CfnIdentitySourcePropsMixin
- class aws_cdk.mixins_preview.aws_verifiedpermissions.mixins.CfnIdentitySourcePropsMixin(props, *, strategy=None)
Bases:
Mixin

Creates or updates a reference to Amazon Cognito as an external identity provider.

If you are creating a new identity source, then you must specify a Configuration. If you are updating an existing identity source, then you must specify an UpdateConfiguration.

After you create an identity source, you can use the identities provided by the IdP as proxies for the principal in authorization queries that use the IsAuthorizedWithToken operation. These identities take the form of tokens that contain claims about the user, such as IDs, attributes and group memberships. Amazon Cognito provides both identity tokens and access tokens, and Verified Permissions can use either or both. Any combination of identity and access tokens results in the same Cedar principal. Verified Permissions automatically translates the information about the identities into the standard Cedar attributes that can be evaluated by your policies. Because the Amazon Cognito identity and access tokens can contain different information, the tokens you choose to use determine the attributes that are available to access in the Cedar principal from your policies.

Amazon Cognito Identity is not available in all of the same AWS Regions as Verified Permissions. Because of this, the AWS::VerifiedPermissions::IdentitySource type is not available to create from CloudFormation in Regions where Amazon Cognito Identity is not currently available. Users can still create AWS::VerifiedPermissions::IdentitySource in those Regions, but only from the AWS CLI, SDK, or from the AWS console.

To reference a user from this identity source in your Cedar policies, use the following syntax: IdentityType::"| Where IdentityType is the string that you provide to the PrincipalEntityType parameter for this operation. The CognitoUserPoolId and CognitoClientId are defined by the Amazon Cognito user pool.
- CloudformationResource:
AWS::VerifiedPermissions::IdentitySource
- Mixin:
true
- ExampleMetadata:
fixture=_generated
Example:
# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk.mixins_preview import mixins
from aws_cdk.mixins_preview.aws_verifiedpermissions import mixins as verifiedpermissions_mixins

cfn_identity_source_props_mixin = verifiedpermissions_mixins.CfnIdentitySourcePropsMixin(verifiedpermissions_mixins.CfnIdentitySourceMixinProps(
    configuration=verifiedpermissions_mixins.CfnIdentitySourcePropsMixin.IdentitySourceConfigurationProperty(
        cognito_user_pool_configuration=verifiedpermissions_mixins.CfnIdentitySourcePropsMixin.CognitoUserPoolConfigurationProperty(
            client_ids=["clientIds"],
            group_configuration=verifiedpermissions_mixins.CfnIdentitySourcePropsMixin.CognitoGroupConfigurationProperty(
                group_entity_type="groupEntityType"
            ),
            user_pool_arn="userPoolArn"
        ),
        open_id_connect_configuration=verifiedpermissions_mixins.CfnIdentitySourcePropsMixin.OpenIdConnectConfigurationProperty(
            entity_id_prefix="entityIdPrefix",
            group_configuration=verifiedpermissions_mixins.CfnIdentitySourcePropsMixin.OpenIdConnectGroupConfigurationProperty(
                group_claim="groupClaim",
                group_entity_type="groupEntityType"
            ),
            issuer="issuer",
            token_selection=verifiedpermissions_mixins.CfnIdentitySourcePropsMixin.OpenIdConnectTokenSelectionProperty(
                access_token_only=verifiedpermissions_mixins.CfnIdentitySourcePropsMixin.OpenIdConnectAccessTokenConfigurationProperty(
                    audiences=["audiences"],
                    principal_id_claim="principalIdClaim"
                ),
                identity_token_only=verifiedpermissions_mixins.CfnIdentitySourcePropsMixin.OpenIdConnectIdentityTokenConfigurationProperty(
                    client_ids=["clientIds"],
                    principal_id_claim="principalIdClaim"
                )
            )
        )
    ),
    policy_store_id="policyStoreId",
    principal_entity_type="principalEntityType"
),
    strategy=mixins.PropertyMergeStrategy.OVERRIDE
)
Create a mixin to apply properties to AWS::VerifiedPermissions::IdentitySource.
- Parameters:
props (Union[CfnIdentitySourceMixinProps, Dict[str, Any]]) – L1 properties to apply.
strategy (Optional[PropertyMergeStrategy]) – (experimental) Strategy for merging nested properties. Default: PropertyMergeStrategy.MERGE
Methods
- apply_to(construct)
Apply the mixin properties to the construct.
- Parameters:
construct (IConstruct)
- Return type:
- supports(construct)
Check if this mixin supports the given construct.
- Parameters:
construct (IConstruct)
- Return type:
bool
Attributes
- CFN_PROPERTY_KEYS = ['configuration', 'policyStoreId', 'principalEntityType']
Static Methods
- classmethod is_mixin(x)
(experimental) Checks if x is a Mixin.
- Parameters:
x (Any) – Any object.
- Return type:
bool
- Returns:
true if x is an object created from a class which extends Mixin.
- Stability:
experimental
CognitoGroupConfigurationProperty
- class CfnIdentitySourcePropsMixin.CognitoGroupConfigurationProperty(*, group_entity_type=None)
Bases:
object

The type of entity that a policy store maps to groups from an Amazon Cognito user pool identity source.
- Parameters:
group_entity_type (Optional[str]) – The name of the schema entity type that’s mapped to the user pool group. Defaults to AWS::CognitoGroup.
- ExampleMetadata:
fixture=_generated
Example:
# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk.mixins_preview.aws_verifiedpermissions import mixins as verifiedpermissions_mixins

cognito_group_configuration_property = verifiedpermissions_mixins.CfnIdentitySourcePropsMixin.CognitoGroupConfigurationProperty(
    group_entity_type="groupEntityType"
)
Attributes
- group_entity_type
The name of the schema entity type that’s mapped to the user pool group. Defaults to AWS::CognitoGroup.
CognitoUserPoolConfigurationProperty
- class CfnIdentitySourcePropsMixin.CognitoUserPoolConfigurationProperty(*, client_ids=None, group_configuration=None, user_pool_arn=None)
Bases:
object

A structure that contains configuration information used when creating or updating an identity source that represents a connection to an Amazon Cognito user pool used as an identity provider for Verified Permissions.
- Parameters:
client_ids (Optional[Sequence[str]]) – The unique application client IDs that are associated with the specified Amazon Cognito user pool. Example: "ClientIds": ["&ExampleCogClientId;"]
group_configuration (Union[IResolvable, CognitoGroupConfigurationProperty, Dict[str, Any], None]) – The type of entity that a policy store maps to groups from an Amazon Cognito user pool identity source.
user_pool_arn (Optional[str]) – The Amazon Resource Name (ARN) of the Amazon Cognito user pool that contains the identities to be authorized.
- ExampleMetadata:
fixture=_generated
Example:
# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk.mixins_preview.aws_verifiedpermissions import mixins as verifiedpermissions_mixins

cognito_user_pool_configuration_property = verifiedpermissions_mixins.CfnIdentitySourcePropsMixin.CognitoUserPoolConfigurationProperty(
    client_ids=["clientIds"],
    group_configuration=verifiedpermissions_mixins.CfnIdentitySourcePropsMixin.CognitoGroupConfigurationProperty(
        group_entity_type="groupEntityType"
    ),
    user_pool_arn="userPoolArn"
)
Attributes
- client_ids
The unique application client IDs that are associated with the specified Amazon Cognito user pool. Example: "ClientIds": ["&ExampleCogClientId;"]
- group_configuration
The type of entity that a policy store maps to groups from an Amazon Cognito user pool identity source.
- user_pool_arn
The Amazon Resource Name (ARN) of the Amazon Cognito user pool that contains the identities to be authorized.
IdentitySourceConfigurationProperty
- class CfnIdentitySourcePropsMixin.IdentitySourceConfigurationProperty(*, cognito_user_pool_configuration=None, open_id_connect_configuration=None)
Bases:
object

A structure that contains configuration information used when creating or updating a new identity source.

At this time, the only valid member of this structure is an Amazon Cognito user pool configuration. You must specify a userPoolArn, and optionally, a ClientId.
- Parameters:
cognito_user_pool_configuration (Union[IResolvable, CognitoUserPoolConfigurationProperty, Dict[str, Any], None]) – A structure that contains configuration information used when creating or updating an identity source that represents a connection to an Amazon Cognito user pool used as an identity provider for Verified Permissions.
open_id_connect_configuration (Union[IResolvable, OpenIdConnectConfigurationProperty, Dict[str, Any], None])
- ExampleMetadata:
fixture=_generated
Example:
# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk.mixins_preview.aws_verifiedpermissions import mixins as verifiedpermissions_mixins

identity_source_configuration_property = verifiedpermissions_mixins.CfnIdentitySourcePropsMixin.IdentitySourceConfigurationProperty(
    cognito_user_pool_configuration=verifiedpermissions_mixins.CfnIdentitySourcePropsMixin.CognitoUserPoolConfigurationProperty(
        client_ids=["clientIds"],
        group_configuration=verifiedpermissions_mixins.CfnIdentitySourcePropsMixin.CognitoGroupConfigurationProperty(
            group_entity_type="groupEntityType"
        ),
        user_pool_arn="userPoolArn"
    ),
    open_id_connect_configuration=verifiedpermissions_mixins.CfnIdentitySourcePropsMixin.OpenIdConnectConfigurationProperty(
        entity_id_prefix="entityIdPrefix",
        group_configuration=verifiedpermissions_mixins.CfnIdentitySourcePropsMixin.OpenIdConnectGroupConfigurationProperty(
            group_claim="groupClaim",
            group_entity_type="groupEntityType"
        ),
        issuer="issuer",
        token_selection=verifiedpermissions_mixins.CfnIdentitySourcePropsMixin.OpenIdConnectTokenSelectionProperty(
            access_token_only=verifiedpermissions_mixins.CfnIdentitySourcePropsMixin.OpenIdConnectAccessTokenConfigurationProperty(
                audiences=["audiences"],
                principal_id_claim="principalIdClaim"
            ),
            identity_token_only=verifiedpermissions_mixins.CfnIdentitySourcePropsMixin.OpenIdConnectIdentityTokenConfigurationProperty(
                client_ids=["clientIds"],
                principal_id_claim="principalIdClaim"
            )
        )
    )
)
Attributes
- cognito_user_pool_configuration
A structure that contains configuration information used when creating or updating an identity source that represents a connection to an Amazon Cognito user pool used as an identity provider for Verified Permissions.
IdentitySourceDetailsProperty
- class CfnIdentitySourcePropsMixin.IdentitySourceDetailsProperty(*, client_ids=None, discovery_url=None, open_id_issuer=None, user_pool_arn=None)
Bases:
object
- Parameters:
client_ids (Optional[Sequence[str]])
discovery_url (Optional[str])
open_id_issuer (Optional[str])
user_pool_arn (Optional[str])
- ExampleMetadata:
fixture=_generated
Example:
# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk.mixins_preview.aws_verifiedpermissions import mixins as verifiedpermissions_mixins

identity_source_details_property = verifiedpermissions_mixins.CfnIdentitySourcePropsMixin.IdentitySourceDetailsProperty(
    client_ids=["clientIds"],
    discovery_url="discoveryUrl",
    open_id_issuer="openIdIssuer",
    user_pool_arn="userPoolArn"
)
Attributes
- client_ids
- discovery_url
- open_id_issuer
OpenIdConnectAccessTokenConfigurationProperty
- class CfnIdentitySourcePropsMixin.OpenIdConnectAccessTokenConfigurationProperty(*, audiences=None, principal_id_claim=None)
Bases:
object

The configuration of an OpenID Connect (OIDC) identity source for handling access token claims.

Contains the claim that you want to identify as the principal in an authorization request, and the values of the aud claim, or audiences, that you want to accept.

This data type is part of an OpenIdConnectTokenSelection structure, which is a parameter of CreateIdentitySource.
- Parameters:
audiences (Optional[Sequence[str]]) – The access token aud claim values that you want to accept in your policy store. For example, https://myapp.example.com, https://myapp2.example.com.
principal_id_claim (Optional[str]) – The claim that determines the principal in OIDC access tokens. For example, sub. Default: "sub"
- ExampleMetadata:
fixture=_generated
Example:
# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk.mixins_preview.aws_verifiedpermissions import mixins as verifiedpermissions_mixins

open_id_connect_access_token_configuration_property = verifiedpermissions_mixins.CfnIdentitySourcePropsMixin.OpenIdConnectAccessTokenConfigurationProperty(
    audiences=["audiences"],
    principal_id_claim="principalIdClaim"
)
Attributes
- audiences
The access token aud claim values that you want to accept in your policy store. For example, https://myapp.example.com, https://myapp2.example.com.
- principal_id_claim
The claim that determines the principal in OIDC access tokens. For example, sub.
OpenIdConnectConfigurationProperty
- class CfnIdentitySourcePropsMixin.OpenIdConnectConfigurationProperty(*, entity_id_prefix=None, group_configuration=None, issuer=None, token_selection=None)
Bases:
object

Contains configuration details of an OpenID Connect (OIDC) identity provider, or identity source, that Verified Permissions can use to generate entities from authenticated identities. It specifies the issuer URL, the token type that you want to use, and policy store entity details.

This data type is part of a Configuration structure, which is a parameter to CreateIdentitySource.
- Parameters:
entity_id_prefix (Optional[str]) – A descriptive string that you want to prefix to user entities from your OIDC identity provider. For example, if you set an entityIdPrefix of MyOIDCProvider, you can reference principals in your policies in the format MyCorp::User::MyOIDCProvider|Carlos.
group_configuration (Union[IResolvable, OpenIdConnectGroupConfigurationProperty, Dict[str, Any], None]) – The claim in OIDC identity provider tokens that indicates a user’s group membership, and the entity type that you want to map it to. For example, this object can map the contents of a groups claim to MyCorp::UserGroup.
issuer (Optional[str]) – The issuer URL of an OIDC identity provider. This URL must have an OIDC discovery endpoint at the path .well-known/openid-configuration.
token_selection (Union[IResolvable, OpenIdConnectTokenSelectionProperty, Dict[str, Any], None]) – The token type that you want to process from your OIDC identity provider. Your policy store can process either identity (ID) or access tokens from a given OIDC identity source.
- ExampleMetadata:
fixture=_generated
Example:
# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk.mixins_preview.aws_verifiedpermissions import mixins as verifiedpermissions_mixins

open_id_connect_configuration_property = verifiedpermissions_mixins.CfnIdentitySourcePropsMixin.OpenIdConnectConfigurationProperty(
    entity_id_prefix="entityIdPrefix",
    group_configuration=verifiedpermissions_mixins.CfnIdentitySourcePropsMixin.OpenIdConnectGroupConfigurationProperty(
        group_claim="groupClaim",
        group_entity_type="groupEntityType"
    ),
    issuer="issuer",
    token_selection=verifiedpermissions_mixins.CfnIdentitySourcePropsMixin.OpenIdConnectTokenSelectionProperty(
        access_token_only=verifiedpermissions_mixins.CfnIdentitySourcePropsMixin.OpenIdConnectAccessTokenConfigurationProperty(
            audiences=["audiences"],
            principal_id_claim="principalIdClaim"
        ),
        identity_token_only=verifiedpermissions_mixins.CfnIdentitySourcePropsMixin.OpenIdConnectIdentityTokenConfigurationProperty(
            client_ids=["clientIds"],
            principal_id_claim="principalIdClaim"
        )
    )
)
Attributes
- entity_id_prefix
A descriptive string that you want to prefix to user entities from your OIDC identity provider. For example, if you set an entityIdPrefix of MyOIDCProvider, you can reference principals in your policies in the format MyCorp::User::MyOIDCProvider|Carlos.
- group_configuration
The claim in OIDC identity provider tokens that indicates a user’s group membership, and the entity type that you want to map it to. For example, this object can map the contents of a groups claim to MyCorp::UserGroup.
- issuer
The issuer URL of an OIDC identity provider. This URL must have an OIDC discovery endpoint at the path .well-known/openid-configuration.
- token_selection
The token type that you want to process from your OIDC identity provider. Your policy store can process either identity (ID) or access tokens from a given OIDC identity source.
OpenIdConnectGroupConfigurationProperty
- class CfnIdentitySourcePropsMixin.OpenIdConnectGroupConfigurationProperty(*, group_claim=None, group_entity_type=None)
Bases:
object

The claim in OIDC identity provider tokens that indicates a user’s group membership, and the entity type that you want to map it to. For example, this object can map the contents of a groups claim to MyCorp::UserGroup.

This data type is part of an OpenIdConnectConfiguration structure, which is a parameter of CreateIdentitySource.
- Parameters:
group_claim (Optional[str]) – The token claim that you want Verified Permissions to interpret as group membership. For example, groups.
group_entity_type (Optional[str]) – The policy store entity type that you want to map your users’ group claim to. For example, MyCorp::UserGroup. A group entity type is an entity that can have a user entity type as a member.
- ExampleMetadata:
fixture=_generated
Example:
# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk.mixins_preview.aws_verifiedpermissions import mixins as verifiedpermissions_mixins

open_id_connect_group_configuration_property = verifiedpermissions_mixins.CfnIdentitySourcePropsMixin.OpenIdConnectGroupConfigurationProperty(
    group_claim="groupClaim",
    group_entity_type="groupEntityType"
)
Attributes
- group_claim
The token claim that you want Verified Permissions to interpret as group membership. For example, groups.
- group_entity_type
The policy store entity type that you want to map your users’ group claim to. For example, MyCorp::UserGroup. A group entity type is an entity that can have a user entity type as a member.
OpenIdConnectIdentityTokenConfigurationProperty
- class CfnIdentitySourcePropsMixin.OpenIdConnectIdentityTokenConfigurationProperty(*, client_ids=None, principal_id_claim=None)
Bases:
object

The configuration of an OpenID Connect (OIDC) identity source for handling identity (ID) token claims.

Contains the claim that you want to identify as the principal in an authorization request, and the values of the aud claim, or audiences, that you want to accept.

This data type is part of an OpenIdConnectTokenSelection structure, which is a parameter of CreateIdentitySource.
- Parameters:
client_ids (Optional[Sequence[str]]) – The ID token audience, or client ID, claim values that you want to accept in your policy store from an OIDC identity provider. For example, 1example23456789, 2example10111213.
principal_id_claim (Optional[str]) – The claim that determines the principal in OIDC access tokens. For example, sub. Default: "sub"
- ExampleMetadata:
fixture=_generated
Example:
# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk.mixins_preview.aws_verifiedpermissions import mixins as verifiedpermissions_mixins

open_id_connect_identity_token_configuration_property = verifiedpermissions_mixins.CfnIdentitySourcePropsMixin.OpenIdConnectIdentityTokenConfigurationProperty(
    client_ids=["clientIds"],
    principal_id_claim="principalIdClaim"
)
Attributes
- client_ids
The ID token audience, or client ID, claim values that you want to accept in your policy store from an OIDC identity provider. For example, 1example23456789, 2example10111213.
- principal_id_claim
The claim that determines the principal in OIDC access tokens. For example, sub.
OpenIdConnectTokenSelectionProperty
- class CfnIdentitySourcePropsMixin.OpenIdConnectTokenSelectionProperty(*, access_token_only=None, identity_token_only=None)
Bases:
object

The token type that you want to process from your OIDC identity provider. Your policy store can process either identity (ID) or access tokens from a given OIDC identity source.

This data type is part of an OpenIdConnectConfiguration structure, which is a parameter of CreateIdentitySource.
- Parameters:
access_token_only (Union[IResolvable, OpenIdConnectAccessTokenConfigurationProperty, Dict[str, Any], None]) – The OIDC configuration for processing access tokens. Contains allowed audience claims, for example https://auth.example.com, and the claim that you want to map to the principal, for example sub.
identity_token_only (Union[IResolvable, OpenIdConnectIdentityTokenConfigurationProperty, Dict[str, Any], None]) – The OIDC configuration for processing identity (ID) tokens. Contains allowed client ID claims, for example 1example23456789, and the claim that you want to map to the principal, for example sub.
- ExampleMetadata:
fixture=_generated
Example:
# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk.mixins_preview.aws_verifiedpermissions import mixins as verifiedpermissions_mixins

open_id_connect_token_selection_property = verifiedpermissions_mixins.CfnIdentitySourcePropsMixin.OpenIdConnectTokenSelectionProperty(
    access_token_only=verifiedpermissions_mixins.CfnIdentitySourcePropsMixin.OpenIdConnectAccessTokenConfigurationProperty(
        audiences=["audiences"],
        principal_id_claim="principalIdClaim"
    ),
    identity_token_only=verifiedpermissions_mixins.CfnIdentitySourcePropsMixin.OpenIdConnectIdentityTokenConfigurationProperty(
        client_ids=["clientIds"],
        principal_id_claim="principalIdClaim"
    )
)
Attributes
- access_token_only
The OIDC configuration for processing access tokens. Contains allowed audience claims, for example https://auth.example.com, and the claim that you want to map to the principal, for example sub.
- identity_token_only
The OIDC configuration for processing identity (ID) tokens. Contains allowed client ID claims, for example 1example23456789, and the claim that you want to map to the principal, for example sub.
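As an added illustration (not code from the aws_cdk mixins package or from Verified Permissions itself), the model below shows how the OIDC settings documented above (issuer, token_selection with either audiences or client_ids, principal_id_claim, entity_id_prefix and the group claim mapping) turn a token's claims into the Cedar principal and group entity identifiers that policies reference, and in what order a mismatched issuer or audience stops that mapping. The class, function and sample names are the example's own, and the either/or check on token_selection is the example's reading of the page's text.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class OidcIdentitySource:
    """Model of the OpenIdConnectConfigurationProperty settings (illustration only).
    Exactly one of audiences (access_token_only) or client_ids (identity_token_only) is set."""
    issuer: str
    principal_entity_type: str              # the mixin's principal_entity_type
    entity_id_prefix: Optional[str] = None  # e.g. "MyOIDCProvider"
    principal_id_claim: str = "sub"         # documented default
    audiences: Optional[list] = None        # access-token aud values to accept
    client_ids: Optional[list] = None       # ID-token aud (client ID) values to accept
    group_claim: Optional[str] = None       # e.g. "groups"
    group_entity_type: Optional[str] = None # e.g. "MyCorp::UserGroup"

    def __post_init__(self):
        if (self.audiences is None) == (self.client_ids is None):
            raise ValueError("set either audiences or client_ids, not both or neither")


def cedar_uid(entity_type: str, entity_id: str) -> str:
    """Render an entity UID the way Cedar policies spell it: Type::"id"."""
    escaped = entity_id.replace("\\", "\\\\").replace('"', '\\"')
    return f'{entity_type}::"{escaped}"'


def map_token_claims(src: OidcIdentitySource, claims: dict) -> dict:
    """Turn already-verified token claims (signature, expiry checked elsewhere) into
    Cedar principal and group UIDs; checks run as issuer, audience, principal claim."""
    if claims.get("iss") != src.issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    presented = aud if isinstance(aud, list) else [aud]
    accepted = src.audiences if src.audiences is not None else src.client_ids
    if not any(a in accepted for a in presented):
        raise ValueError("audience/client ID not accepted")
    subject = claims.get(src.principal_id_claim)
    if not isinstance(subject, str) or not subject:
        raise ValueError(f"missing principal claim {src.principal_id_claim!r}")
    entity_id = f"{src.entity_id_prefix}|{subject}" if src.entity_id_prefix else subject
    groups = []
    if src.group_claim and src.group_entity_type:
        raw = claims.get(src.group_claim, [])
        for g in (raw if isinstance(raw, list) else [raw]):
            groups.append(cedar_uid(src.group_entity_type, str(g)))
    return {"principal": cedar_uid(src.principal_entity_type, entity_id), "groups": groups}


def rejection_reason(src: OidcIdentitySource, claims: dict) -> Optional[str]:
    """The ValueError message for a token that does not map, or None if it does."""
    try:
        map_token_claims(src, claims)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed sample: an identity_token_only source and the claims of one ID token.
SAMPLE_SOURCE = OidcIdentitySource(
    issuer="https://auth.example.com", principal_entity_type="MyCorp::User",
    entity_id_prefix="MyOIDCProvider", client_ids=["1example23456789"],
    group_claim="groups", group_entity_type="MyCorp::UserGroup",
)
SAMPLE_CLAIMS = {"iss": "https://auth.example.com", "aud": "1example23456789",
                 "sub": "Carlos", "groups": ["admins", "devs"]}
```

Running map_token_claims(SAMPLE_SOURCE, SAMPLE_CLAIMS) yields the principal MyCorp::User::"MyOIDCProvider|Carlos" from the page's own example, plus one MyCorp::UserGroup entity per groups value.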