Class Policy

java.lang.Object
software.amazon.awssdk.services.bedrockagentcorecontrol.model.Policy
All Implemented Interfaces:
Serializable, SdkPojo, ToCopyableBuilder<Policy.Builder,Policy>
@Generated("software.amazon.awssdk:codegen") public final class Policy extends Object implements SdkPojo, Serializable, ToCopyableBuilder<Policy.Builder,Policy>

Represents a complete policy resource within the AgentCore Policy system. Policies are ARN-able resources that contain Cedar policy statements and associated metadata for controlling agent behavior and access decisions. Each policy belongs to a policy engine and defines fine-grained authorization rules that are evaluated in real-time as agents interact with tools through Gateway. Policies use the Cedar policy language to specify who (principals based on OAuth claims like username, role, or scope) can perform what actions (tool calls) on which resources (Gateways), with optional conditions for attribute-based access control. Multiple policies can apply to a single request, with Cedar's forbid-wins semantics ensuring that security restrictions are never accidentally overridden.

See Also:

  • Method Details

    • policyId

      public final String policyId()

      The unique identifier for the policy. This system-generated identifier consists of the user name plus a 10-character generated suffix and serves as the primary key for policy operations.

      Returns:
      The unique identifier for the policy. This system-generated identifier consists of the user name plus a 10-character generated suffix and serves as the primary key for policy operations.

    • name

      public final String name()

      The customer-assigned immutable name for the policy. This human-readable identifier must be unique within the account and cannot exceed 48 characters.

      Returns:
      The customer-assigned immutable name for the policy. This human-readable identifier must be unique within the account and cannot exceed 48 characters.

    • policyEngineId

      public final String policyEngineId()

      The identifier of the policy engine that manages this policy. This establishes the policy engine context for policy evaluation and management.

      Returns:
      The identifier of the policy engine that manages this policy. This establishes the policy engine context for policy evaluation and management.

    • definition

      public final PolicyDefinition definition()

      The Cedar policy statement that defines the access control rules. This contains the actual policy logic used for agent behavior control and access decisions.

      Returns:
      The Cedar policy statement that defines the access control rules. This contains the actual policy logic used for agent behavior control and access decisions.

    • description

      public final String description()

      A human-readable description of the policy's purpose and functionality. Limited to 4,096 characters, this helps administrators understand and manage the policy.

      Returns:
      A human-readable description of the policy's purpose and functionality. Limited to 4,096 characters, this helps administrators understand and manage the policy.

    • createdAt

      public final Instant createdAt()

      The timestamp when the policy was originally created. This is automatically set by the service and used for auditing and lifecycle management.

      Returns:
      The timestamp when the policy was originally created. This is automatically set by the service and used for auditing and lifecycle management.

    • updatedAt

      public final Instant updatedAt()

      The timestamp when the policy was last modified. This tracks the most recent changes to the policy configuration or metadata.

      Returns:
      The timestamp when the policy was last modified. This tracks the most recent changes to the policy configuration or metadata.

    • policyArn

      public final String policyArn()

      The Amazon Resource Name (ARN) of the policy. This globally unique identifier can be used for cross-service references and IAM policy statements.

      Returns:
      The Amazon Resource Name (ARN) of the policy. This globally unique identifier can be used for cross-service references and IAM policy statements.

    • status

      public final PolicyStatus status()

      The current status of the policy.

      If the service returns an enum value that is not available in the current SDK version, status will return PolicyStatus.UNKNOWN_TO_SDK_VERSION. The raw value returned by the service is available from statusAsString().

      Returns:
      The current status of the policy.
      See Also:

    • statusAsString

      public final String statusAsString()

      The current status of the policy.

      If the service returns an enum value that is not available in the current SDK version, status will return PolicyStatus.UNKNOWN_TO_SDK_VERSION. The raw value returned by the service is available from statusAsString().

      Returns:
      The current status of the policy.
      See Also:

    • hasStatusReasons

      public final boolean hasStatusReasons()
      For responses, this returns true if the service returned a value for the StatusReasons property. This DOES NOT check that the value is non-empty (for which, you should check the isEmpty() method on the property). This is useful because the SDK will never return a null collection or map, but you may need to differentiate between the service returning nothing (or null) and the service returning an empty collection or map. For requests, this returns true if a value for the property was specified in the request builder, and false if a value was not specified.

    • statusReasons

      public final List<String> statusReasons()

      Additional information about the policy status. This provides details about any failures or the current state of the policy lifecycle.

      Attempts to modify the collection returned by this method will result in an UnsupportedOperationException.

      This method will never return null. If you would like to know whether the service returned this field (so that you can differentiate between null and empty), you can use the hasStatusReasons() method.

      Returns:
      Additional information about the policy status. This provides details about any failures or the current state of the policy lifecycle.

    • toBuilder

      public Policy.Builder toBuilder()
      Description copied from interface: ToCopyableBuilder
      Take this object and create a builder that contains all of the current property values of this object.
      Specified by:
      toBuilder in interface ToCopyableBuilder<Policy.Builder,Policy>
      Returns:
      a builder for type T

    • builder

      public static Policy.Builder builder()

    • serializableBuilderClass

      public static Class<? extends Policy.Builder> serializableBuilderClass()

    • hashCode

      public final int hashCode()
      Overrides:
      hashCode in class Object

    • equals

      public final boolean equals(Object obj)
      Overrides:
      equals in class Object

    • equalsBySdkFields

      public final boolean equalsBySdkFields(Object obj)
      Description copied from interface: SdkPojo
      Indicates whether some other object is "equal to" this one by SDK fields. An SDK field is a modeled, non-inherited field in an SdkPojo class, and is generated based on a service model.

      If an SdkPojo class does not have any inherited fields, equalsBySdkFields and equals are essentially the same.

      Specified by:
      equalsBySdkFields in interface SdkPojo
      Parameters:
      obj - the object to be compared with
      Returns:
      true if the other object equals to this object by sdk fields, false otherwise.

    • toString

      public final String toString()
      Returns a string representation of this object. This is useful for testing and debugging. Sensitive data will be redacted from this string using a placeholder value.
      Overrides:
      toString in class Object

    • getValueForField

      public final <T> Optional<T> getValueForField(String fieldName, Class<T> clazz)

    • sdkFields

      public final List<SdkField<?>> sdkFields()
      Specified by:
      sdkFields in interface SdkPojo
      Returns:
      List of SdkField in this POJO. May be empty list but should never be null.

    • sdkFieldNameToField

      public final Map<String,SdkField<?>> sdkFieldNameToField()
      Specified by:
      sdkFieldNameToField in interface SdkPojo
      Returns:
      The mapping between the field name and its corresponding field.