
We recommend new projects start with resources from the AWS provider.

AWS Cloud Control v1.27.0 published on Monday, Apr 14, 2025 by Pulumi

aws-native.verifiedpermissions.PolicyStore

Represents a policy store in which you can place a schema, policies, and policy templates to validate authorization requests.

Example Usage

C#

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AwsNative = Pulumi.AwsNative;

return await Deployment.RunAsync(() => 
{
    var myPolicyStore = new AwsNative.VerifiedPermissions.PolicyStore("myPolicyStore", new()
    {
        Schema = new AwsNative.VerifiedPermissions.Inputs.PolicyStoreSchemaDefinitionArgs
        {
            CedarJson = "{\"PhotoApp\":{\"commonTypes\":{\"PersonType\":{\"type\":\"Record\",\"attributes\":{\"age\":{\"type\":\"Long\"},\"name\":{\"type\":\"String\"}}},\"ContextType\":{\"type\":\"Record\",\"attributes\":{\"ip\":{\"type\":\"Extension\",\"name\":\"ipaddr\",\"required\":false},\"authenticated\":{\"type\":\"Boolean\",\"required\":true}}}},\"entityTypes\":{\"User\":{\"shape\":{\"type\":\"Record\",\"attributes\":{\"userId\":{\"type\":\"String\"},\"personInformation\":{\"type\":\"PersonType\"}}},\"memberOfTypes\":[\"UserGroup\"]},\"UserGroup\":{\"shape\":{\"type\":\"Record\",\"attributes\":{}}},\"Photo\":{\"shape\":{\"type\":\"Record\",\"attributes\":{\"account\":{\"type\":\"Entity\",\"name\":\"Account\",\"required\":true},\"private\":{\"type\":\"Boolean\",\"required\":true}}},\"memberOfTypes\":[\"Album\",\"Account\"]},\"Album\":{\"shape\":{\"type\":\"Record\",\"attributes\":{}}},\"Account\":{\"shape\":{\"type\":\"Record\",\"attributes\":{}}}},\"actions\":{\"viewPhoto\":{\"appliesTo\":{\"principalTypes\":[\"User\",\"UserGroup\"],\"resourceTypes\":[\"Photo\"],\"context\":{\"type\":\"ContextType\"}}},\"createPhoto\":{\"appliesTo\":{\"principalTypes\":[\"User\",\"UserGroup\"],\"resourceTypes\":[\"Photo\"],\"context\":{\"type\":\"ContextType\"}}},\"listPhotos\":{\"appliesTo\":{\"principalTypes\":[\"User\",\"UserGroup\"],\"resourceTypes\":[\"Photo\"],\"context\":{\"type\":\"ContextType\"}}}}}}",
        },
        ValidationSettings = new AwsNative.VerifiedPermissions.Inputs.PolicyStoreValidationSettingsArgs
        {
            Mode = AwsNative.VerifiedPermissions.PolicyStoreValidationMode.Strict,
        },
    });

});

Go

package main

import (
	"github.com/pulumi/pulumi-aws-native/sdk/go/aws/verifiedpermissions"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := verifiedpermissions.NewPolicyStore(ctx, "myPolicyStore", &verifiedpermissions.PolicyStoreArgs{
			Schema: &verifiedpermissions.PolicyStoreSchemaDefinitionArgs{
				CedarJson: pulumi.String("{\"PhotoApp\":{\"commonTypes\":{\"PersonType\":{\"type\":\"Record\",\"attributes\":{\"age\":{\"type\":\"Long\"},\"name\":{\"type\":\"String\"}}},\"ContextType\":{\"type\":\"Record\",\"attributes\":{\"ip\":{\"type\":\"Extension\",\"name\":\"ipaddr\",\"required\":false},\"authenticated\":{\"type\":\"Boolean\",\"required\":true}}}},\"entityTypes\":{\"User\":{\"shape\":{\"type\":\"Record\",\"attributes\":{\"userId\":{\"type\":\"String\"},\"personInformation\":{\"type\":\"PersonType\"}}},\"memberOfTypes\":[\"UserGroup\"]},\"UserGroup\":{\"shape\":{\"type\":\"Record\",\"attributes\":{}}},\"Photo\":{\"shape\":{\"type\":\"Record\",\"attributes\":{\"account\":{\"type\":\"Entity\",\"name\":\"Account\",\"required\":true},\"private\":{\"type\":\"Boolean\",\"required\":true}}},\"memberOfTypes\":[\"Album\",\"Account\"]},\"Album\":{\"shape\":{\"type\":\"Record\",\"attributes\":{}}},\"Account\":{\"shape\":{\"type\":\"Record\",\"attributes\":{}}}},\"actions\":{\"viewPhoto\":{\"appliesTo\":{\"principalTypes\":[\"User\",\"UserGroup\"],\"resourceTypes\":[\"Photo\"],\"context\":{\"type\":\"ContextType\"}}},\"createPhoto\":{\"appliesTo\":{\"principalTypes\":[\"User\",\"UserGroup\"],\"resourceTypes\":[\"Photo\"],\"context\":{\"type\":\"ContextType\"}}},\"listPhotos\":{\"appliesTo\":{\"principalTypes\":[\"User\",\"UserGroup\"],\"resourceTypes\":[\"Photo\"],\"context\":{\"type\":\"ContextType\"}}}}}}"),
			},
			ValidationSettings: &verifiedpermissions.PolicyStoreValidationSettingsArgs{
				Mode: verifiedpermissions.PolicyStoreValidationModeStrict,
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

TypeScript

import * as pulumi from "@pulumi/pulumi";
import * as aws_native from "@pulumi/aws-native";

const myPolicyStore = new aws_native.verifiedpermissions.PolicyStore("myPolicyStore", {
    schema: {
        cedarJson: "{\"PhotoApp\":{\"commonTypes\":{\"PersonType\":{\"type\":\"Record\",\"attributes\":{\"age\":{\"type\":\"Long\"},\"name\":{\"type\":\"String\"}}},\"ContextType\":{\"type\":\"Record\",\"attributes\":{\"ip\":{\"type\":\"Extension\",\"name\":\"ipaddr\",\"required\":false},\"authenticated\":{\"type\":\"Boolean\",\"required\":true}}}},\"entityTypes\":{\"User\":{\"shape\":{\"type\":\"Record\",\"attributes\":{\"userId\":{\"type\":\"String\"},\"personInformation\":{\"type\":\"PersonType\"}}},\"memberOfTypes\":[\"UserGroup\"]},\"UserGroup\":{\"shape\":{\"type\":\"Record\",\"attributes\":{}}},\"Photo\":{\"shape\":{\"type\":\"Record\",\"attributes\":{\"account\":{\"type\":\"Entity\",\"name\":\"Account\",\"required\":true},\"private\":{\"type\":\"Boolean\",\"required\":true}}},\"memberOfTypes\":[\"Album\",\"Account\"]},\"Album\":{\"shape\":{\"type\":\"Record\",\"attributes\":{}}},\"Account\":{\"shape\":{\"type\":\"Record\",\"attributes\":{}}}},\"actions\":{\"viewPhoto\":{\"appliesTo\":{\"principalTypes\":[\"User\",\"UserGroup\"],\"resourceTypes\":[\"Photo\"],\"context\":{\"type\":\"ContextType\"}}},\"createPhoto\":{\"appliesTo\":{\"principalTypes\":[\"User\",\"UserGroup\"],\"resourceTypes\":[\"Photo\"],\"context\":{\"type\":\"ContextType\"}}},\"listPhotos\":{\"appliesTo\":{\"principalTypes\":[\"User\",\"UserGroup\"],\"resourceTypes\":[\"Photo\"],\"context\":{\"type\":\"ContextType\"}}}}}}",
    },
    validationSettings: {
        mode: aws_native.verifiedpermissions.PolicyStoreValidationMode.Strict,
    },
});

Python

import pulumi
import pulumi_aws_native as aws_native

my_policy_store = aws_native.verifiedpermissions.PolicyStore("myPolicyStore",
    schema={
        "cedar_json": "{\"PhotoApp\":{\"commonTypes\":{\"PersonType\":{\"type\":\"Record\",\"attributes\":{\"age\":{\"type\":\"Long\"},\"name\":{\"type\":\"String\"}}},\"ContextType\":{\"type\":\"Record\",\"attributes\":{\"ip\":{\"type\":\"Extension\",\"name\":\"ipaddr\",\"required\":false},\"authenticated\":{\"type\":\"Boolean\",\"required\":true}}}},\"entityTypes\":{\"User\":{\"shape\":{\"type\":\"Record\",\"attributes\":{\"userId\":{\"type\":\"String\"},\"personInformation\":{\"type\":\"PersonType\"}}},\"memberOfTypes\":[\"UserGroup\"]},\"UserGroup\":{\"shape\":{\"type\":\"Record\",\"attributes\":{}}},\"Photo\":{\"shape\":{\"type\":\"Record\",\"attributes\":{\"account\":{\"type\":\"Entity\",\"name\":\"Account\",\"required\":true},\"private\":{\"type\":\"Boolean\",\"required\":true}}},\"memberOfTypes\":[\"Album\",\"Account\"]},\"Album\":{\"shape\":{\"type\":\"Record\",\"attributes\":{}}},\"Account\":{\"shape\":{\"type\":\"Record\",\"attributes\":{}}}},\"actions\":{\"viewPhoto\":{\"appliesTo\":{\"principalTypes\":[\"User\",\"UserGroup\"],\"resourceTypes\":[\"Photo\"],\"context\":{\"type\":\"ContextType\"}}},\"createPhoto\":{\"appliesTo\":{\"principalTypes\":[\"User\",\"UserGroup\"],\"resourceTypes\":[\"Photo\"],\"context\":{\"type\":\"ContextType\"}}},\"listPhotos\":{\"appliesTo\":{\"principalTypes\":[\"User\",\"UserGroup\"],\"resourceTypes\":[\"Photo\"],\"context\":{\"type\":\"ContextType\"}}}}}}",
    },
    validation_settings={
        "mode": aws_native.verifiedpermissions.PolicyStoreValidationMode.STRICT,
    })

Create PolicyStore Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new PolicyStore(name: string, args: PolicyStoreArgs, opts?: CustomResourceOptions);
@overload
def PolicyStore(resource_name: str,
                args: PolicyStoreArgs,
                opts: Optional[ResourceOptions] = None)

@overload
def PolicyStore(resource_name: str,
                opts: Optional[ResourceOptions] = None,
                validation_settings: Optional[PolicyStoreValidationSettingsArgs] = None,
                description: Optional[str] = None,
                schema: Optional[PolicyStoreSchemaDefinitionArgs] = None)
func NewPolicyStore(ctx *Context, name string, args PolicyStoreArgs, opts ...ResourceOption) (*PolicyStore, error)
public PolicyStore(string name, PolicyStoreArgs args, CustomResourceOptions? opts = null)
public PolicyStore(String name, PolicyStoreArgs args)
public PolicyStore(String name, PolicyStoreArgs args, CustomResourceOptions options)
type: aws-native:verifiedpermissions:PolicyStore
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name This property is required. string
The unique name of the resource.
args This property is required. PolicyStoreArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name This property is required. str
The unique name of the resource.
args This property is required. PolicyStoreArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name This property is required. string
The unique name of the resource.
args This property is required. PolicyStoreArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name This property is required. string
The unique name of the resource.
args This property is required. PolicyStoreArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name This property is required. String
The unique name of the resource.
args This property is required. PolicyStoreArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

PolicyStore Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The PolicyStore resource accepts the following input properties:

ValidationSettings This property is required. Pulumi.AwsNative.VerifiedPermissions.Inputs.PolicyStoreValidationSettings

Specifies the validation setting for this policy store.

Currently, the only valid and required value is Mode.

We recommend that you turn on STRICT mode only after you define a schema. If a schema doesn't exist, then STRICT mode causes any policy to fail validation, and Verified Permissions rejects the policy. You can turn off validation by using UpdatePolicyStore. Then, when you have a schema defined, use UpdatePolicyStore again to turn validation back on.

Description string
Descriptive text that you can provide to help with identification of the current policy store.
Schema Pulumi.AwsNative.VerifiedPermissions.Inputs.PolicyStoreSchemaDefinition
Creates or updates the policy schema in a policy store. Cedar can use the schema to validate any Cedar policies and policy templates submitted to the policy store. Any changes to the schema validate only policies and templates submitted after the schema change. Existing policies and templates are not re-evaluated against the changed schema. If you later update a policy, then it is evaluated against the new schema at that time.
ValidationSettings This property is required. PolicyStoreValidationSettingsArgs

Specifies the validation setting for this policy store.

Currently, the only valid and required value is Mode.

We recommend that you turn on STRICT mode only after you define a schema. If a schema doesn't exist, then STRICT mode causes any policy to fail validation, and Verified Permissions rejects the policy. You can turn off validation by using UpdatePolicyStore. Then, when you have a schema defined, use UpdatePolicyStore again to turn validation back on.

Description string
Descriptive text that you can provide to help with identification of the current policy store.
Schema PolicyStoreSchemaDefinitionArgs
Creates or updates the policy schema in a policy store. Cedar can use the schema to validate any Cedar policies and policy templates submitted to the policy store. Any changes to the schema validate only policies and templates submitted after the schema change. Existing policies and templates are not re-evaluated against the changed schema. If you later update a policy, then it is evaluated against the new schema at that time.
validationSettings This property is required. PolicyStoreValidationSettings

Specifies the validation setting for this policy store.

Currently, the only valid and required value is Mode.

We recommend that you turn on STRICT mode only after you define a schema. If a schema doesn't exist, then STRICT mode causes any policy to fail validation, and Verified Permissions rejects the policy. You can turn off validation by using UpdatePolicyStore. Then, when you have a schema defined, use UpdatePolicyStore again to turn validation back on.

description String
Descriptive text that you can provide to help with identification of the current policy store.
schema PolicyStoreSchemaDefinition
Creates or updates the policy schema in a policy store. Cedar can use the schema to validate any Cedar policies and policy templates submitted to the policy store. Any changes to the schema validate only policies and templates submitted after the schema change. Existing policies and templates are not re-evaluated against the changed schema. If you later update a policy, then it is evaluated against the new schema at that time.
validationSettings This property is required. PolicyStoreValidationSettings

Specifies the validation setting for this policy store.

Currently, the only valid and required value is Mode.

We recommend that you turn on STRICT mode only after you define a schema. If a schema doesn't exist, then STRICT mode causes any policy to fail validation, and Verified Permissions rejects the policy. You can turn off validation by using UpdatePolicyStore. Then, when you have a schema defined, use UpdatePolicyStore again to turn validation back on.

description string
Descriptive text that you can provide to help with identification of the current policy store.
schema PolicyStoreSchemaDefinition
Creates or updates the policy schema in a policy store. Cedar can use the schema to validate any Cedar policies and policy templates submitted to the policy store. Any changes to the schema validate only policies and templates submitted after the schema change. Existing policies and templates are not re-evaluated against the changed schema. If you later update a policy, then it is evaluated against the new schema at that time.
validation_settings This property is required. PolicyStoreValidationSettingsArgs

Specifies the validation setting for this policy store.

Currently, the only valid and required value is Mode.

We recommend that you turn on STRICT mode only after you define a schema. If a schema doesn't exist, then STRICT mode causes any policy to fail validation, and Verified Permissions rejects the policy. You can turn off validation by using UpdatePolicyStore. Then, when you have a schema defined, use UpdatePolicyStore again to turn validation back on.

description str
Descriptive text that you can provide to help with identification of the current policy store.
schema PolicyStoreSchemaDefinitionArgs
Creates or updates the policy schema in a policy store. Cedar can use the schema to validate any Cedar policies and policy templates submitted to the policy store. Any changes to the schema validate only policies and templates submitted after the schema change. Existing policies and templates are not re-evaluated against the changed schema. If you later update a policy, then it is evaluated against the new schema at that time.
validationSettings This property is required. Property Map

Specifies the validation setting for this policy store.

Currently, the only valid and required value is Mode.

We recommend that you turn on STRICT mode only after you define a schema. If a schema doesn't exist, then STRICT mode causes any policy to fail validation, and Verified Permissions rejects the policy. You can turn off validation by using UpdatePolicyStore. Then, when you have a schema defined, use UpdatePolicyStore again to turn validation back on.

description String
Descriptive text that you can provide to help with identification of the current policy store.
schema Property Map
Creates or updates the policy schema in a policy store. Cedar can use the schema to validate any Cedar policies and policy templates submitted to the policy store. Any changes to the schema validate only policies and templates submitted after the schema change. Existing policies and templates are not re-evaluated against the changed schema. If you later update a policy, then it is evaluated against the new schema at that time.

Outputs

All input properties are implicitly available as output properties. Additionally, the PolicyStore resource produces the following output properties:

Arn string
The Amazon Resource Name (ARN) of the new or updated policy store.
Id string
The provider-assigned unique ID for this managed resource.
PolicyStoreId string
The unique ID of the new or updated policy store.
Arn string
The Amazon Resource Name (ARN) of the new or updated policy store.
Id string
The provider-assigned unique ID for this managed resource.
PolicyStoreId string
The unique ID of the new or updated policy store.
arn String
The Amazon Resource Name (ARN) of the new or updated policy store.
id String
The provider-assigned unique ID for this managed resource.
policyStoreId String
The unique ID of the new or updated policy store.
arn string
The Amazon Resource Name (ARN) of the new or updated policy store.
id string
The provider-assigned unique ID for this managed resource.
policyStoreId string
The unique ID of the new or updated policy store.
arn str
The Amazon Resource Name (ARN) of the new or updated policy store.
id str
The provider-assigned unique ID for this managed resource.
policy_store_id str
The unique ID of the new or updated policy store.
arn String
The Amazon Resource Name (ARN) of the new or updated policy store.
id String
The provider-assigned unique ID for this managed resource.
policyStoreId String
The unique ID of the new or updated policy store.

Supporting Types

PolicyStoreSchemaDefinition, PolicyStoreSchemaDefinitionArgs

CedarJson string
A JSON string representation of the schema supported by applications that use this policy store. For more information, see Policy store schema in the AVP User Guide.
CedarJson string
A JSON string representation of the schema supported by applications that use this policy store. For more information, see Policy store schema in the AVP User Guide.
cedarJson String
A JSON string representation of the schema supported by applications that use this policy store. For more information, see Policy store schema in the AVP User Guide.
cedarJson string
A JSON string representation of the schema supported by applications that use this policy store. For more information, see Policy store schema in the AVP User Guide.
cedar_json str
A JSON string representation of the schema supported by applications that use this policy store. For more information, see Policy store schema in the AVP User Guide.
cedarJson String
A JSON string representation of the schema supported by applications that use this policy store. For more information, see Policy store schema in the AVP User Guide.

PolicyStoreValidationMode, PolicyStoreValidationModeArgs

C#: Off = OFF, Strict = STRICT
Go: PolicyStoreValidationModeOff = OFF, PolicyStoreValidationModeStrict = STRICT
Java: Off = OFF, Strict = STRICT
TypeScript: Off = OFF, Strict = STRICT
Python: OFF = OFF, STRICT = STRICT
YAML: "OFF" = OFF, "STRICT" = STRICT

PolicyStoreValidationSettings, PolicyStoreValidationSettingsArgs

Mode This property is required. Pulumi.AwsNative.VerifiedPermissions.PolicyStoreValidationMode

The validation mode currently configured for this policy store. The valid values are:

  • OFF – Neither Verified Permissions nor Cedar perform any validation on policies. No validation errors are reported by either service.
  • STRICT – Requires a schema to be present in the policy store. Cedar performs validation on all submitted new or updated static policies and policy templates. Any that fail validation are rejected and Cedar doesn't store them in the policy store.

If Mode=STRICT and the policy store doesn't contain a schema, Verified Permissions rejects all static policies and policy templates because there is no schema to validate against.

To submit a static policy or policy template without a schema, you must turn off validation.

Mode This property is required. PolicyStoreValidationMode

The validation mode currently configured for this policy store. The valid values are:

  • OFF – Neither Verified Permissions nor Cedar perform any validation on policies. No validation errors are reported by either service.
  • STRICT – Requires a schema to be present in the policy store. Cedar performs validation on all submitted new or updated static policies and policy templates. Any that fail validation are rejected and Cedar doesn't store them in the policy store.

If Mode=STRICT and the policy store doesn't contain a schema, Verified Permissions rejects all static policies and policy templates because there is no schema to validate against.

To submit a static policy or policy template without a schema, you must turn off validation.

mode This property is required. PolicyStoreValidationMode

The validation mode currently configured for this policy store. The valid values are:

  • OFF – Neither Verified Permissions nor Cedar perform any validation on policies. No validation errors are reported by either service.
  • STRICT – Requires a schema to be present in the policy store. Cedar performs validation on all submitted new or updated static policies and policy templates. Any that fail validation are rejected and Cedar doesn't store them in the policy store.

If Mode=STRICT and the policy store doesn't contain a schema, Verified Permissions rejects all static policies and policy templates because there is no schema to validate against.

To submit a static policy or policy template without a schema, you must turn off validation.

mode This property is required. PolicyStoreValidationMode

The validation mode currently configured for this policy store. The valid values are:

  • OFF – Neither Verified Permissions nor Cedar perform any validation on policies. No validation errors are reported by either service.
  • STRICT – Requires a schema to be present in the policy store. Cedar performs validation on all submitted new or updated static policies and policy templates. Any that fail validation are rejected and Cedar doesn't store them in the policy store.

If Mode=STRICT and the policy store doesn't contain a schema, Verified Permissions rejects all static policies and policy templates because there is no schema to validate against.

To submit a static policy or policy template without a schema, you must turn off validation.

mode This property is required. PolicyStoreValidationMode

The validation mode currently configured for this policy store. The valid values are:

  • OFF – Neither Verified Permissions nor Cedar perform any validation on policies. No validation errors are reported by either service.
  • STRICT – Requires a schema to be present in the policy store. Cedar performs validation on all submitted new or updated static policies and policy templates. Any that fail validation are rejected and Cedar doesn't store them in the policy store.

If Mode=STRICT and the policy store doesn't contain a schema, Verified Permissions rejects all static policies and policy templates because there is no schema to validate against.

To submit a static policy or policy template without a schema, you must turn off validation.

mode This property is required. "OFF" | "STRICT"

The validation mode currently configured for this policy store. The valid values are:

  • OFF – Neither Verified Permissions nor Cedar perform any validation on policies. No validation errors are reported by either service.
  • STRICT – Requires a schema to be present in the policy store. Cedar performs validation on all submitted new or updated static policies and policy templates. Any that fail validation are rejected and Cedar doesn't store them in the policy store.

If Mode=STRICT and the policy store doesn't contain a schema, Verified Permissions rejects all static policies and policy templates because there is no schema to validate against.

To submit a static policy or policy template without a schema, you must turn off validation.
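The two rules stated above (STRICT rejects every policy when no schema is present, and a schema only validates what is submitted after it lands) are easy to get wrong at deploy time, where the symptom is a policy store that silently refuses all policies. The following Python helper is an added example, not code from this page or from the pulumi-aws-native SDK. It lints a Cedar JSON schema for dangling references (memberOfTypes, principalTypes, resourceTypes, Entity names and commonType references that nothing declares), picks OFF when no schema is supplied and STRICT otherwise, and refuses to build resource arguments for a schema it cannot resolve. The PhotoApp schema is the one from the examples on this page; the names lint_cedar_schema, validation_mode_for, policy_store_args and the constants are this example's own. The checks are a subset of what Cedar itself validates, so this is a pre-flight filter, not a replacement for the service's validation.

```python
# Pre-flight checks for a Cedar JSON schema before it goes into a Verified
# Permissions policy store (added example; helper names are this example's own).
import json
from typing import Any, Optional

# Type names built into Cedar's JSON schema format; any other "type" value
# must name a commonType declared in the schema.
BUILTIN_TYPES = {"String", "Long", "Boolean", "Set", "Record", "Entity", "Extension"}

# The PhotoApp schema from the examples on this page, as a Python dict.
PHOTO_APP_SCHEMA: dict[str, Any] = {"PhotoApp": {
    "commonTypes": {
        "PersonType": {"type": "Record", "attributes": {"age": {"type": "Long"}, "name": {"type": "String"}}},
        "ContextType": {"type": "Record", "attributes": {
            "ip": {"type": "Extension", "name": "ipaddr", "required": False},
            "authenticated": {"type": "Boolean", "required": True}}}},
    "entityTypes": {
        "User": {"memberOfTypes": ["UserGroup"], "shape": {"type": "Record", "attributes": {
            "userId": {"type": "String"}, "personInformation": {"type": "PersonType"}}}},
        "UserGroup": {"shape": {"type": "Record", "attributes": {}}},
        "Photo": {"memberOfTypes": ["Album", "Account"], "shape": {"type": "Record", "attributes": {
            "account": {"type": "Entity", "name": "Account", "required": True},
            "private": {"type": "Boolean", "required": True}}}},
        "Album": {"shape": {"type": "Record", "attributes": {}}},
        "Account": {"shape": {"type": "Record", "attributes": {}}}},
    "actions": {action: {"appliesTo": {"principalTypes": ["User", "UserGroup"], "resourceTypes": ["Photo"],
                                       "context": {"type": "ContextType"}}}
                for action in ("viewPhoto", "createPhoto", "listPhotos")}}}
PHOTO_APP_JSON = json.dumps(PHOTO_APP_SCHEMA)


def _check_type(node: Any, where: str, entities: set, commons: set, out: list) -> None:
    """Walk one Cedar type expression, appending dangling references to `out`."""
    if not isinstance(node, dict) or "type" not in node:
        out.append(f"{where}: expected an object with a 'type' key")
        return
    kind = node["type"]
    if kind == "Record":
        for attr, sub in (node.get("attributes") or {}).items():
            _check_type(sub, f"{where}.{attr}", entities, commons, out)
    elif kind == "Set":
        _check_type(node.get("element"), f"{where}[]", entities, commons, out)
    elif kind == "Entity" and node.get("name") not in entities:
        out.append(f"{where}: entity type {node.get('name')!r} is not declared")
    elif kind not in BUILTIN_TYPES and kind not in commons:
        out.append(f"{where}: {kind!r} is neither built-in nor a declared commonType")


def lint_cedar_schema(cedar_json: str) -> list[str]:
    """Return the structural problems in a Cedar JSON schema (empty list = sound)."""
    try:
        schema = json.loads(cedar_json)
    except json.JSONDecodeError as exc:
        return [f"cedarJson is not valid JSON: {exc}"]
    if not isinstance(schema, dict) or not schema:
        return ["schema must be a non-empty JSON object keyed by namespace"]
    namespaces = {ns: body for ns, body in schema.items() if isinstance(body, dict)}
    out = [f"{ns}: namespace body must be an object" for ns in schema if ns not in namespaces]
    # Fully qualified entity names may be referenced from any namespace.
    qualified = {f"{ns}::{n}" for ns, body in namespaces.items()
                 for n in (body.get("entityTypes") or {})}
    for ns, body in namespaces.items():
        entities = set(body.get("entityTypes") or {}) | qualified
        commons = set(body.get("commonTypes") or {})
        for name, ctype in (body.get("commonTypes") or {}).items():
            _check_type(ctype, f"{ns}::commonTypes.{name}", entities, commons, out)
        for name, etype in (body.get("entityTypes") or {}).items():
            for parent in etype.get("memberOfTypes") or []:
                if parent not in entities:
                    out.append(f"{ns}::{name}: memberOfTypes refers to undeclared {parent!r}")
            if "shape" in etype:
                _check_type(etype["shape"], f"{ns}::{name}.shape", entities, commons, out)
        for name, action in (body.get("actions") or {}).items():
            applies = action.get("appliesTo") or {}
            for key in ("principalTypes", "resourceTypes"):
                for ref in applies.get(key) or []:
                    if ref not in entities:
                        out.append(f"{ns}::Action::{name}: {key} refers to undeclared {ref!r}")
            if "context" in applies:
                _check_type(applies["context"], f"{ns}::Action::{name}.context",
                            entities, commons, out)
    return out


def validation_mode_for(cedar_json: Optional[str]) -> str:
    """Pick the PolicyStore validation mode the supplied schema can support."""
    if cedar_json is None:
        return "OFF"  # STRICT without a schema rejects every policy
    problems = lint_cedar_schema(cedar_json)
    if problems:  # fail the deployment rather than ship a schema STRICT cannot use
        raise ValueError("Cedar schema rejected:\n  " + "\n  ".join(problems))
    return "STRICT"


def policy_store_args(cedar_json: Optional[str]) -> dict[str, Any]:
    """Keyword arguments for aws_native.verifiedpermissions.PolicyStore as dict-literal inputs."""
    args: dict[str, Any] = {"validation_settings": {"mode": validation_mode_for(cedar_json)}}
    if cedar_json is not None:
        args["schema"] = {"cedar_json": cedar_json}
    return args
```

In a Pulumi program the result feeds the Python constructor shown above directly: aws_native.verifiedpermissions.PolicyStore("myPolicyStore", **policy_store_args(PHOTO_APP_JSON)). Because existing policies and templates are not re-evaluated when the schema changes, run the same lint on a replacement schema before an update too; it tells you whether the new schema is internally coherent, not which already-stored policies it would invalidate, so review those separately before switching validation back to STRICT.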

Package Details

Repository
AWS Native pulumi/pulumi-aws-native
License
Apache-2.0