get_policy

BedrockAgentCoreControl.Client.get_policy(**kwargs)

Retrieves detailed information about a specific policy within the AgentCore Policy system. This operation returns the complete policy definition, metadata, and current status, allowing administrators to review and manage policy configurations.

See also: AWS API Documentation

Request Syntax

response = client.get_policy(
    policyEngineId='string',
    policyId='string'
)

Parameters:
  • policyEngineId (string) –

    [REQUIRED]

    The identifier of the policy engine that manages the policy to be retrieved.

  • policyId (string) –

    [REQUIRED]

    The unique identifier of the policy to be retrieved. This must be a valid policy ID that exists within the specified policy engine.

Return type:

dict

Returns:

Response Syntax

{
    'policyId': 'string',
    'name': 'string',
    'policyEngineId': 'string',
    'definition': {
        'cedar': {
            'statement': 'string'
        }
    },
    'description': 'string',
    'createdAt': datetime(2015, 1, 1),
    'updatedAt': datetime(2015, 1, 1),
    'policyArn': 'string',
    'status': 'CREATING'|'ACTIVE'|'UPDATING'|'DELETING'|'CREATE_FAILED'|'UPDATE_FAILED'|'DELETE_FAILED',
    'statusReasons': [
        'string',
    ]
}

Response Structure

  • (dict) –

    • policyId (string) –

      The unique identifier of the retrieved policy. This matches the policy ID provided in the request and serves as the system identifier for the policy.

    • name (string) –

      The customer-assigned name of the policy. This is the human-readable identifier that was specified when the policy was created.

    • policyEngineId (string) –

      The identifier of the policy engine that manages this policy. This confirms the policy engine context for the retrieved policy.

    • definition (dict) –

      The Cedar policy statement that defines the access control rules. This contains the actual policy logic used for agent behavior control and access decisions.

      Note

      This is a Tagged Union structure. Only one of the following top level keys will be set: cedar. If a client receives an unknown member it will set SDK_UNKNOWN_MEMBER as the top level key, which maps to the name or tag of the unknown member. The structure of SDK_UNKNOWN_MEMBER is as follows:

      'SDK_UNKNOWN_MEMBER': {'name': 'UnknownMemberName'}
      
      • cedar (dict) –

        The Cedar policy definition within the policy definition structure. This contains the Cedar policy statement that defines the authorization logic using Cedar’s human-readable, analyzable policy language. Cedar policies specify principals (who can access), actions (what operations are allowed), resources (what can be accessed), and optional conditions for fine-grained control. Cedar provides a formal policy language designed for authorization with deterministic evaluation, making policies testable, reviewable, and auditable. All Cedar policies follow a default-deny model where actions are denied unless explicitly permitted, and forbid policies always override permit policies.

        • statement (string) –

          The Cedar policy statement that defines the authorization logic. This statement follows Cedar syntax and specifies principals, actions, resources, and conditions that determine when access should be allowed or denied.

    • description (string) –

      The human-readable description of the policy’s purpose and functionality. This helps administrators understand and manage the policy.

    • createdAt (datetime) –

      The timestamp when the policy was originally created.

    • updatedAt (datetime) –

      The timestamp when the policy was last modified. This tracks the most recent changes to the policy configuration.

    • policyArn (string) –

      The Amazon Resource Name (ARN) of the policy. This globally unique identifier can be used for cross-service references and IAM policy statements.

    • status (string) –

      The current status of the policy.

    • statusReasons (list) –

      Additional information about the policy status. This provides details about any failures or the current state of the policy.

      • (string) –

Exceptions

  • BedrockAgentCoreControl.Client.exceptions.AccessDeniedException

  • BedrockAgentCoreControl.Client.exceptions.ValidationException

  • BedrockAgentCoreControl.Client.exceptions.ResourceNotFoundException

  • BedrockAgentCoreControl.Client.exceptions.ThrottlingException

  • BedrockAgentCoreControl.Client.exceptions.InternalServerException
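
One way to use the response fields and exceptions described above in a policy audit, shown as an added example that is not part of the AWS documentation. The function names, the baseline digest, the placeholder identifiers, and the choice to report every non-ACTIVE status as a finding are assumptions of this example.

```python
import hashlib

FAILED = {"CREATE_FAILED", "UPDATE_FAILED", "DELETE_FAILED"}  # from Response Syntax

def review_response(resp, engine_id, policy_id, baseline_sha256=None):
    """Return (record, findings); findings is empty when nothing needs attention."""
    findings = []
    if (resp.get("policyId"), resp.get("policyEngineId")) != (policy_id, engine_id):
        findings.append("response identifiers do not match the request")
    status = resp.get("status")
    if status in FAILED:
        reasons = "; ".join(resp.get("statusReasons") or []) or "no reason given"
        findings.append(f"status {status}: {reasons}")
    elif status != "ACTIVE":
        findings.append(f"status {status}: in transition, re-check later")
    # 'definition' is a tagged union: fail closed on a member this SDK version
    # does not know instead of assuming a Cedar statement is present.
    definition = resp.get("definition") or {}
    statement = None
    if "SDK_UNKNOWN_MEMBER" in definition:
        name = definition["SDK_UNKNOWN_MEMBER"].get("name")
        findings.append(f"unknown definition member {name!r}; cannot review")
    else:
        statement = (definition.get("cedar") or {}).get("statement")
        if not statement:
            findings.append("definition carries no Cedar statement")
    digest = hashlib.sha256(statement.encode()).hexdigest() if statement else None
    if baseline_sha256 and digest != baseline_sha256:
        findings.append("Cedar statement differs from the approved baseline")
    record = {"policyArn": resp.get("policyArn"), "status": status, "sha256": digest}
    return record, findings

def review_policy(client, engine_id, policy_id, baseline_sha256=None):
    """Call get_policy on a real client; a missing policy is itself a finding."""
    try:
        resp = client.get_policy(policyEngineId=engine_id, policyId=policy_id)
    except client.exceptions.ResourceNotFoundException:
        return None, ["policy not found in this policy engine"]
    return review_response(resp, engine_id, policy_id, baseline_sha256)

# Constructed sample response (identifiers and statement are placeholders).
SAMPLE = {
    "policyId": "policy-EXAMPLE", "policyEngineId": "engine-EXAMPLE",
    "status": "ACTIVE", "statusReasons": [],
    "definition": {"cedar": {"statement": "forbid(principal, action, resource);"}},
}
BASELINE = hashlib.sha256(b"forbid(principal, action, resource);").hexdigest()

if __name__ == "__main__":
    print(review_response(SAMPLE, "engine-EXAMPLE", "policy-EXAMPLE", BASELINE))
```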