principal entity type.
configurationRequired 
public readonly configuration: IdentitySourceConfiguration;

Identity Source configuration.

policyStoreRequired 
public readonly policyStore: IPolicyStore;

Policy Store in which you want to store this identity source.

principalEntityTypeOptional 
public readonly principalEntityType: string;
  • Type: string
  • Default: No principal entity type for the identity source.

Principal entity type.

OpenIdConnectAccessTokenConfiguration

Initializer 

import { OpenIdConnectAccessTokenConfiguration } from '@cdklabs/cdk-verified-permissions'

const openIdConnectAccessTokenConfiguration: OpenIdConnectAccessTokenConfiguration = { ... }

Properties

Name Type Description
audiences string[] The access token aud claim values that you want to accept in your policy store.
principalIdClaim string The claim that determines the principal in OIDC access tokens.
audiencesOptional 
public readonly audiences: string[];
  • Type: string[]
  • Default: no audiences

The access token aud claim values that you want to accept in your policy store.

principalIdClaimOptional 
public readonly principalIdClaim: string;
  • Type: string
  • Default: no principal claim

The claim that determines the principal in OIDC access tokens.

OpenIdConnectConfiguration

Initializer 

import { OpenIdConnectConfiguration } from '@cdklabs/cdk-verified-permissions'

const openIdConnectConfiguration: OpenIdConnectConfiguration = { ... }

Properties

Name Type Description
issuer string The issuer URL of an OIDC identity provider.
accessTokenOnly OpenIdConnectAccessTokenConfiguration The configuration for processing access tokens from your OIDC identity provider Exactly one between accessTokenOnly and identityTokenOnly must be defined.
entityIdPrefix string A descriptive string that you want to prefix to user entities from your OIDC identity provider.
groupConfiguration OpenIdConnectGroupConfiguration The claim in OIDC identity provider tokens that indicates a user's group membership, and the entity type that you want to map it to.
identityTokenOnly OpenIdConnectIdentityTokenConfiguration The configuration for processing identity (ID) tokens from your OIDC identity provider Exactly one between accessTokenOnly and identityTokenOnly must be defined.
issuerRequired 
public readonly issuer: string;
  • Type: string

The issuer URL of an OIDC identity provider.

This URL must have an OIDC discovery endpoint at the path .well-known/openid-configuration

accessTokenOnlyOptional 
public readonly accessTokenOnly: OpenIdConnectAccessTokenConfiguration;

The configuration for processing access tokens from your OIDC identity provider Exactly one between accessTokenOnly and identityTokenOnly must be defined.

entityIdPrefixOptional 
public readonly entityIdPrefix: string;
  • Type: string
  • Default: no Entity ID Prefix

A descriptive string that you want to prefix to user entities from your OIDC identity provider.

groupConfigurationOptional 
public readonly groupConfiguration: OpenIdConnectGroupConfiguration;

The claim in OIDC identity provider tokens that indicates a user's group membership, and the entity type that you want to map it to.

identityTokenOnlyOptional 
public readonly identityTokenOnly: OpenIdConnectIdentityTokenConfiguration;

The configuration for processing identity (ID) tokens from your OIDC identity provider Exactly one between accessTokenOnly and identityTokenOnly must be defined.

OpenIdConnectGroupConfiguration

Initializer 

import { OpenIdConnectGroupConfiguration } from '@cdklabs/cdk-verified-permissions'

const openIdConnectGroupConfiguration: OpenIdConnectGroupConfiguration = { ... }

Properties

Name Type Description
groupClaim string The token claim that you want Verified Permissions to interpret as group membership.
groupEntityType string The policy store entity type that you want to map your users' group claim to.
groupClaimRequired 
public readonly groupClaim: string;
  • Type: string

The token claim that you want Verified Permissions to interpret as group membership.

groupEntityTypeRequired 
public readonly groupEntityType: string;
  • Type: string

The policy store entity type that you want to map your users' group claim to.

OpenIdConnectIdentityTokenConfiguration

Initializer 

import { OpenIdConnectIdentityTokenConfiguration } from '@cdklabs/cdk-verified-permissions'

const openIdConnectIdentityTokenConfiguration: OpenIdConnectIdentityTokenConfiguration = { ... }

Properties

Name Type Description
clientIds string[] The ID token audience, or client ID, claim values that you want to accept in your policy store from an OIDC identity provider.
principalIdClaim string The claim that determines the principal in OIDC access tokens.
clientIdsOptional 
public readonly clientIds: string[];
  • Type: string[]
  • Default: no client IDs

The ID token audience, or client ID, claim values that you want to accept in your policy store from an OIDC identity provider.

principalIdClaimOptional 
public readonly principalIdClaim: string;
  • Type: string
  • Default: no principal claim

The claim that determines the principal in OIDC access tokens.

PolicyAttributes

Initializer 

import { PolicyAttributes } from '@cdklabs/cdk-verified-permissions'

const policyAttributes: PolicyAttributes = { ... }

Properties

Name Type Description
policyId string The unique ID of the new or updated policy.
policyType PolicyType The type of the policy.
policyIdRequired 
public readonly policyId: string;
  • Type: string

The unique ID of the new or updated policy.

policyTypeOptional 
public readonly policyType: PolicyType;

The type of the policy.

This is one of the following values: Static or TemplateLinked

PolicyDefinitionProperty

Initializer 

import { PolicyDefinitionProperty } from '@cdklabs/cdk-verified-permissions'

const policyDefinitionProperty: PolicyDefinitionProperty = { ... }

Properties

Name Type Description
static StaticPolicyDefinitionProperty A structure that describes a static policy.
templateLinked TemplateLinkedPolicyDefinitionProperty A structure that describes a policy that was instantiated from a template.
staticOptional 
public readonly static: StaticPolicyDefinitionProperty;
  • Type: StaticPolicyDefinitionProperty
  • Default: Static must be set for policies created from a static definition. Otherwise, use template linked definitions.

A structure that describes a static policy.

templateLinkedOptional 
public readonly templateLinked: TemplateLinkedPolicyDefinitionProperty;

A structure that describes a policy that was instantiated from a template.

PolicyProps

Initializer 

import { PolicyProps } from '@cdklabs/cdk-verified-permissions'

const policyProps: PolicyProps = { ... }

Properties

Name Type Description
definition PolicyDefinitionProperty Specifies the policy type and content to use for the new or updated policy.
policyStore IPolicyStore The policy store that contains the policy.
definitionRequired 
public readonly definition: PolicyDefinitionProperty;

Specifies the policy type and content to use for the new or updated policy.

The definition structure must include either a Static or a TemplateLinked element.

policyStoreRequired 
public readonly policyStore: IPolicyStore;

The policy store that contains the policy.

PolicyStoreAttributes

Initializer 

import { PolicyStoreAttributes } from '@cdklabs/cdk-verified-permissions'

const policyStoreAttributes: PolicyStoreAttributes = { ... }

Properties

Name Type Description
policyStoreArn string The ARN of the Amazon Verified Permissions Policy Store.
policyStoreId string The id of the Amazon Verified Permissions PolicyStore.
policyStoreArnOptional 
public readonly policyStoreArn: string;
  • Type: string
  • Default: no PolicyStore arn

The ARN of the Amazon Verified Permissions Policy Store.

One of this, or policyStoreId, is required.

policyStoreIdOptional 
public readonly policyStoreId: string;
  • Type: string
  • Default: no PolicyStore id

The id of the Amazon Verified Permissions PolicyStore.

One of this, or policyStoreArn, is required.

PolicyStoreProps

Initializer 

import { PolicyStoreProps } from '@cdklabs/cdk-verified-permissions'

const policyStoreProps: PolicyStoreProps = { ... }

Properties

Name Type Description
validationSettings ValidationSettings The policy store's validation settings.
description string The policy store's description.
schema Schema This attribute is not required from an API point of view.
validationSettingsRequired 
public readonly validationSettings: ValidationSettings;
  • Type: ValidationSettings
  • Default: If not provided, the Policy store will be created with ValidationSettingsMode = "OFF"

The policy store's validation settings.

descriptionOptional 
public readonly description: string;
  • Type: string
  • Default: No description.

The policy store's description.

schemaOptional 
public readonly schema: Schema;
  • Type: Schema
  • Default: No schema.

This attribute is not required from an API point of view.

It represents the schema (in Cedar) to be applied to the PolicyStore.

PolicyTemplateAttributes

Initializer 

import { PolicyTemplateAttributes } from '@cdklabs/cdk-verified-permissions'

const policyTemplateAttributes: PolicyTemplateAttributes = { ... }

Properties

Name Type Description
policyTemplateId string The id of the Amazon Verified Permissions PolicyTemplate.
policyTemplateIdRequired 
public readonly policyTemplateId: string;
  • Type: string

The id of the Amazon Verified Permissions PolicyTemplate.

PolicyTemplateProps

Initializer 

import { PolicyTemplateProps } from '@cdklabs/cdk-verified-permissions'

const policyTemplateProps: PolicyTemplateProps = { ... }

Properties

Name Type Description
policyStore IPolicyStore The policy store that contains the template.
statement string Specifies the content that you want to use for the new policy template, written in the Cedar policy language.
description string The description to attach to the new or updated policy template.
policyStoreRequired 
public readonly policyStore: IPolicyStore;
  • Type: IPolicyStore
  • Default: The policy store to attach the new or updated policy template.

The policy store that contains the template.

statementRequired 
public readonly statement: string;
  • Type: string
  • Default: The statement to attach to the new or updated policy template.

Specifies the content that you want to use for the new policy template, written in the Cedar policy language.

descriptionOptional 
public readonly description: string;
  • Type: string
  • Default: No description.

The description to attach to the new or updated policy template.

Schema

Initializer 

import { Schema } from '@cdklabs/cdk-verified-permissions'

const schema: Schema = { ... }

Properties

Name Type Description
cedarJson string No description.
cedarJsonRequired 
public readonly cedarJson: string;
  • Type: string

StaticPolicyDefinitionProperty

Initializer 

import { StaticPolicyDefinitionProperty } from '@cdklabs/cdk-verified-permissions'

const staticPolicyDefinitionProperty: StaticPolicyDefinitionProperty = { ... }

Properties

Name Type Description
statement string The policy content of the static policy, written in the Cedar policy language.
description string The description of the static policy.
statementRequired 
public readonly statement: string;
  • Type: string

The policy content of the static policy, written in the Cedar policy language.

You can specify a description of the policy directly inside the policy statement, using the Cedar annotation '@cdkDescription'

descriptionOptional 
public readonly description: string;
  • Type: string
  • Default: Empty description.

The description of the static policy.

If this is set, it has always precedence over description defined in policy statement through '@cdkDescription' annotation

StaticPolicyFromFileProps

Initializer 

import { StaticPolicyFromFileProps } from '@cdklabs/cdk-verified-permissions'

const staticPolicyFromFileProps: StaticPolicyFromFileProps = { ... }

Properties

Name Type Description
path string The path to the file to be read which contains a single cedar statement representing a policy.
policyStore IPolicyStore The policy store that the policy will be created under.
description string The description of the static policy.
pathRequired 
public readonly path: string;
  • Type: string

The path to the file to be read which contains a single cedar statement representing a policy.

policyStoreRequired 
public readonly policyStore: IPolicyStore;

The policy store that the policy will be created under.

descriptionOptional 
public readonly description: string;
  • Type: string

The description of the static policy.

TemplateFromFileProps

Initializer 

import { TemplateFromFileProps } from '@cdklabs/cdk-verified-permissions'

const templateFromFileProps: TemplateFromFileProps = { ... }

Properties

Name Type Description
path string The path to the file to be read which contains a single cedar statement representing a policy template.
policyStore IPolicyStore The policy store that the policy template will be created under.
description string The description of the plicy template.
pathRequired 
public readonly path: string;
  • Type: string

The path to the file to be read which contains a single cedar statement representing a policy template.

policyStoreRequired 
public readonly policyStore: IPolicyStore;

The policy store that the policy template will be created under.

descriptionOptional 
public readonly description: string;
  • Type: string

The description of the plicy template.

TemplateLinkedPolicyDefinitionProperty

Initializer 

import { TemplateLinkedPolicyDefinitionProperty } from '@cdklabs/cdk-verified-permissions'

const templateLinkedPolicyDefinitionProperty: TemplateLinkedPolicyDefinitionProperty = { ... }

Properties

Name Type Description
policyTemplate IPolicyTemplate The unique identifier of the policy template used to create this policy.
principal EntityIdentifierProperty The principal associated with this template-linked policy.
resource EntityIdentifierProperty The resource associated with this template-linked policy.
policyTemplateRequired 
public readonly policyTemplate: IPolicyTemplate;

The unique identifier of the policy template used to create this policy.

principalOptional 
public readonly principal: EntityIdentifierProperty;

The principal associated with this template-linked policy.

resourceOptional 
public readonly resource: EntityIdentifierProperty;

The resource associated with this template-linked policy.

ValidationSettings

Initializer 

import { ValidationSettings } from '@cdklabs/cdk-verified-permissions'

const validationSettings: ValidationSettings = { ... }

Properties

Name Type Description
mode ValidationSettingsMode No description.
modeRequired 
public readonly mode: ValidationSettingsMode;

Protocols

IIdentitySource

Properties

Name Type Description
node constructs.Node The tree node.
env aws-cdk-lib.ResourceEnvironment The environment this resource belongs to.
stack aws-cdk-lib.Stack The stack in which this resource is defined.
identitySourceId string Identity Source identifier.
nodeRequired 
public readonly node: Node;
  • Type: constructs.Node

The tree node.

envRequired 
public readonly env: ResourceEnvironment;
  • Type: aws-cdk-lib.ResourceEnvironment

The environment this resource belongs to.

For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.

stackRequired 
public readonly stack: Stack;
  • Type: aws-cdk-lib.Stack

The stack in which this resource is defined.

identitySourceIdRequired 
public readonly identitySourceId: string;
  • Type: string

Identity Source identifier.

IPolicy

Properties

Name Type Description
node constructs.Node The tree node.
env aws-cdk-lib.ResourceEnvironment The environment this resource belongs to.
stack aws-cdk-lib.Stack The stack in which this resource is defined.
policyId string The unique ID of the new or updated policy.
policyType PolicyType The type of the policy.
nodeRequired 
public readonly node: Node;
  • Type: constructs.Node

The tree node.

envRequired 
public readonly env: ResourceEnvironment;
  • Type: aws-cdk-lib.ResourceEnvironment

The environment this resource belongs to.

For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.

stackRequired 
public readonly stack: Stack;
  • Type: aws-cdk-lib.Stack

The stack in which this resource is defined.

policyIdRequired 
public readonly policyId: string;
  • Type: string

The unique ID of the new or updated policy.

policyTypeRequired 
public readonly policyType: PolicyType;

The type of the policy.

This is one of the following values: Static or TemplateLinked.

IPolicyStore

Methods

Name Description
grant Adds an IAM policy statement associated with this policy store to an IAM principal's policy.
grantAuth Permits an IAM principal all auth operations on the policy store: IsAuthorized, IsAuthorizedWithToken.
grantRead Permits an IAM principal all read operations on the policy store: GetIdentitySource, GetPolicy, GetPolicyStore, GetPolicyTemplate, GetSchema, ListIdentitySources, ListPolicies, ListPolicyTemplates.
grantWrite Permits an IAM principal all write & read operations on the policy store: CreateIdentitySource, CreatePolicy,CreatePolicyTemplate, DeleteIdentitySource, DeletePolicy, DeletePolicyTemplate, PutSchema, UpdateIdentitySource, UpdatePolicy, UpdatePolicyTemplate.
grant 
public grant(grantee: IGrantable, actions: ...string[]): Grant

Adds an IAM policy statement associated with this policy store to an IAM principal's policy.

granteeRequired
  • Type: aws-cdk-lib.aws_iam.IGrantable

The principal (no-op if undefined).

actionsRequired
  • Type: ...string[]

The set of actions to allow (i.e. "verifiedpermissions:IsAuthorized", "verifiedpermissions:ListPolicies", ...).

grantAuth 
public grantAuth(grantee: IGrantable): Grant

Permits an IAM principal all auth operations on the policy store: IsAuthorized, IsAuthorizedWithToken.

granteeRequired
  • Type: aws-cdk-lib.aws_iam.IGrantable
grantRead 
public grantRead(grantee: IGrantable): Grant

Permits an IAM principal all read operations on the policy store: GetIdentitySource, GetPolicy, GetPolicyStore, GetPolicyTemplate, GetSchema, ListIdentitySources, ListPolicies, ListPolicyTemplates.

granteeRequired
  • Type: aws-cdk-lib.aws_iam.IGrantable
grantWrite 
public grantWrite(grantee: IGrantable): Grant

Permits an IAM principal all write & read operations on the policy store: CreateIdentitySource, CreatePolicy,CreatePolicyTemplate, DeleteIdentitySource, DeletePolicy, DeletePolicyTemplate, PutSchema, UpdateIdentitySource, UpdatePolicy, UpdatePolicyTemplate.

granteeRequired
  • Type: aws-cdk-lib.aws_iam.IGrantable

Properties

Name Type Description
node constructs.Node The tree node.
env aws-cdk-lib.ResourceEnvironment The environment this resource belongs to.
stack aws-cdk-lib.Stack The stack in which this resource is defined.
policyStoreArn string ARN of the Policy Store.
policyStoreId string ID of the Policy Store.
nodeRequired 
public readonly node: Node;
  • Type: constructs.Node

The tree node.

envRequired 
public readonly env: ResourceEnvironment;
  • Type: aws-cdk-lib.ResourceEnvironment

The environment this resource belongs to.

For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.

stackRequired 
public readonly stack: Stack;
  • Type: aws-cdk-lib.Stack

The stack in which this resource is defined.

policyStoreArnRequired 
public readonly policyStoreArn: string;
  • Type: string

ARN of the Policy Store.

policyStoreIdRequired 
public readonly policyStoreId: string;
  • Type: string

ID of the Policy Store.

IPolicyTemplate

Properties

Name Type Description
node constructs.Node The tree node.
env aws-cdk-lib.ResourceEnvironment The environment this resource belongs to.
stack aws-cdk-lib.Stack The stack in which this resource is defined.
policyTemplateId string The ID of the policy template.
nodeRequired 
public readonly node: Node;
  • Type: constructs.Node

The tree node.

envRequired 
public readonly env: ResourceEnvironment;
  • Type: aws-cdk-lib.ResourceEnvironment

The environment this resource belongs to.

For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.

stackRequired 
public readonly stack: Stack;
  • Type: aws-cdk-lib.Stack

The stack in which this resource is defined.

policyTemplateIdRequired 
public readonly policyTemplateId: string;
  • Type: string

The ID of the policy template.

Enums

PolicyType

PolicyType options.

Members

Name Description
STATIC No description.
TEMPLATELINKED No description.
STATIC
TEMPLATELINKED

ValidationSettingsMode

Validation Settings mode, according to the Cloudformation PolicyStore resource.

Members

Name Description
OFF No description.
STRICT No description.
OFF
STRICT