Add bedrock agents grained access permissions sample #167

@@ -0,0 +1,15 @@
.env
node_modules/
**/node_modules/
006_Frontend/amplify/
.DS_Store
*.log
ws-env.sh
samconfig.toml
aws-exports.js
006_Frontend/build/
**/aws-exports.js
**/.aws-sam/
**/build/
005_Frontend/src/aws-exports.js
005_Frontend/amplify/
@@ -0,0 +1,182 @@
AWSTemplateFormatVersion: '2010-09-09'
Description: 'CloudFormation template for Amazon Verified Permissions resources'

Resources:
AvpPolicyStore:
Type: AWS::VerifiedPermissions::PolicyStore
Properties:
Description: 'Fine-grained data access - Policy store for the claims application'
ValidationSettings:
Mode: STRICT
Schema:
CedarJson: |
{
"avp::claim::app": {
"actions": {
"ListClaims": {
"appliesTo": {
"principalTypes": [
"User"
],
"resourceTypes": [
"Application"
]
}
},
"UpdateClaim": {
"appliesTo": {
"resourceTypes": [
"Claim"
],
"principalTypes": [
"User"
]
}
},
"GetClaim": {
"appliesTo": {
"resourceTypes": [
"Claim"
],
"principalTypes": [
"User"
]
}
}
},
"entityTypes": {
"Role": {
"shape": {
"type": "Record",
"attributes": {}
},
"memberOfTypes": []
},
"Application": {
"shape": {
"type": "Record",
"attributes": {
"region": {
"type": "String",
"required": true
},
"owner": {
"type": "Entity",
"name": "User",
"required": true
}
}
},
"memberOfTypes": []
},
"Claim": {
"shape": {
"type": "Record",
"attributes": {
"region": {
"type": "String",
"required": true
},
"custom-attr-1": {
"type": "String",
"required": true
},
"owner": {
"required": true,
"type": "Entity",
"name": "User"
}
}
},
"memberOfTypes": []
},
"User": {
"memberOfTypes": [
"Role"
],
"shape": {
"attributes": {
"custom": {
"attributes": {
"region": {
"type": "String",
"required": false
}
},
"required": false,
"type": "Record"
}
},
"type": "Record"
}
}
}
}
}

Policy1:
Type: AWS::VerifiedPermissions::Policy
Properties:
PolicyStoreId: !Ref AvpPolicyStore
Definition:
Static:
Description: 'Allow ClaimsAdministrator role to List claims across all regions'
Statement: |
permit (
principal in avp::claim::app::Role::"ClaimsAdministrator",
action in [
avp::claim::app::Action::"ListClaims"

the claim admin can only list the claims?


Yes

],
resource
);

Policy2:
Type: AWS::VerifiedPermissions::Policy
Properties:
PolicyStoreId: !Ref AvpPolicyStore
Definition:
Static:
Description: 'Allow ClaimsAdjuster role to Get and Update Claims they own'
Statement: |
permit (
principal in avp::claim::app::Role::"ClaimsAdjuster",
action in [
avp::claim::app::Action::"GetClaim",
avp::claim::app::Action::"UpdateClaim"
],
resource
) when {
principal == resource.owner
};

Policy3:
Type: AWS::VerifiedPermissions::Policy
Properties:
PolicyStoreId: !Ref AvpPolicyStore
Definition:
Static:
Description: 'Allow ClaimsAdjuster role to List claims in their region'
Statement: |
permit (
principal in avp::claim::app::Role::"ClaimsAdjuster",
action in [avp::claim::app::Action::"ListClaims"],
resource
)
when
{
resource has owner &&
principal == resource.owner &&
principal has custom &&
principal.custom has region &&
principal.custom.region == resource.region
};

Outputs:
PolicyStoreId:
Value: !Ref AvpPolicyStore
Policy1Id:
Value: !GetAtt Policy1.PolicyId
Policy2Id:
Value: !GetAtt Policy2.PolicyId
Policy3Id:
Value: !GetAtt Policy3.PolicyId
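Review bot: Policy3's `when` clause requires `principal == resource.owner`, but the schema binds ListClaims to the Application entity rather than Claim, so the policy only permits a ClaimsAdjuster who is also the owner of the Application — which does not match the Description 'Allow ClaimsAdjuster role to List claims in their region'. If region-scoped listing is the intent, drop the `resource has owner &&` and `principal == resource.owner &&` lines and keep `principal has custom && principal.custom has region && principal.custom.region == resource.region`; if the owner restriction is deliberate, the Description string should state it so the effective scope of the sample is not misread. Separately, the Claim attribute `custom-attr-1` is declared `required` but referenced by no policy, and a hyphenated attribute name cannot be used with dotted access in Cedar, so it looks like leftover scaffolding that should be renamed or removed before the schema is validated under `Mode: STRICT`.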
@@ -0,0 +1,140 @@
AWSTemplateFormatVersion: '2010-09-09'
Description: 'CloudFormation template for creating an Amazon Cognito User Pool'

Resources:
UserPool:
Type: AWS::Cognito::UserPool
Properties:
UserPoolName: claims-app-userpool
Policies:
PasswordPolicy:
MinimumLength: 8
RequireUppercase: true
RequireLowercase: true
RequireNumbers: true
RequireSymbols: true
TemporaryPasswordValidityDays: 7
# DeletionProtection: ACTIVE
LambdaConfig: {}
Schema:
- Name: preferred_username
AttributeDataType: String
Mutable: true
Required: false
StringAttributeConstraints:
MinLength: '0'
MaxLength: '2048'
- Name: region
AttributeDataType: String
Mutable: true
Required: false
StringAttributeConstraints: {}
- Name: role
AttributeDataType: String
Mutable: true
Required: false
StringAttributeConstraints: {}
AliasAttributes:
- preferred_username



UserPoolDomain:
Type: AWS::Cognito::UserPoolDomain
Properties:
Domain: !Sub claims-agent-auth-${AWS::AccountId}
UserPoolId: !Ref UserPool


UserPoolClient:
Type: AWS::Cognito::UserPoolClient
Properties:
ClientName: claims-app-demo
UserPoolId: !Ref UserPool
RefreshTokenValidity: 30
AccessTokenValidity: 60
IdTokenValidity: 60
TokenValidityUnits:
AccessToken: minutes
IdToken: minutes
RefreshToken: days
ReadAttributes:
- custom:region
- custom:role
- preferred_username
WriteAttributes:
- custom:region
- custom:role
- preferred_username
ExplicitAuthFlows:
- ALLOW_REFRESH_TOKEN_AUTH
- ALLOW_USER_PASSWORD_AUTH
- ALLOW_USER_SRP_AUTH


ClaimsAdjuster:
Type: AWS::Cognito::UserPoolGroup
Properties:
GroupName: ClaimsAdjuster
Description: ClaimsAdjuster user group
Precedence: 0
UserPoolId: !Ref UserPool


claimsAppAdjusterUser:
Type: AWS::Cognito::UserPoolUser
Properties:
Username: claims-app-adjuster
UserAttributes:
- Name: custom:region
Value: northeast
- Name: custom:role
Value: ClaimsAdjuster
UserPoolId: !Ref UserPool

adjusterGroup:
Type: AWS::Cognito::UserPoolUserToGroupAttachment
Properties:
GroupName: !Ref ClaimsAdjuster
Username: !Ref claimsAppAdjusterUser
UserPoolId: !Ref UserPool

ClaimsAdministrator:
Type: AWS::Cognito::UserPoolGroup
Properties:
GroupName: ClaimsAdministrator
Description: ClaimsAdministrator user group
Precedence: 0
UserPoolId: !Ref UserPool


claimsAppAdminUser:
Type: AWS::Cognito::UserPoolUser
Properties:
Username: claims-app-admin
UserAttributes:
- Name: custom:region
Value: northeast
- Name: custom:role
Value: ClaimsAdmin
UserPoolId: !Ref UserPool

adminGroup:
Type: AWS::Cognito::UserPoolUserToGroupAttachment
Properties:
GroupName: !Ref ClaimsAdministrator
Username: !Ref claimsAppAdminUser
UserPoolId: !Ref UserPool




Outputs:
UserPoolId:
Value: !Ref UserPool
UserPoolArn:
Value: !GetAtt UserPool.Arn
UserPoolDomain:
Value: !Ref UserPoolDomain
UserPoolClientId:
Value: !Ref UserPoolClient
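Review bot: `claimsAppAdminUser` sets `custom:role` to `ClaimsAdmin`, while the group it is attached to, the adjuster user's role value, and the Cedar policies in the sibling template all use the `ClaimsAdministrator` spelling; if the application maps `custom:role` onto the Cedar Role entity, this user will never match `Role::"ClaimsAdministrator"`, so the line should read `Value: ClaimsAdministrator` (or the attribute should be dropped in favour of group membership, if that is the source of truth). `ALLOW_USER_PASSWORD_AUTH` is also enabled next to `ALLOW_USER_SRP_AUTH` on `UserPoolClient`; unless the frontend needs the plaintext-password flow, keep only `ALLOW_USER_SRP_AUTH` and `ALLOW_REFRESH_TOKEN_AUTH` so the password never leaves the client. The commented-out `# DeletionProtection: ACTIVE` line should either be enabled or removed, as a dangling comment suggests an unfinished decision.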