Policies
Learn about policies in VTEX IO and what they are used for.
Policies are sets of permissions granted to a resource (VRN) or a role, allowing or forbidding it to execute a given set of actions in an account, such as making a request to the platform.
In VTEX IO, apps interact with policies in two ways:
- Using policies to access an external resource, such as an endpoint exposed by another VTEX IO app.
- Exposing policies to define how other apps, users, or services can securely access the resources they provide.
Types of policies
There are two kinds of policies: role-based and resource-based. Both are based on AWS's IAM policies.
Understanding the difference between role-based and resource-based policies is especially important when exposing a new policy, since the type determines where the policy must be declared and how it will be evaluated by the platform.
As the name suggests, role-based policies are associated with a role in the platform, for example, a role assumed by an app. In this case, these policies must be declared in the policies.json file in the app's root folder.
Resource-based policies, in turn, are policies assigned to a resource in the platform, such as an API endpoint. In this case, the resource itself must declare which apps, users, and services it trusts, and provide information about the context in which those roles should be trusted. Since an app declares its routes in a service.json file, this is also the file in which the resource-based policies must be declared.
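As an added illustration (not VTEX's code and not part of the original page), the script below reviews a constructed service.json and lists the routes whose resource-based policy trusts a principal that names no specific app, or that declare no resource-based policy at all. The field names (routes, public, policies, effect, actions, principals), the VRN strings and the app name acme.storefront are assumptions, since this page does not show the file's schema.

```python
import json

# Constructed sample manifest. The field names (routes, public, policies,
# effect, actions, principals) and the VRN strings are assumptions; this page
# does not show the service.json schema.
SAMPLE_SERVICE_JSON = """
{
  "routes": {
    "status": {"path": "/_v/status/:code", "public": false, "policies": [
      {"effect": "allow", "actions": ["get"],
       "principals": ["vrn:apps:*:*:*:app/acme.storefront@*"]}]},
    "export": {"path": "/_v/export", "public": false, "policies": [
      {"effect": "allow", "actions": ["get", "post"],
       "principals": ["vrn:apps:*:*:*:app/*"]}]},
    "internal": {"path": "/_v/internal", "public": false}
  }
}
"""

def is_broad(principal):
    """True when the last VRN segment names no specific app, user or service."""
    tail = principal.rsplit(":", 1)[-1]
    return set(tail) <= set("*/@") or tail.endswith("/*")

def audit_routes(manifest_text):
    """Return {route_name: [findings]} for the routes that need review."""
    routes = json.loads(manifest_text).get("routes", {})
    findings = {}
    for name, route in routes.items():
        notes = []
        statements = route.get("policies", [])
        if not route.get("public", False) and not statements:
            notes.append("no resource-based policy declared")
        for stmt in statements:
            if stmt.get("effect") != "allow":
                continue  # only allow statements extend trust
            for principal in stmt.get("principals", []):
                if is_broad(principal):
                    notes.append(f"allow {stmt.get('actions')} to broad principal {principal}")
        if notes:
            findings[name] = notes
    return findings

if __name__ == "__main__":
    for route, notes in audit_routes(SAMPLE_SERVICE_JSON).items():
        for note in notes:
            print(f"{route}: {note}")
```

A route flagged for having no resource-based policy may still be covered by a role-based policy, so treat the output as a review list rather than a verdict.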