You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
description: "Control which tools an agent can invoke using Cedar policies. Enforce identity-aware access control, role-based permissions, and rate limits at the tool-call boundary."
4
-
languages: [typescript]
5
4
tags: [safety, interventions, tool-execution]
6
5
sidebar:
7
6
badge:
8
7
text: New
9
8
variant: tip
10
9
---
11
10
12
-
Cedar Authorization evaluates [Cedar](https://cedarpolicy.com) policies before each tool call, giving you declarative, identity-aware access control over agent behavior. It ships as a vended intervention in the TypeScript SDK.
11
+
Cedar Authorization evaluates [Cedar](https://cedarpolicy.com) policies before each tool call, giving you declarative, identity-aware access control over agent behavior. It ships as a vended intervention handler in both the Python and TypeScript SDKs.
13
12
14
13
## How it works
15
14
@@ -29,81 +28,158 @@ The design is fail-closed: if principal identity cannot be resolved, all tool ca
Cedar uses default-deny semantics. Tools without a matching `permit` statement are automatically blocked.
39
49
40
50
## Role-based access control
41
51
42
-
For multi-tenant agents where each request carries user identity, use `principalResolver` to extract the principal from `invocationState` and `contextEnricher` to forward role information into Cedar context:
52
+
For multi-tenant agents where each request carries user identity, use <Syntaxpy="principal_resolver"ts="principalResolver" /> to extract the principal from <Syntaxpy="invocation_state"ts="invocationState" /> and <Syntaxpy="context_enricher"ts="contextEnricher" /> to forward role information into Cedar context:
When `principalResolver`returns `undefined` (no identity found), the handler denies all tool calls for that request.
71
+
When <Syntaxpy="principal_resolver"ts="principalResolver" /> returns <Syntaxpy="None"ts="undefined" /> (no identity found), the handler denies all tool calls for that request.
51
72
52
73
## Rate limiting
53
74
54
75
Cedar policies can reference `context.session.call_count`, which tracks how many times each tool has been invoked successfully during the session:
Call counts persist with the agent's `appState` and survive session reloads. Only successful tool calls increment the counter.
94
+
Call counts persist with the agent's state and survive session reloads. Only successful tool calls increment the counter.
63
95
64
96
## Schema validation
65
97
66
-
Pass your `tools` array to catch policy typos at construction time. The handler generates a Cedar schema from tool definitions and validates policies against it:
98
+
Pass your tool definitions to catch policy typos at construction time. The handler generates a Cedar schema from tool definitions and validates policies against it:
Schema validation integrates with the [`cedar-for-agents`](https://github.com/cedar-policy/cedar-for-agents) ecosystem via `@cedar-policy/mcp-schema-generator-wasm`.
117
+
Schema validation integrates with the [`cedar-for-agents`](https://github.com/cedar-policy/cedar-for-agents) ecosystem via `@cedar-policy/mcp-schema-generator-wasm` (TypeScript) and `cedar-policy-mcp-schema-generator` (Python).
75
118
76
119
## Environment gating
77
120
78
-
Block tools based on deployment context by forwarding environment metadata through `contextEnricher`:
121
+
Block tools based on deployment context by forwarding environment metadata through <Syntaxpy="context_enricher"ts="contextEnricher" />:
`reload()` reads fresh policy, entity, and schema files, validates them, and atomically swaps the active policy set. If validation fails, the previous policies remain in effect and the method throws.
109
185
@@ -125,15 +201,38 @@ Every authorization request includes a structured context object:
125
201
-`context.input` contains the tool's input arguments, accessible in policies via `context.input.fieldName`
126
202
-`context.session.hour_utc` is auto-populated with the current UTC hour (0-23)
- Additional `context.session` fields come from your `contextEnricher`
204
+
- Additional `context.session` fields come from your <Syntaxpy="context_enricher"ts="contextEnricher" />
129
205
130
206
## Error handling
131
207
132
-
The `onError` option controls behavior when Cedar evaluation itself fails (malformed context, WASM errors):
208
+
Cedar engine failures (malformed policies, evaluation errors) are always fail-closed: the tool call is denied regardless of configuration.
209
+
210
+
The <Syntaxpy="on_error"ts="onError" /> option controls what happens when your user-supplied callbacks (<Syntaxpy="principal_resolver"ts="principalResolver" /> or <Syntaxpy="context_enricher"ts="contextEnricher" />) raise an exception:
211
+
212
+
-`'throw'` (default): re-raises the exception to the caller
213
+
-`'deny'`: treats the callback failure as a denial (fail-closed)
214
+
-`'proceed'`: allows the tool call despite the callback error (fail-open, use with caution)
215
+
216
+
## Installation
217
+
218
+
<Tabs>
219
+
<Tablabel="Python">
220
+
221
+
```bash
222
+
pip install strands-agents[cedar]
223
+
```
224
+
225
+
Requires `cedarpy` and `cedar-policy-mcp-schema-generator` (installed automatically with the extra).
226
+
</Tab>
227
+
<Tablabel="TypeScript">
228
+
229
+
```bash
230
+
npm install @strands-agents/sdk
231
+
```
133
232
134
-
-`'throw'` (default): raises the error to the caller
135
-
-`'deny'`: treats evaluation failure as a denial (fail-closed)
136
-
-`'proceed'`: allows the tool call despite the error (fail-open, use with caution)
233
+
Cedar support is included in the core package via `@cedar-policy/mcp-schema-generator-wasm`.
0 commit comments