
Endpoint

POST /check-access

Overview

This endpoint evaluates authorization requests using AWS Verified Permissions (AVP). It checks whether a user can perform a specific action on a resource based on Cedar policies configured in your AVP policy store. The Lambda handler constructs entity information including user attributes, role memberships, and resource properties, then calls the AVP IsAuthorized API to make the authorization decision.

Request

Request Body

user (string, required): User ID to check permissions for. Must be one of: alice, bob, or carol.
action (string, required): Action to perform. Must be one of: Read, Edit, or Delete.
resource (string, required): Resource ID to access. Must be one of: Q4-Report-2024, HR-Payroll-2024, or Sales-Dashboard.

Example Request

curl -X POST https://[your-api-id].execute-api.[region].amazonaws.com/Prod/check-access \
  -H "Content-Type: application/json" \
  -d '{
    "user": "alice",
    "action": "Read",
    "resource": "Q4-Report-2024"
  }'

Response

Success Response (200)

decision (string, required): The authorization decision from AVP. Either ALLOW or DENY.
allowed (boolean, required): Boolean convenience field. true if decision is ALLOW, false otherwise.
user (object, required): User information object.
action (string, required): The action that was evaluated (echoed from request).
resource (string, required): The resource that was evaluated (echoed from request).
resource_info (object, required): Resource metadata.
determining_policies (array): List of policy IDs that determined the authorization decision.
errors (array): Any errors encountered during policy evaluation.
message (string, required): Human-readable message describing the authorization result.

Example Success Response

{
  "decision": "ALLOW",
  "allowed": true,
  "user": {
    "id": "alice",
    "name": "Alice Garcia",
    "role": "Analyst",
    "department": "Finance",
    "avatar": "👩‍💼"
  },
  "action": "Read",
  "resource": "Q4-Report-2024",
  "resource_info": {
    "department": "Finance",
    "classification": "confidential"
  },
  "determining_policies": [
    "policy-12345"
  ],
  "errors": [],
  "message": "✅ ACCESO PERMITIDO: Alice Garcia puede Read en Q4-Report-2024"
}

Error Responses

400 - Invalid Request Body

{
  "error": "Body invalido: 'user'",
  "expected": {
    "user": "alice",
    "action": "Read",
    "resource": "Q4-Report-2024"
  }
}

400 - Invalid User

{
  "error": "Usuario 'john' no existe. Opciones: ['alice', 'bob', 'carol']"
}

400 - Invalid Resource

{
  "error": "Recurso 'unknown-doc' no existe. Opciones: ['Q4-Report-2024', 'HR-Payroll-2024', 'Sales-Dashboard']"
}

500 - AVP Service Error

{
  "error": "Error en AVP: AccessDeniedException",
  "details": "User: arn:aws:sts::123456789012:assumed-role/... is not authorized to perform: verifiedpermissions:IsAuthorized",
  "tip": "Verifica que el POLICY_STORE_ID sea correcto y que el Lambda tenga permisos verifiedpermissions:IsAuthorized"
}

Entity Structure

The Lambda function constructs Cedar entities for AVP evaluation:

Principal Entity

{
  "identifier": {
    "entityType": "FinancialApp::User",
    "entityId": "alice"
  },
  "attributes": {
    "department": {"string": "Finance"},
    "clearance_level": {"long": 2}
  },
  "parents": [
    {
      "entityType": "FinancialApp::Role",
      "entityId": "Analyst"
    }
  ]
}

Resource Entity

{
  "identifier": {
    "entityType": "FinancialApp::Document",
    "entityId": "Q4-Report-2024"
  },
  "attributes": {
    "department": {"string": "Finance"},
    "classification": {"string": "confidential"}
  },
  "parents": []
}
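The following is an added example, not the project's /lambda/app.py: it assembles the IsAuthorized request from the entity structure shown above (principal with role parent, resource with department and classification) and maps AVP's reply onto the response shape documented earlier. Only alice and Q4-Report-2024 have attribute values on this page; the rows for the other users and documents, and the FinancialApp::Action type name, are constructed assumptions.

```python
# Added example (not the project's /lambda/app.py): builds the AVP IsAuthorized request
# this endpoint describes and maps AVP's reply onto the response shape. Only alice and
# Q4-Report-2024 have values on the page; other rows and FinancialApp::Action are assumed.
USERS = {
    "alice": {"name": "Alice Garcia", "role": "Analyst", "department": "Finance", "clearance_level": 2},
    "bob":   {"name": "Bob (constructed)", "role": "Manager", "department": "HR", "clearance_level": 3},
    "carol": {"name": "Carol (constructed)", "role": "Viewer", "department": "Sales", "clearance_level": 1},
}
RESOURCES = {
    "Q4-Report-2024":  {"department": "Finance", "classification": "confidential"},
    "HR-Payroll-2024": {"department": "HR", "classification": "confidential"},  # constructed
    "Sales-Dashboard": {"department": "Sales", "classification": "internal"},   # constructed
}
ACTIONS = ("Read", "Edit", "Delete")

def build_request(policy_store_id: str, user: str, action: str, resource: str) -> dict:
    # Attributes and role parents come from the server's tables, never from the caller.
    for value, valid, label in ((user, USERS, "Usuario"), (action, ACTIONS, "Accion"),
                                (resource, RESOURCES, "Recurso")):
        if value not in valid:
            raise ValueError(f"{label} '{value}' no existe. Opciones: {list(valid)}")
    u, r = USERS[user], RESOURCES[resource]
    principal = {"entityType": "FinancialApp::User", "entityId": user}
    document = {"entityType": "FinancialApp::Document", "entityId": resource}
    return {  # usable as boto3.client("verifiedpermissions").is_authorized(**request)
        "policyStoreId": policy_store_id,
        "principal": principal,
        "action": {"actionType": "FinancialApp::Action", "actionId": action},
        "resource": document,
        "entities": {"entityList": [
            {"identifier": principal,
             "attributes": {"department": {"string": u["department"]}, "clearance_level": {"long": u["clearance_level"]}},
             "parents": [{"entityType": "FinancialApp::Role", "entityId": u["role"]}]},
            {"identifier": document,
             "attributes": {"department": {"string": r["department"]}, "classification": {"string": r["classification"]}},
             "parents": []},
        ]},
    }

def to_response(reply: dict, user: str, action: str, resource: str) -> dict:
    # Only an explicit ALLOW counts; a missing or unexpected decision fails closed.
    decision = reply.get("decision", "DENY")
    allowed = decision == "ALLOW"
    return {
        "decision": decision, "allowed": allowed,
        "user": {"id": user, **{k: USERS[user][k] for k in ("name", "role", "department")}},
        "action": action, "resource": resource, "resource_info": RESOURCES[resource],
        "determining_policies": [p["policyId"] for p in reply.get("determiningPolicies", [])],
        "errors": [e.get("errorDescription", "") for e in reply.get("errors", [])],
    }
```

Because identifiers are checked against fixed tables and attributes are filled in server-side, the request body can only select a principal and resource, not describe them.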

Source Code Reference

Implemented in /lambda/app.py:101-232
The POLICY_STORE_ID environment variable must be configured with your AVP policy store ID for this endpoint to work.
