Select your cookie preferences

We use cookies and similar tools to enhance your experience, provide our services, deliver relevant advertising, and make improvements. Approved third parties also use these tools to help us deliver advertising and provide certain site features.

test_authorization

test_authorization(**kwargs)

Tests if a specified principal is authorized to perform an IoT action on a specified resource. Use this to test and debug the authorization behavior of devices that connect to the IoT device gateway.

Requires permission to access the TestAuthorization action.

See also: AWS API Documentation

Request Syntax

response = client.test_authorization(
    principal='string',
    cognitoIdentityPoolId='string',
    authInfos=[
        {
            'actionType': 'PUBLISH'|'SUBSCRIBE'|'RECEIVE'|'CONNECT',
            'resources': [
                'string',
            ]
        },
    ],
    clientId='string',
    policyNamesToAdd=[
        'string',
    ],
    policyNamesToSkip=[
        'string',
    ]
)
Parameters
  • principal (string) -- The principal. Valid principals are CertificateArn (arn:aws:iot:region :accountId :cert/certificateId ), thingGroupArn (arn:aws:iot:region :accountId :thinggroup/groupName ) and CognitoId (region :id ).
  • cognitoIdentityPoolId (string) -- The Cognito identity pool ID.
  • authInfos (list) --

    [REQUIRED]

    A list of authorization info objects. Simulating authorization will create a response for each authInfo object in the list.

    • (dict) --

      A collection of authorization information.

      • actionType (string) --

        The type of action for which the principal is being authorized.

      • resources (list) -- [REQUIRED]

        The resources for which the principal is being authorized to perform the specified action.

        • (string) --
  • clientId (string) -- The MQTT client ID.
  • policyNamesToAdd (list) --

    When testing custom authorization, the policies specified here are treated as if they are attached to the principal being authorized.

    • (string) --
  • policyNamesToSkip (list) --

    When testing custom authorization, the policies specified here are treated as if they are not attached to the principal being authorized.

    • (string) --
Return type

dict

Returns

Response Syntax

{
    'authResults': [
        {
            'authInfo': {
                'actionType': 'PUBLISH'|'SUBSCRIBE'|'RECEIVE'|'CONNECT',
                'resources': [
                    'string',
                ]
            },
            'allowed': {
                'policies': [
                    {
                        'policyName': 'string',
                        'policyArn': 'string'
                    },
                ]
            },
            'denied': {
                'implicitDeny': {
                    'policies': [
                        {
                            'policyName': 'string',
                            'policyArn': 'string'
                        },
                    ]
                },
                'explicitDeny': {
                    'policies': [
                        {
                            'policyName': 'string',
                            'policyArn': 'string'
                        },
                    ]
                }
            },
            'authDecision': 'ALLOWED'|'EXPLICIT_DENY'|'IMPLICIT_DENY',
            'missingContextValues': [
                'string',
            ]
        },
    ]
}

Response Structure

  • (dict) --

    • authResults (list) --

      The authentication results.

      • (dict) --

        The authorizer result.

        • authInfo (dict) --

          Authorization information.

          • actionType (string) --

            The type of action for which the principal is being authorized.

          • resources (list) --

            The resources for which the principal is being authorized to perform the specified action.

            • (string) --
        • allowed (dict) --

          The policies and statements that allowed the specified action.

          • policies (list) --

            A list of policies that allowed the authentication.

            • (dict) --

              Describes an IoT policy.

              • policyName (string) --

                The policy name.

              • policyArn (string) --

                The policy ARN.

        • denied (dict) --

          The policies and statements that denied the specified action.

          • implicitDeny (dict) --

            Information that implicitly denies the authorization. When a policy doesn't explicitly deny or allow an action on a resource it is considered an implicit deny.

            • policies (list) --

              Policies that don't contain a matching allow or deny statement for the specified action on the specified resource.

              • (dict) --

                Describes an IoT policy.

                • policyName (string) --

                  The policy name.

                • policyArn (string) --

                  The policy ARN.

          • explicitDeny (dict) --

            Information that explicitly denies the authorization.

            • policies (list) --

              The policies that denied the authorization.

              • (dict) --

                Describes an IoT policy.

                • policyName (string) --

                  The policy name.

                • policyArn (string) --

                  The policy ARN.

        • authDecision (string) --

          The final authorization decision of this scenario. Multiple statements are taken into account when determining the authorization decision. An explicit deny statement can override multiple allow statements.

        • missingContextValues (list) --

          Contains any missing context values found while evaluating policy.

          • (string) --

Exceptions

  • IoT.Client.exceptions.ResourceNotFoundException
  • IoT.Client.exceptions.InvalidRequestException
  • IoT.Client.exceptions.ThrottlingException
  • IoT.Client.exceptions.UnauthorizedException
  • IoT.Client.exceptions.ServiceUnavailableException
  • IoT.Client.exceptions.InternalFailureException
  • IoT.Client.exceptions.LimitExceededException