[Amazon Verified Permissions] Can't change "==" to "in" within policy template

Question

In Amazon Verified Permissions I have a policy template that contains this: "principal == ?principal"

I want to change it to this: "principal in ?principal"

Seems like I should be allowed to do this, but when I try to make the change it does not allow it and returns: "Template principal cannot change during update."

Is there any way to change the operator in my template policy?

Answer

There isn't currently a way to change this.  It's not explicit on the [Editing policy templates](https://docs.aws.amazon.com/verifiedpermissions/latest/userguide/policies_template-edit.html) page, but as of 10-MAR-2024 [Editing Amazon Verified Permissions static policies](https://docs.aws.amazon.com/verifiedpermissions/latest/userguide/policies_edit.html) calls out "principal referenced by a static policy" as something that can't change.

> You can't change these elements of a static policy:
> 
> - Changing a policy from a static policy to a template-linked policy.
> - Changing the effect of a static policy from permit or forbid.
> - The principal referenced by a static policy.
> - The resource referenced by a static policy.

Verified Permissions can use `principal` as part of [PolicyFilter](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_PolicyFilter.html) and these is some backend indexing to support this.  You are correct is is not clear that switching from `==` to `in` changes the principal.  I'll submit documentation feedback on this topic.

[Amazon Verified Permissions] Can't change "==" to "in" within policy template

Relevanter Inhalt