Authorization and Amazon Verified Permissions: A New Way to Manage Permissions - Part VI - Policy Templates

pigius

Daniel Aniszkiewicz

Posted on July 20, 2023

Authorization and Amazon Verified Permissions: A New Way to Manage Permissions - Part VI - Policy Templates

Welcome back to my series on AWS Verified Permissions (AVP)! If you've been following along, you'll know that we've covered a lot of ground so far. We've explored the basics of AVP, looked at how to use the Test Bench feature, and much more. In this sixth blogpost, we're going to dive into a powerful feature of AVP: Policy Templates. I'll explain what they are, why they're useful, and how to use them in the context of our ongoing ecommerce example. As always, we'll provide step-by-step instructions for both the AWS console and our handy AVP CLI tool.

Policy Templates

Policy Templates in AVP are reusable policy definitions that can be linked to multiple principals and resources. They are a way to define a policy once and then apply it to many different entities. This concept is from Cedar, a policy management system that also uses templates to simplify policy creation and management.

In the context of AVP, a Policy Template is a blueprint for a policy that can be applied to different principals and resources (but not for actions). It's a way to define the permissions once and then apply them to multiple entities, ensuring consistency and reducing the complexity of your policy management.

For example, in our ecommerce system, we might have a policy that allows sellers to list products. Instead of creating a separate policy for each seller, we can create a single policy template and link it to each seller. This not only reduces the number of policies we need to manage, but also ensures consistency across all sellers.

Why Use Policy Templates?

Policy Templates offer several benefits:

Efficiency: Instead of creating individual policies for each entity, you can create one policy template and link it to multiple entities. This can save time and reduce the complexity of your policy management.

Consistency: By using a policy template, you ensure that all entities linked to the template have the same permissions. This can help prevent errors and inconsistencies that might arise from manually creating individual policies.

Flexibility: Policy templates can be linked to different types of entities (e.g., users, roles, groups) and resources, providing a flexible way to manage permissions across your system.

Granular Control: Policy templates provide a more granular level of control compared to using groups or allowing all access. They allow you to specify exactly what actions a principal can perform on a resource, reducing the risk of over-permissioning.

Static Policies vs Template-Linked Policies vs Policy Templates

Before we dive into how to use policy templates, let's clarify the difference between static policies, template-linked policies, and policy templates.

Static Policies: These are standalone policies that define permissions for a specific principal and resource. They are not linked to a template and can't be reused for other principals or resources.

Template-Linked Policies: These are policies that are linked to a policy template. They inherit the permissions defined in the template and apply them to a specific principal and resource.

Policy Templates: These are reusable policy definitions that can be linked to multiple principals and resources through template-linked policies. They define a set of permissions that can be applied consistently across multiple entities.

Policy Templates in action

Let's walk through the process of creating and using a policy template for our ecommerce scenario.

Two approaches:

Manually in AWS Console

  • Open the AWS Management Console, find the AVP service, and create a new policy store. Select Empty policy store.

Empty Policy Store

  • Navigate to Schema and add below json:
{
    "EcommercePlatform": {
        "entityTypes": {
            "Product": {
                "shape": {
                    "type": "Record",
                    "attributes": {}
                }
            },
            "Seller": {
                "shape": {
                    "type": "Record",
                    "attributes": {}
                }
            }
        },
        "actions": {
            "List": {
                "appliesTo": {
                    "principalTypes": [
                        "Seller"
                    ],
                    "resourceTypes": [
                        "Product"
                    ]
                }
            },
            "Remove": {
                "appliesTo": {
                    "principalTypes": [
                        "Seller"
                    ],
                    "resourceTypes": [
                        "Product"
                    ]
                }
            },
            "Update": {
                "appliesTo": {
                    "resourceTypes": [
                        "Product"
                    ],
                    "principalTypes": [
                        "Seller"
                    ]
                }
            }
        }
    }
}

Enter fullscreen mode Exit fullscreen mode

Schema

  • Navigate to the "Policy Templates" section. Click on "Create Policy Template". You'll be asked to provide a name and a policy definition. The policy definition should be a JSON object that describes the permissions granted by the policy. For our ecommerce example, we might create a policy template that allows a seller to list a product.

  • For description use "Policy template that allows a seller to list a product", and for "Policy template body" use:

permit (
    principal == ?principal,
    action in [
        EcommercePlatform::Action::"List"
    ],
    resource == ?resource
);
Enter fullscreen mode Exit fullscreen mode

Policy template

  • Once the policy template is created, you can link it to principals and resources. Navigate to the "Polices" section and click on "Create Template-Linked Policy".

Template

  • Select already existing policy template, and click next.

Select policy template

  • Now you need to provide values that are injected into the template to create the policy (principal - seller and resource - product), and create a policy.

values

  • After creating the template-linked policy, you can review it in the "Template-Linked Policies" section. You'll see the policy template, the principal, and the resource, along with any other template-linked policies you've created.

  • At the end we can test it in Test Bench section.

Test Bench

That's it!

Via AVP-CLI

We can also avoid doing it manually within the AWS console, and use avp-cli for deploying it via CLI.

For the purpose of this blogpost I've created scenario Ecommerce policy template scenario which is the exact usecase.

Simply download it, and run "Ecommerce with Template-Linked Policies Scenario" from the avaliable scenarios.

āžœ  avp-cli git:(main) node index.js
Welcome to AVP CLI!
This tool is designed to help you interact with the AWS Verified Permissions (AVP) service. You can use it to create, manage, and delete policy stores, schemas, and policies.
Please ensure that you have set up your AWS credentials correctly to use this tool.
? What would you like to do? Use prepared scenarios
? Choose a scenario 
  Documents Scenario 
  Ecommerce with Context Scenario 
  Ecommerce with Group Scenario 
āÆ Ecommerce with Template-Linked Policies Scenario 
Enter fullscreen mode Exit fullscreen mode

After it will be successfully finished, open the AVP in AWS console to play around with that.

Next steps

That's all for today. I encourage you to play around it more. In addition, I encourage you to try the official AVP workshop from AWS where there are also policy templates.

As for the next blogpost, I will describe the topics of audit and pricing of the service.

šŸ’– šŸ’Ŗ šŸ™… šŸš©
pigius
Daniel Aniszkiewicz

Posted on July 20, 2023

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related