lint and minor fixes

bentsku · bentsku · commit 7df161fc656c · 2025-04-22T21:56:36.000+02:00
diff --git a/content/en/user-guide/aws/verifiedpermissions/index.md b/content/en/user-guide/aws/verifiedpermissions/index.md
@@ -13,7 +13,7 @@ Verified Permissions uses the [Cedar policy language](https://docs.cedarpolicy.c
 
 Verified Permissions provides authorization by verifying whether a principal is allowed to perform an action on a resource in a given context in your application.
 
-LocalStack allows you to use the Verified Permissions APIs in your local environment to test XXXX
+LocalStack allows you to use the Verified Permissions APIs in your local environment to test your authorization logic, with integrations with other AWS services like Cognito.
 The supported APIs are available on our [API coverage page](https://docs.localstack.cloud/references/coverage/coverage_verifiedpermissions/), which provides information on the extent of Verified Permissions' integration with LocalStack.
 
 {{< alert title="Note">}}
@@ -34,11 +34,13 @@ To create a Verified Permissions Policy Store, use the [`CreatePolicyStore`](htt
 Run the following command to create a Policy Store with Schema validation settings set to `OFF`:
 
 {{< command >}}
-$ awslocal verifiedpermissions create-policy-store --validation-settings mode=OFF --description "A local Policy Store"
+awslocal verifiedpermissions create-policy-store \
+  --validation-settings mode=OFF \
+  --description "A local Policy Store"
 {{< /command >}}
 
 The above command returns the following response:
-XXXXX
+
 ```json
 {
     "policyStoreId": "q5PCScu9qo4aswMVc0owNN",
@@ -52,7 +54,7 @@ You can list all the Verified Permissions policy stores using the [`ListPolicySt
 Run the following command to list all the Verified Permissions policy stores:
 
 {{< command >}}
-$ awslocal verifiedpermissions list-policy-stores
+awslocal verifiedpermissions list-policy-stores
 {{< /command >}}
 
 ### Create a Policy
@@ -72,15 +74,15 @@ First, create a JSON file containing the following policy named `static_policy.j
 
 You can then run this command to create the policy:
 {{< command >}}
-$ awslocal verifiedpermissions create-policy \
+awslocal verifiedpermissions create-policy \
     --definition file://static_policy.json \
     --policy-store-id q5PCScu9qo4aswMVc0owNN
 {{< /command >}}
 
+Replace the policy store ID with the ID of the policy store you created previously.
 
-Replace the policy store ID with the ID of the policy store you created previously. 
+You should see the following output:
 
-Should get following output:
 ```json
 {
     "policyStoreId": "q5PCScu9qo4aswMVc0owNN",
@@ -112,14 +114,15 @@ We can now make use of the Policy Store and the Policy to start authorizing requ
 To authorize a request using Verified Permissions, use the [`IsAuthorized`](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_IsAuthorized.html) API.
 
 {{< command >}}
-$ awslocal verifiedpermissions is-authorized \
+awslocal verifiedpermissions is-authorized \
   --policy-store-id q5PCScu9qo4aswMVc0owNN \
   --principal entityType=User,entityId=alice \
   --action actionType=Action,actionId=view \
   --resource entityType=Album,entityId=trip
 {{< /command >}}
 
 You should get the following output, indicating that your request was allowed:
+
 ```json
 {
     "decision": "ALLOW",
@@ -132,21 +135,22 @@ You should get the following output, indicating that your request was allowed:
 }
 ```
 
-
 ## Integration with Cognito
 
-Verified Permissions allows you to use external identity provider (IdP) via Idendity Sources.
+Verified Permissions allows you to use external identity provider (IdP) via Identity Sources.
 Your application can use JSON web tokens (JWTs) generated by your IdP in authorization requests.
-The user identity in the token is mapped to the principal ID of the request. 
+The user identity in the token is mapped to the principal ID of the request.
 
-With ID tokens, Verified Permissions maps attribute claims to principal attributes. With Access tokens, these claims are mapped to context.
+With ID tokens, Verified Permissions maps attribute claims to principal attributes.
+With Access tokens, these claims are mapped to context.
 
 ### Create a Cognito UserPool
 To create a user pool, you can use the [`CreateUserPool`](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html) API call.
 The following command creates a user pool named `avp-test`:
 
 {{< command >}}
-$ awslocal cognito-idp create-user-pool --pool-name avp-test
+awslocal cognito-idp create-user-pool \
+  --pool-name avp-test
 {{< /command >}}
 
 You can see an output similar to the following:
@@ -156,50 +160,20 @@ You can see an output similar to the following:
     "UserPool": {
         "Id": "us-east-1_84e2d3fb5af24aba9827b82a6971b17f",
         "Name": "avp-test",
-        "Policies": {
-            "PasswordPolicy": {
-                "MinimumLength": 8,
-                "RequireUppercase": true,
-                "RequireLowercase": true,
-                "RequireNumbers": true,
-                "RequireSymbols": true,
-                "TemporaryPasswordValidityDays": 7
-            }
-        },
-        "DeletionProtection": "INACTIVE",
-        "LambdaConfig": {},
+        "Arn": "arn:aws:cognito-idp:us-east-1:000000000000:userpool/us-east-1_84e2d3fb5af24aba9827b82a6971b17f",
         "LastModifiedDate": 1745357214.529315,
         "CreationDate": 1745357214.529319,
         "SchemaAttributes": ["...truncated"],
         "VerificationMessageTemplate": {
             "DefaultEmailOption": "CONFIRM_WITH_CODE"
         },
-        "UserAttributeUpdateSettings": {
-            "AttributesRequireVerificationBeforeUpdate": []
-        },
         "MfaConfiguration": "OFF",
         "EstimatedNumberOfUsers": 0,
         "EmailConfiguration": {
             "EmailSendingAccount": "COGNITO_DEFAULT"
         },
-        "AdminCreateUserConfig": {
-            "AllowAdminCreateUserOnly": false,
-            "UnusedAccountValidityDays": 7
-        },
-        "Arn": "arn:aws:cognito-idp:us-east-1:000000000000:userpool/us-east-1_84e2d3fb5af24aba9827b82a6971b17f",
-        "AccountRecoverySetting": {
-            "RecoveryMechanisms": [
-                {
-                    "Priority": 1,
-                    "Name": "verified_email"
-                },
-                {
-                    "Priority": 2,
-                    "Name": "verified_phone_number"
-                }
-            ]
-        },
-        "UserPoolTier": "ESSENTIALS"
+        "UserPoolTier": "ESSENTIALS",
+        "...": "truncated"
     }
 }
 ```
@@ -214,10 +188,13 @@ You can use the [`CreateUserPoolClient`](https://docs.aws.amazon.com/cognito-use
 Run the following command, replacing the `--user-pool-id` with the one from the previous step:
 
 {{< command >}}
-$ awslocal cognito-idp create-user-pool-client --user-pool-id us-east-1_84e2d3fb5af24aba9827b82a6971b17f --client-name avp-client
+awslocal cognito-idp create-user-pool-client \
+  --user-pool-id us-east-1_84e2d3fb5af24aba9827b82a6971b17f \
+  --client-name avp-client
 {{< /command >}}
 
 You can see an output similar to the following:
+
 ```json
 {
     "UserPoolClient": {
@@ -240,52 +217,54 @@ You will also need the user pool client's `ClientId` for further operations.
 
 ### Create a Cognito Group
 
-To use a Verified Permissions policy that validate whether your user is part of a group, we can leverage Cognito Groups. 
+To use a Verified Permissions policy that validate whether your user is part of a group, we can leverage Cognito Groups.
 
 First, create a group named `AVPGroup`:
 {{< command >}}
-$ awslocal cognito-idp create-group --user-pool-id us-east-1_84e2d3fb5af24aba9827b82a6971b17f --group AVPGroup
+awslocal cognito-idp create-group \
+  --user-pool-id us-east-1_84e2d3fb5af24aba9827b82a6971b17f \
+  --group AVPGroup
 {{< /command >}}
 
 ### Create a Cognito User
 
-You can now create a user, which will be used when sending requests to Verified Permissions. 
+You can now create a user, which will be used when sending requests to Verified Permissions.
 We will use `avp-user` for its username, and `avp@test.com` as its email address.
 
 We can run the 4 following commands to create the user, add it to the Cognito Group then get the Identity Token and Access Token for the user.
-You will need to replace the `--user-pool-id` from the User Pool `id` from the first step, and the `--client-id` with the User Pool Client `id` from the step above. 
+You will need to replace the `--user-pool-id` from the User Pool `id` from the first step, and the `--client-id` with the User Pool Client `id` from the step above.
 
 {{< command >}}
-$ awslocal cognito-idp admin-create-user \
+awslocal cognito-idp admin-create-user \
   --user-pool-id us-east-1_84e2d3fb5af24aba9827b82a6971b17f \
   --username avp-user \
   --user-attributes Name=email,Value="avp@test.com" Name=email_verified,Value=true
 {{< /command >}}
 
 {{< command >}}
-$ awslocal cognito-idp admin-set-user-password \
+awslocal cognito-idp admin-set-user-password \
   --user-pool-id us-east-1_84e2d3fb5af24aba9827b82a6971b17f \
   --username avp-user \
   --password Test123! \
   --permanent
 {{< /command >}}
 
 {{< command >}}
-$ awslocal cognito-idp admin-add-user-to-group \
+awslocal cognito-idp admin-add-user-to-group \
   --user-pool-id us-east-1_84e2d3fb5af24aba9827b82a6971b17f \
   --username avp-user \
   --group-name AVPGroup
 {{< /command >}}
 
 {{< command >}}
-$ awslocal cognito-idp initiate-auth \
+awslocal cognito-idp initiate-auth \
   --auth-flow USER_PASSWORD_AUTH \
   --client-id xhixnryjv7fcc07s95xau9cjze \
   --auth-parameters USERNAME=avp-user,PASSWORD=Test123!
 {{< /command >}}
 
-
 From the last command, you can see an output similar to the following:
+
 ```json
 {
     "ChallengeParameters": {},
@@ -299,13 +278,15 @@ From the last command, you can see an output similar to the following:
 }
 ```
 
-You will need the `IdToken` for the Verified Permissions authorization request. 
+You will need the `IdToken` for the Verified Permissions authorization request.
 
 ### Create a Policy Store
 
 We can now create a new Policy Store:
 {{< command >}}
-$ awslocal verifiedpermissions create-policy-store --validation-settings mode=OFF --description "Policy Store with Cognito"
+awslocal verifiedpermissions create-policy-store \
+  --validation-settings mode=OFF \
+  --description "Policy Store with Cognito"
 {{< /command >}}
 
 The above command returns the following response:
@@ -319,14 +300,15 @@ The above command returns the following response:
 }
 ```
 
-You will need the `policyStoreId` for the next commands. 
+You will need the `policyStoreId` for the next commands.
 
 ### Create an Identity Source
 
 You can now create an Identity Source, which is a representation of an external identity provider, Cognito in our case.
 To create a Verified Permissions Identity Source, use the [`CreateIdentitySource`](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreateIdentitySource.html) API.
 
-First, create a JSON file containing the following Identity Source configuration named `identity_source.json`. Replace the `userPoolArn` with the User Pool `Arn` value from the previous step, and the `clientIds` value from the User Pool Client `Id`:
+First, create a JSON file containing the following Identity Source configuration named `identity_source.json`.
+Replace the `userPoolArn` with the User Pool `Arn` value from the previous step, and the `clientIds` value from the User Pool Client `Id`:
 
 ```json
 {
@@ -339,13 +321,12 @@ First, create a JSON file containing the following Identity Source configuration
 ```
 
 {{< command >}}
-$ awslocal verifiedpermissions create-identity-source \
+awslocal verifiedpermissions create-identity-source \
   --policy-store-id ESIPIqX1pUHDvwqekZno1G \
   --principal-entity-type "User" \
   --configuration file://identity_source.json
 {{< /command >}}
 
-
 ### Create a Policy
 
 You will now create a Policy that will take advantage of the configuration of your Identity Source, and will provide access to the resource if the principal is part of the group type that was defined in the IdentitySource configuration, and the group identity that was defined in Cognito.
@@ -363,12 +344,13 @@ First, create a JSON file containing the following policy named `policy_cognito.
 
 You can then run this command to create the policy:
 {{< command >}}
-$ awslocal verifiedpermissions create-policy \
+awslocal verifiedpermissions create-policy \
     --definition file://policy_cognito.json \
     --policy-store-id ESIPIqX1pUHDvwqekZno1G
 {{< /command >}}
 
 You should see similiar output:
+
 ```json
 {
     "policyStoreId": "ESIPIqX1pUHDvwqekZno1G",
@@ -396,7 +378,8 @@ You should see similiar output:
 
 ### Authorize a request with a Cognito Token
 
-Finally, you can use everything that we created above to authorize your request. By using your user's Identity Token, you can run an authorization request that will authenticate your principal, and automatically use the information that its type is of `UserGroup::`, and the value will be from the token attribute `cognito:groups`.
+Finally, you can use everything that we created above to authorize your request.
+By using your user's Identity Token, you can run an authorization request that will authenticate your principal, and automatically use the information that its type is of `UserGroup::`, and the value will be from the token attribute `cognito:groups`.
 
 To authorize a request with a token using Verified Permissions, use the [`IsAuthorizedWithToken`](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_IsAuthorizedWithToken.html) API.
 
@@ -411,6 +394,7 @@ awslocal verifiedpermissions is-authorized-with-token \
 {{< /command >}}
 
 You should get the following output, indicating that your request was allowed:
+
 ```json
 {
     "decision": "ALLOW",
@@ -427,13 +411,13 @@ You should get the following output, indicating that your request was allowed:
 }
 ```
 
-
-Additionally, you can have more advanced and complex scenarios using Cognito attributes and claims to provide more context to your authorization request. Your policy can also use those additionals attributes to provide more fine-grained authorization. 
+Additionally, you can have more advanced and complex scenarios using Cognito attributes and claims to provide more context to your authorization request.
+Your policy can also use those additionals attributes to provide more fine-grained authorization.
 
 ## Current limitations
 
-No Schema validation when creating a new schema using `PutSchema`, and no Policy validation using said schema when creating policies and template policies. 
-
-Only Cognito is supported as an IdentitySource, external OIDC providers are not yet implemented.
+LocalStack currently has a few limitations in its emulation capabilities:
 
-The validation around Identity Sources and JWT is not fully yet implemented: the identity source is not validated to have a valid `jwks.json` endpoint, and the issuer and signature of the incoming JWT is not validated. 
+- No Schema validation when creating a new schema using `PutSchema`, and no Policy validation using said schema when creating policies and template policies.
+- Only Cognito is supported as an IdentitySource, external OIDC providers are not yet implemented.
+- The validation around Identity Sources and JWT is not fully yet implemented: the identity source is not validated to have a valid `jwks.json` endpoint, and the issuer, signature and expiration of the incoming JWT are not validated.
