This article provides valuable insights, but it doesn't clarify what is "MyApplication" in the policy or how the Actions are associated with the endpoint and how resources are specified.
MyApplication is whatever application you're working on which requires restricting access to endpoints depending on who's calling them. Specifically, in the policy, it is the "namespace" of the schema.
The Actions are associated with the endpoint by your mind. There's no reason why you can't say that the Action name is something like `GET /books`. That said, typically, endpoints have a human-readable name (in an OpenAPI/Swagger file it would be the `operationId`). You can use that human-readable name as your Cedar action name too.
How resources are specified is up to you. You can decide that when they call `GET /books/{bookId}` the resource is of type Book. Then you fetch it from the DB by its bookId and you send it to AVP as a resource of type Book, with whatever id it had.
Hope that helps.
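To make the mapping in the reply above concrete, here is an added example (not code from the video, AWS, or the commenter): a small route table that turns an HTTP method and path into a Cedar action and resource, then builds the request body for the Verified Permissions `IsAuthorized` call in the shape boto3's `is_authorized` accepts. The namespace `MyApplication`, the entity types `User`, `Role`, `Book` and `Application`, the action names, the sample policies and the policy-store id are all assumptions or placeholders.

```python
import re
from typing import Any, Dict, List, Optional, Tuple

# Assumed names: the Cedar schema namespace, entity types and action names
# below are hypothetical, as is the policy-store id (a placeholder).
NAMESPACE = "MyApplication"
POLICY_STORE_ID = "PLACEHOLDER_POLICY_STORE_ID"
APP_RESOURCE_ID = "library"  # resource id used for collection-level routes

# Route table: method, path template, Cedar action id, Cedar resource type.
# Action ids follow the OpenAPI operationId convention the reply mentions.
ROUTES: List[Tuple[str, str, str, str]] = [
    ("GET",    "/books",          "ListBooks",  "Application"),
    ("GET",    "/books/{bookId}", "GetBook",    "Book"),
    ("DELETE", "/books/{bookId}", "DeleteBook", "Book"),
]

# Example policies (assumed) the request would be evaluated against. The
# forbid reads resource.archived, which is why the resource's attributes
# fetched from the DB are sent along as an entity.
CEDAR_POLICIES = """
permit(
    principal in MyApplication::Role::"librarian",
    action in [MyApplication::Action::"ListBooks",
               MyApplication::Action::"GetBook",
               MyApplication::Action::"DeleteBook"],
    resource
);
forbid(principal, action == MyApplication::Action::"DeleteBook", resource)
when { resource.archived };
"""


def _compile(template: str) -> "re.Pattern[str]":
    """Turn '/books/{bookId}' into an anchored regex with a named group."""
    return re.compile("^" + re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", template) + "$")


def match_route(method: str, path: str) -> Optional[Tuple[str, str, Dict[str, str]]]:
    """Return (action id, resource type, path params) for a request, or None."""
    for route_method, template, action_id, resource_type in ROUTES:
        if route_method != method.upper():
            continue
        found = _compile(template).match(path)
        if found:
            return action_id, resource_type, found.groupdict()
    return None


def _cedar_value(value: Any) -> Dict[str, Any]:
    """Wrap a Python scalar in the typed attribute form IsAuthorized expects."""
    if isinstance(value, bool):  # bool before int: bool is an int subclass
        return {"boolean": value}
    if isinstance(value, int):
        return {"long": value}
    return {"string": str(value)}


def build_is_authorized_request(method, path, user_id, groups=(), resource_attrs=None):
    """Build the keyword arguments for boto3's verifiedpermissions.is_authorized."""
    route = match_route(method, path)
    if route is None:
        raise ValueError(f"no route for {method} {path}")
    action_id, resource_type, params = route
    # The resource id comes from the path parameter ({bookId}); collection
    # routes have none, so they target the application itself.
    resource_id = next(iter(params.values()), APP_RESOURCE_ID)
    principal = {"entityType": f"{NAMESPACE}::User", "entityId": user_id}
    resource = {"entityType": f"{NAMESPACE}::{resource_type}", "entityId": resource_id}
    # Entities carry what policies may reference: the principal's group
    # membership (parents) and the resource's attributes loaded from the DB.
    entities = [
        {"identifier": principal,
         "parents": [{"entityType": f"{NAMESPACE}::Role", "entityId": g} for g in groups]},
        {"identifier": resource,
         "attributes": {k: _cedar_value(v) for k, v in (resource_attrs or {}).items()}},
    ]
    return {
        "policyStoreId": POLICY_STORE_ID,
        "principal": principal,
        "action": {"actionType": f"{NAMESPACE}::Action", "actionId": action_id},
        "resource": resource,
        "entities": {"entityList": entities},
    }


def is_allowed(request):
    """Send the request to Verified Permissions. boto3 is imported here so the
    rest of the module runs offline; this call needs AWS credentials."""
    import boto3  # real library; is_authorized is the AVP API operation
    response = boto3.client("verifiedpermissions").is_authorized(**request)
    return response["decision"] == "ALLOW"


if __name__ == "__main__":
    # Constructed sample: a librarian asks to delete an archived book.
    req = build_is_authorized_request("DELETE", "/books/42", "alice",
                                      groups=["librarian"],
                                      resource_attrs={"archived": True, "pages": 300})
    print(req)
```

The route table is the place where "the Action is associated with the endpoint": each entry names the `operationId`-style action and the resource type, and the handler fetches the real record by its path id before calling `is_allowed`, so `when`/`unless` clauses can see the resource's attributes.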
Please can you guys make a tutorial video on how to "use scripts to bulk migrate policies to use fine-grained IAM actions" this is really complex for a non technical person. Alternatively, please you can also refer where to get experts who can help with this migration. Thanks. Your reply will be appreciated.
Thanks for the awesome demo, this is going to be a beneficial service in the future. I have a minor query that I did not understand. How is the mapping done between the application (Lambda as per this demo) and the Verified Permissions service with respect to the action (defined in the policy store) like `MyApplication::Action::"SearchPets"` or `MyApplication::Action::"PlaceOrder"`? What is this SearchPets or PlaceOrder in the application? Is that a path parameter or query parameter of the APIs defined in the application, or something else? I think you should have covered or explained that as well in the demo.
Hi there. This doc should help clarify Verified Permissions for you: go.aws/3qrqL6C. 🔖 For further help, you can also reach out to our devs and experts in re:Post: go.aws/aws-repost. 👨💻 ^RS
Price is super high for this service. $150/million requests 🙄🙄🙄
There is no minimum number of requests that a customer must make to use Amazon Verified Permissions. For example, if your application makes 1000 authorization requests, then you are charged for 1000 requests ($150 / 1000 requests = $0.15).
My exact thought. I've always dreamed about having an AWS IAM-like authorization solution but with many actions per user per day this solution is pretty much out of reach. It's really nice they open-sourced Cedar though. Also very nice video!
@ee7keelt Yeah, seeing that it's $0.15 per 1000 requests... that definitely seems expensive and out of budget for non-enterprise. If I have my math right, the way I view it is that the price per million API Gateway, Lambda, and Cognito requests is pretty low. Adding this makes it suddenly very expensive much earlier.
... but it's probably more convenient than deploying Open Policy Agent, so there's that.