Expand description
Amazon Verified Permissions is a permissions management service from Amazon Web Services. You can use Verified Permissions to manage permissions for your application, and authorize user access based on those permissions. Using Verified Permissions, application developers can grant access based on information about the users, resources, and requested actions. You can also evaluate additional information like group membership, attributes of the resources, and session context, such as time of request and IP addresses. Verified Permissions manages these permissions by letting you create and store authorization policies for your applications, such as consumer-facing web sites and enterprise business systems.
Verified Permissions uses Cedar as the policy language to express your permission requirements. Cedar supports both role-based access control (RBAC) and attribute-based access control (ABAC) authorization models.
For more information about configuring, administering, and using Amazon Verified Permissions in your applications, see the Amazon Verified Permissions User Guide.
For more information about the Cedar policy language, see the Cedar Policy Language Guide.
When you write Cedar policies that reference principals, resources and actions, you can define the unique identifiers used for each of those elements. We strongly recommend that you follow these best practices:
- Use values like universally unique identifiers (UUIDs) for all principal and resource identifiers. For example, if user jane leaves the company, and you later let someone else use the name jane, then that new user automatically gets access to everything granted by policies that still reference User::“jane”. Cedar can’t distinguish between the new user and the old. This applies to both principal and resource identifiers. Always use identifiers that are guaranteed unique and never reused to ensure that you don’t unintentionally grant access because of the presence of an old identifier in a policy. Where you use a UUID for an entity, we recommend that you follow it with the // comment specifier and the ‘friendly’ name of your entity. This helps to make your policies easier to understand. For example: principal == User::“a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111”, // alice
- Do not include personally identifying, confidential, or sensitive information as part of the unique identifier for your principals or resources. These identifiers are included in log entries shared in CloudTrail trails.
Several operations return structures that appear similar, but have different purposes. As new functionality is added to the product, the structure used in a parameter of one operation might need to change in a way that wouldn’t make sense for the same parameter in a different operation. To help you understand the purpose of each, the following naming convention is used for the structures:
- Parameter type structures that end in Detail are used in Get operations.
- Parameter type structures that end in Item are used in List operations.
- Parameter type structures that use neither suffix are used in the mutating (create and update) operations.
§Getting Started
Examples are available for many services and operations, check out the examples folder in GitHub.
The SDK provides one crate per AWS service. You must add Tokio
as a dependency within your Rust project to execute asynchronous code. To add aws-sdk-verifiedpermissions to
your project, add the following to your Cargo.toml file:
[dependencies]
aws-config = { version = "1.1.7", features = ["behavior-version-latest"] }
aws-sdk-verifiedpermissions = "1.55.0"
tokio = { version = "1", features = ["full"] }Then in code, a client can be created with the following:
use aws_sdk_verifiedpermissions as verifiedpermissions;
#[::tokio::main]
async fn main() -> Result<(), verifiedpermissions::Error> {
let config = aws_config::load_from_env().await;
let client = aws_sdk_verifiedpermissions::Client::new(&config);
// ... make some calls with the client
Ok(())
}See the client documentation for information on what calls can be made, and the inputs and outputs for each of those calls.
§Using the SDK
Until the SDK is released, we will be adding information about using the SDK to the Developer Guide. Feel free to suggest additional sections for the guide by opening an issue and describing what you are trying to do.
§Getting Help
- GitHub discussions - For ideas, RFCs & general questions
- GitHub issues - For bug reports & feature requests
- Generated Docs (latest version)
- Usage examples
§Crate Organization
The entry point for most customers will be Client, which exposes one method for each API
offered by Amazon Verified Permissions. The return value of each of these methods is a “fluent builder”,
where the different inputs for that API are added by builder-style function call chaining,
followed by calling send() to get a Future that will result in
either a successful output or a SdkError.
Some of these API inputs may be structs or enums to provide more complex structured information.
These structs and enums live in types. There are some simpler types for
representing data such as date times or binary blobs that live in primitives.
All types required to configure a client via the Config struct live
in config.
The operation module has a submodule for every API, and in each submodule
is the input, output, and error type for that API, as well as builders to construct each of those.
There is a top-level Error type that encompasses all the errors that the
client can return. Any other error type can be converted to this Error type via the
From trait.
The other modules within this crate are not required for normal usage.
Modules§
- Client for calling Amazon Verified Permissions.
- Configuration for Amazon Verified Permissions.
- Common errors and error handling utilities.
- Information about this crate.
- All operations that this crate can perform.
- Primitives such as
BloborDateTimeused by other types. - Data structures used by operation inputs/outputs.
Structs§
- Client for Amazon Verified Permissions
- Configuration for a aws_sdk_verifiedpermissions service client.
Enums§
- All possible error types for this service.