add AVP service documentation (#1738)

bentsku · HarshCasper · web-flow · commit 8a19853f801b · 2025-05-05T22:12:04.000+05:30
Co-authored-by: Harsh Mishra &lt;erbeusgriffincasper@gmail.com&gt;
diff --git a/content/en/user-guide/aws/cloudformation/index.md b/content/en/user-guide/aws/cloudformation/index.md
@@ -437,6 +437,10 @@ When utilizing the Community image, any resources within the stack that are not
 | AWS::SES::ReceiptRuleSet                        |      ✅ |      ✅ |      - |
 | AWS::SES::Template                              |      ✅ |      ✅ |      ✅ |
 | AWS::SecretsManager::SecretTargetAttachment     |      ✅ |      ✅ |      - |
+| AWS::VerifiedPermissions::IdentitySource        |      ✅ |      ✅ |      - |
+| AWS::VerifiedPermissions::Policy                |      ✅ |      ✅ |      - |
+| AWS::VerifiedPermissions::PolicyStore           |      ✅ |      ✅ |      - |
+| AWS::VerifiedPermissions::PolicyTemplate        |      ✅ |      ✅ |      - |
 | AWS::WAFv2::IPSet                               |      ✅ |      ✅ |      - |
 | AWS::WAFv2::LoggingConfiguration                |     ✅ |      ✅ |      - |
 | AWS::WAFv2::WebACL                              |      ✅ |      ✅ |      - |
diff --git a/content/en/user-guide/aws/verifiedpermissions/index.md b/content/en/user-guide/aws/verifiedpermissions/index.md
@@ -0,0 +1,140 @@
+---
+title: "Verified Permissions"
+linkTitle: "Verified Permissions"
+description: Get started with Verified Permissions on LocalStack
+tags: ["Enterprise plan"]
+---
+
+## Introduction
+
+Amazon Verified Permissions is a scalable service for managing fine-grained permissions and authorization in custom applications.  
+It helps secure applications by moving authorization logic outside the app and managing policies in one place, using the [Cedar policy language](https://docs.cedarpolicy.com/) to define access rules.  
+It checks if a principal can take an action on a resource in a specific context in your application.
+
+LocalStack allows you to use the Verified Permissions APIs in your local environment to test your authorization logic, with integrations with other AWS services like Cognito.
+The supported APIs are available on our [API coverage page](https://docs.localstack.cloud/references/coverage/coverage_verifiedpermissions/), which provides information on the extent of Verified Permissions' integration with LocalStack.
+
+{{< callout >}}
+Verified Permissions is available as part of the LocalStack Enterprise plan.
+If you'd like to try it out, please [contact us](https://www.localstack.cloud/demo) to request access.
+{{< /callout >}}
+
+## Getting started
+
+This guide is designed for users new to Verified Permissions and assumes basic knowledge of the AWS CLI and our [`awslocal`](https://github.com/localstack/awscli-local) wrapper script.
+
+Start your LocalStack container using your preferred method.
+We will demonstrate how to create a Verified Permissions Policy Store, add a policy to it, and authorize a request with the AWS CLI.
+
+### Create a Policy Store
+
+To create a Verified Permissions Policy Store, use the [`CreatePolicyStore`](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreatePolicyStore.html) API.
+Run the following command to create a Policy Store with Schema validation settings set to `OFF`:
+
+{{< command >}}
+$ awslocal verifiedpermissions create-policy-store \
+  --validation-settings mode=OFF \
+  --description "A local Policy Store"
+{{< /command >}}
+
+The above command returns the following response:
+
+```json
+{
+    "policyStoreId": "q5PCScu9qo4aswMVc0owNN",
+    "arn": "arn:aws:verifiedpermissions::000000000000:policy-store/q5PCScu9qo4aswMVc0owNN",
+    "createdDate": "2025-04-22T19:24:11.175557Z",
+    "lastUpdatedDate": "2025-04-22T19:24:11.175557Z"
+}
+```
+
+You can list all the Verified Permissions policy stores using the [`ListPolicyStores`](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_ListPolicyStores.html) API.
+Run the following command to list all the Verified Permissions policy stores:
+
+{{< command >}}
+$ awslocal verifiedpermissions list-policy-stores
+{{< /command >}}
+
+### Create a Policy
+
+To create a Verified Permissions Policy, use the [`CreatePolicy`](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreatePolicy.html) API.
+
+Create a JSON file named `static_policy.json` with the following content:
+
+```json
+{
+    "static": {
+        "description":  "Grant the User alice access to view the trip Album",
+        "statement": "permit(principal == User::\"alice\", action == Action::\"view\", resource == Album::\"trip\");"
+    }
+}
+```
+
+You can then run this command to create the policy:
+{{< command >}}
+$ awslocal verifiedpermissions create-policy \
+    --definition file://static_policy.json \
+    --policy-store-id q5PCScu9qo4aswMVc0owNN
+{{< /command >}}
+
+Replace the policy store ID with the ID of the policy store you created previously.
+
+You should see the following output:
+
+```json
+{
+    "policyStoreId": "q5PCScu9qo4aswMVc0owNN",
+    "policyId": "MfsIseJDeZsr5WUm3tB4FX",
+    "policyType": "STATIC",
+    "principal": {
+        "entityType": "User",
+        "entityId": "alice"
+    },
+    "resource": {
+        "entityType": "Album",
+        "entityId": "trip"
+    },
+    "actions": [
+        {
+            "actionType": "Action",
+            "actionId": "view"
+        }
+    ],
+    "createdDate": "2025-04-22T19:25:25.161652Z",
+    "lastUpdatedDate": "2025-04-22T19:25:25.161652Z",
+    "effect": "Permit"
+}
+```
+
+### Authorize a request
+
+We can now make use of the Policy Store and the Policy to start authorizing requests.
+To authorize a request using Verified Permissions, use the [`IsAuthorized`](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_IsAuthorized.html) API.
+
+{{< command >}}
+$ awslocal verifiedpermissions is-authorized \
+  --policy-store-id q5PCScu9qo4aswMVc0owNN \
+  --principal entityType=User,entityId=alice \
+  --action actionType=Action,actionId=view \
+  --resource entityType=Album,entityId=trip
+{{< /command >}}
+
+You should get the following output, indicating that your request was allowed:
+
+```json
+{
+    "decision": "ALLOW",
+    "determiningPolicies": [
+        {
+            "policyId": "MfsIseJDeZsr5WUm3tB4FX"
+        }
+    ],
+    "errors": []
+}
+```
+
+## Current limitations
+
+- No Schema validation when creating a new schema using `PutSchema`, and no Policy validation using said schema when creating policies and template policies.
+- Only Cognito is supported as an `IdentitySource`, external OIDC providers are not yet implemented.
+- The validation around Identity Sources and JWT is not fully yet implemented: the identity source is not validated to have a valid `jwks.json` endpoint, and the issuer, signature and expiration of the incoming JWT are not validated.
