Permissions Management
If you need to assign different permissions to employees in your enterprise to access your API Gateway resources, IAM is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your HUAWEI CLOUD resources.
With IAM, you can use your HUAWEI CLOUD account to create IAM users for your employees, and assign permissions to the employees to control their access to specific resources.
If your HUAWEI CLOUD account does not require individual IAM users for permissions management, skip this chapter.
IAM is free of charge. You pay only for the resources in your account. For more information about IAM, see IAM Service Overview.
API Gateway Permissions
By default, new IAM users do not have any permissions assigned. You need to add a user to one or more groups, and attach policies or roles to these groups. The user then inherits permissions from the groups to which the user belongs, and can perform specified operations on cloud services based on the permissions.
API Gateway is a project-level service deployed and accessed in specific physical regions. To assign API Gateway permissions to a user group, you need to specify region-specific projects (for example, cn-north-1 for CN North-Beijing1) for which the permissions will take effect. If you select All projects, the permissions will be granted for both the global service project and all region-specific projects. When accessing API Gateway, the users need to switch to a region where they have been authorized to use this service.
- Roles: A type of coarse-grained authorization mechanism that defines permissions related to user responsibilities. This mechanism provides only a limited number of service-level roles for authorization. When using roles to grant permissions, you also need to assign the other roles they depend on for the permissions to take effect. Roles are therefore not an ideal choice for fine-grained authorization and secure access control.
- Policies: A type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization and meets requirements for secure access control. For example, you can grant API Gateway users only the permissions for performing specific operations. Most policies define permissions based on APIs. For the API actions supported by API Gateway, see Permissions Policies and Supported Actions.
Table 1 lists all the system-defined roles and policies supported by API Gateway.
| Role/Policy Name | Description | Type | Dependency |
|---|---|---|---|
| APIG Administrator | Administrator permissions for API Gateway. Users granted these permissions can use all functions of the shared and dedicated gateways. | System-defined role | |
| APIG FullAccess | Full permissions for API Gateway. Users granted these permissions can use all functions of dedicated gateways. | System-defined policy | None |
| APIG ReadOnlyAccess | Read-only permissions for API Gateway. Users granted these permissions can only view dedicated gateways. | System-defined policy | None |
You can view the content of the preceding roles and policies on the IAM console. For example, the content of the APIG FullAccess policy is as follows:
```json
{
    "Version": "1.1",
    "Statement": [
        {
            "Action": [
                "apig:*:*",
                "vpc:*:get*",
                "vpc:*:list*",
                "vpc:ports:create",
                "vpc:ports:update",
                "vpc:ports:delete",
                "vpc:publicIps:update",
                "FunctionGraph:function:listVersion",
                "FunctionGraph:function:list",
                "FunctionGraph:function:getConfig",
                "ecs:servers:list",
                "lts:groups:list",
                "lts:logs:list",
                "lts:topics:list"
            ],
            "Effect": "Allow"
        }
    ]
}
```
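To see what the action patterns in such a policy actually grant, the following added example (not part of the API Gateway documentation or IAM's own evaluation engine) models a simplified policy check: each `service:resource:operation` segment is matched separately with `*` as a wildcard, access is denied by default, a matching Allow grants it, and a matching explicit Deny wins. The matching rules and the `evaluate` function are assumptions made for this illustration; the policy content is the APIG FullAccess policy shown above.

```python
import fnmatch
import json

# Copy of the APIG FullAccess policy shown above (embedded here for the example).
APIG_FULL_ACCESS = json.loads("""{
  "Version": "1.1",
  "Statement": [{
    "Action": ["apig:*:*", "vpc:*:get*", "vpc:*:list*", "vpc:ports:create",
               "vpc:ports:update", "vpc:ports:delete", "vpc:publicIps:update",
               "FunctionGraph:function:listVersion", "FunctionGraph:function:list",
               "FunctionGraph:function:getConfig", "ecs:servers:list",
               "lts:groups:list", "lts:logs:list", "lts:topics:list"],
    "Effect": "Allow"
  }]
}""")


def action_matches(pattern: str, action: str) -> bool:
    """Match a concrete 'service:resource:operation' action against a policy pattern.

    Assumption (simplified model, not IAM's own engine): the three segments are
    compared separately, case-insensitively, with '*' as a glob wildcard, so
    'vpc:*:get*' covers 'vpc:subnets:getSubnet' but not 'vpc:subnets:deleteSubnet'.
    """
    p_parts, a_parts = pattern.lower().split(":"), action.lower().split(":")
    if len(p_parts) != 3 or len(a_parts) != 3:
        return False
    return all(fnmatch.fnmatchcase(a, p) for p, a in zip(p_parts, a_parts))


def evaluate(policies: list, action: str) -> str:
    """Decide 'Allow' or 'Deny' for one action across all attached policies.

    Default is an implicit Deny; any matching Allow statement grants access,
    and a matching explicit Deny statement overrides every Allow.
    """
    decision = "Deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            patterns = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
            if not any(action_matches(p, action) for p in patterns):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


if __name__ == "__main__":
    for act in ["apig:apis:create", "vpc:subnets:get", "vpc:subnets:delete", "ecs:servers:create"]:
        print(f"{act:22} -> {evaluate([APIG_FULL_ACCESS], act)}")
```

Running the block shows that APIG FullAccess allows every `apig` action and read-only `vpc` actions, but not `vpc:subnets:delete` or `ecs:servers:create`; attaching an additional policy with an explicit Deny for `vpc:ports:delete` removes that single right while leaving the rest intact.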