1 Answer
- Mapping Technical Actions to Business-Friendly Names: Currently, Amazon Verified Permissions (AVP) does not provide a built-in way to directly map technical actions to business-friendly names within the policy itself. The policies are written in Cedar language and typically use the technical API endpoints as actions.
  However, you can implement a solution to achieve this mapping in your application layer. Here's a recommended approach:
  - Create a mapping table or configuration file in your application that associates business-friendly names with their corresponding technical API endpoints.
  - In your Lambda authorizer, when receiving a request, translate the business-friendly action name to its technical counterpart before sending it to AVP for evaluation.
  - Maintain this mapping in a centralized location in your application, such as a database or configuration file, for easy updates and management.
- Mapping One Business-Friendly Action to Multiple APIs: AVP policies don't directly support mapping one action to multiple APIs. However, you can achieve this functionality through your application logic:
  - In your mapping configuration, associate a business-friendly action name with multiple API endpoints.
  - When evaluating permissions in your Lambda authorizer, check if the requested action matches any of the mapped endpoints.
  - If a match is found, proceed with the AVP authorization check using the specific technical API endpoint.
  For example, your mapping might look like: "Update Entity": ["GET /entity/id", "PUT /entity/id"]
  In your Lambda authorizer, you would check if the requested action matches either of these endpoints before proceeding with the AVP check.
- UI Options for Policy Management: AWS does not currently provide a separate UI for managing AVP policies outside of the AWS Console. For tenant management of policies, you would need to develop your own UI solution. Here are some best practices for implementing such a solution:
  - Create a user-friendly interface that abstracts the complexity of the Cedar policy language.
  - Implement role-based access control to ensure only authorized users can modify policies.
  - Provide templates or wizards to guide users through policy creation.
  - Include validation to ensure policies are syntactically correct before saving.
  - Implement versioning and auditing for policy changes.
  - Consider using the AWS SDK or API calls to interact with AVP programmatically from your custom UI.
  Remember to thoroughly test your custom UI solution to ensure it correctly interacts with AVP and maintains the integrity of your authorization system.
Sources
Community | Using Verified Permissions with Cognito to control access to API endpoints
Community | Protect API Gateway with Amazon Verified Permissions
answered a month ago
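The answer above describes the mapping (one business-friendly action covering several technical endpoints) and the authorizer check in prose only. The following is an added example, not code from the answer or from AWS, of how a REQUEST-type Lambda authorizer can keep that mapping and use it. Note that it runs the lookup in the direction a request actually needs, from the technical method and route template to the business action(s) that cover it, and then asks AVP about those business actions. The policy store ID, the entity type names, the `ACTION_MAP` routes and the principal IDs are constructed placeholders; `is_authorized` is passed in as a callable with the signature of boto3's `verifiedpermissions` `Client.is_authorized`, so the module runs offline with a fake and in production receives the real client method. Validating the caller's token to obtain `principal_id` (as in the linked Cognito posts) is outside this example.

```python
"""Added example (not AWS's code): reverse-map a technical API Gateway route to the
business-friendly action(s) covering it, then evaluate those with AVP, failing closed."""
import re

POLICY_STORE_ID = "PLACEHOLDER-policy-store-id"  # assumption: your AVP policy store ID
PRINCIPAL_TYPE = "MyApp::User"                   # assumption: entity types from your Cedar schema
ACTION_TYPE = "MyApp::Action"
RESOURCE_TYPE = "MyApp::Entity"

# Constructed mapping: one business-friendly action may cover several routes.
# {id} is a route parameter, written the way API Gateway resource paths are.
ACTION_MAP = {
    "ViewEntity": ["GET /entity/{id}"],
    "UpdateEntity": ["GET /entity/{id}", "PUT /entity/{id}"],
    "DeleteEntity": ["DELETE /entity/{id}"],
}


def _compile_route(route):
    """Turn 'PUT /entity/{id}' into ('PUT', regex with one named group per parameter)."""
    method, path = route.split(" ", 1)
    parts = re.split(r"(\{[^/]+\})", path)
    pattern = "".join(
        f"(?P<{p[1:-1]}>[^/]+)" if p.startswith("{") else re.escape(p) for p in parts
    )
    return method.upper(), re.compile(f"^{pattern}$")


# Compiled once per Lambda container so each request is a small linear scan.
_COMPILED = {name: [_compile_route(r) for r in routes] for name, routes in ACTION_MAP.items()}


def covering_actions(method, path):
    """Reverse lookup: business actions whose endpoint list matches this technical request.

    Returns a list of (action_name, route_parameters) sorted by name; an empty
    list means the route is unmapped, which the caller treats as a deny.
    """
    found = []
    for name, routes in _COMPILED.items():
        for route_method, regex in routes:
            match = regex.match(path) if route_method == method.upper() else None
            if match:
                found.append((name, match.groupdict()))
                break  # one hit per business action is enough
    return sorted(found, key=lambda item: item[0])


def authorize_request(method, path, principal_id, is_authorized):
    """Ask AVP about each business action covering the request; allow on the first ALLOW.

    Fails closed: an unmapped route, or a DENY for every covering action, is a DENY.
    Returns (decision, granting_business_action_or_None).
    """
    for action_name, params in covering_actions(method, path):
        resource_id = params.get("id", path)  # resource identity from the route parameter
        response = is_authorized(
            policyStoreId=POLICY_STORE_ID,
            principal={"entityType": PRINCIPAL_TYPE, "entityId": principal_id},
            action={"actionType": ACTION_TYPE, "actionId": action_name},
            resource={"entityType": RESOURCE_TYPE, "entityId": resource_id},
        )
        if response.get("decision") == "ALLOW":
            return "ALLOW", action_name
    return "DENY", None


def build_authorizer_response(principal_id, decision, method_arn, business_action=None):
    """Shape API Gateway expects from a Lambda authorizer; the granting business action is
    returned in `context` so downstream logs can record the business-level reason."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": "Allow" if decision == "ALLOW" else "Deny",
                "Resource": method_arn,
            }],
        },
        "context": {"businessAction": business_action or "none"},
    }


if __name__ == "__main__":
    # Offline demo with a fake AVP client (constructed grants). In production pass
    # boto3.client("verifiedpermissions").is_authorized and the validated token subject.
    grants = {("alice", "ViewEntity"), ("bob", "DeleteEntity")}

    def fake_is_authorized(**kwargs):
        key = (kwargs["principal"]["entityId"], kwargs["action"]["actionId"])
        return {"decision": "ALLOW" if key in grants else "DENY"}

    for who, m, p in [("alice", "GET", "/entity/42"), ("alice", "PUT", "/entity/42"),
                      ("bob", "DELETE", "/entity/7"), ("bob", "PATCH", "/entity/7")]:
        print(who, m, p, "->", authorize_request(m, p, who, fake_is_authorized))
```

Two design choices are worth stating. The request is allowed when AVP allows at least one of the business actions covering its route, which is what "one business action covers several endpoints" implies; a route that appears in no mapping never reaches AVP and is denied, so a forgotten mapping entry fails closed rather than open. Keeping the compiled route table at module scope also means a mapping change is a deployment (or a re-read from your central store), which is where the answer's advice to version and audit the mapping applies.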
The above auto-generated answer says "In your Lambda authorizer, when receiving a request, translate the business-friendly action name to its technical counterpart before sending it to AVP for evaluation.", but in a request we would be getting technical actions, e.g. GET /pet-store/1, and not business actions. Also, we have technical actions only in the AVP policy. Can we please have an expert look into these queries?