
Clarification Needed on Valid Identifiers in Policies #1278

Closed
joshkraft-ncino opened this issue Oct 18, 2024 · 7 comments
Labels
bug: Something isn't working. This is a high priority issue.

Comments

joshkraft-ncino commented Oct 18, 2024

Bug Category

Schemas and Validation

Describe the bug

I have been encountering errors of this type when setting up AVP w/ Cedar to perform route-based API authorization:

identifier `get /foo` contains characters that fall outside of the General Security Profile for Identifiers

API route identifiers of the flavor get /foo seem to violate constraints Cedar is expecting, but are used in documentation such as this:

https://aws.amazon.com/blogs/security/authorize-api-gateway-apis-using-amazon-verified-permissions-and-amazon-cognito/

I have also encountered this issue in the console when using the automated 'Set up with API Gateway and an identity provider' starting action.

Expected behavior

According to the documentation, API routes of the format get /foo should be valid actions.

Reproduction steps

  1. Create an API Gateway with a get /foo endpoint.
  2. Create AVP request authorizer and attach to API.
  3. Attempt to create a simple policy such as:
permit (
  principal in {{NAMESPACE}}::UserGroup::"{{USER_POOL_ID}}|{{USER_GROUP_NAME}}",
  action in
  [
    {{NAMESPACE}}::Action::"get /foo"
  ],
  resource
);

Log output

Warning:   ⚠ for policy `policy0`, identifier `get /foo` contains characters that fall outside of the General Security Profile for Identifiers


joshkraft-ncino added the labels bug (Something isn't working. This is a high priority issue.) and pending-triage (The cedar maintainers haven't looked at this yet. Automatically added to all new issues.) on Oct 18, 2024
@cdisselkoen (Contributor) commented:

Currently, the / character triggers this warning, but should not: #621

andrewmwells-amazon removed the pending-triage label on Oct 21, 2024
@joshkraft-ncino (Author) commented:

Hi @cdisselkoen - just to clarify, I see this as a warning in the Cedar CLI, but it actually blocks the creation of policies in the Cedar AWS console. It lists the same error as being a validation warning, but you are blocked from actually creating the policy. The Chrome console states that it is running against Cedar 3.3.0.


@cdisselkoen (Contributor) commented:

Understood, but this is a problem in the Verified Permissions service or console, not in Cedar. Cedar reports it as a warning and not an error, as you say. So even though Cedar could improve by not reporting a warning at all in this case (#621), the behavior of blocking policy creation is somewhere in Verified Permissions code.

@joshkraft-ncino (Author) commented:

Got it - any suggestions on where to forward this issue re: the console?

@cdisselkoen (Contributor) commented:

You can use the "feedback" button in the footer of the console. If you have an AWS support contract or account manager, I recommend going through them instead / as well. If you're internal to AWS, ping me internally (@CDiss) and I'll give you internal details on how to report.

@cdisselkoen (Contributor) commented:

Closing this, feel free to open a new issue if needed.

@john-h-kastner-aws (Contributor) commented:

FYI, we've merged a fix to substantially limit when we emit this warning on the Cedar side in #1336. The AVP console should pick up this change eventually, but I don't have a timeline.
