<img src="https://ws.zoominfo.com/pixel/6169bf9791429100154fc0a2" width="1" height="1" style="display: none;">
Curious about how StrongDM works? 🤔 Learn more here!
Search
Close icon
Search bar icon
Search
Close icon
Search bar icon
Blog / AWS

StrongDM Releases Cedar-Go 1.0.0: Policy-Based Authorization for Go Developers

Justin McCarthy
by
Co-founder / CTO
StrongDM
4 min read
Last updated on: November 21, 2024
AWS Well-Architected Framework Solution Guide PDF PDF AWS Well-Architected Framework Solution Guide PDF
Found in: AWS
StrongDM manages and audits access to infrastructure.
  • Role-based, attribute-based, & just-in-time access to infrastructure
  • Connect any person or service to any infrastructure, anywhere
  • Logging like you've never seen
Get a demo
StrongDM Releases Cedar-Go 1.0.0: Policy-Based Authorization for Go Developers

Cedar is an open-source policy language and evaluation engine designed to define and enforce fine-grained authorization policies within applications. It enables developers to express permissions through clear, human-readable policies, effectively decoupling access control from application logic. Cedar supports common authorization models, including role-based access control (RBAC) and attribute-based access control (ABAC).

About nine months ago, Amazon accepted StrongDM's native Go implementation of Cedar into the official Cedar Policy Organization GitHub repository to complement the AWS’ Rust Cedar library.

This milestone was a game-changer for Go developers working on authorization solutions. Cedar is a domain-specific language for authorization designed to be expressive, performant, and analyzable. By implementing Cedar in Go, StrongDM has brought this robust framework directly into the Go ecosystem, enabling developers to seamlessly integrate it into their projects.

Today, we’re excited to announce the release of version 1.0.0 of the package, now generally available.

Why does this matter? The combination of Cedar's policy-based approach and Go's efficiency empowers developers to build secure, high-performance applications with ease. Our Go implementation unlocks Cedar’s capabilities for Go developers, providing key benefits like:

  • Enhanced Security: Leverage Cedar’s cryptographic solutions and policy-based authorization to enforce secure access controls in your Go applications right out of the box.
  • High Performance: Cedar’s design ensures security doesn’t compromise speed, making it an ideal choice for performance-critical applications.
  • Streamlined Authorization: Easily integrate policy-based access control that adapts to changing requirements with minimal code changes, ensuring scalability.
  • Simplified Policy Management: Define, update, and enforce access policies with Cedar’s flexible, developer-friendly framework.
  • Native Go Integration: Enjoy the reliability and readability of a Go-native implementation, built specifically for the tools and workflows you already know.

With this release, Go developers now have a powerful tool to build applications that are both secure and scalable, while benefiting from Cedar's advanced features.

StrongDM is Simplifying Security for Developers With Cedar

At StrongDM, we’re passionate about Cedar because it strikes the perfect balance between expressiveness, performance, safety, and analyzability. These attributes make Cedar an outstanding choice for building robust, efficient, and maintainable policy-based access control systems.

One of the primary reasons we chose Cedar was its exceptional performance in large, complex environments. This isn’t just our opinion—it’s backed by research. The AWS team, alongside leading experts, published a detailed paper, Cedar: A New Language for Expressive, Fast, Safe, and Analyzable Authorization, highlighting Cedar’s performance advantages. Unlike alternatives such as OpenFGA and Rego, Cedar maintains its efficiency as the number of users and resources scales—a critical need in today’s rapidly expanding digital ecosystems.

We saw this firsthand last year when benchmarking various policy languages. Cedar consistently outperformed others, scaling gracefully even as the count of entities (users, resources, etc.) grew. For us, this scalability is non-negotiable for building secure, high-performance applications that keep up with evolving demands.

Our decision to implement Cedar in Go wasn’t just technical—it was philosophical. At StrongDM, we prioritize usability and simplicity in everything we build. Go, our language of choice, emphasizes readability, making it easier for developers to write, understand, and maintain code. By introducing Cedar into the Go ecosystem, we extend this commitment to usability into the realm of security, empowering developers to seamlessly incorporate strong authorization into their applications.

With Cedar in Go, we’re combining the best of both worlds: a high-performance, scalable policy language paired with a developer-friendly implementation. This synergy enables you to build secure, scalable systems without adding complexity—keeping security straightforward and effective.

StrongDM’s Cedar-Go Version 1.0.0

The 1.0.0 release has some unique and helpful features, which we’re excited to detail here: 

Programmatic AST Construction

At StrongDM, we needed a way to express our existing software-defined authorization primitives in Cedar. These primitives were already implemented in Go, so converting them into Cedar text—only for the cedar-go parser to turn them back into a Cedar Abstract Syntax Tree (AST)—felt inefficient and unnecessary.

To streamline this process, we developed the ast package, enabling us to construct the Cedar AST programmatically. By cutting out the translation layer, we optimized the integration and reduced overhead, allowing us to work directly with the Cedar AST in Go.

When building the ast package, we focused on making programmatic AST construction as intuitive as writing a Cedar policy in text. The result? A developer experience that closely mirrors the simplicity and readability of Cedar itself, empowering you to seamlessly define and manage policies in your Go applications. Here’s a taste:

 johnny := types.NewEntityUID("FolkHeroes", "johnnyChapman")
 sow := types.NewEntityUID("Action", "sow")
 cast := types.NewEntityUID("Action", "cast")
 midwest := types.NewEntityUID("Locations::USA::Regions", "midwest")

 policy := ast.Permit().
     PrincipalEq(johnny).
     ActionInSet(sow, cast).
     ResourceIs("Crops::Apple").
     When(ast.Context().Access("location").In(ast.Value(midwest))).
     Unless(ast.Context().Access("season").Equal(ast.String("winter")))

Batch Authorization

Batch authorization is a fully tested feature that allows callers to run authorizations against a policy set while treating one or more elements of the PARC (Principal, Action, Resource, and Context) as variables. (Note: We reserve the right to update or modify the API in the future.)

This system leverages partial evaluation of the policy set, significantly reducing the time needed to process a batch compared to making individual calls to PolicySet.IsAuthorized() for every variable combination. The results are streamed back via a callback function, giving callers the flexibility to cancel the operation if it exceeds a desired time limit.

In our testing, batch authorization demonstrated impressive performance: it evaluated access for a user across 250,000 resources with over 20,000 policies in under 200ms. This efficiency ensures that even large-scale authorization queries remain fast and manageable.

Here’s an example of what’s possible:

req := batch.Request {
    Principal: cedar.NewEntityUID("StrongDM::Account", "a-1234")
    Action: cedar.NewEntityUID("StrongDM::Action", "connect"),
    Resource:  Variable("resource"),
    Context:   types.Record{},
    Variables: Variables{
        "resource": []types.Value{...}, // A set of all resources
    },
}


// Given a cedar.PolicySet ps and entity map e, tell me whether principal
// StrongDM::Account::"a-1234" can connect to each of the resources specified
err := Authorize(
    context.Background(),
    ps,
    e,
    tt.Request,
    func(r Result) {
        // Called for each resource with an authorization decision
    }
)

100% Test Coverage

When it comes to authorization libraries, correctness is non-negotiable. That’s why we’ve meticulously written tests to ensure 100% code coverage across the library. To further bolster confidence in our implementation, we run the upstream corpus test suite from the cedar-policy/cedar-integration-tests repository on every pull request. This ensures the library meets the highest standards of accuracy and reliability.

What’s Next for StrongDM, Cedar, and Go?

Reaching version 1.0 is just the beginning! We’re already planning our next steps, which include:

  • Entity Tags Support: Implementing features from RFC 82 to enhance flexibility in policy definitions.
  • Policy Templates: Simplifying policy creation and reuse with structured, pre-defined templates.
  • Schema-Based Policy Validation: Introducing schema validation to ensure policies are correctly formatted and aligned with organizational requirements.

Stay tuned as we continue to innovate and expand the possibilities for Cedar in the Go ecosystem!

About the Author

, Co-founder / CTO, originally developed empathy for Operations as a founding and pager-carrying member of many operations and data teams. As an Executive, he has led Engineering and Product in high-throughput and high-stakes e-Commerce, financial, and AI products. Justin is the original author of StrongDM's core protocol-aware proxy technology. To contact Justin, visit him on Twitter.

StrongDM logo
💙 this post?
Then get all that StrongDM goodness, right in your inbox.

You May Also Like

How to Automate Continuous Compliance in AWS with StrongDM
How to Automate Continuous Compliance in AWS with StrongDM
Enterprises seek ways to effectively address the needs of dynamic, always-evolving cloud infrastructures, and StrongDM has developed a platform that is designed with built-in capabilities to support continuous compliance in AWS environments.
Why Just-in-Time Access Is Key for Zero Trust Security in AWS
Why Just-in-Time Access Is Key for Zero Trust Security in AWS
Learn why Just-in-Time (JIT) access is essential for Zero Trust security in AWS environments. Discover how StrongDM's JIT access enhances security, optimizes workflows, and ensures compliance with Zero Trust principles.
Cedar for Kubernetes: Authorization That Speaks Your Language
Cedar for Kubernetes: Authorization That Speaks Your Language
By simplifying the ability to enforce granular policies, Cedar has set a new benchmark for access control in Kubernetes, and we’re thrilled to be part of this journey. This evolution is a milestone for anyone dedicated to securing cloud infrastructure.
Cedar Go Implementation: Simplifying Security for Developers
Cedar Go Implementation: Simplifying Security for Developers
We are pleased to announce that Amazon has accepted StrongDM's native Go implementation of Cedar into the Cedar Policy Organization's official GitHub repository. This allows Go developers to use Cedar, a security and authorization framework built to be fast, secure, and analyzable natively in their Go programs.
AWS re:Invent 2023 Recap
AWS re:Invent 2023 Recap: RDS for Db2, EKS Pod Identity & More
re:Invent 2023 was AWS’ 12th conference, and it did not disappoint. More than 50,000 of us descended onto Las Vegas for a week of learning, networking, and discussing all things cloud. The campus was insanely large, spanning most of the Las Vegas strip, so that meant we got our steps in! We had some fun along the way, as well, at the many social gatherings, parties and amazing musical experience re:Play.